Windows Analysis Report
H 05072022.xls

Overview

General Information

Sample Name:	H 05072022.xls
Analysis ID:	672716
MD5:	f0e821a13f85dad72bb345b2dd7c93e7
SHA1:	17b0e4f2bc946eb3c0f7deb0da78d5db58836a0c
SHA256:	3db2ab1966f944f46e4cb802f2d4e71d407d989766c20809d232552fe55d29d1
Infos:

Detection

Hidden Macro 4.0, Emotet

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Document exploit detected (drops PE files)

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Yara detected Emotet

System process connects to network (likely due to code injection or exploit)

Document exploit detected (creates forbidden files)

Antivirus detection for URL or domain

Found malicious Excel 4.0 Macro

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Snort IDS alert for network traffic

Office process drops PE file

Found Excel 4.0 Macro with suspicious formulas

C2 URLs / IPs found in malware configuration

Drops PE files to the user root directory

Hides that the sample has been downloaded from the Internet (zone.identifier)

Document exploit detected (process start blacklist hit)

Document exploit detected (UrlDownloadToFile)

Queries the volume information (name, serial number etc) of a device

Yara signature match

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Creates files inside the system directory

Internet Provider seen in connection with other malware

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

JA3 SSL client fingerprint seen in connection with other malware

Contains functionality to dynamically determine API calls

Found dropped PE file which has not been started or loaded

Potential document exploit detected (performs DNS queries)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

IP address seen in connection with other malware

Potential document exploit detected (unknown TCP traffic)

PE file contains an invalid checksum

Drops PE files

Uses a known web browser user agent for HTTP communication

Drops PE files to the windows directory (C:\Windows)

Detected TCP or UDP traffic on non-standard ports

Connects to several IPs in different countries

Potential key logger detected (key state polling based)

Registers a DLL

Drops PE files to the user directory

Found large amount of non-executed APIs

Potential document exploit detected (performs HTTP gets)

Creates a process in suspended mode (likely to inject code)

Classification

Signatures

AV Detection

Multi AV Scanner detection for submitted file

Source: H 05072022.xls	Virustotal: Detection: 64%	Perma Link
Source: H 05072022.xls	Metadefender: Detection: 37%	Perma Link
Source: H 05072022.xls	ReversingLabs: Detection: 80%

Antivirus detection for URL or domain

Source: http://www.fundaciontheoz.cl/pensamientooccidental/tilKftYVgHoCu4pp/	Avira URL Cloud: Label: malware
Source: http://www.clinicaportalpsicologia.com.br/wp-content/rknwta6Ncgt9xnXu7S/	Avira URL Cloud: Label: malware
Source: https://174.138.33.49/F	Avira URL Cloud: Label: malware
Source: https://flywithme.dk/wp-includes/xFbL/	Avira URL Cloud: Label: malware

Multi AV Scanner detection for domain / URL

Source: flywithme.dk	Virustotal: Detection: 9%	Perma Link
Source: fundaciontheoz.cl	Virustotal: Detection: 16%	Perma Link
Source: www.fundaciontheoz.cl	Virustotal: Detection: 11%	Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\yXlTTXSuSsUlL[1].dll	Metadefender: Detection: 48%	Perma Link
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\yXlTTXSuSsUlL[1].dll	ReversingLabs: Detection: 88%
Source: C:\Users\user\hhdt1.ocx	Metadefender: Detection: 48%	Perma Link
Source: C:\Users\user\hhdt1.ocx	ReversingLabs: Detection: 88%
Source: C:\Windows\System32\IBmjgOoh\HPiQbOm.dll (copy)	Metadefender: Detection: 48%	Perma Link
Source: C:\Windows\System32\IBmjgOoh\HPiQbOm.dll (copy)	ReversingLabs: Detection: 88%

Source: 00000004.00000002.1198679946.00000000002FA000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: Emotet {"C2 list": ["174.138.33.49:7080", "188.165.79.151:443", "196.44.98.190:8080", "5.253.30.17:7080", "190.145.8.4:443", "54.37.228.122:443", "128.199.217.206:443", "175.126.176.79:8080", "104.248.225.227:8080", "54.37.106.167:8080", "198.199.70.22:8080", "139.59.80.108:8080", "103.85.95.4:8080", "165.232.185.110:8080", "103.224.241.74:8080", "178.62.112.199:8080", "178.238.225.252:8080", "62.171.178.147:8080", "202.134.4.210:7080", "103.71.99.57:8080", "103.41.204.169:8080", "139.196.72.155:8080", "188.225.32.231:4143", "87.106.97.83:7080", "103.126.216.86:443", "37.44.244.177:8080", "64.227.55.231:8080", "93.104.209.107:8080", "103.56.149.105:8080", "43.129.209.178:443", "202.29.239.162:443", "210.57.209.142:8080", "83.229.80.93:8080", "85.25.120.45:8080", "190.107.19.179:443", "157.230.99.206:8080", "195.77.239.39:8080", "36.67.23.59:443", "104.244.79.94:443", "118.98.72.86:443", "37.187.114.15:8080", "46.101.98.60:8080", "85.214.67.203:8080", "165.22.254.236:8080", "157.245.111.0:8080", "128.199.242.164:8080", "202.28.34.99:8080", "88.217.172.165:8080"], "Public Key": ["RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0rse5dX4AAJA=", "RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCWq8e5dX4AAIg="]}

