Edit tour

Windows Analysis Report
NetCDF4Excel_3_3_setup.exe

Overview

General Information

Sample name:	NetCDF4Excel_3_3_setup.exe
Analysis ID:	1543738
MD5:	943ea0a62b581f8e132b1fc33e04804d
SHA1:	a28e6d970f44ce8e0fad92d6b86bf1ff5cbe9e75
SHA256:	d7e140540766c60ed61f6ed9e0bb3c09cc3363d35bc6803c062a6e7f61db385a
Infos:

Detection

Score:	60
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Document contains an embedded VBA macro with suspicious strings

Document contains an embedded VBA with functions possibly related to ADO stream file operations

Document contains an embedded VBA with functions possibly related to WSH operations (process, registry, environment, or keystrokes)

Document contains an embedded VBA with many GOTO operations indicating source code obfuscation

Document contains an embedded VBA with many string operations indicating source code obfuscation

Document contains an embedded VBA macro which executes code when the document is opened / closed

Drops PE files

Found dropped PE file which has not been started or loaded

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Queries the volume information (name, serial number etc) of a device

Sigma detected: Excel Network Connections

Sigma detected: Suspicious Office Outbound Connections

Stores files to the Windows start menu directory

Uses 32bit PE files

Classification

Process Tree

System is w10x64_ra

NetCDF4Excel_3_3_setup.exe (PID: 3416 cmdline: "C:\Users\user\Desktop\NetCDF4Excel_3_3_setup.exe" MD5: 943EA0A62B581F8E132B1FC33E04804D)

EXCEL.EXE (PID: 3752 cmdline: "C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE" MD5: 4A871771235598812032C822E6F68F19)

splwow64.exe (PID: 6248 cmdline: C:\Windows\splwow64.exe 8192 MD5: 77DE7761B037061C7C112FD3C5B91E73)

EXCEL.EXE (PID: 2924 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Program Files (x86)\NetCDF4Excel\NetCDF4Excel_2007.xlsm" MD5: 4A871771235598812032C822E6F68F19)

cleanup

Sigma Signatures

System Summary

Sigma detected: Excel Network Connections

Source: Network Connection

Author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth '@Neo23x0", Tim Shelton: Data: DestinationIp: 13.107.246.60, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE, Initiated: true, ProcessId: 3752, Protocol: tcp, SourceIp: 192.168.2.17, SourceIsIpv6: false, SourcePort: 49729

Sigma detected: Suspicious Office Outbound Connections

Source: Network Connection

Author: X__Junior (Nextron Systems): Data: DestinationIp: 192.168.2.17, DestinationIsIpv6: false, DestinationPort: 49729, EventID: 3, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE, Initiated: true, ProcessId: 3752, Protocol: tcp, SourceIp: 13.107.246.60, SourceIsIpv6: false, SourcePort: 443

Sigma detected: Office Macro File Creation

Source: File created

Author: Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Users\user\Desktop\NetCDF4Excel_3_3_setup.exe, ProcessId: 3416, TargetFilename: C:\Program Files (x86)\NetCDF4Excel\NetCDF4Excel_2007.xlsm

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: NetCDF4Excel_3_3_setup.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: C:\Users\user\Desktop\NetCDF4Excel_3_3_setup.exe

Window detected: &InstallCancelNullsoft Install System v2.46Please review the license agreement before installing NetCDF4Excel. If you accept all terms of the agreement click the check box below. Click Install to start the installation.NetCDF4Excel : NetCDF add-in for ExcelCopyright (c) 2008-2016 Alexander Bruhns. All Rights Reserved.This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation either version 3 of the License or (at your option) any later version.This program is distributed in the hope that it will be useful but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.You should have received a copy of the GNU General Public License along with this program. If not see <http://www.gnu.org/licenses/>.NetCDF4Excel uses NetCDF : Copyright 1993-2008 University Corporation for Atmospheric Research/UnidataI accept

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

File opened: C:\Program Files (x86)\Microsoft Office\root\vfs\SystemX86\MSVCR100.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 13.107.246.60:443 -> 192.168.2.17:49729 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.246.60:443 -> 192.168.2.17:49731 version: TLS 1.2

Source: Joe Sandbox View

IP Address: 13.107.246.60 13.107.246.60

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: global traffic	HTTP traffic detected: GET /rules/excel.exe-Production-v19.bundle HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/excel.exe-Production-v19.bundle HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule120603v8s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)Host: otelrules.azureedge.net

Source: NetCDF4Excel_3_3_setup.exe, uninstaller.exe.0.dr	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: NetCDF4Excel_3_3_setup.exe, uninstaller.exe.0.dr	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: ~DF88F2325B87F19935.TMP.4.dr	String found in binary or memory: http://www.gnu.0org/
Source: ~DF88F2325B87F19935.TMP.4.dr	String found in binary or memory: http://www.gnu.o
Source: ~DF88F2325B87F19935.TMP.4.dr	String found in binary or memory: http://www.gnu.or
Source: ~DF88F2325B87F19935.TMP.4.dr	String found in binary or memory: http://www.gnu.org/licenses/
Source: ~DF88F2325B87F19935.TMP.4.dr	String found in binary or memory: http://www.gnu.orgF/
Source: WefGallery[1]0.4.dr	String found in binary or memory: https://github.com/OfficeDev/office-js/blob/release/LICENSE.md
Source: WefGallery[1]0.4.dr	String found in binary or memory: https://raw.githubusercontent.com/jakearchibald/es6-promise/master/LICENSE

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729

Source: unknown	HTTPS traffic detected: 13.107.246.60:443 -> 192.168.2.17:49729 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.246.60:443 -> 192.168.2.17:49731 version: TLS 1.2

System Summary

Document contains an embedded VBA macro with suspicious strings

Source: NetCDF4Excel_2007.xlsm.0.dr	OLE, VBA macro line: ' ncId = NC_CreateFile(ncFileName)
Source: NetCDF4Excel_2007.xlsm.0.dr	OLE, VBA macro line: NC_WriteFile False
Source: NetCDF4Excel_2007.xlsm.0.dr	OLE, VBA macro line: NC_WriteFile True
Source: NetCDF4Excel_2007.xlsm.0.dr	OLE, VBA macro line: Public Declare Function SetEnvironmentVariable Lib "kernel32" Alias "SetEnvironmentVariableA" (ByVal lpName As String, ByVal lpValue As String) As Long
Source: NetCDF4Excel_2007.xlsm.0.dr	OLE, VBA macro line: Public Declare Function SetEnvironmentVariable Lib "kernel32" Alias "SetEnvironmentVariableA" (ByVal lpName As String, ByVal lpValue As String) As Long
Source: NetCDF4Excel_2007.xlsm.0.dr	OLE, VBA macro line: '''Private Declare Function GetTickCount Lib "Kernel32" () As Long
Source: NetCDF4Excel_2007.xlsm.0.dr	OLE, VBA macro line: Public Function NC_CreateFile(ByVal ncFileName As String) As Long
Source: NetCDF4Excel_2007.xlsm.0.dr	OLE, VBA macro line: Err.Raise ERR_NBR__CANT_OPEN_NC_FILE, "NC_CreateFile", ERR_MSG__CANT_OPEN_NC_FILE & " " & ncFileName
Source: NetCDF4Excel_2007.xlsm.0.dr	OLE, VBA macro line: NC_CreateFile = NC_OpenFile(ncFileName, NC_WRITE)
Source: NetCDF4Excel_2007.xlsm.0.dr	OLE, VBA macro line: strArray = Split(Environ("PATH"), ";")
Source: NetCDF4Excel_2007.xlsm.0.dr	OLE, VBA macro line: SetEnvironmentVariable "PATH", Environ("PATH") + ";" + Application.ActiveWorkbook.path
Source: NetCDF4Excel_2007.xlsm.0.dr	OLE, VBA macro line: MsgBox ("Fatal Error : VbNc.dll not found! Please add path to VbNC.dll to system PATH environment variable." & vbNewLine & vbNewLine & "Actual Path is : " & Environ("PATH"))
Source: NetCDF4Excel_2007.xlsm.0.dr	OLE, VBA macro line: Public Sub NC_WriteFile(ByVal updateExistingFile As Boolean)
Source: NetCDF4Excel_2007.xlsm.0.dr	OLE, VBA macro line: ncId = NC_CreateFile(ncFileName)
Source: 1AC88B16.tmp.4.dr	OLE, VBA macro line: ' ncId = NC_CreateFile(ncFileName)
Source: 1AC88B16.tmp.4.dr	OLE, VBA macro line: NC_WriteFile False
Source: 1AC88B16.tmp.4.dr	OLE, VBA macro line: NC_WriteFile True
Source: 1AC88B16.tmp.4.dr	OLE, VBA macro line: Public Declare Function SetEnvironmentVariable Lib "kernel32" Alias "SetEnvironmentVariableA" (ByVal lpName As String, ByVal lpValue As String) As Long
Source: 1AC88B16.tmp.4.dr	OLE, VBA macro line: Public Declare Function SetEnvironmentVariable Lib "kernel32" Alias "SetEnvironmentVariableA" (ByVal lpName As String, ByVal lpValue As String) As Long
Source: 1AC88B16.tmp.4.dr	OLE, VBA macro line: '''Private Declare Function GetTickCount Lib "Kernel32" () As Long
Source: 1AC88B16.tmp.4.dr	OLE, VBA macro line: Public Function NC_CreateFile(ByVal ncFileName As String) As Long
Source: 1AC88B16.tmp.4.dr	OLE, VBA macro line: Err.Raise ERR_NBR__CANT_OPEN_NC_FILE, "NC_CreateFile", ERR_MSG__CANT_OPEN_NC_FILE & " " & ncFileName
Source: 1AC88B16.tmp.4.dr	OLE, VBA macro line: NC_CreateFile = NC_OpenFile(ncFileName, NC_WRITE)
Source: 1AC88B16.tmp.4.dr	OLE, VBA macro line: strArray = Split(Environ("PATH"), ";")
Source: 1AC88B16.tmp.4.dr	OLE, VBA macro line: SetEnvironmentVariable "PATH", Environ("PATH") + ";" + Application.ActiveWorkbook.path
Source: 1AC88B16.tmp.4.dr	OLE, VBA macro line: MsgBox ("Fatal Error : VbNc.dll not found! Please add path to VbNC.dll to system PATH environment variable." & vbNewLine & vbNewLine & "Actual Path is : " & Environ("PATH"))
Source: 1AC88B16.tmp.4.dr	OLE, VBA macro line: Public Sub NC_WriteFile(ByVal updateExistingFile As Boolean)
Source: 1AC88B16.tmp.4.dr	OLE, VBA macro line: ncId = NC_CreateFile(ncFileName)
Source: ~DF88F2325B87F19935.TMP.4.dr	OLE, VBA macro line: ' ncId = NC_CreateFile(ncFileName)
Source: ~DF88F2325B87F19935.TMP.4.dr	OLE, VBA macro line: NC_WriteFile False
Source: ~DF88F2325B87F19935.TMP.4.dr	OLE, VBA macro line: NC_WriteFile True
Source: ~DF88F2325B87F19935.TMP.4.dr	OLE, VBA macro line: Public Declare Function SetEnvironmentVariable Lib "kernel32" Alias "SetEnvironmentVariableA" (ByVal lpName As String, ByVal lpValue As String) As Long
Source: ~DF88F2325B87F19935.TMP.4.dr	OLE, VBA macro line: Public Declare Function SetEnvironmentVariable Lib "kernel32" Alias "SetEnvironmentVariableA" (ByVal lpName As String, ByVal lpValue As String) As Long
Source: ~DF88F2325B87F19935.TMP.4.dr	OLE, VBA macro line: '''Private Declare Function GetTickCount Lib "Kernel32" () As Long
Source: ~DF88F2325B87F19935.TMP.4.dr	OLE, VBA macro line: Public Function NC_CreateFile(ByVal ncFileName As String) As Long
Source: ~DF88F2325B87F19935.TMP.4.dr	OLE, VBA macro line: Err.Raise ERR_NBR__CANT_OPEN_NC_FILE, "NC_CreateFile", ERR_MSG__CANT_OPEN_NC_FILE & " " & ncFileName
Source: ~DF88F2325B87F19935.TMP.4.dr	OLE, VBA macro line: NC_CreateFile = NC_OpenFile(ncFileName, NC_WRITE)
Source: ~DF88F2325B87F19935.TMP.4.dr	OLE, VBA macro line: strArray = Split(Environ("PATH"), ";")
Source: ~DF88F2325B87F19935.TMP.4.dr	OLE, VBA macro line: SetEnvironmentVariable "PATH", Environ("PATH") + ";" + Application.ActiveWorkbook.path
Source: ~DF88F2325B87F19935.TMP.4.dr	OLE, VBA macro line: MsgBox ("Fatal Error : VbNc.dll not found! Please add path to VbNC.dll to system PATH environment variable." & vbNewLine & vbNewLine & "Actual Path is : " & Environ("PATH"))
Source: ~DF88F2325B87F19935.TMP.4.dr	OLE, VBA macro line: Public Sub NC_WriteFile(ByVal updateExistingFile As Boolean)
Source: ~DF88F2325B87F19935.TMP.4.dr	OLE, VBA macro line: ncId = NC_CreateFile(ncFileName)

Document contains an embedded VBA with functions possibly related to ADO stream file operations

Source: NetCDF4Excel_2007.xlsm.0.dr	Stream path 'VBA/NetCDF4Excel' : found possibly 'ADODB.Stream' functions open, read, write
Source: NetCDF4Excel_2007.xlsm.0.dr	Stream path 'VBA/NetCDF4Excel_Common' : found possibly 'ADODB.Stream' functions mode, open, read, write
Source: NetCDF4Excel_2007.xlsm.0.dr	Stream path 'VBA/NetCDF4Excel_Interface' : found possibly 'ADODB.Stream' functions mode, open, read, write
Source: NetCDF4Excel_2007.xlsm.0.dr	Stream path 'VBA/NetCDF4Excel_Menu' : found possibly 'ADODB.Stream' functions mode, open, read, write
Source: NetCDF4Excel_2007.xlsm.0.dr	Stream path 'VBA/NetCDF4Excel_Write' : found possibly 'ADODB.Stream' functions mode, open, read, write
Source: 1AC88B16.tmp.4.dr	Stream path 'VBA/NetCDF4Excel' : found possibly 'ADODB.Stream' functions open, read, write
Source: 1AC88B16.tmp.4.dr	Stream path 'VBA/NetCDF4Excel_Common' : found possibly 'ADODB.Stream' functions mode, open, read, write
Source: 1AC88B16.tmp.4.dr	Stream path 'VBA/NetCDF4Excel_Interface' : found possibly 'ADODB.Stream' functions mode, open, read, write
Source: 1AC88B16.tmp.4.dr	Stream path 'VBA/NetCDF4Excel_Menu' : found possibly 'ADODB.Stream' functions mode, open, read, write
Source: 1AC88B16.tmp.4.dr	Stream path 'VBA/NetCDF4Excel_Write' : found possibly 'ADODB.Stream' functions mode, open, read, write
Source: ~DF88F2325B87F19935.TMP.4.dr	Stream path 'VBA/NetCDF4Excel' : found possibly 'ADODB.Stream' functions open, read, write
Source: ~DF88F2325B87F19935.TMP.4.dr	Stream path 'VBA/NetCDF4Excel_Common' : found possibly 'ADODB.Stream' functions mode, open, read, write
Source: ~DF88F2325B87F19935.TMP.4.dr	Stream path 'VBA/NetCDF4Excel_Interface' : found possibly 'ADODB.Stream' functions mode, open, read, write
Source: ~DF88F2325B87F19935.TMP.4.dr	Stream path 'VBA/NetCDF4Excel_Menu' : found possibly 'ADODB.Stream' functions mode, open, read, write
Source: ~DF88F2325B87F19935.TMP.4.dr	Stream path 'VBA/NetCDF4Excel_Write' : found possibly 'ADODB.Stream' functions mode, open, read, write

Document contains an embedded VBA with functions possibly related to WSH operations (process, registry, environment, or keystrokes)

Source: NetCDF4Excel_2007.xlsm.0.dr	Stream path 'VBA/NetCDF4Excel_Common' : found possibly 'WScript.Shell' functions environment, run, environ
Source: NetCDF4Excel_2007.xlsm.0.dr	Stream path 'VBA/NetCDF4Excel_Menu' : found possibly 'WScript.Shell' functions environment, popup, environ
Source: 1AC88B16.tmp.4.dr	Stream path 'VBA/NetCDF4Excel_Common' : found possibly 'WScript.Shell' functions environment, run, environ
Source: 1AC88B16.tmp.4.dr	Stream path 'VBA/NetCDF4Excel_Menu' : found possibly 'WScript.Shell' functions environment, popup, environ
Source: ~DF88F2325B87F19935.TMP.4.dr	Stream path 'VBA/NetCDF4Excel_Common' : found possibly 'WScript.Shell' functions environment, run, environ
Source: ~DF88F2325B87F19935.TMP.4.dr	Stream path 'VBA/NetCDF4Excel_Menu' : found possibly 'WScript.Shell' functions environment, popup, environ

