Windows Analysis Report
Untitled-09112022.xls

Overview

General Information

Sample Name: Untitled-09112022.xls
Analysis ID: 747191
MD5: 8079b54a0c76ba1fec822059aa22ea31
SHA1: c71c6fd2c68cc8746e778e907984927458a13ab8
SHA256: 9d0827721715ca365e0138d9a0bbef43bf209005605793b35e3e9b73337426a6

Detection

Hidden Macro 4.0, Emotet
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Document exploit detected (drops PE files)
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Document exploit detected (creates forbidden files)
Antivirus detection for URL or domain
Found malicious Excel 4.0 Macro
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Creates an autostart registry key pointing to binary in C:\Windows
Office process drops PE file
Found Excel 4.0 Macro with suspicious formulas
C2 URLs / IPs found in malware configuration
Drops PE files to the user root directory
Hides that the sample has been downloaded from the Internet (zone.identifier)
Document exploit detected (process start blacklist hit)
Document exploit detected (UrlDownloadToFile)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Stores large binary data to the registry
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
JA3 SSL client fingerprint seen in connection with other malware
Found dropped PE file which has not been started or loaded
Potential document exploit detected (performs DNS queries)
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Uses insecure TLS / SSL version for HTTPS connection
Drops files with a non-matching file extension (content does not match file extension)
Potential document exploit detected (unknown TCP traffic)
Drops PE files
Uses a known web browser user agent for HTTP communication
Drops PE files to the windows directory (C:\Windows)
Yara detected Xls With Macro 4.0
Connects to several IPs in different countries
Registers a DLL
Drops PE files to the user directory
Found large amount of non-executed APIs
Uses Microsoft's Enhanced Cryptographic Provider
Potential document exploit detected (performs HTTP gets)
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection

Source: Untitled-09112022.xls ReversingLabs: Detection: 46%
Source: Untitled-09112022.xls Virustotal: Detection: 61%
Source: http://www.cecambrils.cat/wp-content/cXEhHssszV/ Avira URL Cloud: Label: malware
Source: http://www.stickers-et-deco.com/admin002vqimbe/hRFZkkzLIl/ Avira URL Cloud: Label: malware
Source: http://hsweixintp.com/wp-admin/4m1WxDxza6D8SVrfF/ Avira URL Cloud: Label: malware
Source: http://www.clinicaportalpsicologia.com.br/wp-includes/d6tkyFFBNwY/ Avira URL Cloud: Label: malware
Source: cecambrils.cat Virustotal: Detection: 7%
Source: www.stickers-et-deco.com Virustotal: Detection: 12%
Source: hsweixintp.com Virustotal: Detection: 14%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\Ji8QgmpX3lS3yT[1].dll ReversingLabs: Detection: 69%
Source: C:\Users\user\elv1.ooocccxxx ReversingLabs: Detection: 69%
Source: C:\Windows\System32\FgEHLIiiJRN\xoEOackyxDExhQ.dll (copy) ReversingLabs: Detection: 69%
Source: 0000000B.00000002.1193361768.00000000001EA000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: Emotet {"C2 list": ["172.105.115.71:8080", "218.38.121.17:443", "186.250.48.5:443", "103.71.99.57:8080", "85.214.67.203:8080", "85.25.120.45:8080", "139.196.72.155:8080", "103.85.95.4:8080", "198.199.70.22:8080", "209.239.112.82:8080", "78.47.204.80:443", "36.67.23.59:443", "104.244.79.94:443", "62.171.178.147:8080", "195.77.239.39:8080", "103.56.149.105:8080", "80.211.107.116:8080", "93.104.209.107:8080", "174.138.33.49:7080", "202.28.34.99:8080", "178.62.112.199:8080", "114.79.130.68:443", "118.98.72.86:443", "103.41.204.169:8080", "178.238.225.252:8080", "83.229.80.93:8080", "46.101.98.60:8080", "82.98.180.154:7080", "87.106.97.83:7080", "196.44.98.190:8080", "139.59.80.108:8080", "103.224.241.74:8080", "103.254.12.236:7080", "185.148.169.10:8080", "165.22.254.236:8080", "37.44.244.177:8080", "54.37.228.122:443", "51.75.33.122:443", "128.199.217.206:443", "188.165.79.151:443", "210.57.209.142:8080", "160.16.143.191:8080", "175.126.176.79:8080", "202.134.4.210:7080", "103.126.216.86:443", "190.145.8.4:443", "128.199.242.164:8080", "64.227.55.231:8080"], "Public Key": ["RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU00LrOacIAAIg=", "RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCWzrrOacIAAJA="]}
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018004A020 CryptStringToBinaryA,CryptStringToBinaryA, 4_2_000000018004A020
Source: unknown HTTPS traffic detected: 218.38.121.17:443 -> 192.168.2.22:49179 version: TLS 1.0
Source: unknown HTTPS traffic detected: 218.38.121.17:443 -> 192.168.2.22:49184 version: TLS 1.0
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180029290 FindFirstFileExW, 4_2_0000000180029290
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018002972C FindFirstFileExW,FindNextFileW,FindClose, 4_2_000000018002972C
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180028B30 _invalid_parameter_noinfo,_invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,FindClose, 4_2_0000000180028B30
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0021DA80 FindNextFileW,FindFirstFileW,FindClose, 6_2_0021DA80
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_0203DA80 FindNextFileW,FindFirstFileW,FindClose, 11_2_0203DA80

Software Vulnerabilities

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: Ji8QgmpX3lS3yT[1].dll.0.dr
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\Ji8QgmpX3lS3yT[1].dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA
Source: global traffic DNS query: name: hsweixintp.com
Source: global traffic DNS query: name: www.stickers-et-deco.com
Source: global traffic DNS query: name: www.cecambrils.cat