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Source: unknown	HTTPS traffic detected: 41.204.199.147:443 -> 192.168.2.22:49171 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 94.231.103.133:443 -> 192.168.2.22:49173 version: TLS 1.2

Source: global traffic	DNS query: name: greenlizard.co.za
Source: global traffic	DNS query: name: www.clinicaportalpsicologia.com.br
Source: global traffic	DNS query: name: flywithme.dk
Source: global traffic	DNS query: name: www.fundaciontheoz.cl

Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 94.231.103.133:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 94.231.103.133:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 94.231.103.133:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 94.231.103.133:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 94.231.103.133:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 94.231.103.133:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 94.231.103.133:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 94.231.103.133:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 94.231.103.133:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 94.231.103.133:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 94.231.103.133:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 94.231.103.133:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 94.231.103.133:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 94.231.103.133:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 94.231.103.133:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 94.231.103.133:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 94.231.103.133:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 94.231.103.133:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 94.231.103.133:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 94.231.103.133:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 94.231.103.133:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 94.231.103.133:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 94.231.103.133:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 94.231.103.133:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 94.231.103.133:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 41.204.199.147:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 94.231.103.133:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 187.1.136.16:80
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 162.240.65.124:80

Source: Malware configuration extractor	IPs: 174.138.33.49:7080
Source: Malware configuration extractor	IPs: 188.165.79.151:443
Source: Malware configuration extractor	IPs: 196.44.98.190:8080
Source: Malware configuration extractor	IPs: 5.253.30.17:7080
Source: Malware configuration extractor	IPs: 190.145.8.4:443
Source: Malware configuration extractor	IPs: 54.37.228.122:443
Source: Malware configuration extractor	IPs: 128.199.217.206:443
Source: Malware configuration extractor	IPs: 175.126.176.79:8080
Source: Malware configuration extractor	IPs: 104.248.225.227:8080
Source: Malware configuration extractor	IPs: 54.37.106.167:8080
Source: Malware configuration extractor	IPs: 198.199.70.22:8080
Source: Malware configuration extractor	IPs: 139.59.80.108:8080
Source: Malware configuration extractor	IPs: 103.85.95.4:8080
Source: Malware configuration extractor	IPs: 165.232.185.110:8080
Source: Malware configuration extractor	IPs: 103.224.241.74:8080
Source: Malware configuration extractor	IPs: 178.62.112.199:8080
Source: Malware configuration extractor	IPs: 178.238.225.252:8080
Source: Malware configuration extractor	IPs: 62.171.178.147:8080
Source: Malware configuration extractor	IPs: 202.134.4.210:7080
Source: Malware configuration extractor	IPs: 103.71.99.57:8080
Source: Malware configuration extractor	IPs: 103.41.204.169:8080
Source: Malware configuration extractor	IPs: 139.196.72.155:8080
Source: Malware configuration extractor	IPs: 188.225.32.231:4143
Source: Malware configuration extractor	IPs: 87.106.97.83:7080
Source: Malware configuration extractor	IPs: 103.126.216.86:443
Source: Malware configuration extractor	IPs: 37.44.244.177:8080
Source: Malware configuration extractor	IPs: 64.227.55.231:8080
Source: Malware configuration extractor	IPs: 93.104.209.107:8080
Source: Malware configuration extractor	IPs: 103.56.149.105:8080
Source: Malware configuration extractor	IPs: 43.129.209.178:443
Source: Malware configuration extractor	IPs: 202.29.239.162:443
Source: Malware configuration extractor	IPs: 210.57.209.142:8080
Source: Malware configuration extractor	IPs: 83.229.80.93:8080
Source: Malware configuration extractor	IPs: 85.25.120.45:8080
Source: Malware configuration extractor	IPs: 190.107.19.179:443
Source: Malware configuration extractor	IPs: 157.230.99.206:8080
Source: Malware configuration extractor	IPs: 195.77.239.39:8080
Source: Malware configuration extractor	IPs: 36.67.23.59:443
Source: Malware configuration extractor	IPs: 104.244.79.94:443
Source: Malware configuration extractor	IPs: 118.98.72.86:443
Source: Malware configuration extractor	IPs: 37.187.114.15:8080
Source: Malware configuration extractor	IPs: 46.101.98.60:8080
Source: Malware configuration extractor	IPs: 85.214.67.203:8080
Source: Malware configuration extractor	IPs: 165.22.254.236:8080
Source: Malware configuration extractor	IPs: 157.245.111.0:8080
Source: Malware configuration extractor	IPs: 128.199.242.164:8080
Source: Malware configuration extractor	IPs: 202.28.34.99:8080
Source: Malware configuration extractor	IPs: 88.217.172.165:8080