Source: NetCDF4Excel_2007.xlsm.0.dr	OLE, VBA macro line: ncId = NC_OpenFile(ncFileName, NC_NOWRITE)
Source: NetCDF4Excel_2007.xlsm.0.dr	OLE, VBA macro line: nc_close ncId
Source: NetCDF4Excel_2007.xlsm.0.dr	OLE, VBA macro line: ncId = NC_OpenFile(ncFileName, NC_NOWRITE)
Source: NetCDF4Excel_2007.xlsm.0.dr	OLE, VBA macro line: nc_close ncId
Source: NetCDF4Excel_2007.xlsm.0.dr	OLE, VBA macro line: ' ncId = NC_OpenFile(ncFileName, NC_NOWRITE)
Source: NetCDF4Excel_2007.xlsm.0.dr	OLE, VBA macro line: ' nc_close ncId
Source: NetCDF4Excel_2007.xlsm.0.dr	OLE, VBA macro line: ' nc_close ncId
Source: NetCDF4Excel_2007.xlsm.0.dr	OLE, VBA macro line: ncId = NC_OpenFile(ncFileName, NC_NOWRITE)
Source: NetCDF4Excel_2007.xlsm.0.dr	OLE, VBA macro line: nc_close ncId
Source: NetCDF4Excel_2007.xlsm.0.dr	OLE, VBA macro line: ncId = NC_OpenFile(ncFileName, NC_NOWRITE)
Source: NetCDF4Excel_2007.xlsm.0.dr	OLE, VBA macro line: nc_close ncId
Source: NetCDF4Excel_2007.xlsm.0.dr	OLE, VBA macro line: ' ncId = NC_OpenFile(ncFileName, NC_NOWRITE)
Source: NetCDF4Excel_2007.xlsm.0.dr	OLE, VBA macro line: ' nc_close ncId
Source: NetCDF4Excel_2007.xlsm.0.dr	OLE, VBA macro line: Public Const ERR_NBR__CANT_OPEN_NC_FILE As Long = 600
Source: NetCDF4Excel_2007.xlsm.0.dr	OLE, VBA macro line: Public Const ERR_MSG__CANT_OPEN_NC_FILE As String = "Cannot open Netcdf file"
Source: NetCDF4Excel_2007.xlsm.0.dr	OLE, VBA macro line: 'If nc_close(ncId) <> 0 Then
Source: NetCDF4Excel_2007.xlsm.0.dr	OLE, VBA macro line: 'If nc_open(ncFileName, NC_WRITE, ncId) <> 0 Then
Source: NetCDF4Excel_2007.xlsm.0.dr	OLE, VBA macro line: Err.Raise ERR_NBR__CANT_OPEN_NC_FILE, "NC_CreateFile", ERR_MSG__CANT_OPEN_NC_FILE & " " & ncFileName
Source: NetCDF4Excel_2007.xlsm.0.dr	OLE, VBA macro line: nc_close ncId
Source: NetCDF4Excel_2007.xlsm.0.dr	OLE, VBA macro line: NC_CreateFile = NC_OpenFile(ncFileName, NC_WRITE)
Source: NetCDF4Excel_2007.xlsm.0.dr	OLE, VBA macro line: Public Function NC_OpenFile(ByVal ncFileName As String, ByVal mode As Long) As Long
Source: NetCDF4Excel_2007.xlsm.0.dr	OLE, VBA macro line: If nc_open(ncFileName, mode, ncId) <> NC_NOERR Then
Source: NetCDF4Excel_2007.xlsm.0.dr	OLE, VBA macro line: Err.Raise ERR_NBR__CANT_OPEN_NC_FILE, "NC_OpenFile", ERR_MSG__CANT_OPEN_NC_FILE & " " & ncFileName
Source: NetCDF4Excel_2007.xlsm.0.dr	OLE, VBA macro line: NC_OpenFile = ncId
Source: NetCDF4Excel_2007.xlsm.0.dr	OLE, VBA macro line: Public Declare Function nc_open Lib "VbNc.dll" (ByVal path As String, ByVal mode As Long, ByRef ncId As Long) As Long
Source: NetCDF4Excel_2007.xlsm.0.dr	OLE, VBA macro line: Public Declare Function nc_close Lib "VbNc.dll" (ByVal ncId As Long) As Long
Source: NetCDF4Excel_2007.xlsm.0.dr	OLE, VBA macro line: Attribute VB_Name = "NetCDF4Excel_Layout"
Source: NetCDF4Excel_2007.xlsm.0.dr	OLE, VBA macro line: ncId = NC_OpenFile(ncFileName, NC_WRITE)
Source: NetCDF4Excel_2007.xlsm.0.dr	OLE, VBA macro line: nc_close ncId
Source: NetCDF4Excel_2007.xlsm.0.dr	OLE, VBA macro line: Sub Workbook_Open()
Source: NetCDF4Excel_2007.xlsm.0.dr	OLE, VBA macro line: Sub Workbook_BeforeClose(Cancel As Boolean)
Source: 1AC88B16.tmp.4.dr	OLE, VBA macro line: ncId = NC_OpenFile(ncFileName, NC_NOWRITE)
Source: 1AC88B16.tmp.4.dr	OLE, VBA macro line: nc_close ncId
Source: 1AC88B16.tmp.4.dr	OLE, VBA macro line: ncId = NC_OpenFile(ncFileName, NC_NOWRITE)
Source: 1AC88B16.tmp.4.dr	OLE, VBA macro line: nc_close ncId
Source: 1AC88B16.tmp.4.dr	OLE, VBA macro line: ' ncId = NC_OpenFile(ncFileName, NC_NOWRITE)
Source: 1AC88B16.tmp.4.dr	OLE, VBA macro line: ' nc_close ncId
Source: 1AC88B16.tmp.4.dr	OLE, VBA macro line: ' nc_close ncId
Source: 1AC88B16.tmp.4.dr	OLE, VBA macro line: ncId = NC_OpenFile(ncFileName, NC_NOWRITE)
Source: 1AC88B16.tmp.4.dr	OLE, VBA macro line: nc_close ncId
Source: 1AC88B16.tmp.4.dr	OLE, VBA macro line: ncId = NC_OpenFile(ncFileName, NC_NOWRITE)
Source: 1AC88B16.tmp.4.dr	OLE, VBA macro line: nc_close ncId
Source: 1AC88B16.tmp.4.dr	OLE, VBA macro line: ' ncId = NC_OpenFile(ncFileName, NC_NOWRITE)
Source: 1AC88B16.tmp.4.dr	OLE, VBA macro line: ' nc_close ncId
Source: 1AC88B16.tmp.4.dr	OLE, VBA macro line: Public Const ERR_NBR__CANT_OPEN_NC_FILE As Long = 600
Source: 1AC88B16.tmp.4.dr	OLE, VBA macro line: Public Const ERR_MSG__CANT_OPEN_NC_FILE As String = "Cannot open Netcdf file"
Source: 1AC88B16.tmp.4.dr	OLE, VBA macro line: 'If nc_close(ncId) <> 0 Then
Source: 1AC88B16.tmp.4.dr	OLE, VBA macro line: 'If nc_open(ncFileName, NC_WRITE, ncId) <> 0 Then
Source: 1AC88B16.tmp.4.dr	OLE, VBA macro line: Err.Raise ERR_NBR__CANT_OPEN_NC_FILE, "NC_CreateFile", ERR_MSG__CANT_OPEN_NC_FILE & " " & ncFileName
Source: 1AC88B16.tmp.4.dr	OLE, VBA macro line: nc_close ncId
Source: 1AC88B16.tmp.4.dr	OLE, VBA macro line: NC_CreateFile = NC_OpenFile(ncFileName, NC_WRITE)
Source: 1AC88B16.tmp.4.dr	OLE, VBA macro line: Public Function NC_OpenFile(ByVal ncFileName As String, ByVal mode As Long) As Long
Source: 1AC88B16.tmp.4.dr	OLE, VBA macro line: If nc_open(ncFileName, mode, ncId) <> NC_NOERR Then
Source: 1AC88B16.tmp.4.dr	OLE, VBA macro line: Err.Raise ERR_NBR__CANT_OPEN_NC_FILE, "NC_OpenFile", ERR_MSG__CANT_OPEN_NC_FILE & " " & ncFileName
Source: 1AC88B16.tmp.4.dr	OLE, VBA macro line: NC_OpenFile = ncId
Source: 1AC88B16.tmp.4.dr	OLE, VBA macro line: Public Declare Function nc_open Lib "VbNc.dll" (ByVal path As String, ByVal mode As Long, ByRef ncId As Long) As Long
Source: 1AC88B16.tmp.4.dr	OLE, VBA macro line: Public Declare Function nc_close Lib "VbNc.dll" (ByVal ncId As Long) As Long
Source: 1AC88B16.tmp.4.dr	OLE, VBA macro line: Attribute VB_Name = "NetCDF4Excel_Layout"
Source: 1AC88B16.tmp.4.dr	OLE, VBA macro line: ncId = NC_OpenFile(ncFileName, NC_WRITE)
Source: 1AC88B16.tmp.4.dr	OLE, VBA macro line: nc_close ncId
Source: 1AC88B16.tmp.4.dr	OLE, VBA macro line: Sub Workbook_Open()
Source: 1AC88B16.tmp.4.dr	OLE, VBA macro line: Sub Workbook_BeforeClose(Cancel As Boolean)
Source: ~DF88F2325B87F19935.TMP.4.dr	OLE, VBA macro line: ncId = NC_OpenFile(ncFileName, NC_NOWRITE)
Source: ~DF88F2325B87F19935.TMP.4.dr	OLE, VBA macro line: nc_close ncId
Source: ~DF88F2325B87F19935.TMP.4.dr	OLE, VBA macro line: ncId = NC_OpenFile(ncFileName, NC_NOWRITE)
Source: ~DF88F2325B87F19935.TMP.4.dr	OLE, VBA macro line: nc_close ncId
Source: ~DF88F2325B87F19935.TMP.4.dr	OLE, VBA macro line: ' ncId = NC_OpenFile(ncFileName, NC_NOWRITE)
Source: ~DF88F2325B87F19935.TMP.4.dr	OLE, VBA macro line: ' nc_close ncId
Source: ~DF88F2325B87F19935.TMP.4.dr	OLE, VBA macro line: ' nc_close ncId
Source: ~DF88F2325B87F19935.TMP.4.dr	OLE, VBA macro line: ncId = NC_OpenFile(ncFileName, NC_NOWRITE)
Source: ~DF88F2325B87F19935.TMP.4.dr	OLE, VBA macro line: nc_close ncId
Source: ~DF88F2325B87F19935.TMP.4.dr	OLE, VBA macro line: ncId = NC_OpenFile(ncFileName, NC_NOWRITE)
Source: ~DF88F2325B87F19935.TMP.4.dr	OLE, VBA macro line: nc_close ncId
Source: ~DF88F2325B87F19935.TMP.4.dr	OLE, VBA macro line: ' ncId = NC_OpenFile(ncFileName, NC_NOWRITE)
Source: ~DF88F2325B87F19935.TMP.4.dr	OLE, VBA macro line: ' nc_close ncId
Source: ~DF88F2325B87F19935.TMP.4.dr	OLE, VBA macro line: Public Const ERR_NBR__CANT_OPEN_NC_FILE As Long = 600
Source: ~DF88F2325B87F19935.TMP.4.dr	OLE, VBA macro line: Public Const ERR_MSG__CANT_OPEN_NC_FILE As String = "Cannot open Netcdf file"
Source: ~DF88F2325B87F19935.TMP.4.dr	OLE, VBA macro line: 'If nc_close(ncId) <> 0 Then
Source: ~DF88F2325B87F19935.TMP.4.dr	OLE, VBA macro line: 'If nc_open(ncFileName, NC_WRITE, ncId) <> 0 Then
Source: ~DF88F2325B87F19935.TMP.4.dr	OLE, VBA macro line: Err.Raise ERR_NBR__CANT_OPEN_NC_FILE, "NC_CreateFile", ERR_MSG__CANT_OPEN_NC_FILE & " " & ncFileName
Source: ~DF88F2325B87F19935.TMP.4.dr	OLE, VBA macro line: nc_close ncId
Source: ~DF88F2325B87F19935.TMP.4.dr	OLE, VBA macro line: NC_CreateFile = NC_OpenFile(ncFileName, NC_WRITE)
Source: ~DF88F2325B87F19935.TMP.4.dr	OLE, VBA macro line: Public Function NC_OpenFile(ByVal ncFileName As String, ByVal mode As Long) As Long
Source: ~DF88F2325B87F19935.TMP.4.dr	OLE, VBA macro line: If nc_open(ncFileName, mode, ncId) <> NC_NOERR Then
Source: ~DF88F2325B87F19935.TMP.4.dr	OLE, VBA macro line: Err.Raise ERR_NBR__CANT_OPEN_NC_FILE, "NC_OpenFile", ERR_MSG__CANT_OPEN_NC_FILE & " " & ncFileName
Source: ~DF88F2325B87F19935.TMP.4.dr	OLE, VBA macro line: NC_OpenFile = ncId
Source: ~DF88F2325B87F19935.TMP.4.dr	OLE, VBA macro line: Public Declare Function nc_open Lib "VbNc.dll" (ByVal path As String, ByVal mode As Long, ByRef ncId As Long) As Long
Source: ~DF88F2325B87F19935.TMP.4.dr	OLE, VBA macro line: Public Declare Function nc_close Lib "VbNc.dll" (ByVal ncId As Long) As Long
Source: ~DF88F2325B87F19935.TMP.4.dr	OLE, VBA macro line: Attribute VB_Name = "NetCDF4Excel_Layout"
Source: ~DF88F2325B87F19935.TMP.4.dr	OLE, VBA macro line: ncId = NC_OpenFile(ncFileName, NC_WRITE)
Source: ~DF88F2325B87F19935.TMP.4.dr	OLE, VBA macro line: nc_close ncId
Source: ~DF88F2325B87F19935.TMP.4.dr	OLE, VBA macro line: Sub Workbook_Open()
Source: ~DF88F2325B87F19935.TMP.4.dr	OLE, VBA macro line: Sub Workbook_BeforeClose(Cancel As Boolean)

Source: NetCDF4Excel_3_3_setup.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal60.expl.evad.winEXE@5/21@0/1

Source: C:\Users\user\Desktop\NetCDF4Excel_3_3_setup.exe

File created: C:\Program Files (x86)\NetCDF4Excel

Jump to behavior

Source: C:\Users\user\Desktop\NetCDF4Excel_3_3_setup.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\NetCDF4Excel

Jump to behavior

Source: C:\Users\user\Desktop\NetCDF4Excel_3_3_setup.exe

File created: C:\Users\user\AppData\Local\Temp\nsf5BB9.tmp

Jump to behavior

Source: NetCDF4Excel_2007.xlsm.0.dr	Stream path 'VBA/NetCDF4Excel' : VBA code
Source: NetCDF4Excel_2007.xlsm.0.dr	Stream path 'VBA/NetCDF4Excel_Common' : VBA code
Source: NetCDF4Excel_2007.xlsm.0.dr	Stream path 'VBA/NetCDF4Excel_Filter' : VBA code
Source: NetCDF4Excel_2007.xlsm.0.dr	Stream path 'VBA/NetCDF4Excel_Interface' : VBA code
Source: NetCDF4Excel_2007.xlsm.0.dr	Stream path 'VBA/NetCDF4Excel_Layout' : VBA code
Source: NetCDF4Excel_2007.xlsm.0.dr	Stream path 'VBA/NetCDF4Excel_Menu' : VBA code
Source: NetCDF4Excel_2007.xlsm.0.dr	Stream path 'VBA/NetCDF4Excel_Read' : VBA code
Source: NetCDF4Excel_2007.xlsm.0.dr	Stream path 'VBA/NetCDF4Excel_Write' : VBA code
Source: 1AC88B16.tmp.4.dr	Stream path 'VBA/NetCDF4Excel' : VBA code
Source: 1AC88B16.tmp.4.dr	Stream path 'VBA/NetCDF4Excel_Common' : VBA code
Source: 1AC88B16.tmp.4.dr	Stream path 'VBA/NetCDF4Excel_Filter' : VBA code
Source: 1AC88B16.tmp.4.dr	Stream path 'VBA/NetCDF4Excel_Interface' : VBA code
Source: 1AC88B16.tmp.4.dr	Stream path 'VBA/NetCDF4Excel_Layout' : VBA code
Source: 1AC88B16.tmp.4.dr	Stream path 'VBA/NetCDF4Excel_Menu' : VBA code
Source: 1AC88B16.tmp.4.dr	Stream path 'VBA/NetCDF4Excel_Read' : VBA code
Source: 1AC88B16.tmp.4.dr	Stream path 'VBA/NetCDF4Excel_Write' : VBA code
Source: ~DF88F2325B87F19935.TMP.4.dr	Stream path 'VBA/NetCDF4Excel' : VBA code
Source: ~DF88F2325B87F19935.TMP.4.dr	Stream path 'VBA/NetCDF4Excel_Common' : VBA code
Source: ~DF88F2325B87F19935.TMP.4.dr	Stream path 'VBA/NetCDF4Excel_Filter' : VBA code
Source: ~DF88F2325B87F19935.TMP.4.dr	Stream path 'VBA/NetCDF4Excel_Interface' : VBA code
Source: ~DF88F2325B87F19935.TMP.4.dr	Stream path 'VBA/NetCDF4Excel_Layout' : VBA code
Source: ~DF88F2325B87F19935.TMP.4.dr	Stream path 'VBA/NetCDF4Excel_Menu' : VBA code
Source: ~DF88F2325B87F19935.TMP.4.dr	Stream path 'VBA/NetCDF4Excel_Read' : VBA code
Source: ~DF88F2325B87F19935.TMP.4.dr	Stream path 'VBA/NetCDF4Excel_Write' : VBA code

Source: NetCDF4Excel_3_3_setup.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\NetCDF4Excel_3_3_setup.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\NetCDF4Excel_3_3_setup.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\NetCDF4Excel_3_3_setup.exe

File read: C:\Users\user\Desktop\NetCDF4Excel_3_3_setup.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\NetCDF4Excel_3_3_setup.exe "C:\Users\user\Desktop\NetCDF4Excel_3_3_setup.exe"
Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 8192
Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Program Files (x86)\NetCDF4Excel\NetCDF4Excel_2007.xlsm"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 8192	Jump to behavior

Source: C:\Users\user\Desktop\NetCDF4Excel_3_3_setup.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\NetCDF4Excel_3_3_setup.exe	Section loaded: acgenral.dll	Jump to behavior
Source: C:\Users\user\Desktop\NetCDF4Excel_3_3_setup.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\NetCDF4Excel_3_3_setup.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\NetCDF4Excel_3_3_setup.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\NetCDF4Excel_3_3_setup.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Users\user\Desktop\NetCDF4Excel_3_3_setup.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\NetCDF4Excel_3_3_setup.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\NetCDF4Excel_3_3_setup.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\NetCDF4Excel_3_3_setup.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\NetCDF4Excel_3_3_setup.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\NetCDF4Excel_3_3_setup.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\NetCDF4Excel_3_3_setup.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\NetCDF4Excel_3_3_setup.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\NetCDF4Excel_3_3_setup.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\NetCDF4Excel_3_3_setup.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\NetCDF4Excel_3_3_setup.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\NetCDF4Excel_3_3_setup.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Users\user\Desktop\NetCDF4Excel_3_3_setup.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\Desktop\NetCDF4Excel_3_3_setup.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\NetCDF4Excel_3_3_setup.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\NetCDF4Excel_3_3_setup.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\NetCDF4Excel_3_3_setup.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\NetCDF4Excel_3_3_setup.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\NetCDF4Excel_3_3_setup.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\NetCDF4Excel_3_3_setup.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\NetCDF4Excel_3_3_setup.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\NetCDF4Excel_3_3_setup.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\NetCDF4Excel_3_3_setup.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\NetCDF4Excel_3_3_setup.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\NetCDF4Excel_3_3_setup.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\NetCDF4Excel_3_3_setup.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\NetCDF4Excel_3_3_setup.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\NetCDF4Excel_3_3_setup.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\NetCDF4Excel_3_3_setup.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\NetCDF4Excel_3_3_setup.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\NetCDF4Excel_3_3_setup.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\NetCDF4Excel_3_3_setup.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\NetCDF4Excel_3_3_setup.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\Desktop\NetCDF4Excel_3_3_setup.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\Desktop\NetCDF4Excel_3_3_setup.exe	Section loaded: cscapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\NetCDF4Excel_3_3_setup.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: NetCDF4Excel_2007.xlsm.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files (x86)\NetCDF4Excel\NetCDF4Excel_2007.xlsm
Source: NetCDF4Excel_2007.xlsm.lnk0.0.dr	LNK file: ..\..\..\Program Files (x86)\NetCDF4Excel\NetCDF4Excel_2007.xlsm
Source: Uninstall.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files (x86)\NetCDF4Excel\uninstaller.exe

