Windows Analysis Report
REMITTANCE DETAILS....xlsx

Overview

General Information

Sample name:REMITTANCE DETAILS....xlsx
Analysis ID:1624971
MD5:7a1977f7be57db4654fdd262d5159ba1
SHA1:305bf321f8ace1e709a69ac216c1af28192bb74f
SHA256:90a947ea45b176ce0aea06857bc18802b72ccc76b5a067fbac2b271d591a6d5c

Detection

HTMLPhisher, Invisible JS
Score:84
Range:0 - 100
Confidence:100%

Signatures

AI detected phishing page
Yara detected HtmlPhish29
Yara detected Invisible JS
Yara detected Obfuscation Via HangulCharacter
AI detected landing page (webpage, office document or email)
AI detected suspicious Javascript
Tries to detect the country of the analysis system (by using the IP)
Connects to many different domains
Detected clear text password fields (password is not hidden)
HTML page contains hidden javascript code
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic

Classification

  • System is w10x64_ra
  • EXCEL.EXE (PID: 2904 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\user\Desktop\REMITTANCE DETAILS....xlsx" MD5: 4A871771235598812032C822E6F68F19)
    • chrome.exe (PID: 2784 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://form.questionscout.com/67b5bc1a1a5964e3bafd5939 MD5: 83395EAB5B03DEA9720F8D7AC0D15CAA)
      • chrome.exe (PID: 6452 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2072 --field-trial-handle=1984,i,3289712561575310774,16944066909727599253,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 83395EAB5B03DEA9720F8D7AC0D15CAA)
    • splwow64.exe (PID: 1888 cmdline: C:\Windows\splwow64.exe 12288 MD5: 77DE7761B037061C7C112FD3C5B91E73)
  • firefox.exe (PID: 5240 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
    • firefox.exe (PID: 3944 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
      • firefox.exe (PID: 7140 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2304 -parentBuildID 20230927232528 -prefsHandle 2248 -prefMapHandle 2232 -prefsLen 25250 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e6b7dcc4-5f21-4fa8-9fbd-5a78401b259a} 3944 "\\.\pipe\gecko-crash-server-pipe.3944" 25f1396e510 socket MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
      • firefox.exe (PID: 1528 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4056 -parentBuildID 20230927232528 -prefsHandle 4048 -prefMapHandle 4040 -prefsLen 25416 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7693232a-b44b-4380-8efc-bc41f6f1c2ea} 3944 "\\.\pipe\gecko-crash-server-pipe.3944" 25f244f5910 rdd MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
Source | Rule | Description | Author | Strings
0.0.id.script.csv | JoeSecurity_HtmlPhish_29 | Yara detected HtmlPhish_29 | Joe Security |
1.0.pages.csv | JoeSecurity_HtmlPhish_29 | Yara detected HtmlPhish_29 | Joe Security |
1.1.pages.csv | JoeSecurity_HtmlPhish_29 | Yara detected HtmlPhish_29 | Joe Security |
1.2.pages.csv | JoeSecurity_HtmlPhish_29 | Yara detected HtmlPhish_29 | Joe Security |
1.3.pages.csv | JoeSecurity_HtmlPhish_29 | Yara detected HtmlPhish_29 | Joe Security |
            No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-02-26T17:49:18.675075+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.18 | 50013 | 13.107.246.60 | 443 | TCP
2025-02-26T17:49:23.442180+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.18 | 50032 | 13.107.246.60 | 443 | TCP
2025-02-26T17:49:23.457983+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.18 | 50033 | 13.107.246.60 | 443 | TCP

            Location Tracking

Source: unknown | DNS query: name: geolocation-db.com

            Phishing

Source: https://form.questionscout.com/67b5bc1a1a5964e3bafd5939 | Joe Sandbox AI: Score: 9. Reasons: the brand 'Microsoft Office' is well-known and typically associated with the domain 'office.com'; the URL 'form.questionscout.com' does not match the legitimate domain for Microsoft Office; the domain 'questionscout.com' is not associated with Microsoft Office and appears to be a third-party service; the presence of input fields for 'EMAIL ADDRESS' and 'PASSWORD' on a non-legitimate domain is suspicious and indicative of phishing. DOM: 1.0.pages.csv
Source: Yara match | File source: 0.0.id.script.csv, type: HTML
Source: Yara match | File source: 1.0.pages.csv, type: HTML
Source: Yara match | File source: 1.1.pages.csv, type: HTML
Source: Yara match | File source: 1.2.pages.csv, type: HTML
Source: Yara match | File source: 1.3.pages.csv, type: HTML
Source: Yara match | File source: 1.7.pages.csv, type: HTML
Source: Yara match | File source: 0.4.id.script.csv, type: HTML
Source: Yara match | File source: 2.4.pages.csv, type: HTML
Source: Office document | Joe Sandbox AI: Page contains button: 'View Now' Source: 'Office document'
Source: Office document | Joe Sandbox AI: Office document contains prominent button: 'view now'
Source: 0.5.id.script.csv | Joe Sandbox AI: Detected suspicious JavaScript with source url: https://rvxp.ulayetand.ru/chiTL/... This script exhibits several high-risk behaviors that indicate potential malicious intent. It uses the `atob()` function to decode a base64-encoded HTML string and dynamically writes it to the document, which could be used to inject arbitrary content. Additionally, it removes the current script element from the DOM, suggesting an attempt to hide its presence. The script also sets up event listeners and timers to manipulate the DOM, which could be used for further malicious activities. Overall, the combination of dynamic code execution, DOM manipulation, and potential data exfiltration (based on the `FormData` object creation) suggests a high-risk script that requires further investigation.
Source: 0.4.id.script.csv | Joe Sandbox AI: Detected suspicious JavaScript with source url: https://rvxp.ulayetand.ru/chiTL/... This script demonstrates several high-risk behaviors, including dynamic code execution using `eval`, data exfiltration through obfuscated URLs, and aggressive DOM manipulation. The combination of these factors indicates a highly suspicious and potentially malicious script that should be investigated further.
Source: 0.3.id.script.csv | Joe Sandbox AI: Detected suspicious JavaScript with source url: https://rvxp.ulayetand.ru/chiTL/... This script demonstrates several high-risk behaviors, including dynamic code execution, data exfiltration, and obfuscated code/URLs. The use of `eval` and the decoding of a base64-encoded string suggest the potential for malicious activity. Additionally, the script appears to be interacting with an untrusted domain, further increasing the risk. Overall, this script exhibits a high level of suspicious behavior and should be treated with caution.
Source: https://form.questionscout.com/67b5bc1a1a5964e3bafd5939 | HTTP Parser: <input type="text"... for password input
Source: https://rvxp.ulayetand.ru/chiTL/ | HTTP Parser: Base64 decoded: <!DOCTYPE html><html lang="en"><head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title>AI Technology</title> <style> body { font-family: 'Orbitron', sans-serif; ...
Source: https://rvxp.ulayetand.ru/chiTL/ | HTTP Parser: No favicon
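A static triage check for the page-level indicators the signatures above describe: JavaScript hidden behind atob() and document.write, a script that removes itself from the DOM, a password prompt rendered as a plain text input, and Hangul filler characters used as obfuscation. This is an added example written for this page, not Joe Sandbox's YARA rules or AI classifier. The HTML it scans is a constructed sample that mimics those behaviours (it is not the captured page), and the thresholds it uses (a 16-character minimum for base64 literals, 8-character Hangul runs, a non-Korean lang attribute) are assumptions chosen for the demo.

```python
import base64
import re

# Constructed sample page modelled on the behaviours the report describes;
# it is not the captured phishing page.
SAMPLE_HTML = r"""<!DOCTYPE html><html lang="en"><head><title>AI Technology</title></head>
<body>
<script>
var p = "PGRpdj5TaWduIGluPC9kaXY+";
document.write(atob(p));
document.currentScript.remove();
</script>
<form>
<input type="text" name="email" placeholder="EMAIL ADDRESS">
<input type="text" name="pwd" placeholder="PASSWORD">
</form>
<span style="display:none">가나다라마바사아자차카타파하가나다라</span>
</body></html>"""

# Hangul syllables, Jamo and compatibility Jamo; an 8-char run is the demo threshold
HANGUL_RUN = re.compile(r"[\uAC00-\uD7A3\u1100-\u11FF\u3130-\u318F]{8,}")


def find_base64_blobs(html, min_len=16):
    """Decode quoted base64 literals of at least min_len chars that yield UTF-8 text."""
    out = []
    for m in re.finditer(r'["\']([A-Za-z0-9+/]{%d,}={0,2})["\']' % min_len, html):
        try:
            out.append(base64.b64decode(m.group(1), validate=True).decode("utf-8"))
        except (ValueError, UnicodeDecodeError):
            continue  # not a real base64 payload (wrong alphabet/padding or binary)
    return out


def cleartext_password_inputs(html):
    """<input> tags that look like password fields but are not type="password"."""
    hits = []
    for tag in re.findall(r"<input\b[^>]*>", html, flags=re.I):
        if re.search(r'type\s*=\s*["\']?password', tag, re.I):
            continue
        if re.search(r"password|passwd|pwd", tag, re.I):
            hits.append(tag)
    return hits


def page_lang(html):
    """Value of the <html lang=...> attribute, lowercased, or '' if absent."""
    m = re.search(r'<html\b[^>]*\blang\s*=\s*["\']?([A-Za-z-]+)', html, re.I)
    return m.group(1).lower() if m else ""


def triage(html):
    """Return {indicator: evidence} for every indicator present in the page."""
    findings = {}
    # base64 HTML written into the document at runtime
    if re.search(r"document\.write\s*\(\s*atob\s*\(", html):
        findings["atob_document_write"] = find_base64_blobs(html)
    # the loader deletes its own <script> element to hide from DOM inspection
    if re.search(r"currentScript\s*\.\s*remove\s*\(\s*\)|parentNode\s*\.\s*removeChild\s*\(", html):
        findings["script_self_removal"] = True
    pw = cleartext_password_inputs(html)
    if pw:
        findings["cleartext_password_fields"] = pw
    # long Hangul runs on a page that does not declare Korean content
    runs = HANGUL_RUN.findall(html)
    if runs and not page_lang(html).startswith("ko"):
        findings["hangul_filler_chars"] = sum(len(r) for r in runs)
    return findings


if __name__ == "__main__":
    for name, evidence in triage(SAMPLE_HTML).items():
        print(f"{name}: {evidence}")
```

Running it against the constructed sample reports all four indicators, including the decoded base64 payload, which is the fastest way to see what a kit actually renders without executing its script.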
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Directory created: C:\Program Files\Google\Chrome\Application\Dictionaries
Source: unknown | HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.18:50073 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.18:50076 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.18:50080 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.18:50086 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.18:50090 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.18:50089 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.18:50095 version: TLS 1.2
Source: excel.exe | Memory has grown: Private usage: 24MB later: 43MB
Source: chrome.exe | Memory has grown: Private usage: 6MB later: 30MB
Source: firefox.exe | Memory has grown: Private usage: 1MB later: 96MB
Source: unknown | Network traffic detected: DNS query count 41
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.18:50013 -> 13.107.246.60:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.18:50033 -> 13.107.246.60:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.18:50032 -> 13.107.246.60:443
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (16 identical entries)
Source: unknown | TCP traffic detected without corresponding DNS query: 40.126.32.140 (8 identical entries)
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (21 identical entries)
Source: unknown | TCP traffic detected without corresponding DNS query: 40.126.32.140
Source: unknown | TCP traffic detected without corresponding DNS query: 184.30.131.245
Source: unknown | TCP traffic detected without corresponding DNS query: 40.126.32.140
Source: unknown | TCP traffic detected without corresponding DNS query: 184.30.131.245
Source: unknown | TCP traffic detected without corresponding DNS query: 23.199.214.10
Source: global traffic | HTTP traffic detected: GET /67b5bc1a1a5964e3bafd5939 HTTP/1.1 | Host: form.questionscout.com | Connection: keep-alive | sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" | sec-ch-ua-mobile: ?0 | sec-ch-ua-platform: "Windows" | Upgrade-Insecure-Requests: 1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Sec-Fetch-Site: none | Sec-Fetch-Mode: navigate | Sec-Fetch-User: ?1 | Sec-Fetch-Dest: document | Accept-Encoding: gzip, deflate, br | Accept-Language: en-US,en;q=0.9
Source: global traffic | HTTP traffic detected: GET /static/css/bundle.463f0bf5.css HTTP/1.1 | Host: form.questionscout.com | Connection: keep-alive | sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" | sec-ch-ua-mobile: ?0 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 | sec-ch-ua-platform: "Windows" | Accept: text/css,*/*;q=0.1 | Sec-Fetch-Site: same-origin | Sec-Fetch-Mode: no-cors | Sec-Fetch-Dest: style | Referer: https://form.questionscout.com/67b5bc1a1a5964e3bafd5939 | Accept-Encoding: gzip, deflate, br | Accept-Language: en-US,en;q=0.9
Source: global traffic | HTTP traffic detected: GET /static/js/bundle.bff5e9a1.js HTTP/1.1 | Host: form.questionscout.com | Connection: keep-alive | sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" | sec-ch-ua-mobile: ?0 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 | sec-ch-ua-platform: "Windows" | Accept: */* | Sec-Fetch-Site: same-origin | Sec-Fetch-Mode: no-cors | Sec-Fetch-Dest: script | Referer: https://form.questionscout.com/67b5bc1a1a5964e3bafd5939 | Accept-Encoding: gzip, deflate, br | Accept-Language: en-US,en;q=0.9
Source: global traffic | HTTP traffic detected: GET /forms-images/67b5bc1a1a5964e3bafd5939/67b5bc6feed07f5e995ab5b4.jpeg?hash=1739963505380 HTTP/1.1 | Host: d3djdih2k2vfi2.cloudfront.net | Connection: keep-alive | sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" | sec-ch-ua-mobile: ?0 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 | sec-ch-ua-platform: "Windows" | Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8 | Sec-Fetch-Site: cross-site | Sec-Fetch-Mode: no-cors | Sec-Fetch-Dest: image | Referer: https://form.questionscout.com/ | Accept-Encoding: gzip, deflate, br | Accept-Language: en-US,en;q=0.9
Source: global traffic | HTTP traffic detected: GET /forms-images/67b5bc1a1a5964e3bafd5939/67b5bd6eeed07f5e995ab5cd.jpeg?hash=1739963759895 HTTP/1.1 | Host: d3djdih2k2vfi2.cloudfront.net | Connection: keep-alive | sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" | sec-ch-ua-mobile: ?0 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 | sec-ch-ua-platform: "Windows" | Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8 | Sec-Fetch-Site: cross-site | Sec-Fetch-Mode: no-cors | Sec-Fetch-Dest: image | Referer: https://form.questionscout.com/ | Accept-Encoding: gzip, deflate, br | Accept-Language: en-US,en;q=0.9
Source: global traffic | HTTP traffic detected: GET /static/js/bundle.bff5e9a1.js HTTP/1.1 | Host: form.questionscout.com | Connection: keep-alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 | Accept: */* | Sec-Fetch-Site: none | Sec-Fetch-Mode: cors | Sec-Fetch-Dest: empty | Accept-Encoding: gzip, deflate, br | Accept-Language: en-US,en;q=0.9
Source: global traffic | HTTP traffic detected: GET /forms-images/67b5bc1a1a5964e3bafd5939/67b5bc6feed07f5e995ab5b4.jpeg?hash=1739963505380 HTTP/1.1 | Host: d3djdih2k2vfi2.cloudfront.net | Connection: keep-alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 | Accept: */* | Sec-Fetch-Site: none | Sec-Fetch-Mode: cors | Sec-Fetch-Dest: empty | Accept-Encoding: gzip, deflate, br | Accept-Language: en-US,en;q=0.9
Source: global traffic | HTTP traffic detected: GET /forms-images/67b5bc1a1a5964e3bafd5939/67b5bd6eeed07f5e995ab5cd.jpeg?hash=1739963759895 HTTP/1.1 | Host: d3djdih2k2vfi2.cloudfront.net | Connection: keep-alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 | Accept: */* | Sec-Fetch-Site: none | Sec-Fetch-Mode: cors | Sec-Fetch-Dest: empty | Accept-Encoding: gzip, deflate, br | Accept-Language: en-US,en;q=0.9
Source: global traffic | HTTP traffic detected: GET /socket.io/?fingerprint=be9ae3c9e5dfc39574592ff51220972d&EIO=3&transport=polling&t=PL3AI35 HTTP/1.1 | Host: formapi.questionscout.com | Connection: keep-alive | sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" | Accept: */* | sec-ch-ua-mobile: ?0 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 | sec-ch-ua-platform: "Windows" | Origin: https://form.questionscout.com | Sec-Fetch-Site: same-site | Sec-Fetch-Mode: cors | Sec-Fetch-Dest: empty | Referer: https://form.questionscout.com/ | Accept-Encoding: gzip, deflate, br | Accept-Language: en-US,en;q=0.9
Source: global traffic | HTTP traffic detected: GET /json/697de680-a737-11ea-9820-af05f4014d91 HTTP/1.1 | Host: geolocation-db.com | Connection: keep-alive | sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" | Accept: application/json, text/plain, */* | sec-ch-ua-mobile: ?0 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 | sec-ch-ua-platform: "Windows" | Origin: https://form.questionscout.com | Sec-Fetch-Site: cross-site | Sec-Fetch-Mode: cors | Sec-Fetch-Dest: empty | Referer: https://form.questionscout.com/ | Accept-Encoding: gzip, deflate, br | Accept-Language: en-US,en;q=0.9
Source: global traffic | HTTP traffic detected: GET /socket.io/?fingerprint=be9ae3c9e5dfc39574592ff51220972d&EIO=3&transport=websocket&sid=fVfAyaUcPj82aSexBcn3 HTTP/1.1 | Host: formapi.questionscout.com | Connection: Upgrade | Pragma: no-cache | Cache-Control: no-cache | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 | Upgrade: websocket | Origin: https://form.questionscout.com | Sec-WebSocket-Version: 13 | Accept-Encoding: gzip, deflate, br | Accept-Language: en-US,en;q=0.9 | Cookie: io=fVfAyaUcPj82aSexBcn3 | Sec-WebSocket-Key: BLa3tHvm8+oT+2dWD5I91g== | Sec-WebSocket-Extensions: permessage-deflate; client_max_window_bits
Source: global traffic | HTTP traffic detected: GET /socket.io/?fingerprint=be9ae3c9e5dfc39574592ff51220972d&EIO=3&transport=polling&t=PL3AIGY&sid=fVfAyaUcPj82aSexBcn3 HTTP/1.1 | Host: formapi.questionscout.com | Connection: keep-alive | sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" | Accept: */* | sec-ch-ua-mobile: ?0 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 | sec-ch-ua-platform: "Windows" | Origin: https://form.questionscout.com | Sec-Fetch-Site: same-site | Sec-Fetch-Mode: cors | Sec-Fetch-Dest: empty | Referer: https://form.questionscout.com/ | Accept-Encoding: gzip, deflate, br | Accept-Language: en-US,en;q=0.9 | Cookie: io=fVfAyaUcPj82aSexBcn3
Source: global traffic | HTTP traffic detected: GET /favicon.ico HTTP/1.1 | Host: form.questionscout.com | Connection: keep-alive | sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" | sec-ch-ua-mobile: ?0 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 | sec-ch-ua-platform: "Windows" | Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8 | Sec-Fetch-Site: same-origin | Sec-Fetch-Mode: no-cors | Sec-Fetch-Dest: image | Referer: https://form.questionscout.com/67b5bc1a1a5964e3bafd5939 | Accept-Encoding: gzip, deflate, br | Accept-Language: en-US,en;q=0.9
Source: global traffic | HTTP traffic detected: GET /socket.io/?fingerprint=be9ae3c9e5dfc39574592ff51220972d&EIO=3&transport=polling&t=PL3AI35 HTTP/1.1 | Host: formapi.questionscout.com | Connection: keep-alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 | Accept: */* | Sec-Fetch-Site: none | Sec-Fetch-Mode: cors | Sec-Fetch-Dest: empty | Accept-Encoding: gzip, deflate, br | Accept-Language: en-US,en;q=0.9 | Cookie: io=fVfAyaUcPj82aSexBcn3
Source: global traffic | HTTP traffic detected: GET /json/697de680-a737-11ea-9820-af05f4014d91 HTTP/1.1 | Host: geolocation-db.com | Connection: keep-alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 | Accept: */* | Sec-Fetch-Site: none | Sec-Fetch-Mode: cors | Sec-Fetch-Dest: empty | Accept-Encoding: gzip, deflate, br | Accept-Language: en-US,en;q=0.9
Source: global traffic | HTTP traffic detected: GET /favicon.ico HTTP/1.1 | Host: form.questionscout.com | Connection: keep-alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 | Accept: */* | Sec-Fetch-Site: none | Sec-Fetch-Mode: cors | Sec-Fetch-Dest: empty | Accept-Encoding: gzip, deflate, br | Accept-Language: en-US,en;q=0.9
Source: global traffic | HTTP traffic detected: GET /socket.io/?fingerprint=be9ae3c9e5dfc39574592ff51220972d&EIO=3&transport=polling&t=PL3AONN&sid=fVfAyaUcPj82aSexBcn3 HTTP/1.1 | Host: formapi.questionscout.com | Connection: keep-alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 | Accept: */* | Sec-Fetch-Site: none | Sec-Fetch-Mode: cors | Sec-Fetch-Dest: empty | Accept-Encoding: gzip, deflate, br | Accept-Language: en-US,en;q=0.9 | Cookie: io=fVfAyaUcPj82aSexBcn3
Source: global traffic | HTTP traffic detected: GET /socket.io/?fingerprint=be9ae3c9e5dfc39574592ff51220972d&EIO=3&transport=polling&t=PL3AIGY&sid=fVfAyaUcPj82aSexBcn3 HTTP/1.1 | Host: formapi.questionscout.com | Connection: keep-alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 | Accept: */* | Sec-Fetch-Site: none | Sec-Fetch-Mode: cors | Sec-Fetch-Dest: empty | Accept-Encoding: gzip, deflate, br | Accept-Language: en-US,en;q=0.9 | Cookie: io=fVfAyaUcPj82aSexBcn3
Source: global traffic | HTTP traffic detected: GET /socket.io/?fingerprint=be9ae3c9e5dfc39574592ff51220972d&EIO=3&transport=polling&t=PL3AOWP&sid=fVfAyaUcPj82aSexBcn3 HTTP/1.1 | Host: formapi.questionscout.com | Connection: keep-alive | sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" | Accept: */* | sec-ch-ua-mobile: ?0 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 | sec-ch-ua-platform: "Windows" | Origin: https://form.questionscout.com | Sec-Fetch-Site: same-site | Sec-Fetch-Mode: cors | Sec-Fetch-Dest: empty | Referer: https://form.questionscout.com/ | Accept-Encoding: gzip, deflate, br | Accept-Language: en-US,en;q=0.9 | Cookie: io=fVfAyaUcPj82aSexBcn3
Source: global traffic | HTTP traffic detected: GET /socket.io/?fingerprint=be9ae3c9e5dfc39574592ff51220972d&EIO=3&transport=polling&t=PL3AOtv HTTP/1.1 | Host: formapi.questionscout.com | Connection: keep-alive | sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" | Accept: */* | sec-ch-ua-mobile: ?0 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 | sec-ch-ua-platform: "Windows" | Origin: https://form.questionscout.com | Sec-Fetch-Site: same-site | Sec-Fetch-Mode: cors | Sec-Fetch-Dest: empty | Referer: https://form.questionscout.com/ | Accept-Encoding: gzip, deflate, br | Accept-Language: en-US,en;q=0.9 | Cookie: io=fVfAyaUcPj82aSexBcn3
Source: global traffic | HTTP traffic detected: GET /socket.io/?fingerprint=be9ae3c9e5dfc39574592ff51220972d&EIO=3&transport=polling&t=PL3AOtv HTTP/1.1 | Host: formapi.questionscout.com | Connection: keep-alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 | Accept: */* | Sec-Fetch-Site: none | Sec-Fetch-Mode: cors | Sec-Fetch-Dest: empty | Accept-Encoding: gzip, deflate, br | Accept-Language: en-US,en;q=0.9 | Cookie: io=XFvzjhYL5vOe0axTBcoF
Source: global traffic | HTTP traffic detected: GET /socket.io/?fingerprint=be9ae3c9e5dfc39574592ff51220972d&EIO=3&transport=polling&t=PL3AP4T&sid=XFvzjhYL5vOe0axTBcoF HTTP/1.1 | Host: formapi.questionscout.com | Connection: keep-alive | sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" | Accept: */* | sec-ch-ua-mobile: ?0 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 | sec-ch-ua-platform: "Windows" | Origin: https://form.questionscout.com | Sec-Fetch-Site: same-site | Sec-Fetch-Mode: cors | Sec-Fetch-Dest: empty | Referer: https://form.questionscout.com/ | Accept-Encoding: gzip, deflate, br | Accept-Language: en-US,en;q=0.9 | Cookie: io=XFvzjhYL5vOe0axTBcoF
Source: global traffic | HTTP traffic detected: GET /socket.io/?fingerprint=be9ae3c9e5dfc39574592ff51220972d&EIO=3&transport=websocket&sid=XFvzjhYL5vOe0axTBcoF HTTP/1.1 | Host: formapi.questionscout.com | Connection: Upgrade | Pragma: no-cache | Cache-Control: no-cache | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 | Upgrade: websocket | Origin: https://form.questionscout.com | Sec-WebSocket-Version: 13 | Accept-Encoding: gzip, deflate, br | Accept-Language: en-US,en;q=0.9 | Cookie: io=XFvzjhYL5vOe0axTBcoF | Sec-WebSocket-Key: EqLKuDmHFMS8zkMckOSCJg== | Sec-WebSocket-Extensions: permessage-deflate; client_max_window_bits
Source: global traffic | HTTP traffic detected: GET /rules/excel.exe-Production-v19.bundle HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro) | Host: otelrules.svc.static.microsoft
Source: global traffic | HTTP traffic detected: GET /socket.io/?fingerprint=be9ae3c9e5dfc39574592ff51220972d&EIO=3&transport=polling&t=PL3AQD8&sid=XFvzjhYL5vOe0axTBcoF HTTP/1.1 | Host: formapi.questionscout.com | Connection: keep-alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 | Accept: */* | Sec-Fetch-Site: none | Sec-Fetch-Mode: cors | Sec-Fetch-Dest: empty | Accept-Encoding: gzip, deflate, br | Accept-Language: en-US,en;q=0.9 | Cookie: io=XFvzjhYL5vOe0axTBcoF
Source: global traffic | HTTP traffic detected: GET /socket.io/?fingerprint=be9ae3c9e5dfc39574592ff51220972d&EIO=3&transport=polling&t=PL3AP4T&sid=XFvzjhYL5vOe0axTBcoF HTTP/1.1 | Host: formapi.questionscout.com | Connection: keep-alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 | Accept: */* | Sec-Fetch-Site: none | Sec-Fetch-Mode: cors | Sec-Fetch-Dest: empty | Accept-Encoding: gzip, deflate, br | Accept-Language: en-US,en;q=0.9 | Cookie: io=XFvzjhYL5vOe0axTBcoF
Source: global traffic | HTTP traffic detected: GET /api/forms/67b5bc1a1a5964e3bafd5939/submissions HTTP/1.1 | Host: formapi.questionscout.com | Connection: keep-alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 | Accept: */* | Sec-Fetch-Site: none | Sec-Fetch-Mode: cors | Sec-Fetch-Dest: empty | Accept-Encoding: gzip, deflate, br | Accept-Language: en-US,en;q=0.9 | Cookie: io=XFvzjhYL5vOe0axTBcoF
Source: global traffic | HTTP traffic detected: GET /chiTL/ HTTP/1.1 | Host: rvxp.ulayetand.ru | Connection: keep-alive | sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" | sec-ch-ua-mobile: ?0 | sec-ch-ua-platform: "Windows" | Upgrade-Insecure-Requests: 1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Sec-Fetch-Site: cross-site | Sec-Fetch-Mode: navigate | Sec-Fetch-User: ?1 | Sec-Fetch-Dest: document | Referer: https://form.questionscout.com/ | Accept-Encoding: gzip, deflate, br | Accept-Language: en-US,en;q=0.9
Source: global traffic | HTTP traffic detected: GET /socket.io/?fingerprint=be9ae3c9e5dfc39574592ff51220972d&EIO=3&transport=polling&t=PL3AQs6 HTTP/1.1 | Host: formapi.questionscout.com | Connection: keep-alive | sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" | Accept: */* | sec-ch-ua-mobile: ?0 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 | sec-ch-ua-platform: "Windows" | Origin: https://form.questionscout.com | Sec-Fetch-Site: same-site | Sec-Fetch-Mode: cors | Sec-Fetch-Dest: empty | Referer: https://form.questionscout.com/ | Accept-Encoding: gzip, deflate, br | Accept-Language: en-US,en;q=0.9 | Cookie: io=XFvzjhYL5vOe0axTBcoF
Source: global traffic | HTTP traffic detected: GET /socket.io/?fingerprint=be9ae3c9e5dfc39574592ff51220972d&EIO=3&transport=polling&t=PL3AQs6 HTTP/1.1 | Host: formapi.questionscout.com | Connection: keep-alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 | Accept: */* | Sec-Fetch-Site: none | Sec-Fetch-Mode: cors | Sec-Fetch-Dest: empty | Accept-Encoding: gzip, deflate, br | Accept-Language: en-US,en;q=0.9 | Cookie: io=m3IXXcqwadf2wE3ABcoJ
Source: global traffic | HTTP traffic detected: GET /turnstile/v0/api.js?onload=onloadTurnstileCallback HTTP/1.1 | Host: challenges.cloudflare.com | Connection: keep-alive | sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" | sec-ch-ua-mobile: ?0 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 | Intervention: <https://www.chromestatus.com/feature/5718547946799104>; level="warning" | sec-ch-ua-platform: "Windows" | Accept: */* | Sec-Fetch-Site: cross-site | Sec-Fetch-Mode: no-cors | Sec-Fetch-Dest: script | Referer: https://rvxp.ulayetand.ru/ | Accept-Encoding: gzip, deflate, br | Accept-Language: en-US,en;q=0.9
Source: global traffic | HTTP traffic detected: GET /jquery-3.6.0.min.js HTTP/1.1 | Host: code.jquery.com | Connection: keep-alive | sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" | sec-ch-ua-mobile: ?0 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 | Intervention: <https://www.chromestatus.com/feature/5718547946799104>; level="warning" | sec-ch-ua-platform: "Windows" | Accept: */* | Sec-Fetch-Site: cross-site | Sec-Fetch-Mode: no-cors | Sec-Fetch-Dest: script | Referer: https://rvxp.ulayetand.ru/ | Accept-Encoding: gzip, deflate, br | Accept-Language: en-US,en;q=0.9
Source: global traffic | HTTP traffic detected: GET /ajax/libs/crypto-js/4.1.1/crypto-js.min.js HTTP/1.1 | Host: cdnjs.cloudflare.com | Connection: keep-alive | sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" | sec-ch-ua-mobile: ?0 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 | Intervention: <https://www.chromestatus.com/feature/5718547946799104>; level="warning" | sec-ch-ua-platform: "Windows" | Accept: */* | Sec-Fetch-Site: cross-site | Sec-Fetch-Mode: no-cors | Sec-Fetch-Dest: script | Referer: https://rvxp.ulayetand.ru/ | Accept-Encoding: gzip, deflate, br | Accept-Language: en-US,en;q=0.9
            Source: global trafficHTTP traffic detected: GET /turnstile/v0/b/b0e4a89976ce/api.js HTTP/1.1Host: challenges.cloudflare.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Intervention: <https://www.chromestatus.com/feature/5718547946799104>; level="warning"sec-ch-ua-platform: "Windows"Accept: */*Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://rvxp.ulayetand.ru/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
            Source: global trafficHTTP traffic detected: GET /ajax/libs/crypto-js/4.1.1/crypto-js.min.js HTTP/1.1Host: cdnjs.cloudflare.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
            Source: global trafficHTTP traffic detected: GET /jquery-3.6.0.min.js HTTP/1.1Host: code.jquery.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
            Source: global trafficHTTP traffic detected: GET /rules/rule120607v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)Host: otelrules.svc.static.microsoft
            Source: global trafficHTTP traffic detected: GET /rules/rule120603v8s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)Host: otelrules.svc.static.microsoft
            Source: global trafficHTTP traffic detected: GET /turnstile/v0/b/b0e4a89976ce/api.js HTTP/1.1Host: challenges.cloudflare.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
            Source: global trafficHTTP traffic detected: GET /favicon.png HTTP/1.1Host: developers.cloudflare.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://rvxp.ulayetand.ru/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
            Source: global trafficHTTP traffic detected: GET /favicon.png HTTP/1.1Host: developers.cloudflare.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: __cf_bm=TIpM2jJK3NbXHK1H4BC11jV2BVPrEbClboNgMgvZtOg-1740588563-1.0.1.1-MamN2kQMQkf4ri2bZ.dosHsTvipYHuZFLVHZlHN.KipHA9I80emNBv0jb.t0EJBdx9kuitM8YGbQfVhaho_65g
            Source: global trafficHTTP traffic detected: GET /loray@oj8yeb HTTP/1.1Host: tl5v.aldfphv.ruConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: */*Origin: https://rvxp.ulayetand.ruSec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://rvxp.ulayetand.ru/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
            Source: global trafficHTTP traffic detected: GET /loray@oj8yeb HTTP/1.1Host: tl5v.aldfphv.ruConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
            Source: global trafficHTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIu2yQEIprbJAQipncoBCOvUygEI/IPLAQiUocsBCIWgzQEI3L3NAQjpxc0BCJLKzQEIucrNAQis0c0BCInTzQEI29PNAQj2080BCNLWzQEIp9jNAQjp2M0BCPnA1BUYwcvMARi50s0BGOuNpRc=Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
            Source: global trafficHTTP traffic detected: GET /socket.io/?fingerprint=be9ae3c9e5dfc39574592ff51220972d&EIO=3&transport=polling&t=PL3AW4Q HTTP/1.1Host: formapi.questionscout.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Accept: */*sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Origin: https://form.questionscout.comSec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://form.questionscout.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: io=06KYgk6FAx7JDwemBcoK
            Source: global trafficHTTP traffic detected: GET /socket.io/?fingerprint=be9ae3c9e5dfc39574592ff51220972d&EIO=3&transport=websocket&sid=0yr0gs2DLxqJJEqPBcoS HTTP/1.1Host: formapi.questionscout.comConnection: UpgradePragma: no-cacheCache-Control: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Upgrade: websocketOrigin: https://form.questionscout.comSec-WebSocket-Version: 13Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: io=0yr0gs2DLxqJJEqPBcoSSec-WebSocket-Key: PwsLuEFmAPq33+Uz/EDvZQ==Sec-WebSocket-Extensions: permessage-deflate; client_max_window_bits
            Source: global trafficHTTP traffic detected: GET /socket.io/?fingerprint=be9ae3c9e5dfc39574592ff51220972d&EIO=3&transport=polling&t=PL3AWDb.0&sid=0yr0gs2DLxqJJEqPBcoS HTTP/1.1Host: formapi.questionscout.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Accept: */*sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Origin: https://form.questionscout.comSec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://form.questionscout.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: io=0yr0gs2DLxqJJEqPBcoS
            Source: global trafficHTTP traffic detected: GET /socket.io/?fingerprint=be9ae3c9e5dfc39574592ff51220972d&EIO=3&transport=polling&t=PL3AW4Q HTTP/1.1Host: formapi.questionscout.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: io=0yr0gs2DLxqJJEqPBcoS
            Source: global trafficHTTP traffic detected: GET /socket.io/?fingerprint=be9ae3c9e5dfc39574592ff51220972d&EIO=3&transport=polling&t=PL3AWDb&sid=0yr0gs2DLxqJJEqPBcoS HTTP/1.1Host: formapi.questionscout.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: io=0yr0gs2DLxqJJEqPBcoS
            Source: global trafficHTTP traffic detected: GET /socket.io/?fingerprint=be9ae3c9e5dfc39574592ff51220972d&EIO=3&transport=polling&t=PL3AWDb.0&sid=0yr0gs2DLxqJJEqPBcoS HTTP/1.1Host: formapi.questionscout.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: io=0yr0gs2DLxqJJEqPBcoS
            Source: global trafficHTTP traffic detected: GET /socket.io/?fingerprint=be9ae3c9e5dfc39574592ff51220972d&EIO=3&transport=polling&t=PL3AWlT HTTP/1.1Host: formapi.questionscout.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Accept: */*sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Origin: https://form.questionscout.comSec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://form.questionscout.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: io=0yr0gs2DLxqJJEqPBcoS
            Source: global trafficHTTP traffic detected: GET /socket.io/?fingerprint=be9ae3c9e5dfc39574592ff51220972d&EIO=3&transport=polling&t=PL3AWlT HTTP/1.1Host: formapi.questionscout.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: io=61st3feMSUzIelsPBcoV
            Source: global trafficHTTP traffic detected: GET /socket.io/?fingerprint=be9ae3c9e5dfc39574592ff51220972d&EIO=3&transport=websocket&sid=61st3feMSUzIelsPBcoV HTTP/1.1Host: formapi.questionscout.comConnection: UpgradePragma: no-cacheCache-Control: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Upgrade: websocketOrigin: https://form.questionscout.comSec-WebSocket-Version: 13Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: io=61st3feMSUzIelsPBcoVSec-WebSocket-Key: RB1B/ZuU5bfO/H2H+RwKKw==Sec-WebSocket-Extensions: permessage-deflate; client_max_window_bits
            Source: global trafficHTTP traffic detected: GET /socket.io/?fingerprint=be9ae3c9e5dfc39574592ff51220972d&EIO=3&transport=polling&t=PL3AWut&sid=61st3feMSUzIelsPBcoV HTTP/1.1Host: formapi.questionscout.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Accept: */*sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Origin: https://form.questionscout.comSec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://form.questionscout.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: io=61st3feMSUzIelsPBcoV
            Source: global trafficHTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
            Source: global trafficHTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
            Source: global trafficHTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
            Source: global trafficHTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
            Source: global trafficHTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
            Source: global trafficHTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
            Source: global trafficHTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
            Source: global trafficHTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
            Source: global trafficHTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
            Source: global trafficHTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
            Source: global trafficHTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
            Source: global trafficHTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
            Source: global trafficHTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
            Source: global trafficHTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
            Source: global trafficHTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
            Source: global trafficHTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
            Source: global trafficHTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
            Source: global trafficHTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49898
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50029
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50028
            Source: unknownNetwork traffic detected: HTTP traffic on port 50035 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 50008 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49891
            Source: unknownNetwork traffic detected: HTTP traffic on port 49696 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 50014 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50021
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50020
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50023
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50022
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50025
            Source: unknownNetwork traffic detected: HTTP traffic on port 50095 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50024
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50027
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50026
            Source: unknownNetwork traffic detected: HTTP traffic on port 49911 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 50046 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 50021 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50030
            Source: unknownNetwork traffic detected: HTTP traffic on port 50029 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 50084 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49921
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49920
            Source: unknownNetwork traffic detected: HTTP traffic on port 50086 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50039
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49885
            Source: unknownNetwork traffic detected: HTTP traffic on port 49863 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49884
            Source: unknownNetwork traffic detected: HTTP traffic on port 50063 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 50011 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 50019 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50031
            Source: unknownNetwork traffic detected: HTTP traffic on port 49693 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 50092 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50034
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50036
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50035
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50037
            Source: unknownNetwork traffic detected: HTTP traffic on port 50050 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49914 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 50047 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 50005 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50041
            Source: unknownNetwork traffic detected: HTTP traffic on port 50024 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49914
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49913
            Source: unknownNetwork traffic detected: HTTP traffic on port 50083 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 50089 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49911
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49910
            Source: unknownNetwork traffic detected: HTTP traffic on port 49891 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49875
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49874
            Source: unknownNetwork traffic detected: HTTP traffic on port 50016 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 50041 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50043
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50042
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50045
            Source: unknownNetwork traffic detected: HTTP traffic on port 49874 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50047
            Source: unknownNetwork traffic detected: HTTP traffic on port 49899 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50046
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50049
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50048
            Source: unknownNetwork traffic detected: HTTP traffic on port 50072 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50050
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49909
            Source: unknownNetwork traffic detected: HTTP traffic on port 50027 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 50030 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50052
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50051
            Source: unknownNetwork traffic detected: HTTP traffic on port 49920 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49903
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49902
            Source: unknownNetwork traffic detected: HTTP traffic on port 49903 -> 443
            [Source: unknown] HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.18:50073 version: TLS 1.2
            [Source: unknown] HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.18:50076 version: TLS 1.2
            [Source: unknown] HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.18:50080 version: TLS 1.2
            [Source: unknown] HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.18:50086 version: TLS 1.2
            [Source: unknown] HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.18:50090 version: TLS 1.2
            [Source: unknown] HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.18:50089 version: TLS 1.2
            [Source: unknown] HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.18:50095 version: TLS 1.2
            [Source: classification engine] Classification label: mal84.phis.winXLSX@31/11@100/362
            [Source: C:\Program Files\Google\Chrome\Application\chrome.exe] File created: C:\Program Files\Google\Chrome\Application\Dictionaries
            [Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE] File created: C:\Users\user\Desktop\~$REMITTANCE DETAILS....xlsx
            [Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE] File created: C:\Users\user\AppData\Local\Temp\{B76076E8-A072-4B2F-95A4-AC6FF0232461} - OProcSessId.dat
            [Source: REMITTANCE DETAILS....xlsx] OLE indicator, Workbook stream: true
            [Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE] File read: C:\Users\desktop.ini
            [Source: unknown] Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\user\Desktop\REMITTANCE DETAILS....xlsx"
            [Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE] Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://form.questionscout.com/67b5bc1a1a5964e3bafd5939
            [Source: C:\Program Files\Google\Chrome\Application\chrome.exe] Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2072 --field-trial-handle=1984,i,3289712561575310774,16944066909727599253,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
            [Source: C:\Program Files\Google\Chrome\Application\chrome.exe] Process created: unknown unknown
            [Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE] Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288
            [Source: unknown] Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe"
            [Source: C:\Program Files\Mozilla Firefox\firefox.exe] Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe"
            [Source: C:\Program Files\Mozilla Firefox\firefox.exe] Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2304 -parentBuildID 20230927232528 -prefsHandle 2248 -prefMapHandle 2232 -prefsLen 25250 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e6b7dcc4-5f21-4fa8-9fbd-5a78401b259a} 3944 "\\.\pipe\gecko-crash-server-pipe.3944" 25f1396e510 socket
            [Source: C:\Program Files\Mozilla Firefox\firefox.exe] Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4056 -parentBuildID 20230927232528 -prefsHandle 4048 -prefMapHandle 4040 -prefsLen 25416 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7693232a-b44b-4380-8efc-bc41f6f1c2ea} 3944 "\\.\pipe\gecko-crash-server-pipe.3944" 25f244f5910 rdd
            [Source: C:\Program Files\Mozilla Firefox\firefox.exe] Process created: unknown unknown
            [Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE] Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{F39D01F3-69C1-45E1-93B2-7BF0BC6EB63E}\InprocServer32
            [Source: Window Recorder] Window detected: More than 3 window changes detected
            [Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE] Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common
            [Source: C:\Program Files\Google\Chrome\Application\chrome.exe] Directory created: C:\Program Files\Google\Chrome\Application\Dictionaries
            [Source: REMITTANCE DETAILS....xlsx] Initial sample: OLE indicators vbamacros = False
            [Source: C:\Program Files\Google\Chrome\Application\chrome.exe] File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
            [Source: C:\Program Files\Google\Chrome\Application\chrome.exe] File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk
            [Source: C:\Program Files\Google\Chrome\Application\chrome.exe] File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk
            [Source: C:\Program Files\Google\Chrome\Application\chrome.exe] File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk
            [Source: C:\Program Files\Google\Chrome\Application\chrome.exe] File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk
            [Source: C:\Program Files\Google\Chrome\Application\chrome.exe] File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk
            [Source: C:\Program Files\Google\Chrome\Application\chrome.exe] File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk
            [Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE] Process information set: NOOPENFILEERRORBOX
            [Source: C:\Windows\splwow64.exe] Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
            [Source: C:\Windows\splwow64.exe] Thread delayed: delay time: 120000
            [Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE] Process information queried: ProcessInformation
            MITRE ATT&CK matrix (the number before a technique is the count of matched signatures for it):
            Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names
            Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server
            Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts
            Execution: Windows Management Instrumentation, Scheduled Task/Job, At, Cron
            Persistence: 2 Browser Extensions, 1 Registry Run Keys / Startup Folder, Logon Script (Windows), Login Hook
            Privilege Escalation: 1 Process Injection, 1 Registry Run Keys / Startup Folder, 1 Extra Window Memory Injection, Login Hook
            Defense Evasion: 3 Masquerading, 1 Virtualization/Sandbox Evasion, 1 Process Injection, 1 Extra Window Memory Injection
            Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS
            Discovery: 1 Process Discovery, 1 Virtualization/Sandbox Evasion, 1 File and Directory Discovery, 1 System Information Discovery
            Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model
            Collection: Data from Local System, Data from Removable Media, Data from Network Shared Drive, Input Capture
            Command and Control: 1 Encrypted Channel, 3 Ingress Tool Transfer, 4 Non-Application Layer Protocol, 5 Application Layer Protocol
            Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication
            Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction

            No Antivirus matches
            Source | Detection | Scanner | Label | Link
            Name | IP | Active | Malicious | Antivirus Detection | Reputation
                                          3.225.14.119
                                          truefalse
                                            unknown
                                            prod.classify-client.prod.webservices.mozgcp.net
                                            35.190.72.216
                                            truefalse
                                              high
                                              prod.balrog.prod.cloudops.mozgcp.net
                                              35.244.181.201
                                              truefalse
                                                high
                                                twitter.com
                                                104.244.42.129
                                                truefalse
                                                  high
                                                  shavar.prod.mozaws.net
                                                  52.26.30.181
                                                  truefalse
                                                    high
                                                    d3djdih2k2vfi2.cloudfront.net
                                                    18.245.33.206
                                                    truefalse
                                                      high
                                                      dyna.wikimedia.org
                                                      185.15.59.224
                                                      truefalse
                                                        high
                                                        prod.remote-settings.prod.webservices.mozgcp.net
                                                        34.149.100.209
                                                        truefalse
                                                          high
                                                          youtube-ui.l.google.com
                                                          142.250.186.174
                                                          truefalse
                                                            high
                                                            reddit.map.fastly.net
                                                            151.101.65.140
                                                            truefalse
                                                              high
                                                              challenges.cloudflare.com
                                                              104.18.94.41
                                                              truefalse
                                                                high
                                                                rvxp.ulayetand.ru
                                                                104.21.48.1
                                                                truetrue
                                                                  unknown
                                                                  s-0005.dual-s-msedge.net
                                                                  52.123.128.14
                                                                  truefalse
                                                                    high
                                                                    questionscout-form-api-prod.us-east-1.elasticbeanstalk.com
                                                                    54.84.150.176
                                                                    truefalse
                                                                      unknown
                                                                      s-part-0032.t-0009.t-msedge.net
                                                                      13.107.246.60
                                                                      truefalse
                                                                        high
                                                                        telemetry-incoming.r53-2.services.mozilla.com
                                                                        34.120.208.123
                                                                        truefalse
                                                                          high
                                                                          form.questionscout.com
                                                                          unknown
                                                                          unknownfalse
                                                                            high
                                                                            www.reddit.com
                                                                            unknown
                                                                            unknownfalse
                                                                              high
                                                                              spocs.getpocket.com
                                                                              unknown
                                                                              unknownfalse
                                                                                high
                                                                                formapi.questionscout.com
                                                                                unknown
                                                                                unknownfalse
                                                                                  high
                                                                                  content-signature-2.cdn.mozilla.net
                                                                                  unknown
                                                                                  unknownfalse
                                                                                    high
                                                                                    support.mozilla.org
                                                                                    unknown
                                                                                    unknownfalse
                                                                                      high
                                                                                      otelrules.svc.static.microsoft
                                                                                      unknown
                                                                                      unknownfalse
                                                                                        high
                                                                                        firefox.settings.services.mozilla.com
                                                                                        unknown
                                                                                        unknownfalse
                                                                                          high
                                                                                          www.youtube.com
                                                                                          unknown
                                                                                          unknownfalse
                                                                                            high
                                                                                            www.facebook.com
                                                                                            unknown
                                                                                            unknownfalse
                                                                                              high
                                                                                              detectportal.firefox.com
                                                                                              unknown
                                                                                              unknownfalse
                                                                                                high
                                                                                                shavar.services.mozilla.com
                                                                                                unknown
                                                                                                unknownfalse
                                                                                                  high
                                                                                                  www.wikipedia.org
                                                                                                  unknown
                                                                                                  unknownfalse
                                                                                                    high
URLs contacted:

Name | Malicious | Antivirus Detection | Reputation
https://otelrules.svc.static.microsoft/rules/excel.exe-Production-v19.bundle | false | | high
https://formapi.questionscout.com/socket.io/?fingerprint=be9ae3c9e5dfc39574592ff51220972d&EIO=3&transport=websocket&sid=0yr0gs2DLxqJJEqPBcoS | false | Avira URL Cloud: safe | unknown
https://form.questionscout.com/67b5bc1a1a5964e3bafd5939 | true | | unknown
https://code.jquery.com/jquery-3.6.0.min.js | false | | high
https://geolocation-db.com/json/697de680-a737-11ea-9820-af05f4014d91 | false | Avira URL Cloud: safe | unknown
https://cdnjs.cloudflare.com/ajax/libs/crypto-js/4.1.1/crypto-js.min.js | false | | high
https://d3djdih2k2vfi2.cloudfront.net/forms-images/67b5bc1a1a5964e3bafd5939/67b5bd6eeed07f5e995ab5cd.jpeg?hash=1739963759895 | false | Avira URL Cloud: safe | unknown
https://formapi.questionscout.com/socket.io/?fingerprint=be9ae3c9e5dfc39574592ff51220972d&EIO=3&transport=polling&t=PL3AWlT | false | Avira URL Cloud: safe | unknown
https://otelrules.svc.static.microsoft/rules/rule120607v1s19.xml | false | | high
https://formapi.questionscout.com/socket.io/?fingerprint=be9ae3c9e5dfc39574592ff51220972d&EIO=3&transport=websocket&sid=61st3feMSUzIelsPBcoV | false | Avira URL Cloud: safe | unknown
https://formapi.questionscout.com/socket.io/?fingerprint=be9ae3c9e5dfc39574592ff51220972d&EIO=3&transport=polling&t=PL3AONN&sid=fVfAyaUcPj82aSexBcn3 | false | Avira URL Cloud: safe | unknown
https://d3djdih2k2vfi2.cloudfront.net/forms-images/67b5bc1a1a5964e3bafd5939/67b5bc6feed07f5e995ab5b4.jpeg?hash=1739963505380 | false | Avira URL Cloud: safe | unknown
https://formapi.questionscout.com/socket.io/?fingerprint=be9ae3c9e5dfc39574592ff51220972d&EIO=3&transport=polling&t=PL3AWut&sid=61st3feMSUzIelsPBcoV | false | Avira URL Cloud: safe | unknown
https://challenges.cloudflare.com/turnstile/v0/api.js?onload=onloadTurnstileCallback | false | | high
https://form.questionscout.com/static/js/bundle.bff5e9a1.js | false | Avira URL Cloud: safe | unknown
https://www.google.com/complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw | false | | high
https://formapi.questionscout.com/socket.io/?fingerprint=be9ae3c9e5dfc39574592ff51220972d&EIO=3&transport=polling&t=PL3AOtv | false | Avira URL Cloud: safe | unknown
https://formapi.questionscout.com/api/forms/67b5bc1a1a5964e3bafd5939/submissions | false | Avira URL Cloud: safe | unknown
https://formapi.questionscout.com/socket.io/?fingerprint=be9ae3c9e5dfc39574592ff51220972d&EIO=3&transport=websocket&sid=fVfAyaUcPj82aSexBcn3 | false | Avira URL Cloud: safe | unknown
https://formapi.questionscout.com/socket.io/?fingerprint=be9ae3c9e5dfc39574592ff51220972d&EIO=3&transport=websocket&sid=XFvzjhYL5vOe0axTBcoF | false | Avira URL Cloud: safe | unknown
https://form.questionscout.com/favicon.ico | false | Avira URL Cloud: safe | unknown
https://formapi.questionscout.com/socket.io/?fingerprint=be9ae3c9e5dfc39574592ff51220972d&EIO=3&transport=polling&t=PL3AWDb.0&sid=0yr0gs2DLxqJJEqPBcoS | false | Avira URL Cloud: safe | unknown
https://form.questionscout.com/static/css/bundle.463f0bf5.css | false | Avira URL Cloud: safe | unknown
https://developers.cloudflare.com/favicon.png | false | | high
https://formapi.questionscout.com/socket.io/?fingerprint=be9ae3c9e5dfc39574592ff51220972d&EIO=3&transport=polling&t=PL3AP4T&sid=XFvzjhYL5vOe0axTBcoF | false | Avira URL Cloud: safe | unknown
https://otelrules.svc.static.microsoft/rules/rule120603v8s19.xml | false | | high
http://detectportal.firefox.com/canonical.html | false | | high
https://formapi.questionscout.com/socket.io/?fingerprint=be9ae3c9e5dfc39574592ff51220972d&EIO=3&transport=polling&t=PL3AWDb&sid=0yr0gs2DLxqJJEqPBcoS | false | Avira URL Cloud: safe | unknown
https://formapi.questionscout.com/socket.io/?fingerprint=be9ae3c9e5dfc39574592ff51220972d&EIO=3&transport=polling&t=PL3AI35 | false | Avira URL Cloud: safe | unknown
https://formapi.questionscout.com/socket.io/?fingerprint=be9ae3c9e5dfc39574592ff51220972d&EIO=3&transport=polling&t=PL3AIGY&sid=fVfAyaUcPj82aSexBcn3 | false | Avira URL Cloud: safe | unknown
https://formapi.questionscout.com/socket.io/?fingerprint=be9ae3c9e5dfc39574592ff51220972d&EIO=3&transport=polling&t=PL3AQD8&sid=XFvzjhYL5vOe0axTBcoF | false | Avira URL Cloud: safe | unknown
https://formapi.questionscout.com/socket.io/?fingerprint=be9ae3c9e5dfc39574592ff51220972d&EIO=3&transport=polling&t=PL3AOWP&sid=fVfAyaUcPj82aSexBcn3 | false | Avira URL Cloud: safe | unknown
https://formapi.questionscout.com/socket.io/?fingerprint=be9ae3c9e5dfc39574592ff51220972d&EIO=3&transport=polling&t=PL3AOj9&sid=fVfAyaUcPj82aSexBcn3 | false | Avira URL Cloud: safe | unknown
https://tl5v.aldfphv.ru/loray@oj8yeb | false | Avira URL Cloud: safe | unknown
https://formapi.questionscout.com/socket.io/?fingerprint=be9ae3c9e5dfc39574592ff51220972d&EIO=3&transport=polling&t=PL3AQs6 | false | Avira URL Cloud: safe | unknown
https://formapi.questionscout.com/socket.io/?fingerprint=be9ae3c9e5dfc39574592ff51220972d&EIO=3&transport=polling&t=PL3AW4Q | false | Avira URL Cloud: safe | unknown
http://detectportal.firefox.com/success.txt?ipv4 | false | | high
https://challenges.cloudflare.com/turnstile/v0/b/b0e4a89976ce/api.js | false | | high
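The domain, URL and IP tables in this report are where the actionable indicators live, but they are easy to misread once the HTML has been flattened: the Active and Malicious booleans fuse into tokens like "truefalse", the domain fuses with the country, and the ASN number, ASN name and Malicious flag fuse into one string. Note also that an Avira "safe" verdict is not a clean bill: https://tl5v.aldfphv.ru/loray@oj8yeb is "safe" per Avira yet the host has no reputation, the landing form https://form.questionscout.com/67b5bc1a1a5964e3bafd5939 is marked malicious while every socket.io call to the same service is "safe", and most of the Mozilla, Microsoft and Google rows are the kind of browser and OS background traffic an analysis VM produces on its own. The script below is an added example, not part of the Joe Sandbox report: it parses a few rows copied from the report's domain and IP/ASN tables (constructed sample input, exactly as they appear after extraction) into typed records and applies a triage policy of this example's choosing, flagging anything the sandbox marks malicious plus resolved hosts with unknown reputation. The split between hostname and country assumes lowercase hostnames and a capitalised country name, which is how the report renders both columns.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: rows copied from this report's domain table in the flattened
# form the HTML extraction leaves behind. Four lines per record: name, IP, the fused
# Active+Malicious booleans, reputation.
DOMAIN_ROWS = """\
tl5v.aldfphv.ru
172.67.139.168
truefalse
unknown
rvxp.ulayetand.ru
104.21.48.1
truetrue
unknown
form.questionscout.com
unknown
unknownfalse
high
"""

# Constructed sample from the IP/ASN table: three lines per record, the domain fused
# to the country, and ASN number + ASN name + Malicious flag fused into one token.
IP_ROWS = """\
104.21.48.1
rvxp.ulayetand.ruUnited States
13335CLOUDFLARENETUStrue
172.67.139.168
tl5v.aldfphv.ruUnited States
13335CLOUDFLARENETUSfalse
54.164.202.134
unknownUnited States
14618AMAZON-AESUSfalse
"""

@dataclass
class DomainRecord:
    name: str
    ip: Optional[str]        # None where the report prints "unknown"
    active: Optional[bool]   # None where the report prints "unknown"
    malicious: bool
    reputation: str          # "high" or "unknown" in this report

@dataclass
class IpRecord:
    ip: str
    domain: Optional[str]
    country: str
    asn: int
    asn_name: str            # kept verbatim, e.g. "CLOUDFLARENETUS"
    malicious: bool

# "truefalse" / "unknownfalse" / "truetrue": Active, then Malicious.
_ACTIVE_MALICIOUS = re.compile(r"^(true|false|unknown)(true|false)$")
# Assumption: hostnames are lowercase and the country name starts with a capital
# letter, as the report renders them; "unknown" marks an empty domain cell.
_DOMAIN_COUNTRY = re.compile(r"^([a-z0-9.-]+)([A-Z].*)$")
# "13335CLOUDFLARENETUStrue": ASN number, ASN name, Malicious flag.
_ASN_FIELD = re.compile(r"^(\d+)(.+?)(true|false)$")

def _nonblank(text: str) -> List[str]:
    return [ln.strip() for ln in text.splitlines() if ln.strip()]

def parse_domains(text: str) -> List[DomainRecord]:
    lines = _nonblank(text)
    out = []
    for i in range(0, len(lines), 4):
        name, ip, flags, reputation = lines[i:i + 4]
        m = _ACTIVE_MALICIOUS.match(flags)
        if m is None:
            raise ValueError(f"unexpected Active/Malicious field {flags!r} for {name}")
        active = None if m.group(1) == "unknown" else m.group(1) == "true"
        out.append(DomainRecord(name, None if ip == "unknown" else ip,
                                active, m.group(2) == "true", reputation))
    return out

def parse_ips(text: str) -> List[IpRecord]:
    lines = _nonblank(text)
    out = []
    for i in range(0, len(lines), 3):
        ip, dom_country, asn_field = lines[i:i + 3]
        dm, am = _DOMAIN_COUNTRY.match(dom_country), _ASN_FIELD.match(asn_field)
        if dm is None or am is None:
            raise ValueError(f"cannot split fields for {ip}")
        domain = None if dm.group(1) == "unknown" else dm.group(1)
        out.append(IpRecord(ip, domain, dm.group(2), int(am.group(1)),
                            am.group(2), am.group(3) == "true"))
    return out

def triage(domains: List[DomainRecord], ips: List[IpRecord]) -> List[str]:
    """Indicators to block or investigate (a policy chosen for this example, not the
    report's): anything flagged malicious, plus hosts that resolved but carry no
    reputation, because an Avira 'safe' verdict on its own clears nothing."""
    hits = {d.name for d in domains
            if d.malicious or (d.active and d.reputation == "unknown")}
    hits |= {r.ip for r in ips if r.malicious}
    return sorted(hits)

if __name__ == "__main__":
    for ioc in triage(parse_domains(DOMAIN_ROWS), parse_ips(IP_ROWS)):
        print(ioc)
```

Run against the sample rows, triage() yields the two .ru hosts and the Cloudflare IP behind rvxp.ulayetand.ru; form.questionscout.com drops out because the report gives it a high reputation, even though the specific form URL under it is the one flagged malicious, so URL-level indicators still need to be pulled from the URL table separately.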
IPs contacted (the Flag column is an image and is omitted):

IP | Domain | Country | ASN | ASN Name | Malicious
104.21.48.1 | rvxp.ulayetand.ru | United States | 13335 | CLOUDFLARENETUS | true
54.164.202.134 | unknown | United States | 14618 | AMAZON-AESUS | false
142.250.186.67 | unknown | United States | 15169 | GOOGLEUS | false
18.245.33.206 | d3djdih2k2vfi2.cloudfront.net | United States | 16509 | AMAZON-02US | false
98.85.35.237 | unknown | United States | 11351 | TWC-11351-NORTHEASTUS | false
104.18.94.41 | challenges.cloudflare.com | United States | 13335 | CLOUDFLARENETUS | false
172.67.139.168 | tl5v.aldfphv.ru | United States | 13335 | CLOUDFLARENETUS | false
142.250.181.234 | unknown | United States | 15169 | GOOGLEUS | false
142.250.185.106 | unknown | United States | 15169 | GOOGLEUS | false
13.107.246.60 | s-part-0032.t-0009.t-msedge.net | United States | 8068 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
20.189.173.10 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
                                                                                                                            151.101.130.137
                                                                                                                            code.jquery.comUnited States
                                                                                                                            54113FASTLYUSfalse
                                                                                                                            74.125.206.84
                                                                                                                            unknownUnited States
                                                                                                                            15169GOOGLEUSfalse
                                                                                                                            34.117.188.166
                                                                                                                            contile.services.mozilla.comUnited States
                                                                                                                            139070GOOGLE-AS-APGoogleAsiaPacificPteLtdSGfalse
                                                                                                                            52.26.30.181
                                                                                                                            shavar.prod.mozaws.netUnited States
                                                                                                                            16509AMAZON-02USfalse
                                                                                                                            142.250.185.142
                                                                                                                            unknownUnited States
                                                                                                                            15169GOOGLEUSfalse
                                                                                                                            151.101.66.137
                                                                                                                            unknownUnited States
                                                                                                                            54113FASTLYUSfalse
                                                                                                                            54.84.150.176
                                                                                                                            questionscout-form-api-prod.us-east-1.elasticbeanstalk.comUnited States
                                                                                                                            14618AMAZON-AESUSfalse
                                                                                                                            104.16.2.189
                                                                                                                            developers.cloudflare.comUnited States
                                                                                                                            13335CLOUDFLARENETUSfalse
                                                                                                                            34.120.208.123
                                                                                                                            telemetry-incoming.r53-2.services.mozilla.comUnited States
                                                                                                                            15169GOOGLEUSfalse
                                                                                                                            104.17.24.14
                                                                                                                            cdnjs.cloudflare.comUnited States
                                                                                                                            13335CLOUDFLARENETUSfalse
                                                                                                                            2.16.185.191
                                                                                                                            unknownEuropean Union
                                                                                                                            16625AKAMAI-ASUSfalse
                                                                                                                            34.149.100.209
                                                                                                                            prod.remote-settings.prod.webservices.mozgcp.netUnited States
                                                                                                                            2686ATGS-MMD-ASUSfalse
                                                                                                                            104.18.95.41
                                                                                                                            unknownUnited States
                                                                                                                            13335CLOUDFLARENETUSfalse
                                                                                                                            216.58.206.42
                                                                                                                            unknownUnited States
                                                                                                                            15169GOOGLEUSfalse
                                                                                                                            34.107.243.93
                                                                                                                            push.services.mozilla.comUnited States
                                                                                                                            15169GOOGLEUSfalse
                                                                                                                            18.245.33.131
                                                                                                                            unknownUnited States
                                                                                                                            16509AMAZON-02USfalse
                                                                                                                            159.89.102.253
                                                                                                                            geolocation-db.comUnited States
                                                                                                                            14061DIGITALOCEAN-ASNUSfalse
                                                                                                                            142.250.185.138
                                                                                                                            unknownUnited States
                                                                                                                            15169GOOGLEUSfalse
                                                                                                                            52.123.128.14
                                                                                                                            s-0005.dual-s-msedge.netUnited States
                                                                                                                            8075MICROSOFT-CORP-MSN-AS-BLOCKUSfalse
                                                                                                                            34.107.221.82
                                                                                                                            prod.detectportal.prod.cloudops.mozgcp.netUnited States
                                                                                                                            15169GOOGLEUSfalse
                                                                                                                            142.250.181.227
                                                                                                                            unknownUnited States
                                                                                                                            15169GOOGLEUSfalse
                                                                                                                            35.244.181.201
                                                                                                                            prod.balrog.prod.cloudops.mozgcp.netUnited States
                                                                                                                            15169GOOGLEUSfalse
                                                                                                                            239.255.255.250
                                                                                                                            unknownReserved
                                                                                                                            unknownunknownfalse
                                                                                                                            142.250.185.131
                                                                                                                            unknownUnited States
                                                                                                                            15169GOOGLEUSfalse
                                                                                                                            142.250.185.195
                                                                                                                            unknownUnited States
                                                                                                                            15169GOOGLEUSfalse
                                                                                                                            35.190.72.216
                                                                                                                            prod.classify-client.prod.webservices.mozgcp.netUnited States
                                                                                                                            15169GOOGLEUSfalse
                                                                                                                            34.160.144.191
                                                                                                                            prod.content-signature-chains.prod.webservices.mozgcp.netUnited States
                                                                                                                            2686ATGS-MMD-ASUSfalse
                                                                                                                            3.225.14.119
                                                                                                                            dualstack.awseb-awseb-147jj8pq9oolw-1566203385.us-east-1.elb.amazonaws.comUnited States
                                                                                                                            14618AMAZON-AESUSfalse
                                                                                                                            172.217.16.196
                                                                                                                            www.google.comUnited States
                                                                                                                            15169GOOGLEUSfalse
                                                                                                                            142.250.184.234
                                                                                                                            unknownUnited States
                                                                                                                            15169GOOGLEUSfalse
                                                                                                                            IP
                                                                                                                            192.168.2.18
                                                                                                                            127.0.0.1
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1624971
Start date and time: 2025-02-26 17:47:30 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration:
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultwindowsinteractivecookbook.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 22
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• EGA enabled
Analysis Mode: stream
Analysis stop reason: Timeout
Sample name: REMITTANCE DETAILS....xlsx
Detection: MAL
Classification: mal84.phis.winXLSX@31/11@100/362
Cookbook Comments:
• Found application associated with file extension: .xlsx
• Exclude process from analysis (whitelisted): dllhost.exe, SIHClient.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 2.16.185.191, 20.189.173.10, 52.123.128.14, 4.175.87.197, 13.107.246.60
• Excluded domains from analysis (whitelisted): ecs.office.com, self-events-data.trafficmanager.net, fs.microsoft.com, slscr.update.microsoft.com, otelrules.azureedge.net, self.events.data.microsoft.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, fe3cr.delivery.mp.microsoft.com, dual-s-0005-office.config.skype.com, onedscolprdwus09.westus.cloudapp.azure.com, e16604.f.akamaiedge.net, ecs.office.trafficmanager.net, prod.fs.microsoft.com.akadns.net
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: dualstack.awseb-awseb-147jj8pq9oolw-1566203385.us-east-1.elb.amazonaws.com
Process: C:\Program Files\Mozilla Firefox\firefox.exe
File Type: ISO Media, MP4 Base Media v1 [ISO 14496-12:2003]
Category: dropped
Size (bytes): 32768
Entropy (8bit): 0.4593089050301797
Encrypted: false
SSDEEP:
MD5: D910AD167F0217587501FDCDB33CC544
SHA1: 2F57441CEFDC781011B53C1C5D29AC54835AFC1D
SHA-256: E3699D9404A3FFC1AFF0CA8A3972DC0EF38BDAB927741E9F627C7C55CEA42E81
SHA-512: F1871BF28FF25EE52BDB99C7A80AB715C7CAC164DCD2FD87E681168EE927FD2C5E80E03C91BB638D955A4627213BF575FF4D9EECAEDA7718C128CF2CE8F7CB3D
Malicious: false
Reputation: unknown
Preview: ... ftypisom....isomiso2avc1mp41....free....mdat..........E...H..,. .#..x264 - core 152 r2851 ba24899 - H.264/MPEG-4 AVC codec - Copyleft 2003-2017 - http://www.videolan.org/x264.html - options: cabac=1 ref=3 deblock=1:0:0 analyse=0x3:0x113 me=hex subme=7 psy=1 psy_rd=1.00:0.00 mixed_ref=1 me_range=16 chroma_me=1 trellis=1 8x8dct=1 cqm=0 deadzone=21,11 fast_pskip=1 chroma_qp_offset=-2 threads=4 lookahead_threads=1 sliced_threads=0 nr=0 decimate=1 interlaced=0 bluray_compat=0 constrained_intra=0 bframes=3 b_pyramid=2 b_adapt=1 b_bias=0 direct=1 weightb=1 open_gop=0 weightp=2 keyint=250 keyint_min=25 scenecut=40 intra_refresh=0 rc_lookahead=40 rc=crf mbtree=1 crf=23.0 qcomp=0.60 qpmin=0 qpmax=69 qpstep=4 ip_ratio=1.40 aq=1:1.00......e...+...s|.kG3...'.u.."...,J.w.~.d\..(K....!.+..;....h....(.T.*...M......0..~L..8..B..A.y..R..,.zBP.';j.@.].w..........c......C=.'f....gI.$^.......m5V.L...{U..%V[....8......B..i..^,....:...,..5.m.%dA....moov...lmvhd...................(...........
Process: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
File Type: Composite Document File V2 Document, Cannot read section info
Category: dropped
Size (bytes): 2560
Entropy (8bit): 1.9336955297818843
Encrypted: false
SSDEEP:
MD5: 6CA59F7CF929E0AE00ADEFE6BCD8D34D
SHA1: 63C278223150E2B65D802C42399EEFD6306B8752
SHA-256: 3BE77F868C2B8FA6535B12F028463888168BE9E9676B85C47A775BE8558D652B
SHA-512: 596111F7EBD7B5CAC6E39BBEDA358309559BD8D82E27347F69B922E875210B1C6C9BC82EE8ADC7E3E11CB51BB9D91BCC0F25AFF2BE38ADB2FA8264B460EB3F03
Malicious: false
Reputation: unknown
                                                                                                                            Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                            File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Feb 26 15:48:42 2025, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):2675
                                                                                                                            Entropy (8bit):3.983215368745173
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:
                                                                                                                            MD5:E5A30604CAC576EB943E0D9AEE8D3E76
                                                                                                                            SHA1:8652387D2A3EB4A7F20BFABA4B306E8821C289AD
                                                                                                                            SHA-256:B538B9AE28D6284FAFC07F8AA23058DDAD3320B7316712703192FB2EC1C8B8B5
                                                                                                                            SHA-512:6C0340F565D8E8887C09FAD33E0B8F3E986DCF99717A1918C28D3FDED840402189E467E91D0E658A4C0FF373AE4329857F3ABF81CEC146B5CF76A8491A8315ED
                                                                                                                            Malicious:false
                                                                                                                            Reputation:unknown
                                                                                                                            Preview:L..................F.@.. ...$+.,......<Kn.......y... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.R..PROGRA~1..t......O.IZZ......B...............J......Y..P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VZZ......L.....................p+j.G.o.o.g.l.e.....T.1.....FW.R..Chrome..>......CW.VZZ......M......................pd.C.h.r.o.m.e.....`.1.....FW.R..APPLIC~1..H......CW.VZZ.............................pd.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..BW. .CHROME~1.EXE..R......CW.VZZ.......#......................3.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i.............5......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F
Process:C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Feb 26 15:48:42 2025, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide
Category:dropped
Size (bytes):2677
Entropy (8bit):3.998612439181264
Encrypted:false
SSDEEP:
MD5:819CBC627E391CE4EC6527E0B2559E0B
SHA1:ECB25DF415E0BFE46473A2185CFF497FCA16BE87
SHA-256:1BD83E06EB1AFE7C851054500340026368D7B39C0618805AE6D3E0B6E6EDE5F0
SHA-512:E472B1B35A217F3093C6F3BD402D60063640B6F3033DEA700A141CCB4D5FD215539B50D02E48628791423D6E6975691C9368D9A7893F9056986168DC2EBF3CFB
Malicious:false
Reputation:unknown
Process:C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Oct 6 09:23:19 2023, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide
Category:dropped
Size (bytes):2691
Entropy (8bit):4.007728625078112
Encrypted:false
SSDEEP:
MD5:2F56C0B53665870A50F3AF710446246D
SHA1:4A1A96644F7765011045485E6F42878F5196D8E5
SHA-256:69AF3FE680D52083474F33A68C029B341183099CD30E4B984B5180E28793A44C
SHA-512:8D3518AEE9AF675E3BD5983140DEEC782BE6FC893C2297FE37D14BB97107859EF0C0BA23FA6B139FD6B5509641601430CC308D6FF00DFDAFAEBD505FC9FE5B5B
Malicious:false
Reputation:unknown
Process:C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Feb 26 15:48:42 2025, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide
Category:dropped
Size (bytes):2679
Entropy (8bit):3.9978625741918354
Encrypted:false
SSDEEP:
MD5:A2FA00CBB7AFEA0E0B2BA2D76CA90654
SHA1:19AAD6E2B6C81A0EB82DE3016DF56570C584C432
SHA-256:18C35C529622B7FD96239B403664FBEA06D275DD9099A2149A61685FAD3116B9
SHA-512:E98120275D76C3FE84FC9023D02BAFCB290C41668BC218798A81EF5F5641E9C195805EF5F50D56AB9C701816F735113C4B1351A299A2BCEEB9B8D3D4D3ECB306
Malicious:false
Reputation:unknown
Process:C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Feb 26 15:48:42 2025, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide
Category:dropped
Size (bytes):2679
Entropy (8bit):3.9833052931445105
Encrypted:false
SSDEEP:
MD5:0A51038A98E7FFB0FFFA85416A3E5D86
SHA1:E55E3915348FD6D9CC4BC0E741131A1B6CA27C15
SHA-256:0CC89FA366EECB0323ED301DD383D1112C3D4212676562D041DC089A2EB6E35A
SHA-512:E2B73E8A1843ED02E83C4BA3FFF4B235CB6EA3EBC41CC592C1D1A2ED67C56099AC1A7296A1B8173F7888BF48DC697F5FEED01CEC9FBB45F10EFEBB3932CE951F
Malicious:false
Reputation:unknown
Process:C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Feb 26 15:48:42 2025, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide
Category:dropped
Size (bytes):2681
Entropy (8bit):3.997161977579231
Encrypted:false
SSDEEP:
MD5:5372EDAD4F84C61275B7F5151E8697F9
SHA1:F157165312CBAA69252C59C8E76C24A34FDE1463
SHA-256:C304BEB399932CE55238AB97E7DF7F35CF1A5CA3BF71EC610BC1BD3EDCADD111
SHA-512:BF99D940D2D013DE2E014E203200B4B5E5E1983ED8546A7C1A95DB77A8FEB58DB17493CE9BDF198260488699758BD8A6EBF89AD9A6D0ECB4E16A8E02B0A5A1B6
Malicious:false
Reputation:unknown
Process:C:\Program Files\Mozilla Firefox\firefox.exe
File Type:ASCII text, with very long lines (1717), with CRLF line terminators
Category:modified
Size (bytes):11840
Entropy (8bit):5.4734768608532995
Encrypted:false
SSDEEP:
MD5:730C307138B1D4E423F83107E79F2DAA
SHA1:3C2A9BDF6EB18C219B8F097D381D5444AD4BE7DD
SHA-256:2DBF0325041C2D3123DF5723835BFE0232D3165837E0628866136F875A94C31B
SHA-512:09BB6C039D9F276131F216E93938DA47994CA2C690264A4980B9FF06FD9FA6162AACB2A509EBFB012A54CAFCD42BDEE69F4A49805A9F0D27B00C49058EE0502B
Malicious:false
Reputation:unknown
Preview:// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "51d59ba4-04bf-4f73-ab37-64f38903f396");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 1);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 0);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 1696587350);..user_pref("app.update.lastUpdateTime.region-update-timer", 0);..user_pref("app.update.lastUpdateTime.rs-experiment-loader-timer", 1740592843);..user_pref("app.up
Process:C:\Program Files\Mozilla Firefox\firefox.exe
File Type:ASCII text, with very long lines (1717), with CRLF line terminators
Category:dropped
Size (bytes):0
Entropy (8bit):0.0
Encrypted:false
SSDEEP:
MD5:7B91858899ABCA49813E1B2E04805722
SHA1:FDABA114049E5EE131321C9AE79506257396B2CA
SHA-256:8A9FFF2E2A70D25AB1B5CDCB3EB73E6B8CE662121475F961623DB707B9D79F83
SHA-512:546D660A2E5E791F7D02BB7FCDF50D30A74CF51A236F5E18C31085476E75CB1EF4A47425EF7A220BB628E24F20B247B93C2E55C65E874333D2655CA5148B1BB9
Malicious:false
Reputation:unknown
Preview:// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "51d59ba4-04bf-4f73-ab37-64f38903f396");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 0);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 1696587350);..user_pref("app.update.lastUpdateTime.region-update-timer", 0);..user_pref("app.update.lastUpdateTime.rs-experiment-loader-timer", 1696587355);..user_pref("app.update.lastUpdateTime.xpi-signature-verification
Process:C:\Program Files\Mozilla Firefox\firefox.exe
File Type:JSON data
Category:dropped
Size (bytes):0
Entropy (8bit):0.0
Encrypted:false
SSDEEP:
MD5:C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:false
Reputation:unknown
Preview:{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}
Process:C:\Program Files\Mozilla Firefox\firefox.exe
File Type:JSON data
Category:dropped
Size (bytes):90
Entropy (8bit):4.194538242412464
Encrypted:false
SSDEEP:
MD5:C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:false
Reputation:unknown
Preview:{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}
File type:Microsoft Excel 2007+
Entropy (8bit):7.680659978486937
TrID:
• Excel Microsoft Office Open XML Format document (35004/1) 81.40%
• ZIP compressed archive (8000/1) 18.60%
File name:REMITTANCE DETAILS....xlsx
File size:100'151 bytes
MD5:7a1977f7be57db4654fdd262d5159ba1
SHA1:305bf321f8ace1e709a69ac216c1af28192bb74f
SHA256:90a947ea45b176ce0aea06857bc18802b72ccc76b5a067fbac2b271d591a6d5c
SHA512:6da27afcf7d92e66150c0cbfbe206e420b935ae077fcf0b01ed74a8a92cb2f2048a299f387e82f8526b8768ce40d5e23ea5088d84eb4251c3387c3b948bde494
SSDEEP:1536:xm9NJH69bxXn3WmjcRBP1tRt34oWewonaH69bxXn3WmjcRBP1tRt34oWewoneF:I9NI9FHBq3PNLv9FHBq3PNLeF
TLSH:09A38C178C185AC3D16C97F8BD070EE96E5A230DD981BEEF40654FD6BE102279C9E06E
File Content Preview:PK..........!..M..}...[.......[Content_Types].xml ...(.........................................................................................................................................................................................................
Icon Hash:35e58a8c0c8a85b9
Document Type:OpenXML
Number of OLE Files:1
Has Summary Info:
Application Name:
Encrypted Document:False
Contains Word Document Stream:False
Contains Workbook/Book Stream:True
Contains PowerPoint Document Stream:False
Contains Visio Document Stream:False
Contains ObjectPool Stream:False
Flash Objects Count:0
Contains VBA Macros:False