Source: global traffic	HTTP traffic detected: GET /amanah/HJErj/ HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: greenlizard.co.zaConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wp-includes/xFbL/ HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: flywithme.dkConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wp-content/rknwta6Ncgt9xnXu7S/ HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: www.clinicaportalpsicologia.com.brConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /pensamientooccidental/tilKftYVgHoCu4pp/ HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: www.fundaciontheoz.clConnection: Keep-Alive

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49173
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49171
Source: unknown	Network traffic detected: HTTP traffic on port 49171 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49173 -> 443

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 25 Jul 2022 08:27:29 GMTServer: ApacheX-Powered-By: PHP/5.6.40Expires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <https://flywithme.dk/wp-json/>; rel="https://api.w.org/"Content-Security-Policy: upgrade-insecure-requests;Upgrade: h2Connection: Upgrade, closeX-Content-Type-Options: nosniffSimplyCom-Server: ApacheTransfer-Encoding: chunkedContent-Type: text/html; charset=UTF-8
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 25 Jul 2022 08:27:26 GMTServer: ApacheExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <https://www.clinicaportalpsicologia.com.br/wp-json/>; rel="https://api.w.org/"Content-Encoding: gzipVary: Accept-EncodingSet-Cookie: Q-nRfEyNzlwbYUeh=AmQW%5B1; expires=Tue, 26-Jul-2022 08:27:26 GMT; Max-Age=86400; path=/Set-Cookie: LQXvDnbCi_V=T.IyOvg1ts; expires=Tue, 26-Jul-2022 08:27:26 GMT; Max-Age=86400; path=/Set-Cookie: fUqbTznEhHt=fEc%2A5lYHuAJ; expires=Tue, 26-Jul-2022 08:27:26 GMT; Max-Age=86400; path=/Set-Cookie: N_LhVXTlKtQ=%5B8zbNWgVGME7R; expires=Tue, 26-Jul-2022 08:27:26 GMT; Max-Age=86400; path=/Keep-Alive: timeout=5, max=500Connection: Keep-AliveTransfer-Encoding: chunkedContent-Type: text/html; charset=UTF-8Data Raw: 31 64 34 31 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ec 5a cd 92 db 38 92 3e 77 3d 05 8b 8e a9 12 c7 24 45 52 ff 52 cb dd ee 6a f7 ec a1 7b da e1 72 c7 c6 84 cb 51 01 91 90 44 9b 24 d8 00 54 2a 8d 5c 0f 33 b1 a7 39 cc 69 8e 7b d8 83 1f 68 5f 61 13 20 29 52 14 f5 ef 89 e8 99 1d 47 59 12 81 cc 2f 13 99 89 44 26 a4 ff fd ef ff f9 fa f2 fb 9f 6f de fe e9 f5 2b 65 ca c3 e0 c5 c5 d7 e2 4d 09 50 34 19 aa 31 37 be 7b a3 2a 31 c5 63 ff 71 a8 92 49 1f 88 78 dc af d7 c9 24 36 43 5c 8f d8 33 55 71 03 c4 d8 50 8d 88 f1 81 a9 2f 2e 00 01 23 4f bc 87 98 23 c5 9d 22 ca 30 1f aa bf bc fd c1 e8 aa 4a 1d 44 70 9f 07 f8 c5 eb cf 7f 99 f8 11 52 a2 cf ff 45 14 1c b9 24 e2 14 79 48 31 94 9b e0 f3 df 22 df 45 8a 87 95 98 f9 2e 09 c8 c4 47 0a 0e 95 9f 19 62 2e d1 73 8a d7 84 72 14 28 af 73 aa 8c 44 0c 7d fe 3b 8c 11 56 e4 94 94 31 f6 d0 84 4c 10 83 67 7f 45 b7 ce e3 47 63 14 71 3f 50 5c c4 40 c2 18 85 9f ff 16 00 be ef 11 46 80 91 a4 80 a0 f7 03 8e 7c a2 8f 40 7b 2c 87 50 e8 07 3a 00 70 4c c3 cf 7f f5 40 cf af eb c9 9a 53 a3 44 28 c4 c3 6b 4a 46 84 b3 6b 81 c0 71 c4 87 d7 21 7a 34 fc 10 4d b0 01 26 7f f0 f1 bc 1f 20 3a c1 d7 d2 68 39 a3 3a 26 34 44 dc f0 30 c7 2e f7 49 a4 ae 20 54 8e 03 1c 4f 49 84 87 11 51 d7 b9 04 60 0c e6 2a 50 cf 7d 8f 4f 87 1e c8 72 b1 21 1f 84 da 3e f7 51 60 30 17 05 78 68 27 1e 0b fc e8 a3 42 71 30 54 d9 14 20 dc 19 57 c0 8c 20 78 0a b1 31 54 45 54 30 08 8b f9 7c 6e ba 40 0b 2b 8e a5 63 72 ef 99 2e 09 cd 11 ad cf 63 23 15 5f 9f c5 01 41 1e ab 3b 96 dd ad 5b dd 7a 46 4c 0c 1c 1a 89 79 8d d5 18 cb Data Ascii: 1d41Z8>w=$ERRj{rQD$T\39i{h_a )RGY/D&o+eMP417{1cqIx$6C\3UqP/.#O#"0JDpRE$yH1"E.Gb.sr(sD};V1LgEGcq?P\@F\|@{,P:pL@SD(kJFkq!z4M& :h9:&4D0.I TOIQ`*P}Or!>Q`0xh'Bq0T W x1TET0\|n@+cr.c#_A;[zFLy
