Windows Analysis Report http://www.artforlife.lozhkin.foundation/asperioresab/rerumvel-6647201

Overview

General Information

Sample URL: http://www.artforlife.lozhkin.foundation/asperioresab/rerumvel-6647201
Analysis ID: 528463
Infos:

Most interesting Screenshot:

Detection

Hidden Macro 4.0
Score: 52
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Sigma detected: Microsoft Office Product Spawning Windows Shell
Document exploit detected (process start blacklist hit)
Yara detected hidden Macro 4.0 in Excel
Found inlined nop instructions (likely shell or obfuscated code)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Tries to load missing DLLs
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Creates a process in suspended mode (likely to inject code)

Classification

Source: C:\Program Files\Google\Chrome\Application\chrome.exe Directory created: C:\Program Files\Google\Chrome\Application\Dictionaries Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Directory created: C:\Program Files\Google\Chrome\Application\Dictionaries\en-US-9-0.bdic Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll Jump to behavior
Source: unknown HTTPS traffic detected: 108.179.253.213:443 -> 192.168.2.3:49781 version: TLS 1.2
Source: unknown HTTPS traffic detected: 103.53.42.241:443 -> 192.168.2.3:49782 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.4.29.152:443 -> 192.168.2.3:49783 version: TLS 1.2

Software Vulnerabilities:

barindex
Document exploit detected (process start blacklist hit)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process created: C:\Windows\SysWOW64\regsvr32.exe
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Windows\SysWOW64\unarchiver.exe Code function: 4x nop then jmp 04EB09B7h 6_2_04EB02A8
Source: C:\Windows\SysWOW64\unarchiver.exe Code function: 4x nop then jmp 04EB09B6h 6_2_04EB02A8
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKConnection: Keep-AliveX-Powered-By: PHP/7.1.33Set-Cookie: PHPSESSID=f287e90eb7e9bd7e2607d5e6083193ef; path=/Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheContent-Type: text/html; charset=UTF-8Content-Length: 175Content-Encoding: gzipVary: Accept-EncodingDate: Thu, 25 Nov 2021 09:45:35 GMTServer: LiteSpeedX-Content-Type-Options: nosniffData Raw: 1f 8b 08 00 00 00 00 00 00 03 2d 8e bd 0e 82 30 14 46 5f a5 e9 52 18 68 11 a3 0e 96 26 9a 38 f8 04 ce a5 6d e4 06 fa 93 72 21 c1 a7 37 a0 db c9 37 9c ef c8 1e fd a8 64 17 ed aa a4 85 85 80 6d 69 18 28 b1 58 85 a1 a5 42 4f c9 65 88 d9 4d ba 13 26 06 74 3e c5 ac f3 5a 35 c7 73 dd 9c 2e f5 81 7f 20 51 25 85 85 45 c9 c9 64 48 a8 c6 68 34 42 0c 3c 69 ec 83 f6 8e b4 c4 46 33 7b 17 90 bf 1d 3e 46 b7 e1 7d 7d da 82 85 81 95 db 78 43 cc d0 cd e8 0a b6 df b3 f2 2a c5 5f 28 c5 af 51 ec c1 2f 0d c8 39 ff 02 5f 89 0e 45 be 00 00 00 Data Ascii: -0F_Rh&8mr!77dmi(XBOeM&t>Z5s. Q%EdHh4B<iF3{>F}}xC*_(Q/9_E
Source: unknown Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49749
Source: angular.js.1.dr String found in binary or memory: http://angularjs.org
Source: angular.js.1.dr String found in binary or memory: http://errors.angularjs.org/1.6.4-local
Source: pnacl_public_x86_64_pnacl_sz_nexe.1.dr, pnacl_public_x86_64_pnacl_llc_nexe.1.dr String found in binary or memory: http://llvm.org/):
Source: mirroring_hangouts.js.1.dr String found in binary or memory: http://tools.ietf.org/html/rfc1950
Source: mirroring_hangouts.js.1.dr String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: data_1.4.dr, 000003.log2.1.dr, rerumvel-6647201.zip_Zone.Identifier.5.dr String found in binary or memory: http://www.artforlife.lozhkin.foundation/asperioresab/contemporary-236025701.zip
Source: History.1.dr String found in binary or memory: http://www.artforlife.lozhkin.foundation/asperioresab/contemporary-236025701.zipK
Source: data_1.4.dr String found in binary or memory: http://www.artforlife.lozhkin.foundation/asperioresab/contemporary-236025701.zipL
Source: Current Session.1.dr String found in binary or memory: http://www.artforlife.lozhkin.foundation/asperioresab/rerumvel-6647201
Source: History.1.dr String found in binary or memory: http://www.artforlife.lozhkin.foundation/asperioresab/rerumvel-6647201/07
Source: History Provider Cache.1.dr String found in binary or memory: http://www.artforlife.lozhkin.foundation/asperioresab/rerumvel-66472012
Source: History Provider Cache.1.dr String found in binary or memory: http://www.artforlife.lozhkin.foundation/asperioresab/rerumvel-66472012:
Source: Current Session.1.dr String found in binary or memory: http://www.artforlife.lozhkin.foundation/asperioresab/rerumvel-66472018
Source: History.1.dr String found in binary or memory: http://www.artforlife.lozhkin.foundation/asperioresab/rerumvel-6647201http://www.artforlife.lozhkin.
Source: mirroring_hangouts.js.1.dr String found in binary or memory: http://www.ietf.org/id/draft-holmer-rmcat-transport-wide-cc-extensions
Source: mirroring_hangouts.js.1.dr String found in binary or memory: http://www.ietf.org/id/draft-holmer-rmcat-transport-wide-cc-extensions-01
Source: manifest.json0.1.dr, 81a9ac02-601b-435d-be4d-21e0784ce8f2.tmp.4.dr, eb61acc6-0a83-4200-9689-2066e6f2ca5b.tmp.4.dr String found in binary or memory: https://accounts.google.com
Source: craw_window.js.1.dr String found in binary or memory: https://accounts.google.com/MergeSession
Source: manifest.json0.1.dr, 81a9ac02-601b-435d-be4d-21e0784ce8f2.tmp.4.dr, eb61acc6-0a83-4200-9689-2066e6f2ca5b.tmp.4.dr String found in binary or memory: https://apis.google.com
Source: mirroring_common.js.1.dr String found in binary or memory: https://apis.google.com/js/client.js
Source: mirroring_common.js.1.dr String found in binary or memory: https://castedumessaging-pa.googleapis.com/v1
Source: pnacl_public_x86_64_libcrt_platform_a.1.dr String found in binary or memory: https://chromium.googlesource.com/a/native_client/pnacl-clang.git