Source: global traffic DNS query: name: www.clinicaportalpsicologia.com.br
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 218.38.121.17:443
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 218.38.121.17:443
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 218.38.121.17:443
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 218.38.121.17:443
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 218.38.121.17:443
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 218.38.121.17:443
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 218.38.121.17:443
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 218.38.121.17:443
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 218.38.121.17:443
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 218.38.121.17:443
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 218.38.121.17:443
Source: global traffic TCP traffic: 192.168.2.22:49179 -> 218.38.121.17:443
Source: global traffic TCP traffic: 192.168.2.22:49184 -> 218.38.121.17:443
Source: global traffic TCP traffic: 192.168.2.22:49184 -> 218.38.121.17:443
Source: global traffic TCP traffic: 192.168.2.22:49184 -> 218.38.121.17:443
Source: global traffic TCP traffic: 192.168.2.22:49184 -> 218.38.121.17:443
Source: global traffic TCP traffic: 192.168.2.22:49184 -> 218.38.121.17:443
Source: global traffic TCP traffic: 192.168.2.22:49184 -> 218.38.121.17:443
Source: global traffic TCP traffic: 192.168.2.22:49184 -> 218.38.121.17:443
Source: global traffic TCP traffic: 192.168.2.22:49184 -> 218.38.121.17:443
Source: global traffic TCP traffic: 192.168.2.22:49184 -> 218.38.121.17:443
Source: global traffic TCP traffic: 192.168.2.22:49184 -> 218.38.121.17:443
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 163.172.108.69:80
Source: global traffic TCP traffic: 192.168.2.22:49173 -> 185.23.117.132:80
Source: global traffic TCP traffic: 192.168.2.22:49174 -> 187.1.136.16:80

Networking

Source: C:\Windows\System32\regsvr32.exe Network Connect: 115.178.55.22 80
Source: C:\Windows\System32\regsvr32.exe Network Connect: 172.105.115.71 8080
Source: C:\Windows\System32\regsvr32.exe Network Connect: 218.38.121.17 443
Source: Traffic Snort IDS: 2404326 ET CNC Feodo Tracker Reported CnC Server TCP group 14 192.168.2.22:49179 -> 218.38.121.17:443
Source: Traffic Snort IDS: 2404304 ET CNC Feodo Tracker Reported CnC Server TCP group 3 192.168.2.22:49175 -> 115.178.55.22:80
Source: Malware configuration extractor IPs: 172.105.115.71:8080
Source: Malware configuration extractor IPs: 218.38.121.17:443
Source: Malware configuration extractor IPs: 186.250.48.5:443
Source: Malware configuration extractor IPs: 103.71.99.57:8080
Source: Malware configuration extractor IPs: 85.214.67.203:8080
Source: Malware configuration extractor IPs: 85.25.120.45:8080
Source: Malware configuration extractor IPs: 139.196.72.155:8080
Source: Malware configuration extractor IPs: 103.85.95.4:8080
Source: Malware configuration extractor IPs: 198.199.70.22:8080
Source: Malware configuration extractor IPs: 209.239.112.82:8080
Source: Malware configuration extractor IPs: 78.47.204.80:443
Source: Malware configuration extractor IPs: 36.67.23.59:443
Source: Malware configuration extractor IPs: 104.244.79.94:443
Source: Malware configuration extractor IPs: 62.171.178.147:8080
Source: Malware configuration extractor IPs: 195.77.239.39:8080
Source: Malware configuration extractor IPs: 103.56.149.105:8080
Source: Malware configuration extractor IPs: 80.211.107.116:8080
Source: Malware configuration extractor IPs: 93.104.209.107:8080
Source: Malware configuration extractor IPs: 174.138.33.49:7080
Source: Malware configuration extractor IPs: 202.28.34.99:8080
Source: Malware configuration extractor IPs: 178.62.112.199:8080
Source: Malware configuration extractor IPs: 114.79.130.68:443
Source: Malware configuration extractor IPs: 118.98.72.86:443
Source: Malware configuration extractor IPs: 103.41.204.169:8080
Source: Malware configuration extractor IPs: 178.238.225.252:8080
Source: Malware configuration extractor IPs: 83.229.80.93:8080
Source: Malware configuration extractor IPs: 46.101.98.60:8080
Source: Malware configuration extractor IPs: 82.98.180.154:7080
Source: Malware configuration extractor IPs: 87.106.97.83:7080
Source: Malware configuration extractor IPs: 196.44.98.190:8080
Source: Malware configuration extractor IPs: 139.59.80.108:8080
Source: Malware configuration extractor IPs: 103.224.241.74:8080
Source: Malware configuration extractor IPs: 103.254.12.236:7080
Source: Malware configuration extractor IPs: 185.148.169.10:8080
Source: Malware configuration extractor IPs: 165.22.254.236:8080
Source: Malware configuration extractor IPs: 37.44.244.177:8080
Source: Malware configuration extractor IPs: 54.37.228.122:443
Source: Malware configuration extractor IPs: 51.75.33.122:443
Source: Malware configuration extractor IPs: 128.199.217.206:443
Source: Malware configuration extractor IPs: 188.165.79.151:443
Source: Malware configuration extractor IPs: 210.57.209.142:8080
Source: Malware configuration extractor IPs: 160.16.143.191:8080
Source: Malware configuration extractor IPs: 175.126.176.79:8080
Source: Malware configuration extractor IPs: 202.134.4.210:7080
Source: Malware configuration extractor IPs: 103.126.216.86:443
Source: Malware configuration extractor IPs: 190.145.8.4:443
Source: Malware configuration extractor IPs: 128.199.242.164:8080
Source: Malware configuration extractor IPs: 64.227.55.231:8080
Source: Joe Sandbox View ASN Name: LINODE-APLinodeLLCUS LINODE-APLinodeLLCUS
Source: Joe Sandbox View JA3 fingerprint: 8c4a22651d328568ec66382a84fc505f
Source: global traffic HTTP traffic detected: POST /kwxkonang/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedContent-Length: 357Host: 218.38.121.17