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

Window found: window name: SysTabControl32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\NetCDF4Excel_3_3_setup.exe

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

File opened: C:\Program Files (x86)\Microsoft Office\root\vfs\SystemX86\MSVCR100.dll

Jump to behavior

Data Obfuscation

Document contains an embedded VBA with many GOTO operations indicating source code obfuscation

Source: NetCDF4Excel_2007.xlsm.0.dr	Stream path 'VBA/NetCDF4Excel_Layout' : High number of GOTO operations
Source: 1AC88B16.tmp.4.dr	Stream path 'VBA/NetCDF4Excel_Layout' : High number of GOTO operations
Source: ~DF88F2325B87F19935.TMP.4.dr	Stream path 'VBA/NetCDF4Excel_Layout' : High number of GOTO operations

Document contains an embedded VBA with many string operations indicating source code obfuscation

Source: NetCDF4Excel_2007.xlsm.0.dr	Stream path 'VBA/NetCDF4Excel_Layout' : High number of string operations
Source: NetCDF4Excel_2007.xlsm.0.dr	Stream path 'VBA/NetCDF4Excel_Write' : High number of string operations
Source: 1AC88B16.tmp.4.dr	Stream path 'VBA/NetCDF4Excel_Layout' : High number of string operations
Source: 1AC88B16.tmp.4.dr	Stream path 'VBA/NetCDF4Excel_Write' : High number of string operations
Source: ~DF88F2325B87F19935.TMP.4.dr	Stream path 'VBA/NetCDF4Excel_Layout' : High number of string operations
Source: ~DF88F2325B87F19935.TMP.4.dr	Stream path 'VBA/NetCDF4Excel_Write' : High number of string operations

Source: C:\Users\user\Desktop\NetCDF4Excel_3_3_setup.exe	File created: C:\Program Files (x86)\NetCDF4Excel\VbNc.dll			Jump to dropped file
Source: C:\Users\user\Desktop\NetCDF4Excel_3_3_setup.exe	File created: C:\Program Files (x86)\NetCDF4Excel\uninstaller.exe			Jump to dropped file

Source: C:\Users\user\Desktop\NetCDF4Excel_3_3_setup.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\NetCDF4Excel	Jump to behavior
Source: C:\Users\user\Desktop\NetCDF4Excel_3_3_setup.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\NetCDF4Excel\Uninstall.lnk	Jump to behavior
Source: C:\Users\user\Desktop\NetCDF4Excel_3_3_setup.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\NetCDF4Excel\NetCDF4Excel_2007.xlsm.lnk	Jump to behavior

Source: C:\Users\user\Desktop\NetCDF4Excel_3_3_setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NetCDF4Excel_3_3_setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NetCDF4Excel_3_3_setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NetCDF4Excel_3_3_setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NetCDF4Excel_3_3_setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NetCDF4Excel_3_3_setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NetCDF4Excel_3_3_setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NetCDF4Excel_3_3_setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NetCDF4Excel_3_3_setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\NetCDF4Excel_3_3_setup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\NetCDF4Excel\VbNc.dll			Jump to dropped file
Source: C:\Users\user\Desktop\NetCDF4Excel_3_3_setup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\NetCDF4Excel\uninstaller.exe			Jump to dropped file

Source: C:\Windows\splwow64.exe

Thread delayed: delay time: 120000

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\NetCDF4Excel_3_3_setup.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NetCDF4Excel_3_3_setup.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NetCDF4Excel_3_3_setup.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	51 Scripting	Valid Accounts	Windows Management Instrumentation	51 Scripting	1 Process Injection	2 Masquerading	OS Credential Dumping	1 Process Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Registry Run Keys / Startup Folder	1 Registry Run Keys / Startup Folder	1 Virtualization/Sandbox Evasion	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 DLL Side-Loading	1 DLL Side-Loading	1 Process Injection	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	12 System Information Discovery	Distributed Component Object Model	Input Capture	2 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
NetCDF4Excel_3_3_setup.exe	0%	ReversingLabs

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Program Files (x86)\NetCDF4Excel\VbNc.dll	0%	ReversingLabs
C:\Program Files (x86)\NetCDF4Excel\uninstaller.exe	2%	ReversingLabs

Source	Detection	Scanner	Label	Link
http://nsis.sf.net/NSIS_Error	0%	URL Reputation	safe
http://nsis.sf.net/NSIS_ErrorError	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
s-part-0032.t-0009.t-msedge.net	13.107.246.60	true	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.gnu.0org/	~DF88F2325B87F19935.TMP.4.dr	false		unknown
http://www.gnu.o	~DF88F2325B87F19935.TMP.4.dr	false		unknown
http://www.gnu.or	~DF88F2325B87F19935.TMP.4.dr	false		unknown
http://nsis.sf.net/NSIS_Error	NetCDF4Excel_3_3_setup.exe, uninstaller.exe.0.dr	false	URL Reputation: safe	unknown
http://nsis.sf.net/NSIS_ErrorError	NetCDF4Excel_3_3_setup.exe, uninstaller.exe.0.dr	false	URL Reputation: safe	unknown
https://raw.githubusercontent.com/jakearchibald/es6-promise/master/LICENSE	WefGallery[1]0.4.dr	false		unknown
http://www.gnu.orgF/	~DF88F2325B87F19935.TMP.4.dr	false		unknown
http://www.gnu.org/licenses/	~DF88F2325B87F19935.TMP.4.dr	false		unknown
https://github.com/OfficeDev/office-js/blob/release/LICENSE.md	WefGallery[1]0.4.dr	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
13.107.246.60	s-part-0032.t-0009.t-msedge.net	United States		8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1543738
Start date and time:	2024-10-28 11:02:22 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 40s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	26
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	NetCDF4Excel_3_3_setup.exe
Detection:	MAL
Classification:	mal60.expl.evad.winEXE@5/21@0/1
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, WmiPrvSE.exe, svchost.exe, TextInputHost.exe
Excluded IPs from analysis (whitelisted): 52.109.32.97, 52.109.68.129, 52.113.194.132, 184.28.90.27, 95.101.111.168, 95.101.111.132, 20.42.73.31, 184.27.96.43
Excluded domains from analysis (whitelisted): fp.msedge.net, e1324.dscd.akamaiedge.net, afdxtest.z01.azurefd.net, slscr.update.microsoft.com, templatesmetadata.office.net.edgekey.net, otelrules.afd.azureedge.net, eur.roaming1.live.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, onedscolprdeus21.eastus.cloudapp.azure.com, ecs-office.s-0005.s-msedge.net, roaming.officeapps.live.com, ocsp.digicert.com, login.live.com, e16604.g.akamaiedge.net, frc-azsc-000.roaming.officeapps.live.com, officeclient.microsoft.com, ukw-azsc-config.officeapps.live.com, prod.fs.microsoft.com.akadns.net, www.bing.com, ecs.office.com, self-events-data.trafficmanager.net, fs.microsoft.com, otelrules.azureedge.net, prod.configsvc1.live.com.akadns.net, self.events.data.microsoft.com, osiprod-frc-buff-azsc-000.francecentral.cloudapp.azure.com, uci.cdn.office.net, ctldl.windowsupdate.com, prod.roaming1.live.com.akadns.net, s-0005-office.config.skype.com, fe3cr.delivery.mp.m
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: NetCDF4Excel_3_3_setup.exe

Simulations

Behavior and APIs

Time	Type	Description
06:04:07	API Interceptor	1x Sleep call for process: splwow64.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
13.107.246.60	https://protect-us.mimecast.com/s/wFHoCqxrAnt7V914iZaD1v	Get hash	malicious	Unknown	Browse	www.mimecast.com/Customers/Support/Contact-support/
13.107.246.60	http://wellsfargo.dealogic.com/clientportal/Conferences/Registration/Form/368?menuItemId=5	Get hash	malicious	Unknown	Browse	wellsfargo.dealogic.com/clientportal/Conferences/Registration/Form/368?menuItemId=5

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s-part-0032.t-0009.t-msedge.net	Sars Urgent Notice.pdf	Get hash	malicious	Unknown	Browse	13.107.246.60
	file.exe	Get hash	malicious	LummaC, Amadey, AsyncRAT, LummaC Stealer, Stealc, XWorm	Browse	13.107.246.60
	17300404843e9a9cd60c979d5f31f87fd3507a95184b8c8f214e012399211d3578c4cc4181584.dat-decoded.exe	Get hash	malicious	Remcos	Browse	13.107.246.60
	https://link.edgepilot.com/s/e9b35021/KNsrNVGwOUukNjaKm_560w?u=https://publicidadnicaragua.com/	Get hash	malicious	Unknown	Browse	13.107.246.60
	9jJ4aVtoHG.vbs	Get hash	malicious	LonePage	Browse	13.107.246.60
	j6qRCRPE7S.ps1	Get hash	malicious	Metasploit	Browse	13.107.246.60
	https://www.google.co.uk/url?q=38pQvvq6xRyj7Y00xDjnlx9kIHOSozurMOiaAkImPuQJnOIWtJjqJLi6stjtDz3yh&rct=tTPSrMOiaAkImPuQJnOIWtJjqJLi6stjtFX08pQvvq6xRyj7Y00xDjnlx9kIjusucT&sa=t&url=amp/taxigiarebienhoa.vn/nini/ybmex/captcha/Z3VsYW1yYXN1bC5jaGVwdXdhbGFAY2V2YWxvZ2lzdGljcy5jb20	Get hash	malicious	HTMLPhisher, Mamba2FA	Browse	13.107.246.60
	https://docs.google.com/drawings/d/1agK-6fGF4y65hrPDNlHipoTNyumPU-yxdwKLkQWhsQI/preview?pli=1oPV9kwbB7UH4rAmZq9HDFgMGAo29Qgv7cs7YEbgh9nHpcsGxk5oPV9kwbB7UH4rAmZq9HDFgMGAo29Qgv7cs7YEbgh9nHpcsGxk5oPV9kwbB7UH4rAmZq9HDFgMGAo29Qgv7cs7YEbgh9nHpcsGxk5oPV9kwbB7UH4rAmZq9HDFgMGAo29Qgv7cs7YEbgh9nHpcsGxk5oPV9kwbB7UH4rAmZq9HDFgMGAo29Qgv7cs7YEbgh9nHpcsGxk5oPV9kwbB7UH4rAmZq9HDFgMGAo29Qgv7cs7YEbgh9nHpcsGxk5oPV9kwbB7UH4rAmZq9HDFgMGAo29Qgv7cs7YEbgh9nHpcsGxk5oPV9kwbB7UH4rAmZq9HDFgMGAo29Qgv7cs7YEbgh9nHpcsGxk5oPV9kwbB7UH4rAmZq9HDFgMGAo29Qgv7cs7YEbgh9nHpcsGxk5oPV9kwbB7UH4rAmZq9HDFgMGAo29Qgv7cs7YEbgh9nHpcsGxk5oPV9kwbB7UH4rAmZq9HDFgMGAo29Qgv7cs7YEbgh9nHpcsGxk5oPV9kwbB7UH4rAmZq9HDFgMGAo29Qgv7cs7YEbgh9nHpcsGxk5oPV9kwbB7UH4rAmZq9HDFgMGAo29Qgv7cs7YEbgh9nHpcsGxk5oPV9kwbB7UH4rAmZq9HDFgMGAo29Qgv7cs7YEbgh9nHpcsGxk5oPV9kwbB7UH4rAmZq9HDFgMGAo29Qgv7cs7YEbgh9nHpcsGxk5oPV9kwbB7UH4rAmZq9HDFgMGAo29Qgv7cs7YEbgh9nHpcsGxk5oPV9kwbB7UH4rAmZq9HDFgMGAo29Qgv7cs7YEbgh9nHpcsGxk5oPV9kwbB7UH4rAmZq9HDFgMGAo29Qgv7cs7YEbgh9nHpcsGxk5oPV9kwbB7UH4rAmZq9HDFgMGAo29Qgv7cs7YEbgh9nHpcsGxk5oPV9kwbB7UH4rAmZq9HDFgMGAo29Qgv7cs7YEbgh9nHpcsGxk5oPV9kwbB7UH4rAmZq9HDFgMGAo29Qgv7cs7YEbgh9nHpcsGxk5oPV9kwbB7UH4rAmZq9HDFgMGAo29Qgv7cs7YEbgh9nHpcsGxk5oPV9kwbB7UH4rAmZq9HDFgMGAo29Qgv7cs7YEbgh9nHpcsGxk5oPV9kwbB7UH4rAmZq9HDFgMGAo29Qgv7cs7YEbgh9nHpcsGxk5oPV9kwbB7UH4rAmZq9HDFgMGAo29Qgv7cs7YEbgh9nHpcsGxk5oPV9kwbB7UH4rAmZq9HDFgMGAo29Qgv7cs7YEbgh9nHpcsGxk5oPV9kwbB7UH4rAmZq9HDFgMGAo29Qgv7cs7YEbgh9nHpcsGxk5oPV9kwbB7UH4rAmZq9HDFgMGAo29Qgv7cs7YEbgh9nHpcsGxk5oPV9kwbB7UH4rAmZq9HDFgMGAo29Qgv7cs7YEbgh9nHpcsGxk5oPV9kwbB7UH4rAmZq9HDFgMGAo29Qgv7cs7YEbgh9nHpcsGxk5oPV9kwbB7UH4rAmZq9HDFgMGAo29Qgv7cs7YEbgh9nHpcsGxk5oPV9kwbB7UH4rAmZq9HDFgMGAo29Qgv7cs7YEbgh9nHpcsGxk5oPV9kwbB7UH4rAmZq9HDFgMGAo29Qgv7cs7YEbgh9nHpcsGxk5oPV9kwbB7UH4rAmZq9HDFgMGAo29Qgv7cs7YEbgh9nHpcsGxk5oPV9kwbB7UH4rAmZq9HDFgMGAo29Qgv7cs7YEbgh9nHpcsGxk5oPV9kwbB7UH4rAmZq9HDFgMGAo29Qgv7cs7YEbgh9nHpcsGxk5oPV9kwbB7UH4rAmZq9HDFgMGAo29Qgv7cs7YE	Get hash	malicious	Unknown	Browse	13.107.246.60
	https://link.edgepilot.com/s/8e0e5379/EMW5cxymxkqj1qgquAdAJg?u=https://1drv.ms/o/c/67a50aba8b4bc7df/Es0QkMhT9wJGqs_vzb8xaRQBgzED6dWk5_dCMe34N16rYQ?e=5%253aTtRWoI%26sharingv2=true%26fromShare=true%26at=9&c=E,1,DNZ_Csfpwg3nzWxVo2TSq2LzcEM3C6hdkfA-QbvL5dwYrcj0RsSt_vroZV-UqAThZkP5E_WMmdbQ82a_nveA3iNTPpg_CIcQxQFCbK60ykcRIVrxnkr2VnkbdtuE&typo=1	Get hash	malicious	Unknown	Browse	13.107.246.60
	https://23.245.109.208.host.secureserver.net/E5V7V5K0D7J7U1G8T1M8U3B4G7B4C0Y7M4M4N1J5K4K6Y6N5R4&c=E,1,OlGTQS9-XwC2vBMWr7I6ylXZJam5iCAEz8vCZAxOsyVrFii_1IhqZZqiTz_dLP-ondxd1F0_mQoffiXjC_RNTQQ_48xVwrK55zuEfYrxqUa2Wr6UOEIpqcM,&typo=1	Get hash	malicious	Unknown	Browse	13.107.246.60

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
MICROSOFT-CORP-MSN-AS-BLOCKUS	https://startuppro.wethemez.com/o/?c3Y9bzM2NV8xX25vbSZyYW5kPVVXdzRVWEk9JnVpZD1VU0VSMjExMDIwMjRVNTIxMDIxNTI=N0123	Get hash	malicious	HTMLPhisher, Mamba2FA	Browse	13.107.253.45
	Sars Urgent Notice.pdf	Get hash	malicious	Unknown	Browse	13.107.246.60
	la.bot.sh4.elf	Get hash	malicious	Mirai	Browse	51.116.106.35
	la.bot.mipsel.elf	Get hash	malicious	Unknown	Browse	40.76.30.86
	la.bot.sparc.elf	Get hash	malicious	Unknown	Browse	52.153.222.253
	la.bot.powerpc.elf	Get hash	malicious	Unknown	Browse	21.241.133.135
	la.bot.arm.elf	Get hash	malicious	Unknown	Browse	22.214.93.31
	nabarm5.elf	Get hash	malicious	Unknown	Browse	52.253.38.74
	nklm68k.elf	Get hash	malicious	Unknown	Browse	22.204.37.93
	la.bot.m68k.elf	Get hash	malicious	Unknown	Browse	52.233.221.45

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	file.exe	Get hash	malicious	LummaC	Browse	13.107.246.60
	file.exe	Get hash	malicious	LummaC	Browse	13.107.246.60
	file.exe	Get hash	malicious	LummaC	Browse	13.107.246.60
	S6DgRF1SSD.xlsx	Get hash	malicious	Unknown	Browse	13.107.246.60
	file.exe	Get hash	malicious	LummaC	Browse	13.107.246.60
	file.exe	Get hash	malicious	LummaC	Browse	13.107.246.60
	file.exe	Get hash	malicious	LummaC	Browse	13.107.246.60
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc	Browse	13.107.246.60
	file.exe	Get hash	malicious	LummaC	Browse	13.107.246.60
	file.exe	Get hash	malicious	LummaC	Browse	13.107.246.60

Process:	C:\Users\user\Desktop\NetCDF4Excel_3_3_setup.exe
File Type:	Microsoft Excel 2007+
Category:	dropped
Size (bytes):	299329
Entropy (8bit):	7.984080930078783
Encrypted:	false
SSDEEP:	6144:rJshnnRODnrjXOCzsFD2orxJjNEiPHbzPI1fIQIuMsJDKapivqEjy0AOS:6VnknrjX36XrxJx7U1NIuJJDlwvPjbS
MD5:	51787F4529E0447B43CAB3DBD9217670
SHA1:	F1C79713F4616C81DCEAB560D7573AD4E7A29F70
SHA-256:	0CBA1642B60A9F1E5F5D42365784F4CCD07F62314A9BB9462911AA1F5DBD419F
SHA-512:	F734F2819476A2F5D63BCC0DD0C201766F8EB5A7605B18C44B2C5A813E0CD72ECFF3070337989ECDABFB342AD061E19044F06327A10DEB9D3E1D5472DC5E781D
Malicious:	false
Reputation:	low
Preview:	PK..........!....e....J.......[Content_Types].xml ...(....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................T.N.0..#....(v.B...v.# ..0.....my...NRX`U.EpI.O....L/6]..X..S=Q.F....F.....UE..AH...ER.....6#U...Q-s.n...; .2F.,R..,M...%....)2F...P..O\.C..r#.;%s.U.c._O.(.9x.,B.:..H.Xx...N.5..E...\.0.[d.c..^..>F..JK. .Z..D....G.w..w-.(.au......f..c*.yJ+}.....j.X.z.;.%]F..........Ifx.......F.d.....Mh...%.0#.....nw.c.-.t.,}..r...Gt..pS.o...'P.l7u.%.o.}m%.)..d..~........aa..G. .,.O........6.&.........PK..........!..U0#....L..