Source: pnacl_public_x86_64_libcrt_platform_a.1.dr String found in binary or memory: https://chromium.googlesource.com/a/native_client/pnacl-llvm.git
Source: 81a9ac02-601b-435d-be4d-21e0784ce8f2.tmp.4.dr, eb61acc6-0a83-4200-9689-2066e6f2ca5b.tmp.4.dr String found in binary or memory: https://clients2.google.com
Source: mirroring_hangouts.js.1.dr String found in binary or memory: https://clients2.google.com/cr/report
Source: manifest.json0.1.dr, manifest.json.1.dr, manifest.json1.1.dr String found in binary or memory: https://clients2.google.com/service/update2/crx
Source: 81a9ac02-601b-435d-be4d-21e0784ce8f2.tmp.4.dr, eb61acc6-0a83-4200-9689-2066e6f2ca5b.tmp.4.dr String found in binary or memory: https://clients2.googleusercontent.com
Source: mirroring_hangouts.js.1.dr String found in binary or memory: https://clients6.google.com
Source: pnacl_public_x86_64_ld_nexe.1.dr String found in binary or memory: https://code.google.com/p/nativeclient/issues/entry
Source: pnacl_public_x86_64_ld_nexe.1.dr String found in binary or memory: https://code.google.com/p/nativeclient/issues/entry%s:
Source: manifest.json0.1.dr String found in binary or memory: https://content.googleapis.com
Source: common.js.1.dr, mirroring_cast_streaming.js.1.dr String found in binary or memory: https://crash.corp.google.com/samples?reportid=&q=
Source: mirroring_hangouts.js.1.dr String found in binary or memory: https://creativecommons.org/publicdomain/zero/1.0/.
Source: d07f6d12-c956-435a-889c-062e1247057e.tmp.4.dr, 602605cd-a010-447a-97a4-267db34edb97.tmp.4.dr, 81a9ac02-601b-435d-be4d-21e0784ce8f2.tmp.4.dr, eb61acc6-0a83-4200-9689-2066e6f2ca5b.tmp.4.dr String found in binary or memory: https://dns.google
Source: mirroring_common.js.1.dr String found in binary or memory: https://docs.google.com
Source: manifest.json0.1.dr String found in binary or memory: https://feedback.googleusercontent.com
Source: eb61acc6-0a83-4200-9689-2066e6f2ca5b.tmp.4.dr String found in binary or memory: https://fonts.googleapis.com
Source: manifest.json0.1.dr String found in binary or memory: https://fonts.googleapis.com;
Source: 81a9ac02-601b-435d-be4d-21e0784ce8f2.tmp.4.dr, eb61acc6-0a83-4200-9689-2066e6f2ca5b.tmp.4.dr String found in binary or memory: https://fonts.gstatic.com
Source: manifest.json0.1.dr String found in binary or memory: https://fonts.gstatic.com;
Source: angular.js.1.dr, material_css_min.css.1.dr String found in binary or memory: https://github.com/angular/material
Source: craw_background.js.1.dr, craw_window.js.1.dr String found in binary or memory: https://github.com/google/closure-library/wiki/goog.module:-an-ES6-module-like-alternative-to-goog.p
Source: mirroring_hangouts.js.1.dr String found in binary or memory: https://github.com/madler/zlib/blob/master/zlib.h
Source: mirroring_hangouts.js.1.dr String found in binary or memory: https://hangouts.clients6.google.com
Source: manifest.json0.1.dr String found in binary or memory: https://hangouts.google.com/
Source: mirroring_hangouts.js.1.dr String found in binary or memory: https://hangouts.google.com/hangouts/_/logpref
Source: mirroring_common.js.1.dr String found in binary or memory: https://meet.google.com
Source: mirroring_hangouts.js.1.dr String found in binary or memory: https://meetings.clients6.google.com
Source: mirroring_common.js.1.dr String found in binary or memory: https://networktraversal.googleapis.com/v1alpha
Source: 81a9ac02-601b-435d-be4d-21e0784ce8f2.tmp.4.dr, eb61acc6-0a83-4200-9689-2066e6f2ca5b.tmp.4.dr String found in binary or memory: https://ogs.google.com
Source: manifest.json.1.dr, craw_window.js.1.dr String found in binary or memory: https://payments.google.com/payments/v4/js/integrator.js
Source: 81a9ac02-601b-435d-be4d-21e0784ce8f2.tmp.4.dr, eb61acc6-0a83-4200-9689-2066e6f2ca5b.tmp.4.dr String found in binary or memory: https://play.google.com
Source: mirroring_hangouts.js.1.dr String found in binary or memory: https://play.google.com/log?format=json&hasfast=true
Source: mirroring_hangouts.js.1.dr String found in binary or memory: https://preprod-hangouts-googleapis.sandbox.google.com
Source: 81a9ac02-601b-435d-be4d-21e0784ce8f2.tmp.4.dr String found in binary or memory: https://r2---sn-4g5ednse.gvt1.com
Source: data_3.4.dr String found in binary or memory: https://r2---sn-4g5ednse.gvt1.com/edgedl/chrome/dict/en-us-9-0.bdic?cms_redirect=yes&mh=I2&mip=84.17