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 25 Jul 2022 08:27:31 GMTServer: ApacheExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <https://www.fundaciontheoz.cl/wp-json/>; rel="https://api.w.org/"Set-Cookie: _learn_press_session_15e189b8b9570bad712e7dad4bf24da9=26f3617e47267a989187cbc2d8babc7c%7C%7C1658910451%7C%7Ce0d9bab5f1332bd3818d6e7c5ac2efa0; expires=Wed, 27-Jul-2022 08:27:31 GMT; Max-Age=172799; path=/; secureSet-Cookie: _wordpress_lp_guest=6db20933f83edee9a34774ce481c44f9; expires=Mon, 25-Jul-2022 09:27:32 GMT; Max-Age=3600; path=/; secureKeep-Alive: timeout=5, max=100Connection: Keep-AliveTransfer-Encoding: chunkedContent-Type: text/html; charset=UTF-8Data Raw: 31 64 61 38 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 73 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 6f 66 69 6c 65 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 67 6d 70 67 2e 6f 72 67 2f 78 66 6e 2f 31 31 22 3e 0a 0a 09 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 6d 65 64 69 61 3d 22 61 6c 6c 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 66 75 6e 64 61 63 69 6f 6e 74 68 65 6f 7a 2e 63 6c 2f 77 70 2d 63 6f 6e 74 65 6e 74 2f 74 68 65 6d 65 73 2f 75 6e 66 69 6e 69 74 79 70 6c 75 73 2f 69 6e 66 75 73 69 6f 6e 2f 66 72 61 6d 65 77 6f 72 6b 2f 66 73 73 2f 63 73 73 2f 66 73 73 2d 72 65 73 65 74 2d 67 6c 6f 62 61 6c 2e 63 73 73 22 20 2f 3e 0a 09 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 6d 65 64 69 61 3d 22 61 6c 6c 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 66 75 6e 64 61 63 69 6f 6e 74 68 65 6f 7a 2e 63 6c 2f 77 70 2d 63 6f 6e 74 65 6e 74 2f 74 68 65 6d 65 73 2f 75 6e 66 69 6e 69 74 79 70 6c 75 73 2f 69 6e 66 75 73 69 6f 6e 2f 66 72 61 6d 65 77 6f 72 6b 2f 66 73 73 2f 63 73 73 2f 66 73 73 2d 62 61 73 65 2d 67 6c 6f 62 61 6c 2e 63 73 73 22 20 2f 3e 0a 09 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 6d 65 64 69 61 3d 22 61 6c 6c 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 77 77 Data Ascii: 1da8<!doctype html><html lang="es"><head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="profile" href="http://gmpg.org/xfn/11"><link rel="stylesheet" type="text/css" media="all" href="http://www.fundaciontheoz.cl/wp-content/themes/unfinityplus/infusion/framework/fss/css/fss-reset-global.css" /><link rel="stylesheet" type="text/css" media="all"

Source: unknown	TCP traffic detected without corresponding DNS query: 174.138.33.49
Source: unknown	TCP traffic detected without corresponding DNS query: 174.138.33.49
Source: unknown	TCP traffic detected without corresponding DNS query: 174.138.33.49
Source: unknown	TCP traffic detected without corresponding DNS query: 174.138.33.49
Source: unknown	TCP traffic detected without corresponding DNS query: 174.138.33.49
Source: unknown	TCP traffic detected without corresponding DNS query: 174.138.33.49
Source: unknown	TCP traffic detected without corresponding DNS query: 174.138.33.49
Source: unknown	TCP traffic detected without corresponding DNS query: 174.138.33.49
Source: unknown	TCP traffic detected without corresponding DNS query: 174.138.33.49
Source: unknown	TCP traffic detected without corresponding DNS query: 174.138.33.49