C:\Program Files (x86)\NetCDF4Excel\VbNc.dll

Download File

Process:	C:\Users\user\Desktop\NetCDF4Excel_3_3_setup.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	612864
Entropy (8bit):	4.238089772511394
Encrypted:	false
SSDEEP:	6144:ONAYQxNDLOYDEf1qvS/nPGTmkijOcprYwW2W/HrA4oG:OKLgqvS/nPGKkEW2W/HrA4oG
MD5:	AA317384D9366CD7F0CB792BCAD0F03A
SHA1:	8578CE3BD193F7E451684AB37C67955EAE3BB1E6
SHA-256:	3CAA6169055AFBA19FFBF41FB838980406390123A84C0B5EE0A4CA0908FE493E
SHA-512:	2E052A9EC8020A101AEA88073F60448564F18834306CECEF2AE18462FAE6B1CB1A65C6ACBEAADEC73509E44B1B556E4E8CE7F0D2D680A905F4B6F839D668B30D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........U.{...{...{..[5S..{....`..{....U..{....X..{...{...{....a.M{....P..{....V..{..Rich.{..................PE..L......U...........!.........R......Mh....... ..........................................................................-.......(....`.......................p.. :......................................@............ ..0............................text............................... ..`.rdata....... ......................@..@.data....2... ......................@....rsrc........`......................@..@.reloc..`C...p...D..................@..B................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\NetCDF4Excel\uninstaller.exe

Download File

Process:	C:\Users\user\Desktop\NetCDF4Excel_3_3_setup.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	dropped
Size (bytes):	36743
Entropy (8bit):	6.329585173465404
Encrypted:	false
SSDEEP:	768:AHJd0TpH2+bQ2dUWVX9Hfv1JMWmtLEJOyuBxG0D3mjfS3XJXJRnm3MwPi46gOW:ApgpHzb9dZVX9fHMvG0D3XJIMwKcl
MD5:	EBC369144EC4BCBCBCA6D08077943250
SHA1:	7FB1B3827F4E6A03F9601FF8EA18CECB33B13D18
SHA-256:	6A64A2D3555DBB7388B66CFB71FBA6D9756C416197E50D1EEC5958C82C3242CE
SHA-512:	A82703653AD1974BF37A0F1DD03A8E88E3B190973AF04347499C6813C5266AED268A43D9AACDFA73C0C07A083A2DD05EB501B1758E8CC2FD9F7B7175E7D4F5A7
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 2%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..iu..i..iw..iu..i...i..id..i!..i...i...it..iRichu..i........................PE..L......K.................^...........0.......p....@..........................................................................t.......p...............................................................................p...............................text...L\.......^.................. ..`.rdata.......p.......b..............@..@.data...X\...........v..............@....ndata...................................rsrc........p.......z..............@..@................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\DOMStore\R6H1M60R\osfintl[1].xml

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	13
Entropy (8bit):	2.469670487371862
Encrypted:	false
SSDEEP:	3:D90aKb:JFKb
MD5:	C1DDEA3EF6BBEF3E7060A1A9AD89E4C5
SHA1:	35E3224FCBD3E1AF306F2B6A2C6BBEA9B0867966
SHA-256:	B71E4D17274636B97179BA2D97C742735B6510EB54F22893D3A2DAFF2CEB28DB
SHA-512:	6BE8CEC7C862AFAE5B37AA32DC5BB45912881A3276606DA41BF808A4EF92C318B355E616BF45A257B995520D72B7C08752C0BE445DCEADE5CF79F73480910FED
Malicious:	false
Reputation:	high, very likely benign file
Preview:	<root></root>

C:\Users\user\AppData\Local\Microsoft\Office\Features\1-7FeatureCache.txt (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	764
Entropy (8bit):	2.71278771083604
Encrypted:	false
SSDEEP:	12:IAMInvpKJHKmr4P7IpJ7SS+iIEKACn2GZn2QYO3QqAvpX5Cwo5WHWn:SInvpKAmr4olDKA8xpiOnAvJ5poIHWn
MD5:	AC38086FFCA4775AE13DCD996C96941E
SHA1:	040B88E66E3D661DA2BD5CD1476E7770642E115A
SHA-256:	5B9DF6F914394674538AE737C6EBF3447CC2B6F28D11448B75A346C295462CB9
SHA-512:	9A18066847E0D2E36F4E692899DC6B87F5CC7CD7F56FE56C6EE319DA6D136CDD0FE505CF5271EB35FA9A3DF665A25E0BD339C51AB3258A7EC66C4739C7510BD4
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1.7.8.8.6.5.8.,.1.1.9.6.3.7.8.,.3.7.4.6.3.7.6.,.2.5.5.0.5.0.8.8.,.1.2.5.,.1.1.9.,.3.0.0.4.9.2.6.8.,.;.3.2.9.4.5.8.7.9.9.,.3.7.4.6.3.7.8.,.3.0.1.5.3.7.2.1.,.6.3.6.4.3.3.4.,.2.3.7.1.6.5.1.,.6.5.4.0.2.1.5.,.2.4.6.0.9.2.5.8.,.1.0.4.9.5.2.3.4.,.4.0.6.9.3.5.8.2.,.6.3.6.4.3.1.8.,.3.0.1.2.3.4.6.6.,.6.3.7.1.6.9.4.,.2.7.1.5.3.4.9.7.,.5.9.2.2.3.4.2.3.,.1.5.6.1.9.5.8.,.5.7.9.9.9.6.6.1.,.5.8.4.2.5.8.6.0.,.2.7.3.6.0.0.9.5.,.6.3.0.6.3.0.9.9.,.6.3.6.4.3.3.7.,.6.3.6.4.3.3.0.,.6.1.7.0.7.3.0.7.,.6.3.6.4.3.3.1.,.6.7.4.8.3.9.6.1.4.,.3.3.7.9.1.6.2.,.1.6.5.7.4.5.3.,.4.7.3.8.2.9.4.8.,.1.6.5.7.4.5.2.,.1.0.6.9.5.5.2.,.5.2.9.1.0.0.0.0.,.1.3.5.2.5.8.6.,.1.7.7.1.6.5.7.,.1.3.5.2.5.8.7.,.1.0.2.3.8.6.4.,.1.0.2.3.6.3.8.,.6.3.7.1.6.9.5.,.4.8.1.9.5.5.3.8.,.1.4.6.1.9.5.3.,.6.3.6.4.3.3.2.,.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\1AC88B16.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
File Type:	Microsoft Excel 2007+
Category:	dropped
Size (bytes):	299329
Entropy (8bit):	7.984080930078783
Encrypted:	false
SSDEEP:	6144:rJshnnRODnrjXOCzsFD2orxJjNEiPHbzPI1fIQIuMsJDKapivqEjy0AOS:6VnknrjX36XrxJx7U1NIuJJDlwvPjbS
MD5:	51787F4529E0447B43CAB3DBD9217670
SHA1:	F1C79713F4616C81DCEAB560D7573AD4E7A29F70
SHA-256:	0CBA1642B60A9F1E5F5D42365784F4CCD07F62314A9BB9462911AA1F5DBD419F
SHA-512:	F734F2819476A2F5D63BCC0DD0C201766F8EB5A7605B18C44B2C5A813E0CD72ECFF3070337989ECDABFB342AD061E19044F06327A10DEB9D3E1D5472DC5E781D
Malicious:	false
Preview:	PK..........!....e....J.......[Content_Types].xml ...(....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................T.N.0..#....(v.B...v.# ..0.....my...NRX`U.EpI.O....L/6]..X..S=Q.F....F.....UE..AH...ER.....6#U...Q-s.n...; .2F.,R..,M...%....)2F...P..O\.C..r#.;%s.U.c._O.(.9x.,B.:..H.Xx...N.5..E...\.0.[d.c..^..>F..JK. .Z..D....G.w..w-.(.au......f..c*.yJ+}.....j.X.z.;.%]F..........Ifx.......F.d.....Mh...%.0#.....nw.c.-.t.,}..r...Gt..pS.o...'P.l7u.%.o.}m%.)..d..~........aa..G. .,.O........6.&.........PK..........!..U0#....L..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\5IQBCSP1\WefGalleryExcel[1]

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	2305
Entropy (8bit):	5.063068378811868
Encrypted:	false
SSDEEP:	48:mc5s03UppOX4DduIuoI5XJmEiTu7JumJp1:mc5VUpUoQI12EEiUAmd
MD5:	ACF3E62C1EEC75FB18E9BCA42A6B2608
SHA1:	32CC4E20C74C77C45F2C1C0A1B3920ED16B2E125
SHA-256:	07833DB8AAF1660C735620BE6F608D2E41D0F0151C2F72F4F1451D9B868FC18F
SHA-512:	B67F17A0665FB83A44488EC166D32C3B0A7D02CDE82E4643373290D0A220D4FBD8FE914107B7BE93228AB2F41AAA5B7BA947C89AE453FED0B044DAB479BD56B2
Malicious:	false
Preview:	h1#MainTitle..{....color:#217346;..}....a.TabSelected{....color:#217346;..}....div.Moe.mouseover div.MoeInner{....border-color:#217346;..}....div.Moe.click div.MoeInner{....border-color:#439467 ;..}....div.Moe.selected div.MoeInner{....border-color:#439467 ;....background-color:#e9f5ee;..}....div.Moe.selected.NotFocused div.MoeInner{....border-color:#E6E6E6;..background-color:#E6E6E6;..}.....menuOption:hover, .menuOption:focus {....background-color:#e9f5ee;..}.....HostSpecificBorderColor {....border:1px solid #217346;..}.....primaryButton..{....background: #107C41;..border: 1px solid #107C41;..}.....primaryButton:hover..{..background: #0F703B;..border: 1px solid #0F703B;..}.....primaryButton:active..{..background: #0C5F32;..border: 1px solid #0C5F32;..}....input#BtnAction:focus, input#BtnCancel:focus, input#BtnTrustAll:focus, input#BtnDone:focus..{..border-color: #86bfa0;..background-color: #e9f5ee;..outline: 2px dashed transparent !important;..}....input#BtnAction:hover, input#BtnCanc

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\5IQBCSP1\office[1]

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
File Type:	PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	257
Entropy (8bit):	6.660043218977592
Encrypted:	false
SSDEEP:	6:6v/lhPKLMR/bLhD+vpAttqgzOIvGbhYj4eqns0Svx7K5/2up:6v/7iQ/bcxAtwgzHwhUySy2c
MD5:	E0D4EAA6ED11E2285415EF1C30BA9E08
SHA1:	272D0E61E811F72B9067DAA0189733C9E5641F94
SHA-256:	8179FFC94A6C0ABD5C7C59713548D46B93AE57B99C8DCF691331C759926639E9
SHA-512:	8F8F4BD438BE980691DB85924EA9BB5AEA1DE6928CBFD64F8553F4FC04E5ACB70CFD95AE45945C02CA398614BAB71DDF241E54970D8505196D1090C22997A91E
Malicious:	false
Preview:	.PNG........IHDR... ... .....szz.....sRGB.........gAMA......a.....IDATXG.Q..0..........&.I<.G.+...q.(T....h..j..54)b.x}Jby...z.&p....a.5<..c<...Cy?..h.5].T@e*L...%.....x E!a.b.......:.R-... .`.....Zp$F.jp..<Fcs...Z.u.......y...a.H.<.p.....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\96LGQ1XY\BusinessBarClose_16x16x32[1]

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	991
Entropy (8bit):	6.037826998475618
Encrypted:	false
SSDEEP:	24:K1hpunQWwjx82lY2T32HEVDFyJ3VUbMG9+nH6/:oitNn2VKJ3+Im/
MD5:	71CE8D1B7EF3522D38AD8DD7D9DC3394
SHA1:	9B346607A84236D3BA7492873E21F3050418A297
SHA-256:	524E0AF170BB1D03E5DF87B58DF28A623F3533DFC95A203AB46829F315B57089
SHA-512:	F8436C8C954B53ECF6CF71323FE7C769ACBECDA2C5149D7B1F223B07D0EDF9A576C1D7F5C44EA49241C9F9795BCA43FA845FA886A142BA06A2CD4C1B4B78287F
Malicious:	false
Preview:	.PNG........IHDR................a....tEXtSoftware.Adobe ImageReadyq.e<... iTXtXML:com.adobe.xmp.....<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c060 61.134777, 2010/02/12-17:32:00 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS5 Windows" xmpMM:InstanceID="xmp.iid:99632CDD585711E1BDED974F503933DF" xmpMM:DocumentID="xmp.did:99632CDE585711E1BDED974F503933DF"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:99632CDB585711E1BDED974F503933DF" stRef:documentID="xmp.did:99632CDC585711E1BDED974F503933DF"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>.......UIDATx..RA.. .k>.G...A.....N2u.!H...C.3.....Uu.%..n...".......B.R... . 6..- ...+..0...'...0A....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\96LGQ1XY\WefGallery[1]

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	16334
Entropy (8bit):	4.9329405724384925
Encrypted:	false
SSDEEP:	192:6LcuqEsHND0b6bXUj1DG32CcMY4v1ueo0c+5z/4bmoYRDvfIvcgPG2TJ+ghnKW7d:vu9Li32ClYqA/0c+5zgbm4DCA+ukfZq
MD5:	7D3CA0B71EAD908BF9750D2C88B211F3
SHA1:	3B3EBFEA7BFFCFAE841D090F88850818395D6DB6
SHA-256:	CA3A5FC287AEA79797ED659772C1A166D0C961344FA4EE161CC1C21A818EF90D
SHA-512:	1DB2274B6DA6B01636822340E409EC64E17812BD0BF8A41B98CA550C7FB9E70219F7983DFE55E5982FF2A15EE0BE3788778E349D45B64E0C2D73FF7FEBE9C985
Malicious:	false
Preview:	html {.... overflow:hidden;....}....body..{ .. height: 100%;.. width: 100%;.. overflow:hidden;.... margin:0px 0px 0px 0px;.. padding:0px 0px 0px 0px;.... font-size:62.5%;.. font-family: 'Segoe UI', Candara, 'Bitstream Vera Sans';.. color:#505050;.... scrollbar-base-color:white;.. scrollbar-arrow-color:#ababab;.. scrollbar-lightshadow-color:#ababab;.. scrollbar-highlight-color:#ababab;.. scrollbar-darkshadow-color:white;.. scrollbar-track-color:white;.. scrollbar-background-color:white;.. scrollbar-face-color:white;..}....div#Header {.. position: absolute;.. top:0;.. bottom:0;.. left:0;.. overflow: hidden;.. height: 62px;.. width:100%;..}....h1#MainTitle{.. height:32px;.. overflow:hidden;.. cursor: default;.. display: inline;..}....div#Options{.. height:30px;..}....div#GalleryContainer..{.. position:absolute;.. top:53px;.. left:0px;.. right:0px;.. bottom:70px;.. width: 100%;..}..di

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GO30WR0E\WefGalleryExcelInsert[1]

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
File Type:	HTML document, ASCII text, with very long lines (314), with CRLF line terminators
Category:	dropped
Size (bytes):	8241
Entropy (8bit):	4.316001082728262
Encrypted:	false
SSDEEP:	96:B2nO6XrHoSNmTuJnd+isMUS0C9FkDq7Zpx49VEHx9TPNKG3M5:B2nO6bH5mCcLA2Dq7vx4rEHe
MD5:	4E4E295BE041F417CC82E73C595B4F35
SHA1:	14C4A17CF6BDCAB0CCA4CE23621BF88EF2393F27
SHA-256:	A8C19723CF2D3086C6167DF9D5B0757D1521637F9045DE3E3579684C64F06254
SHA-512:	78D9484E0B74F426D469046D6BBF916436239670934C58405FA8D468F23ED500320BBFF3BCFD3D642FA96C297B7802E64BA394DDAABC25593F3EDB0F1C064F45
Malicious:	false
Preview:	......<!DOCTYPE html>..<html dir="ltr">..<head>.. <title>Office Add-ins</title>.. <meta http-equiv="X-UA-Compatible" content="IE=10" charset="UTF-8"/>.... CSS for MOE dialog shared by all apps -->.. <link rel="stylesheet" href="WefGallery.css" type="text/css" />.. CSS w/ distinct color values for each app -->.. <link rel="stylesheet" href="WefGalleryExcel.css" type="text/css" />.. <script type="text/javascript">window.Type=Function;Type.registerNamespace=function(ns){window[ns]={};};Type.prototype.registerClass=function(cls){cls={};};</script>.. <script type="text/javascript" src="wefgallery_strings.js"></script>.. <script type="text/javascript" src="WefGallery.js"></script>....</head>.. For backward compatibility, we will keep showIt() for a while -->....<body onload="WEF.showIt ? WEF.showIt() : showIt()">.... <div id="MainPage">.. <header>.. <div id="Header">.... Title changes depending on context -