Source: 81a9ac02-601b-435d-be4d-21e0784ce8f2.tmp.4.dr String found in binary or memory: https://redirector.gvt1.com
Source: data_1.4.dr String found in binary or memory: https://redirector.gvt1.com/edgedl/chrome/dict/en-us-9-0.bdic
Source: manifest.json.1.dr, craw_window.js.1.dr String found in binary or memory: https://sandbox.google.com/payments/v4/js/integrator.js
Source: 81a9ac02-601b-435d-be4d-21e0784ce8f2.tmp.4.dr, eb61acc6-0a83-4200-9689-2066e6f2ca5b.tmp.4.dr String found in binary or memory: https://ssl.gstatic.com
Source: messages.json27.1.dr, messages.json83.1.dr, messages.json19.1.dr, feedback.html.1.dr, messages.json80.1.dr, messages.json28.1.dr, messages.json72.1.dr, messages.json22.1.dr, messages.json73.1.dr, messages.json37.1.dr, messages.json77.1.dr, messages.json17.1.dr, messages.json29.1.dr, messages.json21.1.dr, messages.json61.1.dr, messages.json74.1.dr, messages.json60.1.dr, messages.json75.1.dr, messages.json85.1.dr, messages.json20.1.dr, messages.json38.1.dr, messages.json4.1.dr, messages.json87.1.dr, messages.json86.1.dr, messages.json76.1.dr, messages.json69.1.dr, messages.json18.1.dr, messages.json39.1.dr, messages.json15.1.dr, messages.json84.1.dr, messages.json49.1.dr, messages.json70.1.dr, messages.json46.1.dr, messages.json26.1.dr, messages.json68.1.dr, messages.json47.1.dr, messages.json12.1.dr, messages.json79.1.dr, messages.json59.1.dr, messages.json45.1.dr, messages.json71.1.dr, messages.json82.1.dr, messages.json36.1.dr, messages.json81.1.dr, messages.json78.1.dr, messages.json67.1.dr, messages.json11.1.dr, messages.json16.1.dr, messages.json.1.dr String found in binary or memory: https://support.google.com/chromecast/answer/2998456
Source: messages.json27.1.dr, messages.json83.1.dr, messages.json19.1.dr, feedback.html.1.dr, messages.json80.1.dr, messages.json28.1.dr, messages.json72.1.dr, messages.json22.1.dr, messages.json73.1.dr, messages.json37.1.dr, messages.json77.1.dr, messages.json17.1.dr, messages.json29.1.dr, messages.json21.1.dr, messages.json61.1.dr, messages.json74.1.dr, messages.json60.1.dr, messages.json75.1.dr, messages.json85.1.dr, messages.json20.1.dr, messages.json38.1.dr, messages.json4.1.dr, messages.json87.1.dr, messages.json86.1.dr, messages.json76.1.dr, messages.json69.1.dr, messages.json18.1.dr, messages.json39.1.dr, messages.json15.1.dr, messages.json84.1.dr, messages.json49.1.dr, messages.json70.1.dr, messages.json46.1.dr, messages.json26.1.dr, messages.json68.1.dr, messages.json47.1.dr, messages.json12.1.dr, messages.json79.1.dr, messages.json59.1.dr, messages.json45.1.dr, messages.json71.1.dr, messages.json82.1.dr, messages.json36.1.dr, messages.json81.1.dr, messages.json78.1.dr, messages.json67.1.dr, messages.json11.1.dr, messages.json16.1.dr, messages.json.1.dr String found in binary or memory: https://support.google.com/chromecast/troubleshooter/2995236
Source: craw_background.js.1.dr, craw_window.js.1.dr String found in binary or memory: https://www-googleapis-staging.sandbox.google.com
Source: manifest.json0.1.dr, 81a9ac02-601b-435d-be4d-21e0784ce8f2.tmp.4.dr, eb61acc6-0a83-4200-9689-2066e6f2ca5b.tmp.4.dr String found in binary or memory: https://www.google.com
Source: manifest.json.1.dr String found in binary or memory: https://www.google.com/
Source: craw_window.js.1.dr String found in binary or memory: https://www.google.com/accounts/OAuthLogin?issueuberauth=1
Source: craw_window.js.1.dr String found in binary or memory: https://www.google.com/images/cleardot.gif
Source: craw_window.js.1.dr String found in binary or memory: https://www.google.com/images/dot2.gif
Source: craw_window.js.1.dr String found in binary or memory: https://www.google.com/images/x2.gif
Source: craw_background.js.1.dr String found in binary or memory: https://www.google.com/intl/en-US/chrome/blank.html
Source: mirroring_hangouts.js.1.dr String found in binary or memory: https://www.google.com/log?format=json&hasfast=true
Source: feedback_script.js.1.dr String found in binary or memory: https://www.google.com/tools/feedback
Source: manifest.json0.1.dr String found in binary or memory: https://www.google.com;
Source: craw_background.js.1.dr, 81a9ac02-601b-435d-be4d-21e0784ce8f2.tmp.4.dr, craw_window.js.1.dr, eb61acc6-0a83-4200-9689-2066e6f2ca5b.tmp.4.dr String found in binary or memory: https://www.googleapis.com