Source: regsvr32.exe, 00000004.00000002.1199025968.0000000002DA8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: regsvr32.exe, 00000004.00000002.1199025968.0000000002DA8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: regsvr32.exe, 00000004.00000002.1199025968.0000000002DA8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: regsvr32.exe, 00000004.00000002.1199025968.0000000002DA8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: regsvr32.exe, 00000004.00000002.1199025968.0000000002DA8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: regsvr32.exe, 00000004.00000002.1199025968.0000000002DA8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: regsvr32.exe, 00000004.00000002.1199003581.0000000002D90000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.4.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: regsvr32.exe, 00000004.00000003.974282903.000000000037E000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000002.1198822487.000000000037E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabme
Source: regsvr32.exe, 00000004.00000002.1199003581.0000000002D90000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/eno
Source: regsvr32.exe, 00000004.00000002.1199025968.0000000002DA8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: regsvr32.exe, 00000004.00000002.1199025968.0000000002DA8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0%
Source: regsvr32.exe, 00000004.00000002.1199025968.0000000002DA8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0-
Source: regsvr32.exe, 00000004.00000002.1199025968.0000000002DA8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0/
Source: regsvr32.exe, 00000004.00000002.1199025968.0000000002DA8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com05
Source: regsvr32.exe, 00000004.00000002.1199025968.0000000002DA8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.entrust.net03
Source: regsvr32.exe, 00000004.00000002.1199025968.0000000002DA8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.entrust.net0D
Source: regsvr32.exe, 00000004.00000002.1199025968.0000000002DA8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: regsvr32.exe, 00000004.00000002.1199025968.0000000002DA8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: regsvr32.exe, 00000004.00000003.974282903.000000000037E000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000002.1198822487.000000000037E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://174.138.33.49/
Source: regsvr32.exe, 00000004.00000003.974282903.000000000037E000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000002.1198822487.000000000037E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://174.138.33.49/F
Source: regsvr32.exe, 00000004.00000002.1199003581.0000000002D90000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://174.138.33.49:7080/
Source: regsvr32.exe, 00000004.00000002.1199025968.0000000002DA8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://secure.comodo.com/CPS0

Source: Yara match	File source: 3.2.regsvr32.exe.160000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.regsvr32.exe.150000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.regsvr32.exe.160000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.regsvr32.exe.150000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.914740891.0000000000160000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1198622373.0000000000150000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.915078556.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1199191486.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY

Source: Screenshot number: 4	Screenshot OCR: Enable Editing and click Enable Content. 1 " 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 1
Source: Screenshot number: 4	Screenshot OCR: Enable Content. 1 " 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23

Source: H 05072022.xls	Macro extractor: Sheet: Sheet7 contains: URLDownloadToFileA
Source: H 05072022.xls	Macro extractor: Sheet: Sheet7 contains: URLDownloadToFileA

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\yXlTTXSuSsUlL[1].dll			Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\hhdt1.ocx			Jump to dropped file

Source: H 05072022.xls	Initial sample: EXEC
Source: H 05072022.xls	Initial sample: EXEC

Source: H 05072022.xls, type: SAMPLE	Matched rule: SUSP_Excel4Macro_AutoOpen date = 2020-03-26, author = John Lambert @JohnLaTwC, description = Detects Excel4 macro use with auto open / close, score = 2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f
Source: C:\Users\user\Desktop\H 05072022.xls, type: DROPPED	Matched rule: SUSP_Excel4Macro_AutoOpen date = 2020-03-26, author = John Lambert @JohnLaTwC, description = Detects Excel4 macro use with auto open / close, score = 2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f

Source: C:\Windows\System32\regsvr32.exe	Code function: String function: 000007FEF70417C6 appears 85 times
Source: C:\Windows\System32\regsvr32.exe	Code function: String function: 000007FEF7041861 appears 208 times
Source: C:\Windows\System32\regsvr32.exe	Code function: String function: 000007FEF70E54C8 appears 46 times

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\regsvr32.exe C:\Windows\System32\regsvr32.exe /S ..\hhdt1.ocx
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\IBmjgOoh\HPiQbOm.dll"
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\regsvr32.exe C:\Windows\System32\regsvr32.exe /S ..\hhdt2.ocx
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\regsvr32.exe C:\Windows\System32\regsvr32.exe /S ..\hhdt3.ocx
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\regsvr32.exe C:\Windows\System32\regsvr32.exe /S ..\hhdt4.ocx
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\regsvr32.exe C:\Windows\System32\regsvr32.exe /S ..\hhdt1.ocx	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\regsvr32.exe C:\Windows\System32\regsvr32.exe /S ..\hhdt2.ocx	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\regsvr32.exe C:\Windows\System32\regsvr32.exe /S ..\hhdt3.ocx	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\regsvr32.exe C:\Windows\System32\regsvr32.exe /S ..\hhdt4.ocx	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\IBmjgOoh\HPiQbOm.dll"	Jump to behavior