Source: global traffic HTTP traffic detected: POST /tfvz/aazuhijovhmgjyf/frsdlxdmvshfvd/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedContent-Length: 280Host: 218.38.121.17
Source: Joe Sandbox View IP Address: 172.105.115.71 172.105.115.71
Source: Joe Sandbox View IP Address: 188.165.79.151 188.165.79.151
Source: unknown HTTPS traffic detected: 218.38.121.17:443 -> 192.168.2.22:49179 version: TLS 1.0
Source: unknown HTTPS traffic detected: 218.38.121.17:443 -> 192.168.2.22:49184 version: TLS 1.0
Source: global traffic HTTP traffic detected: GET /wp-admin/4m1WxDxza6D8SVrfF/ HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: hsweixintp.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /admin002vqimbe/hRFZkkzLIl/ HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: www.stickers-et-deco.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wp-content/cXEhHssszV/ HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: www.cecambrils.catConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wp-includes/d6tkyFFBNwY/ HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: www.clinicaportalpsicologia.com.brConnection: Keep-Alive
Source: unknown Network traffic detected: IP country count 21
Source: unknown Network traffic detected: HTTP traffic on port 49184 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49179
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49184
Source: unknown Network traffic detected: HTTP traffic on port 49179 -> 443
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 16 Nov 2022 04:43:18 GMTServer: Apache/2.4.46 (FreeBSD) OpenSSL/1.0.2u-freebsdStrict-Transport-Security: max-age=63072000; includeSubDomainsX-Frame-Options: SAMEORIGINX-UA-Compatible: IE=edge,chrome=1P3P: CP="IDC DSP COR CURa ADMa OUR IND PHY ONL COM STA"Powered-By: PrestaShopStatus: 404 Not FoundSet-Cookie: PrestaShop-76bfdce226b740dc1298019a18e61155=454f5619c2242a2b3d522efeae2f6c48a578aba8c10278d9f2d8899a3fcad222%3A7VXP1JRg6sMvuxPANoFERLi7pCnrxsYqh8BZef4CZlrnQztM92Sg9jLq7GIDevQzzQ9P0reTobhVinLo3QJBWkBFdKI37ltxfwgwuTELet01SKQ4bMLcAdkfSwCEuWEVYtW0yeVouVHIO8jPqvQEHfrz8a8OziW2SVas17jQLdQ%3D; expires=Tue, 06-Dec-2022 04:43:18 GMT; Max-Age=1728000; path=/; domain=www.stickers-et-deco.com; httponlyVary: User-AgentConnection: keep-alive, Keep-AliveKeep-Alive: timeout=5, max=100Transfer-Encoding: chunkedContent-Type: text/html; charset=utf-8Data Raw: 35 61 31 31 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 3e 20 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 6c 74 2d 69 65 39 20 6c 74 2d 69 65 38 20 6c 74 2d 69 65 37 22 20 6c 61 6e 67 3d 22 66 72 2d 66 72 22 3e 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 20 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 6c 74 2d 69 65 39 20 6c 74 2d 69 65 38 20 69 65 37 22 20 6c 61 6e 67 3d 22 66 72 2d 66 72 22 3e 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 20 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 6c 74 2d 69 65 39 20 69 65 38 22 20 6c 61 6e 67 3d 22 66 72 2d 66 72 22 3e 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 20 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 39 22 20 6c 61 6e 67 3d 22 66 72 2d 66 72 22 3e 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 66 72 2d 66 72 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 
72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 3c 74 69 74 6c Data Ascii: 5a11<!DOCTYPE HTML> <!--[if lt IE 7]><html class="no-js lt-ie9 lt-ie8 lt-ie7" lang="fr-fr"><![endif]--> <!--[if IE 7]><html class="no-js lt-ie9 lt-ie8 ie7" lang="fr-fr"><![endif]--> <!--[if IE 8]><html class="no-js lt-ie9 ie8" lang="fr-fr"><![endif]--> <!--[if gt IE 8]><html class="no-js ie9" lang="fr-fr"><![endif]--><html lang="fr-fr"><head><meta charset="utf-8" /><titl
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 16 Nov 2022 04:39:49 GMTServer: ApacheStrict-Transport-Security: max-age=63072000;X-Content-Type-Options: nosniffLast-Modified: Wed, 04 Jul 2018 11:59:53 GMTETag: "400-5702b2b206040"Accept-Ranges: bytesContent-Length: 1024X-Powered-By: PleskLinKeep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: text/htmlData Raw: 3c 48 54 4d 4c 3e 0a 3c 48 45 41 44 3e 0a 3c 54 49 54 4c 45 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0a 3c 42 41 53 45 20 68 72 65 66 3d 22 2f 65 72 72 6f 72 5f 64 6f 63 73 2f 22 3e 3c 21 2d 2d 5b 69 66 20 6c 74 65 20 49 45 20 36 5d 3e 3c 2f 42 41 53 45 3e 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 2f 48 45 41 44 3e 0a 3c 42 4f 44 59 3e 0a 3c 48 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 48 31 3e 0a 54 68 65 20 72 65 71 75 65 73 74 65 64 20 64 6f 63 75 6d 65 6e 74 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 0a 3c 50 3e 0a 3c 48 52 3e 0a 3c 41 44 44 52 45 53 53 3e 0a 57 65 62 20 53 65 72 76 65 72 20 61 74 20 63 65 63 61 6d 62 72 69 6c 73 2e 63 61 74 0a 3c 2f 41 44 44 52 45 53 53 3e 0a 3c 2f 42 4f 44 59 3e 0a 3c 2f 48 54 4d 4c 3e 0a 0a 3c 21 2d 2d 0a 20 20 20 2d 20 55 6e 66 6f 72 74 75 6e 61 74 65 6c 79 2c 20 4d 69 63 72 6f 73 6f 66 74 20 68 61 73 20 61 64 64 65 64 20 61 20 63 6c 65 76 65 72 20 6e 65 77 0a 20 20 20 2d 20 22 66 65 61 74 75 72 65 22 20 74 6f 20 49 6e 74 65 72 6e 65 74 20 45 78 70 6c 6f 72 65 72 2e 20 49 66 20 74 68 65 20 74 65 78 74 20 6f 66 0a 20 20 20 2d 20 61 6e 20 65 72 72 6f 72 27 73 20 6d 65 73 73 61 67 65 20 69 73 20 22 74 6f 6f 20 73 6d 61 6c 6c 22 2c 20 73 70 65 63 69 66 69 63 61 6c 6c 79 0a 20 20 20 2d 20 6c 65 73 73 20 74 68 61 6e 20 35 31 32 20 62 79 74 65 73 2c 20 49 6e 74 65 72 6e 65 74 20 45 78 70 6c 6f 72 65 72 20 72 65 74 75 72 6e 73 0a 20 20 20 2d 20 69 74 73 20 6f 77 6e 20 65 72 72 6f 72 20 6d 65 73 73 61 67 65 2e 20 59 6f 75 20 63 61 6e 20 74 75 72 6e 20 74 68 61 74 