Source: manifest.json.1.dr String found in binary or memory: https://www.googleapis.com/
Source: manifest.json0.1.dr String found in binary or memory: https://www.googleapis.com/auth/calendar.readonly
Source: manifest.json0.1.dr String found in binary or memory: https://www.googleapis.com/auth/cast-edu-messaging
Source: manifest.json.1.dr String found in binary or memory: https://www.googleapis.com/auth/chromewebstore
Source: manifest.json.1.dr String found in binary or memory: https://www.googleapis.com/auth/chromewebstore.readonly
Source: manifest.json0.1.dr String found in binary or memory: https://www.googleapis.com/auth/clouddevices
Source: manifest.json0.1.dr String found in binary or memory: https://www.googleapis.com/auth/hangouts
Source: manifest.json0.1.dr String found in binary or memory: https://www.googleapis.com/auth/hangouts.readonly
Source: manifest.json0.1.dr String found in binary or memory: https://www.googleapis.com/auth/meetings
Source: manifest.json0.1.dr String found in binary or memory: https://www.googleapis.com/auth/plus.peopleapi.readwrite
Source: manifest.json.1.dr String found in binary or memory: https://www.googleapis.com/auth/sierra
Source: manifest.json.1.dr String found in binary or memory: https://www.googleapis.com/auth/sierrasandbox
Source: manifest.json0.1.dr String found in binary or memory: https://www.googleapis.com/auth/userinfo.email
Source: mirroring_common.js.1.dr String found in binary or memory: https://www.googleapis.com/calendar/v3
Source: mirroring_common.js.1.dr String found in binary or memory: https://www.googleapis.com/hangouts/v1
Source: 81a9ac02-601b-435d-be4d-21e0784ce8f2.tmp.4.dr, eb61acc6-0a83-4200-9689-2066e6f2ca5b.tmp.4.dr String found in binary or memory: https://www.gstatic.com
Source: common.js.1.dr String found in binary or memory: https://www.gstatic.com/hangouts_echo_detector/release/%
Source: manifest.json0.1.dr String found in binary or memory: https://www.gstatic.com;
Source: unknown HTTP traffic detected: POST /ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard HTTP/1.1Host: accounts.google.comConnection: keep-aliveContent-Length: 1Origin: https://www.google.comContent-Type: application/x-www-form-urlencodedSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: unknown DNS traffic detected: queries for: clients2.google.com
Source: global traffic HTTP traffic detected: GET /service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=85.0.4183.121&lang=en-US&acceptformat=crx3&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1&x=id%3Dpkedcjkdefgpdelpbcmbmeomcjbeemfm%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1 HTTP/1.1Host: clients2.google.comConnection: keep-aliveX-Goog-Update-Interactivity: fgX-Goog-Update-AppId: nmmhkkegccagdldgiimedpiccmgmieda,pkedcjkdefgpdelpbcmbmeomcjbeemfmX-Goog-Update-Updater: chromecrx-85.0.4183.121Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /crx/blobs/Acy1k0bLIjHsvnKaKN_oRpVaYYvFs25d7GKYF1WXrT6yizCMksBO0c_ggE0B6tx6HPRHe6q1GOEe3_NcIbSiGG8kXeLMUY0sAKVvC6R89zvKM13s5VqoAMZSmuUgjQL5vlygJuArQghXXE_qTL7NlQ/extension_8520_615_0_5.crx HTTP/1.1Host: clients2.googleusercontent.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /aQ6mO5EsFPz/yh.html HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: magnascakes.com.brConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /oqxIAZfo56z/yh.html HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: sherwinclothing.inConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /utGI12nl/yh.html HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: microtechzambia.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /asperioresab/rerumvel-6647201 HTTP/1.1Host: www.artforlife.lozhkin.foundationConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /asperioresab/contemporary-236025701.zip HTTP/1.1Host: www.artforlife.lozhkin.foundationConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Referer: http://www.artforlife.lozhkin.foundation/asperioresab/rerumvel-6647201Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: PHPSESSID=f287e90eb7e9bd7e2607d5e6083193ef
Source: unknown HTTPS traffic detected: 108.179.253.213:443 -> 192.168.2.3:49781 version: TLS 1.2
Source: unknown HTTPS traffic detected: 103.53.42.241:443 -> 192.168.2.3:49782 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.4.29.152:443 -> 192.168.2.3:49783 version: TLS 1.2