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GO30WR0E\WefGallery[1]

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
File Type:	ASCII text, with very long lines (64712), with CRLF line terminators
Category:	dropped
Size (bytes):	89597
Entropy (8bit):	5.278023439047551
Encrypted:	false
SSDEEP:	1536:SKM3or4YtF/6fWd3jgTOk/ULeY0BgrIIt7iBbcVozTsl+bYneo+WjmQ+kvlOX7G4:SZ3orT+cByE3S
MD5:	B466CBD20CF729088641FE8B058EFF7E
SHA1:	C905FC5730D40192E61FBDF02ACDCFB53EB43BF9
SHA-256:	37D5AC391F281B123C5E444380D9508898F83BCABE4CFA858BA7D70D95209834
SHA-512:	685378A7890C607CFAB3DDF98B0DBE0E1B0530FA15D5F58D29CB0563DE3BC236C3494101291EBECC376920B0115E697412D74A6BC614BB04EF0404966711C3CA
Malicious:	false
Preview:	/* Office rich client gallery insertion dialog JavaScript file /..../...Copyright (c) Microsoft Corporation. All rights reserved.../....../.. Your use of this file is governed by the license terms for the Microsoft Office JavaScript (Office.js) API library: https://github.com/OfficeDev/office-js/blob/release/LICENSE.md.... This file also contains the following Promise implementation (with a few small modifications):.. * @overview es6-promise - a tiny implementation of Promises/A+... * @copyright Copyright (c) 2014 Yehuda Katz, Tom Dale, Stefan Penner and contributors (Conversion to ES6 API by Jake Archibald).. * @license Licensed under MIT license.. * See https://raw.githubusercontent.com/jakearchibald/es6-promise/master/LICENSE.. * @version 2.3.0..*/..var __extends=this&&this.__extends\|\|function(){var a=function(c,b){a=Object.setPrototypeOf\|\|{__proto__:[]}instanceof Array&&function(b,a){b.__proto__=a}\|\|function(c,a){for(var

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NB937L4Q\Progress[1]

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
File Type:	GIF image data, version 89a, 24 x 24
Category:	dropped
Size (bytes):	644
Entropy (8bit):	5.690497137948888
Encrypted:	false
SSDEEP:	12:Hs5RMsljEstEsVEsl3Est3EshEsZrI3TjYEAxEoOZp+sy+mQn/E:Hi22jEUEME23E+3EoEQIjY7dOZ8kmME
MD5:	F2983BB5EE7EE6482736051893B0C7E6
SHA1:	B9EF21FB58A310E6D8B5A6DC38F7CC85E8659071
SHA-256:	79B48A07E8B202282BD8EC6AB7AAC909EAA359DA349FE822FAC69E1F6E2991EC
SHA-512:	B21D8BF1D699780F2EF6CF5B25EA43393A32D258CCEAEBA1AB5E0E40CCF555C3BA838F4C20AC88AA9348C6C66E9D780D4D01A02CCD6999FEF3C36F64DD5381DE
Malicious:	false
Preview:	GIF89a.......R.B...!..NETSCAPE2.0.....!.......,............`..Q.!.......,............`..Q.!.......,............`..Q.!.......,............`..Q.!.......,............`..Q.!.......,............`..Q.!.......,............`..Q.!.......,.................dp.,.....H.....;..!.......,..........6......dp.,....Q.V.G......Sl7B.9ci......'.Mw4.'....!.......,..........2......dp.,...QP.Td......F.[...v..?y...."......!.......,..........*.....bz2..>w..Q.4..J.........-.....(..!.......,.......... ...x........b.n..".q.Y...^jt.R..!.......,..............x........b.n..".q.Y..R..!.......,..............x........b.nV..!.......,............`..Q.;

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NB937L4Q\wefgallery_strings[1]

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
File Type:	ASCII text, with very long lines (10137), with no line terminators
Category:	dropped
Size (bytes):	10137
Entropy (8bit):	4.993484894207701
Encrypted:	false
SSDEEP:	192:cX6QVyqQMVSJic0WZaAhr7dNTKg0+0x0F0f0q020t0G0L0HzRsm/gjsKdL8FAVg2:6WZ3+gzgmIB/wnEEz72
MD5:	C74BB02F292585B3915182AA95F86327
SHA1:	DAF36C0FFAF21FD31CA10524053BFB31677CFC33
SHA-256:	2CBFA8494775EC17493039E7A50B078CF416B0EAF501046221C0F3370D83A0AA
SHA-512:	EAB3BA9D17A9B6740FB31491657CFEEC4F1AAFEF9818FD0BD3B051D80B12D95C2BD4ECE84E80253B200179190538D4C74CC24D2EE2075F506C573E3D3753DF9C
Malicious:	false
Preview:	Type.registerNamespace("Strings");Strings.wefgallery=function(){};Strings.wefgallery.registerClass("Strings.wefgallery");Strings.wefgallery.L_AccessDeniedError="Access denied to catalog. ";Strings.wefgallery.L_Action_Button_Text="Add";Strings.wefgallery.L_Action_Button_Txt_Tooltip="Add";Strings.wefgallery.L_Action_Button_Txt_Tooltip_Outlook="Start";Strings.wefgallery.L_AddinCommands_ChooseManifest_Txt="Choose your add-in manifest";Strings.wefgallery.L_AddinCommands_DeveloperFeature_Txt="This feature is for developers to test their add-ins.";Strings.wefgallery.L_AddinCommands_LearnMore_Link="Learn more.";Strings.wefgallery.L_AddinCommands_MyAccount_Txt="My Account";Strings.wefgallery.L_AddinCommands_UploadAddin_Txt="Upload Add-in";Strings.wefgallery.L_AddinCommands_UploadMyAddin_Txt="Upload My Add-in";Strings.wefgallery.L_AddinsHasLoadingErrors="One or more add-ins failed to load.";Strings.wefgallery.L_Browse_Button_Txt="Browse...";Strings.wefgallery.L_Cancel_Button_Text="Close";Strings

C:\Users\user\AppData\Local\Temp\9EABC9EF.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	764
Entropy (8bit):	2.71278771083604
Encrypted:	false
SSDEEP:	12:IAMInvpKJHKmr4P7IpJ7SS+iIEKACn2GZn2QYO3QqAvpX5Cwo5WHWn:SInvpKAmr4olDKA8xpiOnAvJ5poIHWn
MD5:	AC38086FFCA4775AE13DCD996C96941E
SHA1:	040B88E66E3D661DA2BD5CD1476E7770642E115A
SHA-256:	5B9DF6F914394674538AE737C6EBF3447CC2B6F28D11448B75A346C295462CB9
SHA-512:	9A18066847E0D2E36F4E692899DC6B87F5CC7CD7F56FE56C6EE319DA6D136CDD0FE505CF5271EB35FA9A3DF665A25E0BD339C51AB3258A7EC66C4739C7510BD4
Malicious:	false
Preview:	1.7.8.8.6.5.8.,.1.1.9.6.3.7.8.,.3.7.4.6.3.7.6.,.2.5.5.0.5.0.8.8.,.1.2.5.,.1.1.9.,.3.0.0.4.9.2.6.8.,.;.3.2.9.4.5.8.7.9.9.,.3.7.4.6.3.7.8.,.3.0.1.5.3.7.2.1.,.6.3.6.4.3.3.4.,.2.3.7.1.6.5.1.,.6.5.4.0.2.1.5.,.2.4.6.0.9.2.5.8.,.1.0.4.9.5.2.3.4.,.4.0.6.9.3.5.8.2.,.6.3.6.4.3.1.8.,.3.0.1.2.3.4.6.6.,.6.3.7.1.6.9.4.,.2.7.1.5.3.4.9.7.,.5.9.2.2.3.4.2.3.,.1.5.6.1.9.5.8.,.5.7.9.9.9.6.6.1.,.5.8.4.2.5.8.6.0.,.2.7.3.6.0.0.9.5.,.6.3.0.6.3.0.9.9.,.6.3.6.4.3.3.7.,.6.3.6.4.3.3.0.,.6.1.7.0.7.3.0.7.,.6.3.6.4.3.3.1.,.6.7.4.8.3.9.6.1.4.,.3.3.7.9.1.6.2.,.1.6.5.7.4.5.3.,.4.7.3.8.2.9.4.8.,.1.6.5.7.4.5.2.,.1.0.6.9.5.5.2.,.5.2.9.1.0.0.0.0.,.1.3.5.2.5.8.6.,.1.7.7.1.6.5.7.,.1.3.5.2.5.8.7.,.1.0.2.3.8.6.4.,.1.0.2.3.6.3.8.,.6.3.7.1.6.9.5.,.4.8.1.9.5.5.3.8.,.1.4.6.1.9.5.3.,.6.3.6.4.3.3.2.,.

C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	152056
Entropy (8bit):	4.414609354448307
Encrypted:	false
SSDEEP:	1536:fmmqLzolWWpFpKKHAeedydju4HTbTuo+o5aQxJudUl9yhQL3ow:f8g8WpFpKKHHedydFeo+oQLUlPow
MD5:	B798E55B488583C294B46960AD75733D
SHA1:	C1F67A67A79239B0802BF3B0BE998B03AFAA0FF5
SHA-256:	9E76808FFC0223B907301343ECC555DB5264611173EDFC3B73731A7EC307ECD8
SHA-512:	C824AF111E617AA849CEBF386F24BB5A551E49BB45DE21617FDAA0F8E260A52C907039659A7555E59689938D841ED923AC615A69AECB3B8D7BB81750C2BF72B3
Malicious:	false
Preview:	MSFT................Q................................$......$....... ...................d.......,...........X....... ...........L...........x.......@...........l.......4...........`.......(...........T...................H...........t.......<...........h.......0...........\.......$...........P...........\|.......D...........p.......8...........d.......,...........X....... ...........L...........x.......@........ ..l ... ..4!...!...!..`"..."..(#...#...#..T$...$...%...%...%..H&...&...'..t'...'..<(...(...)..h)...)..0......*..\+...+..$,...,...,..P-...-......\|.......D/.../...0..p0...0..81...1...2..d2...2..,3...3...3..X4...4.. 5...5...5..L6...6...7..x7...7..@8...8...9..l9...9..4:...:...:..`;...;..(<...<...<..T=...=...>...>...>..H?...?...@..t@...@..<A...A...B..hB.......B...........^...............g...............W...............F..............<G...............g...............i...I..............T..................................................................................................

C:\Users\user\AppData\Local\Temp\~DF091FBA1044B213DC.TMP

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF88F2325B87F19935.TMP

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	687616
Entropy (8bit):	5.120502088819989
Encrypted:	false
SSDEEP:	12288:Z3zXMjWZnvFJUQWPeV1pN11yTLjeLVRULD0H4Lyb:RvnvFiBaN1YTLjeLVRULD0H4Lyb
MD5:	1839182199BC48F8703E5F789C24948A
SHA1:	3DB8465B6126CC75873F4EC6A4D4D7A363BC867D
SHA-256:	3626AE47ACB9E8686CB3B544CE15D03B0F8BFF0CBBF0EE22E25F00AC5E6AC62A
SHA-512:	BAE5F6224D3E86A99305EACC0F5D2AFFF80B3975F7E95F938DF50D695A55CACFD77AD6628E3AE1E52FE34BE5BF11C503A132325D6B3E47DD71A17F0036E8A928
Malicious:	false
Preview:	......................>.......................................................z.......f.......}...~...3...4...5.......................................................................................................................................................................................................................................................................................................................................................................................................................X.......................S...e....................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R.......T...U...V...W...Y...o...Z...[...\...]...^..._...`...a...b...c...d...f...r...g...h...i...j...k...l...m...n...p.......q...s...y...t...u...v...w...x...........

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\NetCDF4Excel\NetCDF4Excel_2007.xlsm.lnk

Download File

Process:	C:\Users\user\Desktop\NetCDF4Excel_3_3_setup.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Wed Aug 23 17:06:12 2017, mtime=Mon Oct 28 09:02:57 2024, atime=Wed Aug 23 17:06:12 2017, length=299329, window=hide
Category:	dropped
Size (bytes):	1194
Entropy (8bit):	4.616008007502834
Encrypted:	false
SSDEEP:	24:8mCufjE86bdOEvWZGbNNWZcAjD5UdjWZXWZfdjWZJUUNnqygm:8mCKA8+dOy9bHwjWdjsmdj3Lyg
MD5:	F365B17DD8FB6864269150259886A313
SHA1:	64C30799390B210E166B458BF03A307F2FDCA13C
SHA-256:	0118E50EA8AE1C31B1DBF22549B4DA1BE49BC003617A6A4D795FCBCFF5BD4327
SHA-512:	C00D4D7FE4046F961AE03352256C8FA319D52839C16FB4163C596ACD9A15923769DFDCD5C4C9A1D3385C963576A783326245AB9F2A9EB5A5F677FBE8ED8D13D0
Malicious:	false
Preview:	L..................F.... ....B.:...`... )...B.:...A............................P.O. .:i.....+00.../C:\.....................1.....\Y]P..PROGRA~2.........O.I\Y]P....................V.....t.".P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....b.1.....\Y]P..NETCDF~1..J......\Y]P\Y]P....3.....................\|f..N.e.t.C.D.F.4.E.x.c.e.l.....z.2.A....K. .NETCDF~1.XLS..^.......K.\Y]P....o.........................N.e.t.C.D.F.4.E.x.c.e.l._.2.0.0.7...x.l.s.m.......i...............-.......h...........{........C:\Program Files (x86)\NetCDF4Excel\NetCDF4Excel_2007.xlsm..R.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.N.e.t.C.D.F.4.E.x.c.e.l.\.N.e.t.C.D.F.4.E.x.c.e.l._.2.0.0.7...x.l.s.m.#.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.N.e.t.C.D.F.4.E.x.c.e.l.........*................@Z\|...K.J.........`.......X.......648351...........hT..CrF.f4... ....F...../....%..hT..CrF.f4... ....F...../....%.............1SPS.XF

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\NetCDF4Excel\Uninstall.lnk

Download File

Process:	C:\Users\user\Desktop\NetCDF4Excel_3_3_setup.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Mon Oct 28 09:02:57 2024, mtime=Mon Oct 28 09:02:57 2024, atime=Mon Oct 28 09:02:57 2024, length=36743, window=hide
Category:	dropped
Size (bytes):	1159
Entropy (8bit):	4.621597619044172
Encrypted:	false
SSDEEP:	24:8ms/OaffsEPbdOEaWZAdxqMAQ7oidjWZV0djWZJUUNHqygm:8mIOG/PbdO3zxqLQ7Fdjs0dj3zyg
MD5:	86CAE7AE002D5AD166F4E188063AA52F
SHA1:	0DC781A12A7A222587A7C32C7830C60FEF06B3DB
SHA-256:	9DC79D507E855079E033B2F6CCD160D94912840822BFCC1163EA996EC819C355
SHA-512:	87A7B877DE4416F0DA983946157771763980AC071F43CDF8D74B7E21D390090439EC592BBF9EC3F67D02DB40425C495110A226D547F24A27ABC87F9063822727
Malicious:	false
Preview:	L..................F.... ...... )...C.. )...C.. )...............................P.O. .:i.....+00.../C:\.....................1.....\YXP..PROGRA~2.........O.I\YXP....................V.......^.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....b.1.....\Y]P..NETCDF~1..J......\Y]P\Y]P....3.....................t.".N.e.t.C.D.F.4.E.x.c.e.l.....l.2.....\Y]P .UNINST~1.EXE..P......\Y]P\Y]P....p.....................r...u.n.i.n.s.t.a.l.l.e.r...e.x.e.......b...............-.......a...........{........C:\Program Files (x86)\NetCDF4Excel\uninstaller.exe..K.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.N.e.t.C.D.F.4.E.x.c.e.l.\.u.n.i.n.s.t.a.l.l.e.r...e.x.e.#.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.N.e.t.C.D.F.4.E.x.c.e.l.........*................@Z\|...K.J.........`.......X.......648351...........hT..CrF.f4... ....F...../....%..hT..CrF.f4... ....F...../....%.............1SPS.XF.L8C....&.m.q............/...S.-.1.

C:\Users\user\Desktop\NetCDF4Excel_2007.xlsm.lnk

Download File

Process:	C:\Users\user\Desktop\NetCDF4Excel_3_3_setup.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Wed Aug 23 17:06:12 2017, mtime=Mon Oct 28 09:02:57 2024, atime=Wed Aug 23 17:06:12 2017, length=299329, window=hide
Category:	dropped
Size (bytes):	1158
Entropy (8bit):	4.650596454473784
Encrypted:	false
SSDEEP:	24:8mCufjE86bdOEvWZGbNNWZcAjD4djWZXWZfdjWZJUUNnqygm:8mCKA8+dOy9bHwj0djsmdj3Lyg
MD5:	4D21BDB2A707D2CFBC5A1B9660DD5A20
SHA1:	93A10490FD580525A1FF4CAD56BE6F95E2C1E31F
SHA-256:	E67656F2C4A56E23D9B0775EC6595FB77C8D206666763228C306C71BE2FE46E5
SHA-512:	CB2B2528A5F55D6CBEC7A192593BB57B1766C0A010814D1668DBD5775D897D565F7AB7238D623F99FD9C5874D1DEBD3A5147D7901E5954ABE11041C9A64052FA
Malicious:	false
Preview:	L..................F.... ....B.:...`... )...B.:...A............................P.O. .:i.....+00.../C:\.....................1.....\Y]P..PROGRA~2.........O.I\Y]P....................V.....t.".P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....b.1.....\Y]P..NETCDF~1..J......\Y]P\Y]P....3.....................\|f..N.e.t.C.D.F.4.E.x.c.e.l.....z.2.A....K. .NETCDF~1.XLS..^.......K.\Y]P....o.........................N.e.t.C.D.F.4.E.x.c.e.l._.2.0.0.7...x.l.s.m.......i...............-.......h...........{........C:\Program Files (x86)\NetCDF4Excel\NetCDF4Excel_2007.xlsm..@.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.N.e.t.C.D.F.4.E.x.c.e.l.\.N.e.t.C.D.F.4.E.x.c.e.l._.2.0.0.7...x.l.s.m.#.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.N.e.t.C.D.F.4.E.x.c.e.l.........*................@Z\|...K.J.........`.......X.......648351...........hT..CrF.f4... ....F...../....%..hT..CrF.f4... ....F...../....%.............1SPS.XF.L8C....&.m.q............/...S.-.1.-

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.961687234981633
TrID:	Win32 Executable (generic) a (10002005/4) 92.16% NSIS - Nullsoft Scriptable Install System (846627/2) 7.80% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	NetCDF4Excel_3_3_setup.exe
File size:	466'718 bytes
MD5:	943ea0a62b581f8e132b1fc33e04804d
SHA1:	a28e6d970f44ce8e0fad92d6b86bf1ff5cbe9e75
SHA256:	d7e140540766c60ed61f6ed9e0bb3c09cc3363d35bc6803c062a6e7f61db385a
SHA512:	466e8ed70d43cb653de7003d29858a9284cd05f267efb57743f0bd805af15f12e298a4a3c37bc45f5c5fac9a538e1a9f0bf2b49de6759c9a45ac884ba499e430
SSDEEP:	6144:We34PdN0OJv1Tq5A//V97sOv2H1YfxnLYOv70ZsFD3q9siXBzrId+IQIuM3JDKaA:a3liA//VCOu7g3q9siRg2IuoJDl1mHd
TLSH:	87A4234ECBD18497C65749F02AF6176DF7F4A00670B00A1B8F18AF267879C16BF35A09
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..iu..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i........................PE..L......K.................^.........