20 6f 66 66 2c 0a 20 20 20 2d 20 62 75 74 20 69 74 27 73 20 70 72 65 74 74 79 20 74 72 69 63 6b 79 20 74 6f 20 66 69 6e 64 20 73 77 69 74 63 68 20 63 61 6c 6c 65 64 0a 20 20 20 2d 20 22 73 6d 61 72 74 20 65 72 72 6f 72 20 6d 65 73 73 61 67 65 73 22 2e 20 54 68 61 74 20 6d 65 61 6e 73 2c 20 6f 66 20 63 6f 75 72 73 65 2c 0a 20 20 20 2d 20 74 68 61 74 20 73 68 6f 72 74 20 65 72 72 6f 72 20 6d 65 73 73 61 67 65 73 20 61 72 65 20 63 65 6e 73 6f 72 65 64 20 62 79 20 64 65 66 61 75 6c 74 2e 0a 20 20 20 2d 20 49 49 53 20 61 6c 77 61 79 73 20 72 65 74 75 72 6e 73 20 65 72 72 6f 72 20 6d 65 73 73 61 67 65 73 20 74 68 61 74 20 61 72 65 20 6c 6f 6e 67 0a 20 20 20 2d 20 65 6e 6f 75 67 68 20 74 6f 20 6d 61 6b 65 20 49 6e 74 65 72 6e 65 74 20 45 78 70 6c 6f 72 65 72 20 68 61 70 70 79 2e 20 54 68 65 0a 20 20 20 2d 20 77 6f 72 6b 61 72 6f 75 6e 64 20 69 73 20 70 72 65 74 74 79 20 73 69 6d 70 6c 65 3a 20 70 61 64 20 74 68 65 20 65 72 72 6f 72 0a 20 20 20 2d 20 6d 65 73 73 61 67 65 20 77 69 74 68 20 61 20 62 69 67 20 63 6f 6d
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Wed, 16 Nov 2022 04:43:21 GMTServer: ApacheContent-Length: 380Keep-Alive: timeout=5, max=500Connection: Keep-AliveContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 70 3e 59 6f 75 20 64 6f 6e 27 74 20 68 61 76 65 20 70 65 72 6d 69 73 73 69 6f 6e 20 74 6f 20 61 63 63 65 73 73 20 74 68 69 73 20 72 65 73 6f 75 72 63 65 2e 53 65 72 76 65 72 20 75 6e 61 62 6c 65 20 74 6f 20 72 65 61 64 20 68 74 61 63 63 65 73 73 20 66 69 6c 65 2c 20 64 65 6e 79 69 6e 67 20 61 63 63 65 73 73 20 74 6f 20 62 65 20 73 61 66 65 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 33 20 46 6f 72 62 69 64 64 65 6e 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>403 Forbidden</title></head><body><h1>Forbidden</h1><p>You don't have permission to access this resource.Server unable to read htaccess file, denying access to be safe</p><p>Additionally, a 403 Forbiddenerror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: unknown TCP traffic detected without corresponding DNS query: 115.178.55.22
Source: unknown TCP traffic detected without corresponding DNS query: 115.178.55.22
Source: unknown TCP traffic detected without corresponding DNS query: 115.178.55.22
Source: unknown TCP traffic detected without corresponding DNS query: 115.178.55.22
Source: unknown TCP traffic detected without corresponding DNS query: 115.178.55.22
Source: unknown TCP traffic detected without corresponding DNS query: 115.178.55.22
Source: unknown TCP traffic detected without corresponding DNS query: 172.105.115.71
Source: unknown TCP traffic detected without corresponding DNS query: 172.105.115.71
Source: unknown TCP traffic detected without corresponding DNS query: 172.105.115.71
Source: unknown TCP traffic detected without corresponding DNS query: 172.105.115.71
Source: unknown TCP traffic detected without corresponding DNS query: 172.105.115.71
Source: unknown TCP traffic detected without corresponding DNS query: 172.105.115.71
Source: unknown TCP traffic detected without corresponding DNS query: 172.105.115.71
Source: unknown TCP traffic detected without corresponding DNS query: 172.105.115.71
Source: unknown TCP traffic detected without corresponding DNS query: 218.38.121.17
Source: unknown TCP traffic detected without corresponding DNS query: 115.178.55.22
Source: regsvr32.exe, 00000006.00000002.1193641477.00000000020D1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.1034529943.00000000020D1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000B.00000002.1193615497.0000000002114000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: regsvr32.exe, 00000006.00000002.1193641477.00000000020D1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.1034529943.00000000020D1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000B.00000002.1193615497.0000000002114000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: regsvr32.exe, 00000006.00000002.1193641477.00000000020D1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.1034529943.00000000020D1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000B.00000002.1193615497.0000000002114000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: regsvr32.exe, 00000006.00000002.1193641477.00000000020D1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.1034529943.00000000020D1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000B.00000002.1193615497.0000000002114000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: regsvr32.exe, 00000006.00000002.1193641477.00000000020D1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.1034529943.00000000020D1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000B.00000002.1193615497.0000000002114000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: regsvr32.exe, 00000006.00000002.1193641477.00000000020D1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.1034529943.00000000020D1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000B.00000002.1193615497.0000000002114000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: regsvr32.exe, 00000006.00000002.1193641477.00000000020D1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.1034529943.00000000020D1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000B.00000002.1193615497.0000000002114000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: 4DF60000.0.dr String found in binary or memory: http://hsweixintp.com/wp-admin/4m1WxDxza6D8SVrfF/
Source: regsvr32.exe, 00000006.00000002.1193641477.00000000020D1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.1034529943.00000000020D1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000B.00000002.1193615497.0000000002114000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: regsvr32.exe, 00000006.00000002.1193641477.00000000020D1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.1034529943.00000000020D1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000B.00000002.1193615497.0000000002114000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0%