System Summary:

barindex
Yara signature match
Source: C:\Users\user\AppData\Local\Temp\xpo14wsl.qhu\favor-2069844189.xls, type: DROPPED Matched rule: SUSP_Excel4Macro_AutoOpen date = 2020-03-26, author = John Lambert @JohnLaTwC, description = Detects Excel4 macro use with auto open / close, score = 2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f
Tries to load missing DLLs
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc.dll Jump to behavior
Detected potential crypto function
Source: C:\Windows\SysWOW64\unarchiver.exe Code function: 6_2_04EB02A8 6_2_04EB02A8
Source: C:\Windows\SysWOW64\unarchiver.exe Code function: 6_2_04EB0298 6_2_04EB0298
Source: C:\Windows\SysWOW64\unarchiver.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp Jump to behavior
Source: unknown Process created: C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --enable-automation "http://www.artforlife.lozhkin.foundation/asperioresab/rerumvel-6647201
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1604,14176787574664726196,1403337882875848993,131072 --lang=en-US --service-sandbox-type=network --enable-audio-service-sandbox --mojo-platform-channel-handle=1912 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1604,14176787574664726196,1403337882875848993,131072 --lang=en-US --service-sandbox-type=none --enable-audio-service-sandbox --mojo-platform-channel-handle=4640 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Windows\SysWOW64\unarchiver.exe C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Downloads\rerumvel-6647201.zip
Source: C:\Windows\SysWOW64\unarchiver.exe Process created: C:\Windows\SysWOW64\7za.exe C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\xpo14wsl.qhu" "C:\Users\user\Downloads\rerumvel-6647201.zip
Source: C:\Windows\SysWOW64\7za.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\unarchiver.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe" /C "C:\Users\user\AppData\Local\Temp\xpo14wsl.qhu\favor-2069844189.xls
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE" /dde
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\System32\regsvr32.exe" C:\Datop\besta.ocx
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\System32\regsvr32.exe" C:\Datop\bestb.ocx
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\System32\regsvr32.exe" C:\Datop\bestc.ocx
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1604,14176787574664726196,1403337882875848993,131072 --lang=en-US --service-sandbox-type=network --enable-audio-service-sandbox --mojo-platform-channel-handle=1912 /prefetch:8 Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1604,14176787574664726196,1403337882875848993,131072 --lang=en-US --service-sandbox-type=none --enable-audio-service-sandbox --mojo-platform-channel-handle=4640 /prefetch:8 Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Windows\SysWOW64\unarchiver.exe C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Downloads\rerumvel-6647201.zip Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Process created: C:\Windows\SysWOW64\7za.exe C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\xpo14wsl.qhu" "C:\Users\user\Downloads\rerumvel-6647201.zip Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe" /C "C:\Users\user\AppData\Local\Temp\xpo14wsl.qhu\favor-2069844189.xls Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE" /dde Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\System32\regsvr32.exe" C:\Datop\besta.ocx Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\System32\regsvr32.exe" C:\Datop\bestb.ocx Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\System32\regsvr32.exe" C:\Datop\bestc.ocx Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4592:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6312:120:WilError_01
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Program Files\Google\Chrome\Application\Dictionaries Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-619FD9CB-1A5C.pma Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Local\Temp\8be7b269-f603-41e6-b4ce-f049d9c78bf5.tmp Jump to behavior
Source: classification engine Classification label: mal52.expl.win@50/262@7/10
Source: C:\Windows\SysWOW64\cmd.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Automated click: OK
Source: C:\Windows\SysWOW64\regsvr32.exe Automated click: OK
Source: C:\Windows\SysWOW64\regsvr32.exe Automated click: OK
Source: C:\Windows\SysWOW64\regsvr32.exe Automated click: OK
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Directory created: C:\Program Files\Google\Chrome\Application\Dictionaries Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Directory created: C:\Program Files\Google\Chrome\Application\Dictionaries\en-US-9-0.bdic Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll Jump to behavior