Source: H 05072022.xls	OLE indicator, Workbook stream: true
Source: H 05072022.xls.0.dr	OLE indicator, Workbook stream: true

Source: C:\Windows\System32\regsvr32.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: hhdt1.ocx.0.dr	Static PE information: real checksum: 0xdba5b should be: 0xe1d25
Source: yXlTTXSuSsUlL[1].dll.0.dr	Static PE information: real checksum: 0xdba5b should be: 0xe1d25

Windows Analysis Report H 05072022.xls

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
H 05072022.xls

Source: C:\Windows\System32\regsvr32.exe	File created: C:\Windows\System32\IBmjgOoh\HPiQbOm.dll (copy)	Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\yXlTTXSuSsUlL[1].dll	Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\hhdt1.ocx	Jump to dropped file

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\regsvr32.exe TID: 672	Thread sleep time: -120000s >= -30000s			Jump to behavior
Source: C:\Windows\System32\regsvr32.exe TID: 2020	Thread sleep time: -300000s >= -30000s			Jump to behavior

Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000007FEF70E4FD8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_000007FEF70E4FD8
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000007FEF70E4FD8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_000007FEF70E4FD8
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000007FEF708930C SetUnhandledExceptionFilter,UnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_000007FEF708930C

Source: C:\Windows\System32\regsvr32.exe	Code function: _getptd,__lc_wcstolc,__get_qualified_locale,GetLocaleInfoEx,GetACP,_lock,free,_lock,__freetlocinfo,free,	3_2_000007FEF70864D8
Source: C:\Windows\System32\regsvr32.exe	Code function: __crtGetLocaleInfoA,GetLastError,__crtGetLocaleInfoA,_calloc_crt,__crtGetLocaleInfoA,_calloc_crt,free,free,GetLocaleInfoEx,_calloc_crt,GetLocaleInfoEx,free,	3_2_000007FEF7088F14
Source: C:\Windows\System32\regsvr32.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	3_2_000007FEF709AF38
Source: C:\Windows\System32\regsvr32.exe	Code function: GetLocaleInfoEx,	3_2_000007FEF70E4F38
Source: C:\Windows\System32\regsvr32.exe	Code function: GetLocaleInfoEx,GetLocaleInfoEx,WideCharToMultiByte,free,	3_2_000007FEF709ADDC
Source: C:\Windows\System32\regsvr32.exe	Code function: _getptd,TranslateName,GetLocaleNameFromLangCountry,GetLocaleNameFromLanguage,TranslateName,GetLocaleNameFromLangCountry,ProcessCodePage,IsValidCodePage,GetLocaleInfoEx,GetLocaleInfoEx,GetLocaleInfoEx,_itow_s,GetLocaleNameFromLanguage,CompareStringEx,	3_2_000007FEF7095750
Source: C:\Windows\System32\regsvr32.exe	Code function: GetLocaleInfoEx,	3_2_000007FEF70955DC
Source: C:\Windows\System32\regsvr32.exe	Code function: GetLocaleInfoEx,GetLocaleInfoEx,GetACP,	3_2_000007FEF7095528
Source: C:\Windows\System32\regsvr32.exe	Code function: GetLocaleInfoEx,	3_2_000007FEF709F2CB
Source: C:\Windows\System32\regsvr32.exe	Code function: _getptd,GetLocaleInfoEx,GetLocaleInfoEx,TestDefaultCountry,GetLocaleInfoEx,TestDefaultCountry,_getptd,GetLocaleInfoEx,	3_2_000007FEF70950BC