Source: regsvr32.exe, 00000006.00000002.1193641477.00000000020D1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.1034529943.00000000020D1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000B.00000002.1193615497.0000000002114000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0-
Source: regsvr32.exe, 00000006.00000002.1193641477.00000000020D1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.1034529943.00000000020D1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000B.00000002.1193615497.0000000002114000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0/
Source: regsvr32.exe, 00000006.00000002.1193641477.00000000020D1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.1034529943.00000000020D1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000B.00000002.1193615497.0000000002114000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com05
Source: regsvr32.exe, 00000006.00000002.1193641477.00000000020D1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.1034529943.00000000020D1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000B.00000002.1193615497.0000000002114000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.entrust.net03
Source: regsvr32.exe, 00000006.00000002.1193641477.00000000020D1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.1034529943.00000000020D1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000B.00000002.1193615497.0000000002114000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.entrust.net0D
Source: 4DF60000.0.dr String found in binary or memory: http://www.cecambrils.cat/wp-content/cXEhHssszV/
Source: 4DF60000.0.dr String found in binary or memory: http://www.clinicaportalpsicologia.com.br/wp-includes/d6tkyFFBNwY/
Source: regsvr32.exe, 00000006.00000002.1193641477.00000000020D1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.1034529943.00000000020D1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000B.00000002.1193615497.0000000002114000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: regsvr32.exe, 00000006.00000002.1193641477.00000000020D1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.1034529943.00000000020D1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000B.00000002.1193615497.0000000002114000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: 4DF60000.0.dr String found in binary or memory: http://www.stickers-et-deco.com/admin002vqimbe/hRFZkkzLIl/
Source: regsvr32.exe, 00000006.00000003.1002662490.0000000000381000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://115.178.55.22:80/kwxkonang/
Source: regsvr32.exe, 0000000B.00000003.1150324980.0000000000271000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://115.178.55.22:80/tfvz/aazuhijovhmgjyf/frsdlxdmvshfvd/
Source: regsvr32.exe, 00000006.00000003.1015548706.0000000000379000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://172.105.115.71:8080/kwxkonang/
Source: regsvr32.exe, 0000000B.00000003.1163475701.0000000000270000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://172.105.115.71:8080/tfvz/aazuhijovhmgjyf/frsdlxdmvshfvd/
Source: regsvr32.exe, 00000006.00000003.1034450302.000000000037C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.1193565866.000000000037C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://218.38.121.17/kwxkonang/
Source: regsvr32.exe, 0000000B.00000002.1193461003.000000000026E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://218.38.121.17/tfvz/aazuhijovhmgjyf/frsdlxdmvshfvd/
Source: regsvr32.exe, 00000006.00000002.1193641477.00000000020D1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.1034529943.00000000020D1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000B.00000002.1193615497.0000000002114000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://secure.comodo.com/CPS0
Source: unknown HTTP traffic detected: POST /kwxkonang/ HTTP/1.1
  Connection: Keep-Alive
  Content-Type: application/x-www-form-urlencoded
  Content-Length: 357
  Host: 218.38.121.17
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\Ji8QgmpX3lS3yT[1].dll
Source: unknown DNS traffic detected: queries for: hsweixintp.com
Source: global traffic HTTP traffic detected: GET /wp-admin/4m1WxDxza6D8SVrfF/ HTTP/1.1
  Accept: */*
  UA-CPU: AMD64
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
  Host: hsweixintp.com
  Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /admin002vqimbe/hRFZkkzLIl/ HTTP/1.1
  Accept: */*
  UA-CPU: AMD64
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
  Host: www.stickers-et-deco.com
  Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wp-content/cXEhHssszV/ HTTP/1.1
  Accept: */*
  UA-CPU: AMD64
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
  Host: www.cecambrils.cat
  Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wp-includes/d6tkyFFBNwY/ HTTP/1.1
  Accept: */*
  UA-CPU: AMD64
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
  Host: www.clinicaportalpsicologia.com.br
  Connection: Keep-Alive

E-Banking Fraud

Source: Yara match File source: 0000000B.00000002.1193361768.00000000001EA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.1193452350.00000000002FA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 11.2.regsvr32.exe.2b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.regsvr32.exe.160000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.regsvr32.exe.2b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.regsvr32.exe.4d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.regsvr32.exe.160000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.regsvr32.exe.4d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.920122880.0000000002011000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.920051864.00000000004D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.1193389765.0000000000211000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1193544536.0000000002031000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.1193348564.0000000000160000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1193467860.00000000002B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