Data Obfuscation:

barindex
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\unarchiver.exe Code function: 6_2_00C82A18 push ecx; ret 6_2_00C82A1A
Source: C:\Windows\SysWOW64\unarchiver.exe Code function: 6_2_00C82A91 push edi; ret 6_2_00C82A92
Source: C:\Windows\SysWOW64\unarchiver.exe Code function: 6_2_00C829E8 push ecx; ret 6_2_00C829EA
Source: C:\Windows\SysWOW64\unarchiver.exe Code function: 6_2_00C82A24 push eax; ret 6_2_00C82A3E
Source: C:\Windows\SysWOW64\unarchiver.exe Code function: 6_2_00C82AE5 push edi; ret 6_2_00C82AE6
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

barindex
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\SysWOW64\unarchiver.exe TID: 6400 Thread sleep count: 178 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe TID: 6400 Thread sleep time: -89000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Code function: 6_2_00C8B042 GetSystemInfo, 6_2_00C8B042
Source: C:\Windows\SysWOW64\unarchiver.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

barindex
Yara detected hidden Macro 4.0 in Excel
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\xpo14wsl.qhu\favor-2069844189.xls, type: DROPPED
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\unarchiver.exe Process created: C:\Windows\SysWOW64\7za.exe C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\xpo14wsl.qhu" "C:\Users\user\Downloads\rerumvel-6647201.zip Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe" /C "C:\Users\user\AppData\Local\Temp\xpo14wsl.qhu\favor-2069844189.xls Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE" /dde Jump to behavior
Source: unarchiver.exe, 00000006.00000002.584717006.0000000001340000.00000002.00020000.sdmp, cmd.exe, 0000000C.00000002.585009224.0000000003C20000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: unarchiver.exe, 00000006.00000002.584717006.0000000001340000.00000002.00020000.sdmp, cmd.exe, 0000000C.00000002.585009224.0000000003C20000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: unarchiver.exe, 00000006.00000002.584717006.0000000001340000.00000002.00020000.sdmp, cmd.exe, 0000000C.00000002.585009224.0000000003C20000.00000002.00020000.sdmp Binary or memory string: Progman
Source: unarchiver.exe, 00000006.00000002.584717006.0000000001340000.00000002.00020000.sdmp, cmd.exe, 0000000C.00000002.585009224.0000000003C20000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