IP	Domain	Country	ASN	ASN Name	Malicious
157.230.99.206	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
187.1.136.16	web15f04.uni5.net	Brazil	28299	IPV6InternetLtdaBR	false
94.231.103.133	flywithme.dk	Denmark	48854	ZITCOMDK	true
188.165.79.151	unknown	France	16276	OVHFR	true
196.44.98.190	unknown	Ghana	327814	EcobandGH	true
41.204.199.147	greenlizard.co.za	South Africa	37153	xneeloZA	false
174.138.33.49	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
43.129.209.178	unknown	Japan	4249	LILLY-ASUS	true
103.41.204.169	unknown	Indonesia	58397	INFINYS-AS-IDPTInfinysSystemIndonesiaID	true
36.67.23.59	unknown	Indonesia	17974	TELKOMNET-AS2-APPTTelekomunikasiIndonesiaID	true
5.253.30.17	unknown	Latvia	18978	ENZUINC-US	true
85.214.67.203	unknown	Germany	6724	STRATOSTRATOAGDE	true
83.229.80.93	unknown	United Kingdom	8513	SKYVISIONGB	true
198.199.70.22	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
93.104.209.107	unknown	Germany	8767	MNET-ASGermanyDE	true
188.225.32.231	unknown	Russian Federation	9123	TIMEWEB-ASRU	true
175.126.176.79	unknown	Korea Republic of	9523	MOKWON-AS-KRMokwonUniversityKR	true
128.199.242.164	unknown	United Kingdom	14061	DIGITALOCEAN-ASNUS	true
104.248.225.227	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
178.238.225.252	unknown	Germany	51167	CONTABODE	true
190.145.8.4	unknown	Colombia	14080	TelmexColombiaSACO	true
46.101.98.60	unknown	Netherlands	14061	DIGITALOCEAN-ASNUS	true
103.71.99.57	unknown	India	135682	AWDHPL-AS-INAdvikaWebDevelopmentsHostingPvtLtdIN	true
87.106.97.83	unknown	Germany	8560	ONEANDONE-ASBrauerstrasse48DE	true
103.85.95.4	unknown	Indonesia	136077	IDNIC-UNSRAT-AS-IDUniversitasIslamNegeriMataramID	true
202.134.4.210	unknown	Indonesia	7713	TELKOMNET-AS-APPTTelekomunikasiIndonesiaID	true
88.217.172.165	unknown	Germany	8767	MNET-ASGermanyDE	true
165.22.254.236	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
118.98.72.86	unknown	Indonesia	7713	TELKOMNET-AS-APPTTelekomunikasiIndonesiaID	true
139.59.80.108	unknown	Singapore	14061	DIGITALOCEAN-ASNUS	true
37.44.244.177	unknown	Germany	47583	AS-HOSTINGERLT	true
104.244.79.94	unknown	United States	53667	PONYNETUS	true
157.245.111.0	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
54.37.106.167	unknown	France	16276	OVHFR	true
202.29.239.162	unknown	Thailand	4621	UNINET-AS-APUNINET-TH	true
103.56.149.105	unknown	Indonesia	55688	BEON-AS-IDPTBeonIntermediaID	true
85.25.120.45	unknown	Germany	8972	GD-EMEA-DC-SXB1DE	true
37.187.114.15	unknown	France	16276	OVHFR	true
139.196.72.155	unknown	China	37963	CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd	true
165.232.185.110	unknown	United States	22255	ALLEGHENYHEALTHNETWORKUS	true
103.126.216.86	unknown	Bangladesh	138482	SKYVIEW-AS-APSKYVIEWONLINELTDBD	true
128.199.217.206	unknown	United Kingdom	14061	DIGITALOCEAN-ASNUS	true
103.224.241.74	unknown	India	133296	WEBWERKS-AS-INWebWerksIndiaPvtLtdIN	true
210.57.209.142	unknown	Indonesia	38142	UNAIR-AS-IDUniversitasAirlanggaID	true
190.107.19.179	unknown	Colombia	27951	MediaCommercePartnersSACO	true
202.28.34.99	unknown	Thailand	9562	MSU-TH-APMahasarakhamUniversityTH	true
54.37.228.122	unknown	France	16276	OVHFR	true
195.77.239.39	unknown	Spain	60493	FICOSA-ASES	true
162.240.65.124	fundaciontheoz.cl	United States	46606	UNIFIEDLAYER-AS-1US	false
178.62.112.199	unknown	European Union	14061	DIGITALOCEAN-ASNUS	true
62.171.178.147	unknown	United Kingdom	51167	CONTABODE	true
64.227.55.231	unknown	United States	14061	DIGITALOCEAN-ASNUS	true

Name	Malicious	Antivirus Detection	Reputation
http://www.fundaciontheoz.cl/pensamientooccidental/tilKftYVgHoCu4pp/	true	Avira URL Cloud: malware	unknown
https://greenlizard.co.za/amanah/HJErj/	false		high
http://www.clinicaportalpsicologia.com.br/wp-content/rknwta6Ncgt9xnXu7S/	true	Avira URL Cloud: malware	unknown
https://flywithme.dk/wp-includes/xFbL/	true	Avira URL Cloud: malware	unknown