System Summary

Source: Untitled-09112022.xls Macro extractor: Sheet: Sheet7 contains: URLDownloadToFileA
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\Ji8QgmpX3lS3yT[1].dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\elv1.ooocccxxx
Source: Untitled-09112022.xls Initial sample: EXEC
Source: Untitled-09112022.xls, type: SAMPLE Matched rule: SUSP_Excel4Macro_AutoOpen date = 2020-03-26, author = John Lambert @JohnLaTwC, description = Detects Excel4 macro use with auto open / close, score = 2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f
Source: C:\Users\user\Desktop\Untitled-09112022.xls, type: DROPPED Matched rule: SUSP_Excel4Macro_AutoOpen date = 2020-03-26, author = John Lambert @JohnLaTwC, description = Detects Excel4 macro use with auto open / close, score = 2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f
Source: C:\Users\user\Desktop\4DF60000, type: DROPPED Matched rule: SUSP_Excel4Macro_AutoOpen date = 2020-03-26, author = John Lambert @JohnLaTwC, description = Detects Excel4 macro use with auto open / close, score = 2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f
Source: C:\Windows\System32\regsvr32.exe File created: C:\Windows\system32\FgEHLIiiJRN\
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0022B898 6_2_0022B898
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_00223698 6_2_00223698
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_00234098 6_2_00234098
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0021569C 6_2_0021569C
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0022629C 6_2_0022629C
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0023629C 6_2_0023629C
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_00217AF0 6_2_00217AF0
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0022B2F0 6_2_0022B2F0
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_002184F8 6_2_002184F8
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_002364F8 6_2_002364F8
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0021EAC4 6_2_0021EAC4
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_00211CCC 6_2_00211CCC
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_00228ECC 6_2_00228ECC
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0021B8D0 6_2_0021B8D0
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_002298DC 6_2_002298DC
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0022B520 6_2_0022B520
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_00219D24 6_2_00219D24
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_00223524 6_2_00223524
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_00239124 6_2_00239124
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_00212128 6_2_00212128
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_00231728 6_2_00231728
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_00233D28 6_2_00233D28
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_00235B28 6_2_00235B28
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0022D32C 6_2_0022D32C
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0022CF30 6_2_0022CF30
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_00230930 6_2_00230930
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0021A734 6_2_0021A734
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_00225334 6_2_00225334
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0021BD00 6_2_0021BD00
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0021E708 6_2_0021E708
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_00225508 6_2_00225508
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_00228D0C 6_2_00228D0C
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_00222110 6_2_00222110
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_00225B18 6_2_00225B18
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0021871C 6_2_0021871C
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_00228560 6_2_00228560
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_00211364 6_2_00211364
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0021FF64 6_2_0021FF64
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0021C364 6_2_0021C364
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0021E368 6_2_0021E368
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_00239568 6_2_00239568
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0021E570 6_2_0021E570
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0021F174 6_2_0021F174
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0022C974 6_2_0022C974
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_00228778 6_2_00228778
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_00237348 6_2_00237348
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_00214B4C 6_2_00214B4C
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0022F550 6_2_0022F550
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_00220954 6_2_00220954
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_00230D54 6_2_00230D54
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_00216B5C 6_2_00216B5C
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_00211B5C 6_2_00211B5C
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_00218FA0 6_2_00218FA0
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_002259A0 6_2_002259A0
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_00224FA4 6_2_00224FA4
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0021D1AC 6_2_0021D1AC