File Icon


Icon Hash:	3d2e0f95332b3399

Static PE Info

General

Entrypoint:	0x4030fa
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x4B1AE3CC [Sat Dec 5 22:50:52 2009 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	7fa974366048f9c551ef45714595665e

Entrypoint Preview

Instruction
sub esp, 00000180h
push ebx
push ebp
push esi
xor ebx, ebx
push edi
mov dword ptr [esp+18h], ebx
mov dword ptr [esp+10h], 00409160h
xor esi, esi
mov byte ptr [esp+14h], 00000020h
call dword ptr [00407030h]
push 00008001h
call dword ptr [004070B0h]
push ebx
call dword ptr [0040727Ch]
push 00000008h
mov dword ptr [0042EC18h], eax
call 00007F76C58C60E6h
mov dword ptr [0042EB64h], eax
push ebx
lea eax, dword ptr [esp+34h]
push 00000160h
push eax
push ebx
push 00428F98h
call dword ptr [00407158h]
push 00409154h
push 0042E360h
call 00007F76C58C5D99h
call dword ptr [004070ACh]
mov edi, 00434000h
push eax
push edi
call 00007F76C58C5D87h
push ebx
call dword ptr [0040710Ch]
cmp byte ptr [00434000h], 00000022h
mov dword ptr [0042EB60h], eax
mov eax, edi
jne 00007F76C58C34FCh
mov byte ptr [esp+14h], 00000022h
mov eax, 00434001h
push dword ptr [esp+14h]
push eax
call 00007F76C58C587Ah
push eax
call dword ptr [0040721Ch]
mov dword ptr [esp+1Ch], eax
jmp 00007F76C58C3555h
cmp cl, 00000020h
jne 00007F76C58C34F8h
inc eax
cmp byte ptr [eax], 00000020h
je 00007F76C58C34ECh
cmp byte ptr [eax], 00000022h
mov byte ptr [eax+eax+00h], 00000000h

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x74b0	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x37000	0xa10	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x7000	0x28c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x5c4c	0x5e00	856b32eb77dfd6fb67f21d6543272da5	False	0.6697140957446809	data	6.440105549497952	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x7000	0x129c	0x1400	dc77f8a1e6985a4361c55642680ddb4f	False	0.43359375	data	5.046835307909969	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x9000	0x25c58	0x400	7922d4ce117d7d5b3ac2cffe4b0b5e4f	False	0.5849609375	data	4.801003752715384	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x2f000	0x8000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x37000	0xa10	0xc00	3ee3444addf655760b01fcfc1d05bc31	False	0.3460286458333333	data	3.018530929308683	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x371c0	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	English	United States	0.42473118279569894
RT_DIALOG	0x374a8	0x100	data	English	United States	0.5234375
RT_DIALOG	0x375a8	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0x376c8	0xb6	data	English	United States	0.7307692307692307
RT_DIALOG	0x37780	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x377e0	0x14	data	English	United States	1.2
RT_VERSION	0x377f8	0x218	data	English	United States	0.5242537313432836

Imports

DLL	Import
KERNEL32.dll	CompareFileTime, SearchPathA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, Sleep, GetTickCount, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, GetWindowsDirectoryA, SetFileTime, GetCommandLineA, SetErrorMode, LoadLibraryA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, GetVersion, CloseHandle, lstrcmpiA, lstrcmpA, ExpandEnvironmentStringsA, GlobalFree, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GetModuleHandleA, LoadLibraryExA, GetProcAddress, FreeLibrary, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, WriteFile, ReadFile, MulDiv, SetFilePointer, FindClose, FindNextFileA, FindFirstFileA, DeleteFileA, GetTempPathA
USER32.dll	EndDialog, ScreenToClient, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, DestroyWindow, CreateDialogParamA, SetTimer, SetWindowTextA, PostQuitMessage, SetForegroundWindow, wsprintfA, SendMessageTimeoutA, FindWindowExA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, OpenClipboard, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, ShowWindow
GDI32.dll	SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectA, SetBkMode, SetTextColor, SelectObject
SHELL32.dll	SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA, SHGetSpecialFolderLocation
ADVAPI32.dll	RegQueryValueExA, RegSetValueExA, RegEnumKeyA, RegEnumValueA, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA
COMCTL32.dll	ImageList_AddMasked, ImageList_Destroy, ImageList_Create
ole32.dll	CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
VERSION.dll	GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 28, 2024 11:04:12.369116068 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:12.369196892 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:12.369304895 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:12.369739056 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:12.369775057 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.113210917 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.113396883 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:13.115596056 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:13.115616083 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.116012096 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.117360115 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:13.159373045 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.518167973 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.518197060 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.518215895 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.518275023 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:13.518306971 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.518361092 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:13.520529032 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.520550013 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.520603895 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:13.520615101 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.520649910 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:13.520659924 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:13.634809017 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.634840012 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.634900093 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:13.634927034 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.634957075 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:13.634979963 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:13.636758089 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.636780977 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.636835098 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:13.636848927 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.636882067 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:13.636920929 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:13.638886929 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.638930082 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.638966084 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:13.638979912 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.639012098 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:13.639029980 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:13.640623093 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.640666008 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.640706062 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:13.640719891 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.640747070 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:13.640768051 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:13.751821041 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.751883984 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.751943111 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:13.751970053 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.752021074 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:13.752060890 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:13.753029108 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.753070116 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.753118992 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:13.753132105 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.753163099 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:13.753181934 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:13.753892899 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.753937006 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.753983021 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:13.753995895 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.754048109 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:13.754070997 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:13.755079985 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.755120039 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.755160093 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:13.755172014 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.755202055 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:13.755225897 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:13.756048918 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.756091118 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.756135941 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:13.756149054 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.756175995 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:13.756206989 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:13.757103920 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.757145882 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.757205009 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:13.757217884 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.757251978 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:13.757272959 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:13.757896900 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.757939100 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.757980108 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:13.757992983 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.758021116 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:13.758047104 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:13.868876934 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.868944883 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.869103909 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.869123936 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:13.869124889 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:13.869154930 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.869184017 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:13.869188070 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.869223118 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:13.869443893 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.869484901 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.869525909 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:13.869551897 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.869585037 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:13.869729042 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.869776011 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.869806051 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:13.869822025 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.869863033 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:13.870001078 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.870042086 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.870084047 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:13.870105028 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.870126963 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:13.876254082 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.876323938 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.876338005 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:13.876352072 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.876400948 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:13.876596928 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.876636982 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.876683950 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:13.876698017 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.876728058 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:13.876884937 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.876935005 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.876980066 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:13.876992941 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.877027035 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:13.877140045 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.877190113 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.877228975 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:13.877242088 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.877274036 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:13.877542019 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.877592087 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.877623081 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:13.877636909 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.877688885 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:13.877778053 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.877836943 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.877876043 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:13.877888918 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.877918959 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:13.877999067 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.878046989 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.878072977 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:13.878087044 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.878128052 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:13.878369093 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.878464937 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.878506899 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:13.878520966 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.878545046 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:13.878604889 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.878654957 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.878674030 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:13.878699064 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.878746033 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:13.933207035 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:13.985032082 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.985093117 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.985145092 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:13.985166073 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.985193014 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:13.985219002 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:13.985395908 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.985440969 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.985479116 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:13.985491991 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.985518932 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:13.985542059 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:13.985930920 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.985985041 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.986030102 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:13.986044884 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.986072063 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:13.986095905 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:13.986251116 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.986290932 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.986331940 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:13.986345053 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.986371994 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:13.986421108 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:13.986630917 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.986675978 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.986736059 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:13.986736059 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:13.986752033 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.986805916 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:13.987076044 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.987147093 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.987164974 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:13.987179995 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.987245083 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:13.987245083 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:13.987562895 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.987611055 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.987654924 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:13.987667084 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.987693071 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:13.987723112 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:13.987956047 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.987998009 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.988043070 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:13.988055944 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.988084078 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:13.988107920 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:13.988290071 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.988337040 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.988368034 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:13.988379955 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.988404989 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:13.988430023 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:13.988626957 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.988683939 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.988718987 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:13.988732100 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.988758087 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:13.988791943 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:13.989043951 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.989088058 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.989125967 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:13.989139080 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.989165068 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:13.989188910 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:13.989362001 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.989411116 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.989442110 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:13.989454031 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.989490032 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:13.989509106 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:13.989686966 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.989731073 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.989762068 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:13.989774942 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.989804983 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:13.989844084 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:13.990036964 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.990087032 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.990123034 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:13.990135908 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.990161896 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:13.990196943 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:13.990272045 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.990319014 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.990369081 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:13.990386963 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.990412951 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:13.990438938 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:13.990494967 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.990537882 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.990566969 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:13.990581036 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.990606070 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:13.990622997 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:13.990703106 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.990742922 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.990782022 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:13.990794897 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.990823030 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:13.990847111 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:13.990937948 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.990988016 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.991034031 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:13.991045952 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.991070032 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:13.991106033 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:13.991151094 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.991190910 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.991229057 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:13.991240978 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.991265059 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:13.991293907 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:13.991374969 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.991416931 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.991451025 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:13.991463900 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.991491079 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:13.991524935 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:13.991586924 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.991635084 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.991676092 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:13.991688967 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.991714954 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:13.991744041 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:13.991800070 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.991841078 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.991877079 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:13.991889954 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.991919994 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:13.991955996 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:13.992010117 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.992049932 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.992088079 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:13.992100000 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.992127895 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:13.992156029 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:13.992208958 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.992254019 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.992295027 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:13.992306948 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.992332935 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:13.992367029 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:13.992387056 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.992440939 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.992477894 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:13.992490053 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.992516041 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:13.992546082 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:13.998186111 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.998233080 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.998270035 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:13.998282909 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.998311043 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:13.998347044 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:13.998501062 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.998553991 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.998598099 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:13.998610020 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.998635054 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:13.998657942 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:13.998672962 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.998714924 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.998738050 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:13.998764992 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:13.998795033 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:13.998826027 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:14.102057934 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:14.102161884 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:14.102181911 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:14.102261066 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:14.102349043 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:14.102400064 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:14.102425098 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:14.102433920 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:14.102463007 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:14.102488995 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:14.102541924 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:14.102582932 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:14.102610111 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:14.102617979 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:14.102650881 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:14.102664948 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:14.102722883 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:14.102770090 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:14.102794886 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:14.102802038 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:14.102830887 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:14.102854013 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:14.102989912 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:14.103039026 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:14.103055000 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:14.103063107 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:14.103111982 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:14.103382111 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:14.103430033 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:14.103461981 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:14.103470087 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:14.103483915 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:14.103513956 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:14.103743076 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:14.103782892 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:14.103816986 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:14.103823900 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:14.103849888 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:14.103868961 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:14.104100943 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:14.104144096 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:14.104178905 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:14.104186058 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:14.104213953 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:14.104237080 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:14.104429007 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:14.104480982 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:14.104516029 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:14.104522943 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:14.104552031 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:14.104578972 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:14.104671001 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:14.104712963 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:14.104743958 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:14.104751110 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:14.104774952 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:14.104804039 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:14.104923964 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:14.104965925 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:14.105001926 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:14.105009079 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:14.105036974 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:14.105061054 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:14.105190992 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:14.105247974 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:14.105283976 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:14.105290890 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:14.105320930 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:14.105339050 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:14.105442047 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:14.105493069 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:14.105520010 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:14.105528116 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:14.105556011 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:14.105653048 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:14.105691910 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:14.105721951 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:14.105736971 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:14.105736971 CET	49729	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:14.105748892 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:14.105757952 CET	443	49729	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:16.853142977 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:16.853209972 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:16.853316069 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:16.854505062 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:16.854530096 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:17.587327957 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:17.587434053 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:17.589183092 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:17.589215994 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:17.589432955 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:17.630243063 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:17.657675028 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:17.699369907 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:17.916254997 CET	49732	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:17.916357040 CET	443	49732	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:17.916512012 CET	49732	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:17.916714907 CET	49732	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:17.916747093 CET	443	49732	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.349119902 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.349148989 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.349159002 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.349200010 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.349239111 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.349255085 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.349287033 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.349308014 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.349308968 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.349328041 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.351002932 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.351026058 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.351080894 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.351092100 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.351106882 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.352832079 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.466542959 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.466574907 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.466672897 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.466749907 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.466909885 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.467427969 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.467449903 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.467514038 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.467535973 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.467572927 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.467633963 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.469191074 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.469217062 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.469284058 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.469300032 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.469372034 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.470916986 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.470943928 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.470999002 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.471014023 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.471110106 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.471143961 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.584220886 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.584248066 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.584300995 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.584316015 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.584342957 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.584371090 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.584789991 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.584810019 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.584855080 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.584863901 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.584897041 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.584918022 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.585753918 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.585772991 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.585813046 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.585828066 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.585845947 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.585865974 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.588711977 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.588732004 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.588788033 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.588798046 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.588824987 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.588845968 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.589905977 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.589950085 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.589972019 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.589977980 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.590007067 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.590044022 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.591144085 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.591171980 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.591217995 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.591226101 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.591240883 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.591264963 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.656281948 CET	443	49732	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.656851053 CET	49732	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.656894922 CET	443	49732	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.657746077 CET	49732	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.657752991 CET	443	49732	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.700638056 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.700666904 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.700742006 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.700752974 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.700766087 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.700908899 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.700938940 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.700980902 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.700989008 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.701014996 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.701045990 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.701421976 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.701457024 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.701491117 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.701498032 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.701510906 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.701534033 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.701773882 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.701792955 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.701834917 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.701843023 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.701885939 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.701885939 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.702200890 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.702220917 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.702270985 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.702279091 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.702322006 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.702754974 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.702778101 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.702819109 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.702826023 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.702857018 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.702868938 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.703167915 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.703190088 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.703263998 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.703265905 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.703279018 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.703309059 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.703342915 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.703351974 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.703404903 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.703891993 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.703911066 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.703938007 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.703948975 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.703960896 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.703979969 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.704009056 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.704453945 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.704521894 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.704524040 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.704535961 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.704588890 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.704691887 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.704718113 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.704750061 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.704756975 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.704768896 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.704801083 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.705321074 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.705342054 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.705384970 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.705391884 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.705423117 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.705431938 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.705712080 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.705733061 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.705773115 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.705780029 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.705801964 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.705816031 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.706451893 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.706473112 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.706517935 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.706526041 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.706551075 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.706562996 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.796947002 CET	443	49732	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.796972036 CET	443	49732	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.797036886 CET	443	49732	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.797077894 CET	49732	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.797118902 CET	49732	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.797318935 CET	49732	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.797348022 CET	443	49732	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.797362089 CET	49732	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.797369003 CET	443	49732	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.817883968 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.817926884 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.817986965 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.817997932 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.818061113 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.818105936 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.818105936 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.818159103 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.818413973 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.818434000 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.818483114 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.818504095 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.818531990 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.818619013 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.818650961 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.818687916 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.818701029 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.818730116 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.818802118 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.818835020 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.818867922 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.818881989 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.818908930 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.818977118 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.818998098 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.819067001 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.819082022 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.819231033 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.819248915 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.819298983 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.819331884 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.819360971 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.819417000 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.819439888 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.819487095 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.819506884 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.819530964 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.819600105 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.819618940 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.819665909 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.819679022 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.819704056 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.819768906 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.819791079 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.819843054 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.819861889 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.819886923 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.819998026 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.820017099 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.820065022 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.820079088 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.820099115 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.820102930 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.820126057 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.820157051 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.820169926 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.820195913 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.820580959 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.820600033 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.820689917 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.820704937 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.820730925 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.820753098 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.820787907 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.820801020 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.820826054 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.820931911 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.820950985 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.821012974 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.821013927 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.821028948 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.821058035 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.821079969 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.821114063 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.821129084 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.821156979 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.821288109 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.821305037 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.821342945 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.821361065 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.821379900 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.821383953 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.821409941 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.821435928 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.821449995 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.821474075 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.822261095 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.822278976 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.822331905 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.822362900 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.822374105 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.822376966 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.822417974 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.822424889 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.822446108 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.822457075 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.822482109 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.822494984 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.822501898 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.822515011 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.822545052 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.822575092 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.822586060 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.822597980 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.822632074 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.822649956 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.822669029 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.822674036 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.822690964 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.822700977 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.822727919 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.822752953 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.825380087 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.825398922 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.825454950 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.825475931 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.825499058 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.825511932 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.825548887 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.825583935 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.825598955 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.825623989 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.825628996 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.825647116 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.825670004 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.825685024 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.825689077 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.825706005 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.825716972 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.825742960 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.825759888 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.825784922 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.825810909 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.825846910 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.825859070 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.825886965 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.826997042 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.863658905 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.863682985 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.863768101 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.863790035 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.863852978 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.935213089 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.935244083 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.935368061 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.935380936 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.935421944 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.935477018 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.935477018 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.935484886 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.935502052 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.935539961 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.935564041 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.935600042 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.935619116 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.935667038 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.935688019 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.935712099 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.935719013 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.935745955 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.935796022 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.935816050 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.935838938 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.935848951 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.935870886 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.935911894 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.935926914 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.935980082 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.935980082 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.936006069 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.936049938 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.936064005 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.936098099 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.936136961 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.936157942 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.936168909 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.936182022 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.936214924 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.936214924 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.936237097 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.936415911 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.936439037 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.936455011 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.936470032 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.936506987 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.936506987 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.936528921 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.936588049 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.936608076 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.936646938 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.936660051 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.936686993 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.936700106 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.936724901 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.936765909 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.936784029 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.936806917 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.936836958 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.936886072 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.936898947 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.936913013 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.936954021 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.936976910 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.937072039 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.937098026 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.937138081 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.937155962 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.937175989 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.937179089 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.937235117 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.937246084 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.937258005 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.937305927 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.937310934 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.937330961 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.937360048 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.937377930 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.937401056 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.937401056 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.937407970 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.937448978 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.937460899 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.937485933 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.937500000 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.944062948 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.954993010 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.978427887 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.982620001 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.982666016 CET	443	49731	13.107.246.60	192.168.2.17
Oct 28, 2024 11:04:18.982697010 CET	49731	443	192.168.2.17	13.107.246.60
Oct 28, 2024 11:04:18.982714891 CET	443	49731	13.107.246.60	192.168.2.17