ID:	672716
Product:	CloudBasic
Start time:	10:26:28
Start date:	25.07.2022
Sample:	H 05072022.xls
Cookbook:	defaultwindowsofficecookbook.jbs
System description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Architecture:	WINDOWS
MD5:	f0e821a13f85dad72bb345b2dd7c93e7
SHA1:	17b0e4f2bc946eb3c0f7deb0da78d5db58836a0c
SHA256:	3db2ab1966f944f46e4cb802f2d4e71d407d989766c20809d232552fe55d29d1
Filetype:	Microsoft Excel sheet (30009/1) 78.94%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506	Microsoft Cabinet archive data, 61712 bytes, 1 file	589C442FC7A0C70DCA927115A700D41E	66A07DACE3AFBFD1AA07A47E6875BEAB62C4BB31	2E5CB72E9EB43BAAFB6C6BFCC573AAC92F49A8064C483F9D378A9E8E781A526A
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	data	C991C19E8D15CAF9758901EDF96338BC	61336A2EFF0941E2439C2EB0F79E4EB50317C574	E8D3D1DBE4935E7CD89E8CA7DD2A52293D283A4E1AE3371297A20B6CD2505DD0
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\yXlTTXSuSsUlL[1].dll	PE32+ executable (DLL) (GUI) x86-64, for MS Windows	F9D1267D676A07BDBE45D5AF1A441FA5	8E0F99516E221AE4B9211FBD8A07B3994DF316F4	ED6259EF96A5E0A6B307BF09AF89B4971B852FD4B5A9D057985E01269C6AA3A0
C:\Users\user\AppData\Local\Temp\CabFD8B.tmp	Microsoft Cabinet archive data, 61712 bytes, 1 file	589C442FC7A0C70DCA927115A700D41E	66A07DACE3AFBFD1AA07A47E6875BEAB62C4BB31	2E5CB72E9EB43BAAFB6C6BFCC573AAC92F49A8064C483F9D378A9E8E781A526A
C:\Users\user\AppData\Local\Temp\TarFD8C.tmp	data	7EE994C83F2744D702CBA18693ED1758	17EAA8A28E7ABF096E97537EFE25A34CD7C1FD80	5DB917AB6DC8A42A43617850DFBE2C7F26A7F810B229B349E9DD2A2D615671D2
C:\Users\user\AppData\Local\Temp\~DFA0671C06642878FC.TMP	data	8530B135A20972641134AAF4F27062F1	788C03DAA9FC128D0914040B2C854CF5723BB53C	D503F5193BC0AE33E9EF2B05CB8371BEF59327B2BC916FF95A045059AAC98A76
C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\0YFQWFX4.txt	ASCII text	451E368D90A5616B7D31B6E56CA14F64	839C7A7101D6CCBB91C5BEAD9770AAACE43E7F6D	E877C3F259F9E962335505ECEF154F26BDDF4C0C31CB8484B0137B27A8F9AE17
C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\EFJ0ZBQX.txt	ASCII text	45652F9C96F20A55DCC3ABB8705E4DB7	69331C2C152DC742B1786D1205E3344B5C637102	20C71F55AFF7D3D24E2ACCF6C13DDF225B1932FF9B33B965EF7C3937EF60FD42
C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\FXDAJZ6O.txt	ASCII text	863A84C5D1C40AEE8147FB5EAECED1A5	156585AD4E099F2E030B09DA1D818744DDB1D3DD	91CDAFADDB76577074C930DA3B2EC31EE6417AB81894939C8732861FB94308D5
C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\K835MCGT.txt	ASCII text	E39DDF74A1C1C4C8D3289C6C4D0DDA6D	0990B22C9BE6AFA37AE33D728A440BDFC8227D7B	AF8D649B8BDCF1CC83ED5A2538EBB07865D4C2829BCE51CA924E067133652176
C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\WSZS7JSI.txt	ASCII text	786AE891C79B2D8056990BCD7C179767	9D07A6256C1A33BB581BC285BB4D840F825E39EE	EB6771367092B0D4B9B42C2B5E6BC2B27EDD995DF8C339BA0D3D891D119E0066
C:\Users\user\Desktop\H 05072022.xls	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Author: Dream, Last Saved By: RGSGK, Name of Creating Application: Microsoft Excel, Create Time/Date: Fri Jun 5 19:19:34 2015, Last Saved Time/Date: Mon Jul 4 19:02:55 2022, Security: 0	4EC93C6A9B3054DCD1AB4816CF74F264	0B32D21AD411FA4AB0544FA2918A3D7E0CBCF792	3A54F92B5A70D3FFC87AB03F67C9730B7811BDB7309D66DD1C2D44EDA80A47EB
C:\Users\user\hhdt1.ocx	PE32+ executable (DLL) (GUI) x86-64, for MS Windows	F9D1267D676A07BDBE45D5AF1A441FA5	8E0F99516E221AE4B9211FBD8A07B3994DF316F4	ED6259EF96A5E0A6B307BF09AF89B4971B852FD4B5A9D057985E01269C6AA3A0
C:\Windows\System32\IBmjgOoh\HPiQbOm.dll (copy)	PE32+ executable (DLL) (GUI) x86-64, for MS Windows	F9D1267D676A07BDBE45D5AF1A441FA5	8E0F99516E221AE4B9211FBD8A07B3994DF316F4	ED6259EF96A5E0A6B307BF09AF89B4971B852FD4B5A9D057985E01269C6AA3A0