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_002297AC 6_2_002297AC
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_00221DAC 6_2_00221DAC
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_002347B0 6_2_002347B0
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_00222780 6_2_00222780
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_00235D84 6_2_00235D84
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0022FB88 6_2_0022FB88
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_00223B88 6_2_00223B88
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_00232B8C 6_2_00232B8C
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_00215590 6_2_00215590
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_00227198 6_2_00227198
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0021F3E0 6_2_0021F3E0
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_00223FE0 6_2_00223FE0
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_002299E8 6_2_002299E8
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_002199EC 6_2_002199EC
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_00219BEC 6_2_00219BEC
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_00227BF8 6_2_00227BF8
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_002169C0 6_2_002169C0
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0021D1C6 6_2_0021D1C6
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0021A1D4 6_2_0021A1D4
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_002179D8 6_2_002179D8
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0022C1DC 6_2_0022C1DC
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_002E0000 11_2_002E0000
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_0204FA08 11_2_0204FA08
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_02039E38 11_2_02039E38
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_0203DA80 11_2_0203DA80
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_020338A5 11_2_020338A5
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_02052CBC 11_2_02052CBC
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_020548E0 11_2_020548E0
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_02040310 11_2_02040310
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_0204D718 11_2_0204D718
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_02039144 11_2_02039144
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_02032F53 11_2_02032F53
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_0204E76C 11_2_0204E76C
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_020557B4 11_2_020557B4
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_02035DB4 11_2_02035DB4
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_02034DDC 11_2_02034DDC
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_0203B1E0 11_2_0203B1E0
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_02033BE8 11_2_02033BE8
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_020473F8 11_2_020473F8
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_02058A04 11_2_02058A04
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_02031000 11_2_02031000
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_02045400 11_2_02045400
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_02053C0C 11_2_02053C0C
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_0204E614 11_2_0204E614
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_02031A1C 11_2_02031A1C
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_0203741C 11_2_0203741C
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_0203BA24 11_2_0203BA24
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_02051A2C 11_2_02051A2C
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_0203E828 11_2_0203E828
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_02049230 11_2_02049230
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_0203BE34 11_2_0203BE34
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_02032834 11_2_02032834
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_02042244 11_2_02042244
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_02044C48 11_2_02044C48
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_02050454 11_2_02050454
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_02036650 11_2_02036650
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_0204AE50 11_2_0204AE50
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_0205005C 11_2_0205005C
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_0203C659 11_2_0203C659
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_02046464 11_2_02046464
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_02041664 11_2_02041664
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_02031660 11_2_02031660
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_0203D864 11_2_0203D864
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_0204827C 11_2_0204827C
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_02035478 11_2_02035478
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_02032A7C 11_2_02032A7C
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_02052A84 11_2_02052A84
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_02036880 11_2_02036880
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_02054680 11_2_02054680
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_0203AE84 11_2_0203AE84
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_0204308C 11_2_0204308C
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_0205748C 11_2_0205748C
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_02045694 11_2_02045694
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_02058C94 11_2_02058C94
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_02058690 11_2_02058690
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_02037694 11_2_02037694