barindex
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 528463 URL: http://www.artforlife.lozhk... Startdate: 25/11/2021 Architecture: WINDOWS Score: 52 62 Sigma detected: Microsoft Office Product Spawning Windows Shell 2->62 64 Document exploit detected (process start blacklist hit) 2->64 66 Yara detected hidden Macro 4.0 in Excel 2->66 9 chrome.exe 18 414 2->9         started        process3 dnsIp4 46 192.168.2.1 unknown unknown 9->46 48 239.255.255.250 unknown Reserved 9->48 40 C:\...\pnacl_public_x86_64_pnacl_sz_nexe, ELF 9->40 dropped 42 C:\...\pnacl_public_x86_64_pnacl_llc_nexe, ELF 9->42 dropped 44 C:\Users\user\...\pnacl_public_x86_64_ld_nexe, ELF 9->44 dropped 13 unarchiver.exe 5 9->13         started        15 chrome.exe 16 9->15         started        18 chrome.exe 1 1 9->18         started        file5 process6 dnsIp7 20 7za.exe 2 13->20         started        23 cmd.exe 7 2 13->23         started        56 www.artforlife.lozhkin.foundation 31.131.22.224, 49752, 49753, 80 VPS-UA-ASUA Ukraine 15->56 58 clients.l.google.com 142.250.203.110, 443, 49750, 56529 GOOGLEUS United States 15->58 60 5 other IPs or domains 15->60 process8 file9 38 C:\Users\user\...\favor-2069844189.xls, Composite 20->38 dropped 25 conhost.exe 20->25         started        27 EXCEL.EXE 23 38 23->27         started        30 conhost.exe 23->30         started        process10 dnsIp11 50 magnascakes.com.br 108.179.253.213, 443, 49781 UNIFIEDLAYER-AS-1US United States 27->50 52 microtechzambia.com 142.4.29.152, 443, 49783 UNIFIEDLAYER-AS-1US United States 27->52 54 sherwinclothing.in 103.53.42.241, 443, 49782 PUBLIC-DOMAIN-REGISTRYUS India 27->54 32 regsvr32.exe 27->32         started        34 regsvr32.exe 27->34         started        36 regsvr32.exe 27->36         started        process12
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
103.53.42.241
 sherwinclothing.in India
394695 PUBLIC-DOMAIN-REGISTRYUS false
142.250.203.110
 clients.l.google.com United States
15169 GOOGLEUS false
172.217.168.45
 accounts.google.com United States
15169 GOOGLEUS false
31.131.22.224
 www.artforlife.lozhkin.foundation Ukraine
56851 VPS-UA-ASUA false
108.179.253.213
 magnascakes.com.br United States
46606 UNIFIEDLAYER-AS-1US false
142.250.203.97
 googlehosted.l.googleusercontent.com United States
15169 GOOGLEUS false
239.255.255.250
 unknown Reserved
unknown unknown false
142.4.29.152
 microtechzambia.com United States
46606 UNIFIEDLAYER-AS-1US false

Private
IP
192.168.2.1
127.0.0.1

Contacted Domains

Name IP Active
microtechzambia.com 142.4.29.152 true
accounts.google.com 172.217.168.45 true
magnascakes.com.br 108.179.253.213 true
www.artforlife.lozhkin.foundation 31.131.22.224 true
sherwinclothing.in 103.53.42.241 true
clients.l.google.com 142.250.203.110 true
googlehosted.l.googleusercontent.com 142.250.203.97 true
clients2.googleusercontent.com unknown unknown
clients2.google.com unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://microtechzambia.com/utGI12nl/yh.html false
  • Avira URL Cloud: safe
 unknown
https://clients2.googleusercontent.com/crx/blobs/Acy1k0bLIjHsvnKaKN_oRpVaYYvFs25d7GKYF1WXrT6yizCMksBO0c_ggE0B6tx6HPRHe6q1GOEe3_NcIbSiGG8kXeLMUY0sAKVvC6R89zvKM13s5VqoAMZSmuUgjQL5vlygJuArQghXXE_qTL7NlQ/extension_8520_615_0_5.crx false
    		high
    https://magnascakes.com.br/aQ6mO5EsFPz/yh.html false
    • Avira URL Cloud: safe
    		 unknown
    http://www.artforlife.lozhkin.foundation/asperioresab/rerumvel-6647201 false
      		unknown
      https://clients2.google.com/service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=85.0.4183.121&lang=en-US&acceptformat=crx3&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1&x=id%3Dpkedcjkdefgpdelpbcmbmeomcjbeemfm%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1 false
        		high
        https://accounts.google.com/ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard false
          		high
          http://www.artforlife.lozhkin.foundation/asperioresab/contemporary-236025701.zip false
          • Avira URL Cloud: safe
          		 unknown
          https://sherwinclothing.in/oqxIAZfo56z/yh.html false
          • Avira URL Cloud: safe
          		 unknown