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 28, 2024 11:03:11.861825943 CET	1.1.1.1	192.168.2.17	0xc056	No error (0)	templatesmetadata.office.net	templatesmetadata.office.net.edgekey.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 28, 2024 11:04:12.368130922 CET	1.1.1.1	192.168.2.17	0x6bc7	No error (0)	shed.dual-low.s-part-0032.t-0009.t-msedge.net	s-part-0032.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 28, 2024 11:04:12.368130922 CET	1.1.1.1	192.168.2.17	0x6bc7	No error (0)	s-part-0032.t-0009.t-msedge.net		13.107.246.60	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

otelrules.azureedge.net

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.17	49729	13.107.246.60	443	3752	C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

Timestamp	Bytes transferred	Direction	Data
2024-10-28 10:04:13 UTC	219	OUT	GET /rules/excel.exe-Production-v19.bundle HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro) Host: otelrules.azureedge.net
2024-10-28 10:04:13 UTC	569	IN	HTTP/1.1 200 OK Date: Mon, 28 Oct 2024 10:04:13 GMT Content-Type: text/plain Content-Length: 1112556 Connection: close Vary: Accept-Encoding Vary: Accept-Encoding Vary: Accept-Encoding Vary: Accept-Encoding Cache-Control: public Last-Modified: Sun, 27 Oct 2024 10:35:44 GMT ETag: "0x8DCF6731CE408D3" x-ms-request-id: a808c8f2-d01e-0082-7208-29e489000000 x-ms-version: 2018-03-28 x-azure-ref: 20241028T100413Z-r197bdfb6b466qclztvgs64z1000000006b0000000005me1 x-fd-int-roxy-purgeid: 0 X-Cache-Info: L2_T2 X-Cache: TCP_REMOTE_HIT Accept-Ranges: bytes
2024-10-28 10:04:13 UTC	15815	IN	Data Raw: 31 30 30 30 34 32 76 32 2b 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 31 30 30 30 34 32 22 20 56 3d 22 32 22 20 44 43 3d 22 53 4d 22 20 45 4e 3d 22 4f 66 66 69 63 65 2e 55 58 2e 44 65 73 6b 74 6f 70 2e 4f 66 66 69 63 65 54 68 65 6d 65 2e 41 70 70 2e 49 6e 69 74 22 20 41 54 54 3d 22 63 34 33 38 38 63 39 37 37 32 39 37 34 31 33 62 62 30 35 34 62 61 64 31 61 63 66 30 61 64 65 31 2d 63 63 35 38 65 35 33 65 2d 66 35 61 34 2d 34 66 33 37 2d 62 30 64 32 2d 39 61 38 30 37 39 65 33 34 34 32 30 2d 36 38 37 39 22 20 44 43 61 3d 22 50 53 55 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 3c 55 54 53 20 54 3d 22 31 22 20 49 64 3d 22 63 6d 39 79 35 Data Ascii: 100042v2+<?xml version="1.0" encoding="utf-8"?><R Id="100042" V="2" DC="SM" EN="Office.UX.Desktop.OfficeTheme.App.Init" ATT="c4388c977297413bb054bad1acf0ade1-cc58e53e-f5a4-4f37-b0d2-9a8079e34420-6879" DCa="PSU" xmlns=""> <S> <UTS T="1" Id="cm9y5
2024-10-28 10:04:13 UTC	16384	IN	Data Raw: 22 33 22 20 4f 3d 22 66 61 6c 73 65 22 3e 0d 0a 20 20 20 20 3c 53 20 54 3d 22 31 22 20 46 3d 22 41 75 74 68 6f 72 43 6f 75 6e 74 22 20 2f 3e 0d 0a 20 20 3c 2f 43 3e 0d 0a 20 20 3c 54 3e 0d 0a 20 20 20 20 3c 53 20 54 3d 22 31 22 20 2f 3e 0d 0a 20 20 3c 2f 54 3e 0d 0a 3c 2f 52 3e 0d 0a 3c 24 21 23 3e 31 30 30 31 31 37 76 30 2b 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 31 30 30 31 31 37 22 20 56 3d 22 30 22 20 44 43 3d 22 53 4d 22 20 54 3d 22 53 75 62 72 75 6c 65 22 20 44 43 61 3d 22 50 53 55 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 3c 55 54 53 20 54 3d 22 31 22 20 49 64 3d 22 38 79 6c 6c 66 22 20 2f 3e 0d 0a 20 20 3c 2f 53 3e 0d Data Ascii: "3" O="false"> <S T="1" F="AuthorCount" /> </C> <T> <S T="1" /> </T></R><$!#>100117v0+<?xml version="1.0" encoding="utf-8"?><R Id="100117" V="0" DC="SM" T="Subrule" DCa="PSU" xmlns=""> <S> <UTS T="1" Id="8yllf" /> </S>
2024-10-28 10:04:13 UTC	16384	IN	Data Raw: 50 6f 73 69 74 69 6f 6e 46 69 76 65 50 6c 75 73 43 6f 75 6e 74 22 3e 0d 0a 20 20 20 20 3c 41 20 54 3d 22 53 55 4d 22 3e 0d 0a 20 20 20 20 20 20 3c 53 20 54 3d 22 31 22 20 46 3d 22 31 31 22 20 2f 3e 0d 0a 20 20 20 20 3c 2f 41 3e 0d 0a 20 20 3c 2f 43 3e 0d 0a 20 20 3c 54 3e 0d 0a 20 20 20 20 3c 53 20 54 3d 22 32 22 20 2f 3e 0d 0a 20 20 20 20 3c 53 20 54 3d 22 33 22 20 2f 3e 0d 0a 20 20 3c 2f 54 3e 0d 0a 3c 2f 52 3e 0d 0a 3c 24 21 23 3e 31 30 37 38 31 76 31 2b 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 31 30 37 38 31 22 20 56 3d 22 31 22 20 44 43 3d 22 53 4d 22 20 54 3d 22 53 75 62 72 75 6c 65 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 Data Ascii: PositionFivePlusCount"> <A T="SUM"> <S T="1" F="11" /> </A> </C> <T> <S T="2" /> <S T="3" /> </T></R><$!#>10781v1+<?xml version="1.0" encoding="utf-8"?><R Id="10781" V="1" DC="SM" T="Subrule" xmlns=""> <S>
2024-10-28 10:04:13 UTC	16384	IN	Data Raw: 20 3c 2f 4f 3e 0d 0a 20 20 20 20 20 20 20 20 3c 2f 52 3e 0d 0a 20 20 20 20 20 20 3c 2f 4f 3e 0d 0a 20 20 20 20 3c 2f 46 3e 0d 0a 20 20 20 20 3c 46 20 54 3d 22 36 22 3e 0d 0a 20 20 20 20 20 20 3c 4f 20 54 3d 22 41 4e 44 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 4c 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 3c 4f 20 54 3d 22 47 54 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 4c 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 53 20 54 3d 22 31 22 20 46 3d 22 30 22 20 2f 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 4c 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 52 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 56 20 56 3d 22 31 30 30 30 22 20 54 3d 22 55 33 32 22 20 2f 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 52 3e 0d 0a 20 20 Data Ascii: </O> </R> </O> </F> <F T="6"> <O T="AND"> <L> <O T="GT"> <L> <S T="1" F="0" /> </L> <R> <V V="1000" T="U32" /> </R>
2024-10-28 10:04:13 UTC	16384	IN	Data Raw: 3d 22 46 6c 79 6f 75 74 56 69 64 65 6f 22 3e 0d 0a 20 20 20 20 3c 43 3e 0d 0a 20 20 20 20 20 20 3c 53 20 54 3d 22 32 35 22 20 2f 3e 0d 0a 20 20 20 20 3c 2f 43 3e 0d 0a 20 20 3c 2f 43 3e 0d 0a 20 20 3c 43 20 54 3d 22 55 33 32 22 20 49 3d 22 32 32 22 20 4f 3d 22 66 61 6c 73 65 22 20 4e 3d 22 46 6c 79 6f 75 74 56 69 64 65 6f 43 61 6c 6c 56 69 64 65 6f 22 3e 0d 0a 20 20 20 20 3c 43 3e 0d 0a 20 20 20 20 20 20 3c 53 20 54 3d 22 32 36 22 20 2f 3e 0d 0a 20 20 20 20 3c 2f 43 3e 0d 0a 20 20 3c 2f 43 3e 0d 0a 20 20 3c 43 20 54 3d 22 55 33 32 22 20 49 3d 22 32 33 22 20 4f 3d 22 66 61 6c 73 65 22 20 4e 3d 22 46 6c 79 6f 75 74 53 61 53 22 3e 0d 0a 20 20 20 20 3c 43 3e 0d 0a 20 20 20 20 20 20 3c 53 20 54 3d 22 32 37 22 20 2f 3e 0d 0a 20 20 20 20 3c 2f 43 3e 0d 0a 20 20 Data Ascii: ="FlyoutVideo"> <C> <S T="25" /> </C> </C> <C T="U32" I="22" O="false" N="FlyoutVideoCallVideo"> <C> <S T="26" /> </C> </C> <C T="U32" I="23" O="false" N="FlyoutSaS"> <C> <S T="27" /> </C>
2024-10-28 10:04:13 UTC	16384	IN	Data Raw: 3e 0d 0a 20 20 3c 54 3e 0d 0a 20 20 20 20 3c 53 20 54 3d 22 31 22 20 2f 3e 0d 0a 20 20 3c 2f 54 3e 0d 0a 3c 2f 52 3e 0d 0a 3c 24 21 23 3e 31 30 39 30 37 76 30 2b 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 31 30 39 30 37 22 20 56 3d 22 30 22 20 44 43 3d 22 53 4d 22 20 45 4e 3d 22 4f 66 66 69 63 65 2e 4f 75 74 6c 6f 6f 6b 2e 44 65 73 6b 74 6f 70 2e 4e 44 42 2e 55 6e 6b 6e 6f 77 6e 2e 43 6f 72 72 75 70 74 69 6f 6e 22 20 41 54 54 3d 22 64 38 30 37 36 30 39 32 37 36 37 34 34 32 34 35 62 61 66 38 31 62 66 37 62 63 38 30 33 33 66 36 2d 32 32 36 38 65 33 37 34 2d 37 37 36 36 2d 34 39 37 36 2d 62 65 34 34 2d 62 36 61 64 35 62 64 64 63 35 62 36 2d 37 38 31 33 22 20 53 Data Ascii: > <T> <S T="1" /> </T></R><$!#>10907v0+<?xml version="1.0" encoding="utf-8"?><R Id="10907" V="0" DC="SM" EN="Office.Outlook.Desktop.NDB.Unknown.Corruption" ATT="d807609276744245baf81bf7bc8033f6-2268e374-7766-4976-be44-b6ad5bddc5b6-7813" S
2024-10-28 10:04:13 UTC	16384	IN	Data Raw: 38 31 33 22 20 44 43 61 3d 22 50 53 55 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 3c 54 49 20 54 3d 22 31 22 20 49 3d 22 44 61 69 6c 79 22 20 2f 3e 0d 0a 20 20 20 20 3c 41 20 54 3d 22 32 22 20 45 3d 22 54 65 6c 65 6d 65 74 72 79 53 68 75 74 64 6f 77 6e 22 20 2f 3e 0d 0a 20 20 20 20 3c 55 54 53 20 54 3d 22 33 22 20 49 64 3d 22 62 70 66 79 31 22 20 2f 3e 0d 0a 20 20 20 20 3c 46 20 54 3d 22 34 22 3e 0d 0a 20 20 20 20 20 20 3c 4f 20 54 3d 22 47 54 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 4c 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 3c 53 20 54 3d 22 33 22 20 46 3d 22 50 68 6f 74 6f 53 69 7a 65 49 6e 42 79 74 65 73 22 20 2f 3e 0d 0a 20 20 20 20 20 20 20 20 3c 2f 4c 3e 0d 0a 20 20 20 20 20 20 20 20 3c 52 3e 0d 0a 20 20 20 20 20 20 20 20 Data Ascii: 813" DCa="PSU" xmlns=""> <S> <TI T="1" I="Daily" /> <A T="2" E="TelemetryShutdown" /> <UTS T="3" Id="bpfy1" /> <F T="4"> <O T="GT"> <L> <S T="3" F="PhotoSizeInBytes" /> </L> <R>
2024-10-28 10:04:13 UTC	16384	IN	Data Raw: 22 20 2f 3e 0d 0a 20 20 20 20 3c 55 54 53 20 54 3d 22 35 22 20 49 64 3d 22 62 75 6b 30 6d 22 20 2f 3e 0d 0a 20 20 20 20 3c 46 20 54 3d 22 36 22 3e 0d 0a 20 20 20 20 20 20 3c 4f 20 54 3d 22 45 51 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 4c 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 3c 53 20 54 3d 22 34 22 20 46 3d 22 65 76 65 6e 74 49 64 22 20 2f 3e 0d 0a 20 20 20 20 20 20 20 20 3c 2f 4c 3e 0d 0a 20 20 20 20 20 20 20 20 3c 52 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 3c 56 20 56 3d 22 31 33 35 22 20 54 3d 22 49 33 32 22 20 2f 3e 0d 0a 20 20 20 20 20 20 20 20 3c 2f 52 3e 0d 0a 20 20 20 20 20 20 3c 2f 4f 3e 0d 0a 20 20 20 20 3c 2f 46 3e 0d 0a 20 20 20 20 3c 46 20 54 3d 22 37 22 3e 0d 0a 20 20 20 20 20 20 3c 4f 20 54 3d 22 45 51 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c Data Ascii: " /> <UTS T="5" Id="buk0m" /> <F T="6"> <O T="EQ"> <L> <S T="4" F="eventId" /> </L> <R> <V V="135" T="I32" /> </R> </O> </F> <F T="7"> <O T="EQ"> <
2024-10-28 10:04:13 UTC	16384	IN	Data Raw: 20 20 20 20 20 20 3c 52 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 3c 56 20 56 3d 22 34 22 20 54 3d 22 55 33 32 22 20 2f 3e 0d 0a 20 20 20 20 20 20 20 20 3c 2f 52 3e 0d 0a 20 20 20 20 20 20 3c 2f 4f 3e 0d 0a 20 20 20 20 3c 2f 46 3e 0d 0a 20 20 20 20 3c 46 20 54 3d 22 31 30 22 3e 0d 0a 20 20 20 20 20 20 3c 4f 20 54 3d 22 45 51 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 4c 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 3c 53 20 54 3d 22 33 22 20 46 3d 22 46 69 6c 65 50 72 6f 74 65 63 74 69 6f 6e 53 74 61 74 65 22 20 2f 3e 0d 0a 20 20 20 20 20 20 20 20 3c 2f 4c 3e 0d 0a 20 20 20 20 20 20 20 20 3c 52 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 3c 56 20 56 3d 22 35 22 20 54 3d 22 55 33 32 22 20 2f 3e 0d 0a 20 20 20 20 20 20 20 20 3c 2f 52 3e 0d 0a 20 20 20 20 20 20 3c 2f 4f 3e 0d Data Ascii: <R> <V V="4" T="U32" /> </R> </O> </F> <F T="10"> <O T="EQ"> <L> <S T="3" F="FileProtectionState" /> </L> <R> <V V="5" T="U32" /> </R> </O>
2024-10-28 10:04:13 UTC	16384	IN	Data Raw: 44 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 4c 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 4f 20 54 3d 22 45 51 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 4c 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 53 20 54 3d 22 35 22 20 46 3d 22 72 65 73 75 6c 74 73 5f 49 73 4e 75 6c 6c 22 20 2f 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 4c 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 52 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 56 20 56 3d 22 66 61 6c 73 65 22 20 54 3d 22 42 22 20 2f 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 52 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 4f 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 Data Ascii: D"> <L> <O T="EQ"> <L> <S T="5" F="results_IsNull" /> </L> <R> <V V="false" T="B" /> </R> </O>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.17	49731	13.107.246.60	443	2924	C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

