Source: Process started | Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team: Data: Command: "C:\Windows\System32\regsvr32.exe" C:\Datop\besta.ocx, CommandLine: "C:\Windows\System32\regsvr32.exe" C:\Datop\besta.ocx, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\regsvr32.exe, NewProcessName: C:\Windows\SysWOW64\regsvr32.exe, OriginalFileName: C:\Windows\SysWOW64\regsvr32.exe, ParentCommandLine: "C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE" /dde, ParentImage: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, ParentProcessId: 2960, ProcessCommandLine: "C:\Windows\System32\regsvr32.exe" C:\Datop\besta.ocx, ProcessId: 5048 |
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Directory created: C:\Program Files\Google\Chrome\Application\Dictionaries | Jump to behavior |
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Directory created: C:\Program Files\Google\Chrome\Application\Dictionaries\en-US-9-0.bdic | Jump to behavior |
Source: C:\Windows\SysWOW64\unarchiver.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll |
Source: unknown | HTTPS traffic detected: 108.179.253.213:443 -> 192.168.2.3:49803 version: TLS 1.2 |
Source: unknown | HTTPS traffic detected: 103.53.42.241:443 -> 192.168.2.3:49804 version: TLS 1.2 |
Source: unknown | HTTPS traffic detected: 142.4.29.152:443 -> 192.168.2.3:49805 version: TLS 1.2 |
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process created: C:\Windows\SysWOW64\regsvr32.exe |
Source: C:\Windows\SysWOW64\unarchiver.exe | Code function: 4x nop then jmp 019309B7h |
Source: C:\Windows\SysWOW64\unarchiver.exe | Code function: 4x nop then jmp 019309B6h |
Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Thu, 25 Nov 2021 10:04:01 GMTContent-Type: text/html; charset=UTF-8Content-Length: 157x-powered-by: PHP/7.4.25set-cookie: PHPSESSID=459f13144c1235550078ac9c92f00c00; path=/expires: Thu, 19 Nov 1981 08:52:00 GMTcache-control: no-store, no-cache, must-revalidatepragma: no-cachecontent-encoding: gzipvary: Accept-Encodingx-turbo-charged-by: LiteSpeedData Raw: 1f 8b 08 00 00 00 00 00 00 03 2d 8e 41 0e 82 30 10 45 af d2 74 53 58 d8 1e c0 a1 89 26 2e 3c 81 eb d2 69 64 02 74 0a 0c 24 78 7a 03 ba 7b f9 8b f7 1f 74 32 0e 1e 5a c6 dd 03 d2 a6 08 1b 9d 7b ad 50 2e b9 6f b4 9b 56 46 2e 42 ec 62 17 66 59 ec 87 8a f6 e0 90 36 0f 4b 9c a9 88 1f 38 06 21 ce b6 04 e9 72 18 93 6a 14 72 5c c7 94 c5 be 93 3c 86 74 e0 7d 7f 62 65 72 6f ea 63 bc 89 cc d4 ae 92 2a 73 7e 99 fa 0a ee 2f 04 f7 0b 72 67 dd 2b 90 58 6b bf 89 48 4c 09 ab 00 00 00 Data Ascii: -A0EtSX&.<idt$xz{t2Z{P.oVF.BbfY6K8!rjr\<t}beroc*s~/rg+XkHL |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49766 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49765 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49742 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49762 |
Source: unknown | Network traffic detected: HTTP traffic on port 49742 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 49766 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 49767 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 49762 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 49765 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 49804 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 49768 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 49803 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 49805 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49739 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49805 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49804 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49803 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49768 |
Source: unknown | Network traffic detected: HTTP traffic on port 49739 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49767 |
Source: global traffic | HTTP traffic detected: HTTP/1.1 403 ForbiddenContent-Type: text/htmlCache-Control: no-cache, no-store, must-revalidatePragma: no-cacheExpires: 0Server: BitNinja Captcha ServerDate: Thu, 25 Nov 2021 10:03:54 GMTContent-Length: 13768Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f 6c 6c 6f 77 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 6b 65 79 77 6f 72 64 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6a 6f 6f 6d 6c 61 2c 20 4a 6f 6f 6d 6c 61 2c 20 6a 6f 6f 6d 6c 61 20 31 2e 35 2c 20 77 6f 72 64 70 72 65 73 73 20 32 2e 35 2c 20 44 72 75 70 61 6c 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 4a 6f 6f 6d 6c 61 21 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 67 65 6e 65 72 61 74 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 4a 6f 6f 6d 6c 61 21 20 31 2e 35 20 2d 20 4f 70 65 6e 20 53 6f 75 72 63 65 20 43 6f 6e 74 65 6e 74 20 4d 61 6e 61 67 65 6d 65 6e 74 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 67 65 6e 65 72 61 74 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 57 6f 72 64 50 72 65 73 73 20 32 2e 35 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 57 61 69 74 69 6e 67 20 66 6f 72 20 74 68 65 20 72 65 64 69 72 65 63 74 69 72 6f 6e 2e 2e 2e 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 64 79 20 7 |