Timestamp	Bytes transferred	Direction	Data
2024-10-28 10:04:17 UTC	219	OUT	GET /rules/excel.exe-Production-v19.bundle HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro) Host: otelrules.azureedge.net
2024-10-28 10:04:18 UTC	542	IN	HTTP/1.1 200 OK Date: Mon, 28 Oct 2024 10:04:18 GMT Content-Type: text/plain Content-Length: 1112556 Connection: close Vary: Accept-Encoding Vary: Accept-Encoding Vary: Accept-Encoding Vary: Accept-Encoding Cache-Control: public Last-Modified: Sun, 27 Oct 2024 10:35:44 GMT ETag: "0x8DCF6731CE408D3" x-ms-request-id: 88b47594-d01e-0049-0520-29e7dc000000 x-ms-version: 2018-03-28 x-azure-ref: 20241028T100417Z-16849878b78wc6ln1zsrz6q9w800000004g000000000997m x-fd-int-roxy-purgeid: 0 X-Cache: TCP_MISS Accept-Ranges: bytes
2024-10-28 10:04:18 UTC	15842	IN	Data Raw: 31 30 30 30 34 32 76 32 2b 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 31 30 30 30 34 32 22 20 56 3d 22 32 22 20 44 43 3d 22 53 4d 22 20 45 4e 3d 22 4f 66 66 69 63 65 2e 55 58 2e 44 65 73 6b 74 6f 70 2e 4f 66 66 69 63 65 54 68 65 6d 65 2e 41 70 70 2e 49 6e 69 74 22 20 41 54 54 3d 22 63 34 33 38 38 63 39 37 37 32 39 37 34 31 33 62 62 30 35 34 62 61 64 31 61 63 66 30 61 64 65 31 2d 63 63 35 38 65 35 33 65 2d 66 35 61 34 2d 34 66 33 37 2d 62 30 64 32 2d 39 61 38 30 37 39 65 33 34 34 32 30 2d 36 38 37 39 22 20 44 43 61 3d 22 50 53 55 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 3c 55 54 53 20 54 3d 22 31 22 20 49 64 3d 22 63 6d 39 79 35 Data Ascii: 100042v2+<?xml version="1.0" encoding="utf-8"?><R Id="100042" V="2" DC="SM" EN="Office.UX.Desktop.OfficeTheme.App.Init" ATT="c4388c977297413bb054bad1acf0ade1-cc58e53e-f5a4-4f37-b0d2-9a8079e34420-6879" DCa="PSU" xmlns=""> <S> <UTS T="1" Id="cm9y5
2024-10-28 10:04:18 UTC	16384	IN	Data Raw: 22 20 46 3d 22 41 75 74 68 6f 72 43 6f 75 6e 74 22 20 2f 3e 0d 0a 20 20 3c 2f 43 3e 0d 0a 20 20 3c 54 3e 0d 0a 20 20 20 20 3c 53 20 54 3d 22 31 22 20 2f 3e 0d 0a 20 20 3c 2f 54 3e 0d 0a 3c 2f 52 3e 0d 0a 3c 24 21 23 3e 31 30 30 31 31 37 76 30 2b 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 31 30 30 31 31 37 22 20 56 3d 22 30 22 20 44 43 3d 22 53 4d 22 20 54 3d 22 53 75 62 72 75 6c 65 22 20 44 43 61 3d 22 50 53 55 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 3c 55 54 53 20 54 3d 22 31 22 20 49 64 3d 22 38 79 6c 6c 66 22 20 2f 3e 0d 0a 20 20 3c 2f 53 3e 0d 0a 20 20 3c 43 20 54 3d 22 57 22 20 49 3d 22 30 22 20 4f 3d 22 66 61 6c 73 65 22 Data Ascii: " F="AuthorCount" /> </C> <T> <S T="1" /> </T></R><$!#>100117v0+<?xml version="1.0" encoding="utf-8"?><R Id="100117" V="0" DC="SM" T="Subrule" DCa="PSU" xmlns=""> <S> <UTS T="1" Id="8yllf" /> </S> <C T="W" I="0" O="false"
2024-10-28 10:04:18 UTC	16384	IN	Data Raw: 20 20 3c 41 20 54 3d 22 53 55 4d 22 3e 0d 0a 20 20 20 20 20 20 3c 53 20 54 3d 22 31 22 20 46 3d 22 31 31 22 20 2f 3e 0d 0a 20 20 20 20 3c 2f 41 3e 0d 0a 20 20 3c 2f 43 3e 0d 0a 20 20 3c 54 3e 0d 0a 20 20 20 20 3c 53 20 54 3d 22 32 22 20 2f 3e 0d 0a 20 20 20 20 3c 53 20 54 3d 22 33 22 20 2f 3e 0d 0a 20 20 3c 2f 54 3e 0d 0a 3c 2f 52 3e 0d 0a 3c 24 21 23 3e 31 30 37 38 31 76 31 2b 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 31 30 37 38 31 22 20 56 3d 22 31 22 20 44 43 3d 22 53 4d 22 20 54 3d 22 53 75 62 72 75 6c 65 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 3c 55 54 53 20 54 3d 22 31 22 20 49 64 3d 22 62 67 6f 34 74 22 20 2f 3e 0d 0a Data Ascii: <A T="SUM"> <S T="1" F="11" /> </A> </C> <T> <S T="2" /> <S T="3" /> </T></R><$!#>10781v1+<?xml version="1.0" encoding="utf-8"?><R Id="10781" V="1" DC="SM" T="Subrule" xmlns=""> <S> <UTS T="1" Id="bgo4t" />
2024-10-28 10:04:18 UTC	16384	IN	Data Raw: 3c 2f 4f 3e 0d 0a 20 20 20 20 3c 2f 46 3e 0d 0a 20 20 20 20 3c 46 20 54 3d 22 36 22 3e 0d 0a 20 20 20 20 20 20 3c 4f 20 54 3d 22 41 4e 44 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 4c 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 3c 4f 20 54 3d 22 47 54 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 4c 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 53 20 54 3d 22 31 22 20 46 3d 22 30 22 20 2f 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 4c 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 52 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 56 20 56 3d 22 31 30 30 30 22 20 54 3d 22 55 33 32 22 20 2f 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 52 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 3c 2f 4f 3e 0d 0a 20 20 20 20 20 20 20 20 3c 2f 4c 3e 0d Data Ascii: </O> </F> <F T="6"> <O T="AND"> <L> <O T="GT"> <L> <S T="1" F="0" /> </L> <R> <V V="1000" T="U32" /> </R> </O> </L>
2024-10-28 10:04:18 UTC	16384	IN	Data Raw: 20 20 20 20 20 3c 53 20 54 3d 22 32 35 22 20 2f 3e 0d 0a 20 20 20 20 3c 2f 43 3e 0d 0a 20 20 3c 2f 43 3e 0d 0a 20 20 3c 43 20 54 3d 22 55 33 32 22 20 49 3d 22 32 32 22 20 4f 3d 22 66 61 6c 73 65 22 20 4e 3d 22 46 6c 79 6f 75 74 56 69 64 65 6f 43 61 6c 6c 56 69 64 65 6f 22 3e 0d 0a 20 20 20 20 3c 43 3e 0d 0a 20 20 20 20 20 20 3c 53 20 54 3d 22 32 36 22 20 2f 3e 0d 0a 20 20 20 20 3c 2f 43 3e 0d 0a 20 20 3c 2f 43 3e 0d 0a 20 20 3c 43 20 54 3d 22 55 33 32 22 20 49 3d 22 32 33 22 20 4f 3d 22 66 61 6c 73 65 22 20 4e 3d 22 46 6c 79 6f 75 74 53 61 53 22 3e 0d 0a 20 20 20 20 3c 43 3e 0d 0a 20 20 20 20 20 20 3c 53 20 54 3d 22 32 37 22 20 2f 3e 0d 0a 20 20 20 20 3c 2f 43 3e 0d 0a 20 20 3c 2f 43 3e 0d 0a 20 20 3c 43 20 54 3d 22 55 33 32 22 20 49 3d 22 32 34 22 20 4f Data Ascii: <S T="25" /> </C> </C> <C T="U32" I="22" O="false" N="FlyoutVideoCallVideo"> <C> <S T="26" /> </C> </C> <C T="U32" I="23" O="false" N="FlyoutSaS"> <C> <S T="27" /> </C> </C> <C T="U32" I="24" O
2024-10-28 10:04:18 UTC	16384	IN	Data Raw: 20 20 3c 2f 54 3e 0d 0a 3c 2f 52 3e 0d 0a 3c 24 21 23 3e 31 30 39 30 37 76 30 2b 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 31 30 39 30 37 22 20 56 3d 22 30 22 20 44 43 3d 22 53 4d 22 20 45 4e 3d 22 4f 66 66 69 63 65 2e 4f 75 74 6c 6f 6f 6b 2e 44 65 73 6b 74 6f 70 2e 4e 44 42 2e 55 6e 6b 6e 6f 77 6e 2e 43 6f 72 72 75 70 74 69 6f 6e 22 20 41 54 54 3d 22 64 38 30 37 36 30 39 32 37 36 37 34 34 32 34 35 62 61 66 38 31 62 66 37 62 63 38 30 33 33 66 36 2d 32 32 36 38 65 33 37 34 2d 37 37 36 36 2d 34 39 37 36 2d 62 65 34 34 2d 62 36 61 64 35 62 64 64 63 35 62 36 2d 37 38 31 33 22 20 53 3d 22 31 30 30 22 20 44 43 61 3d 22 50 53 55 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d Data Ascii: </T></R><$!#>10907v0+<?xml version="1.0" encoding="utf-8"?><R Id="10907" V="0" DC="SM" EN="Office.Outlook.Desktop.NDB.Unknown.Corruption" ATT="d807609276744245baf81bf7bc8033f6-2268e374-7766-4976-be44-b6ad5bddc5b6-7813" S="100" DCa="PSU" xmlns="">
2024-10-28 10:04:18 UTC	16384	IN	Data Raw: 20 3c 53 3e 0d 0a 20 20 20 20 3c 54 49 20 54 3d 22 31 22 20 49 3d 22 44 61 69 6c 79 22 20 2f 3e 0d 0a 20 20 20 20 3c 41 20 54 3d 22 32 22 20 45 3d 22 54 65 6c 65 6d 65 74 72 79 53 68 75 74 64 6f 77 6e 22 20 2f 3e 0d 0a 20 20 20 20 3c 55 54 53 20 54 3d 22 33 22 20 49 64 3d 22 62 70 66 79 31 22 20 2f 3e 0d 0a 20 20 20 20 3c 46 20 54 3d 22 34 22 3e 0d 0a 20 20 20 20 20 20 3c 4f 20 54 3d 22 47 54 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 4c 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 3c 53 20 54 3d 22 33 22 20 46 3d 22 50 68 6f 74 6f 53 69 7a 65 49 6e 42 79 74 65 73 22 20 2f 3e 0d 0a 20 20 20 20 20 20 20 20 3c 2f 4c 3e 0d 0a 20 20 20 20 20 20 20 20 3c 52 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 3c 56 20 56 3d 22 30 22 20 54 3d 22 55 36 34 22 20 2f 3e 0d 0a 20 20 20 20 Data Ascii: <S> <TI T="1" I="Daily" /> <A T="2" E="TelemetryShutdown" /> <UTS T="3" Id="bpfy1" /> <F T="4"> <O T="GT"> <L> <S T="3" F="PhotoSizeInBytes" /> </L> <R> <V V="0" T="U64" />
2024-10-28 10:04:18 UTC	16384	IN	Data Raw: 6b 30 6d 22 20 2f 3e 0d 0a 20 20 20 20 3c 46 20 54 3d 22 36 22 3e 0d 0a 20 20 20 20 20 20 3c 4f 20 54 3d 22 45 51 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 4c 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 3c 53 20 54 3d 22 34 22 20 46 3d 22 65 76 65 6e 74 49 64 22 20 2f 3e 0d 0a 20 20 20 20 20 20 20 20 3c 2f 4c 3e 0d 0a 20 20 20 20 20 20 20 20 3c 52 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 3c 56 20 56 3d 22 31 33 35 22 20 54 3d 22 49 33 32 22 20 2f 3e 0d 0a 20 20 20 20 20 20 20 20 3c 2f 52 3e 0d 0a 20 20 20 20 20 20 3c 2f 4f 3e 0d 0a 20 20 20 20 3c 2f 46 3e 0d 0a 20 20 20 20 3c 46 20 54 3d 22 37 22 3e 0d 0a 20 20 20 20 20 20 3c 4f 20 54 3d 22 45 51 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 4c 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 3c 53 20 54 3d 22 35 22 20 46 3d 22 74 Data Ascii: k0m" /> <F T="6"> <O T="EQ"> <L> <S T="4" F="eventId" /> </L> <R> <V V="135" T="I32" /> </R> </O> </F> <F T="7"> <O T="EQ"> <L> <S T="5" F="t
2024-10-28 10:04:18 UTC	16384	IN	Data Raw: 34 22 20 54 3d 22 55 33 32 22 20 2f 3e 0d 0a 20 20 20 20 20 20 20 20 3c 2f 52 3e 0d 0a 20 20 20 20 20 20 3c 2f 4f 3e 0d 0a 20 20 20 20 3c 2f 46 3e 0d 0a 20 20 20 20 3c 46 20 54 3d 22 31 30 22 3e 0d 0a 20 20 20 20 20 20 3c 4f 20 54 3d 22 45 51 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 4c 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 3c 53 20 54 3d 22 33 22 20 46 3d 22 46 69 6c 65 50 72 6f 74 65 63 74 69 6f 6e 53 74 61 74 65 22 20 2f 3e 0d 0a 20 20 20 20 20 20 20 20 3c 2f 4c 3e 0d 0a 20 20 20 20 20 20 20 20 3c 52 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 3c 56 20 56 3d 22 35 22 20 54 3d 22 55 33 32 22 20 2f 3e 0d 0a 20 20 20 20 20 20 20 20 3c 2f 52 3e 0d 0a 20 20 20 20 20 20 3c 2f 4f 3e 0d 0a 20 20 20 20 3c 2f 46 3e 0d 0a 20 20 3c 2f 53 3e 0d 0a 20 20 3c 43 20 54 3d 22 Data Ascii: 4" T="U32" /> </R> </O> </F> <F T="10"> <O T="EQ"> <L> <S T="3" F="FileProtectionState" /> </L> <R> <V V="5" T="U32" /> </R> </O> </F> </S> <C T="
2024-10-28 10:04:18 UTC	16384	IN	Data Raw: 20 20 20 20 20 20 20 20 20 3c 4f 20 54 3d 22 45 51 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 4c 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 53 20 54 3d 22 35 22 20 46 3d 22 72 65 73 75 6c 74 73 5f 49 73 4e 75 6c 6c 22 20 2f 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 4c 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 52 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 56 20 56 3d 22 66 61 6c 73 65 22 20 54 3d 22 42 22 20 2f 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 52 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 4f 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 4c 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 52 3e 0d 0a 20 20 Data Ascii: <O T="EQ"> <L> <S T="5" F="results_IsNull" /> </L> <R> <V V="false" T="B" /> </R> </O> </L> <R>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.17	49732	13.107.246.60	443	3752	C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

Timestamp	Bytes transferred	Direction	Data
2024-10-28 10:04:18 UTC	207	OUT	GET /rules/rule120603v8s19.xml HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro) Host: otelrules.azureedge.net
2024-10-28 10:04:18 UTC	584	IN	HTTP/1.1 200 OK Date: Mon, 28 Oct 2024 10:04:18 GMT Content-Type: text/xml Content-Length: 2128 Connection: close Vary: Accept-Encoding Vary: Accept-Encoding Vary: Accept-Encoding Vary: Accept-Encoding Cache-Control: public, max-age=604800, immutable Last-Modified: Tue, 09 Apr 2024 00:26:04 GMT ETag: "0x8DC582BA41F3C62" x-ms-request-id: 84a1d713-001e-00a2-4ba7-26d4d5000000 x-ms-version: 2018-03-28 x-azure-ref: 20241028T100418Z-15b8d89586fvpb597drk06r8fc0000000600000000001s0f x-fd-int-roxy-purgeid: 0 X-Cache-Info: L1_T2 X-Cache: TCP_HIT Accept-Ranges: bytes
2024-10-28 10:04:18 UTC	2128	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 31 32 30 36 30 33 22 20 56 3d 22 38 22 20 44 43 3d 22 53 4d 22 20 45 4e 3d 22 4f 66 66 69 63 65 2e 53 79 73 74 65 6d 2e 53 79 73 74 65 6d 48 65 61 6c 74 68 4d 65 74 61 64 61 74 61 41 70 70 6c 69 63 61 74 69 6f 6e 41 64 64 69 74 69 6f 6e 61 6c 22 20 41 54 54 3d 22 63 64 38 33 36 36 32 36 36 31 31 63 34 63 61 61 61 38 66 63 35 62 32 65 37 32 38 65 65 38 31 64 2d 33 62 36 64 36 63 34 35 2d 36 33 37 37 2d 34 62 66 35 2d 39 37 39 32 2d 64 62 66 38 65 31 38 38 31 30 38 38 2d 37 35 32 31 22 20 53 50 3d 22 43 72 69 74 69 63 61 6c 42 75 73 69 6e 65 73 73 49 6d 70 61 63 74 22 20 45 3d 22 66 61 6c 73 65 22 20 44 4c 3d Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120603" V="8" DC="SM" EN="Office.System.SystemHealthMetadataApplicationAdditional" ATT="cd836626611c4caaa8fc5b2e728ee81d-3b6d6c45-6377-4bf5-9792-dbf8e1881088-7521" SP="CriticalBusinessImpact" E="false" DL=

Target ID:	0
Start time:	06:02:51
Start date:	28/10/2024
Path:	C:\Users\user\Desktop\NetCDF4Excel_3_3_setup.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\NetCDF4Excel_3_3_setup.exe"
Imagebase:	0x400000
File size:	466'718 bytes
MD5 hash:	943EA0A62B581F8E132B1FC33E04804D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	06:03:04
Start date:	28/10/2024
Path:	C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE"
Imagebase:	0x8c0000
File size:	53'161'064 bytes
MD5 hash:	4A871771235598812032C822E6F68F19
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	20
Start time:	06:04:07
Start date:	28/10/2024
Path:	C:\Windows\splwow64.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\splwow64.exe 8192
Imagebase:	0x7ff631080000
File size:	163'840 bytes
MD5 hash:	77DE7761B037061C7C112FD3C5B91E73
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	06:04:14
Start date:	28/10/2024
Path:	C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Program Files (x86)\NetCDF4Excel\NetCDF4Excel_2007.xlsm"
Imagebase:	0x8c0000
File size:	53'161'064 bytes
MD5 hash:	4A871771235598812032C822E6F68F19
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report NetCDF4Excel_3_3_setup.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\NetCDF4Excel\NetCDF4Excel_2007.xlsm

C:\Program Files (x86)\NetCDF4Excel\VbNc.dll

C:\Program Files (x86)\NetCDF4Excel\uninstaller.exe

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\DOMStore\R6H1M60R\osfintl[1].xml

C:\Users\user\AppData\Local\Microsoft\Office\Features\1-7FeatureCache.txt (copy)

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\1AC88B16.tmp

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\5IQBCSP1\WefGalleryExcel[1]

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\5IQBCSP1\office[1]

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\96LGQ1XY\BusinessBarClose_16x16x32[1]

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\96LGQ1XY\WefGallery[1]

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GO30WR0E\WefGalleryExcelInsert[1]

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GO30WR0E\WefGallery[1]

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NB937L4Q\Progress[1]

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NB937L4Q\wefgallery_strings[1]

C:\Users\user\AppData\Local\Temp\9EABC9EF.tmp

C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd

C:\Users\user\AppData\Local\Temp\~DF091FBA1044B213DC.TMP

C:\Users\user\AppData\Local\Temp\~DF88F2325B87F19935.TMP

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\NetCDF4Excel\NetCDF4Excel_2007.xlsm.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\NetCDF4Excel\Uninstall.lnk

C:\Users\user\Desktop\NetCDF4Excel_2007.xlsm.lnk

Static File Info

General

File Icon

Static PE Info

Windows Analysis Report
NetCDF4Excel_3_3_setup.exe