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_0204629C 11_2_0204629C
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_0205629C 11_2_0205629C
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_02039298 11_2_02039298
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_0203C498 11_2_0203C498
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_0204B898 11_2_0204B898
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_02043698 11_2_02043698
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_02054098 11_2_02054098
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_0203569C 11_2_0203569C
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_02057EA4 11_2_02057EA4
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_02034CA0 11_2_02034CA0
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_020410AC 11_2_020410AC
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_0203D4B2 11_2_0203D4B2
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_020448B0 11_2_020448B0
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_020378B6 11_2_020378B6
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_020396B8 11_2_020396B8
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_0203EAC4 11_2_0203EAC4
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_02048ECC 11_2_02048ECC
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_02031CCC 11_2_02031CCC
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_0203B8D0 11_2_0203B8D0
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_020498DC 11_2_020498DC
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_020338DC 11_2_020338DC
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_02037AF0 11_2_02037AF0
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_0204B2F0 11_2_0204B2F0
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_020384F8 11_2_020384F8
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_020564F8 11_2_020564F8
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_02032B00 11_2_02032B00
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_0203BD00 11_2_0203BD00
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_02048D0C 11_2_02048D0C
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_0203E708 11_2_0203E708
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_02045508 11_2_02045508
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_02042110 11_2_02042110
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_02045B18 11_2_02045B18
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_0203871C 11_2_0203871C
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_02043524 11_2_02043524
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_02059124 11_2_02059124
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_0204B520 11_2_0204B520
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_02039D24 11_2_02039D24
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_0204D32C 11_2_0204D32C
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_02032128 11_2_02032128
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_02051728 11_2_02051728
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_02053D28 11_2_02053D28
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_02055B28 11_2_02055B28
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_02045334 11_2_02045334
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_0204CF30 11_2_0204CF30
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_02050930 11_2_02050930
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_0203A734 11_2_0203A734
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_02057348 11_2_02057348
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_02034B4C 11_2_02034B4C
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_02040954 11_2_02040954
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_02050D54 11_2_02050D54
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_0204F550 11_2_0204F550
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_02036B5C 11_2_02036B5C
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_02031B5C 11_2_02031B5C
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_02048560 11_2_02048560
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_02031364 11_2_02031364
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_0203FF64 11_2_0203FF64
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_0203C364 11_2_0203C364
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_0203E368 11_2_0203E368
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_02059568 11_2_02059568
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_0204C974 11_2_0204C974
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_0203E570 11_2_0203E570
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_0203F174 11_2_0203F174
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_02048778 11_2_02048778
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_02055D84 11_2_02055D84
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_02042780 11_2_02042780
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_02052B8C 11_2_02052B8C
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_0204FB88 11_2_0204FB88
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_02043B88 11_2_02043B88
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_02035590 11_2_02035590
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_02047198 11_2_02047198
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_02044FA4 11_2_02044FA4
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_02038FA0 11_2_02038FA0
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_020459A0 11_2_020459A0
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_020497AC 11_2_020497AC
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_02041DAC 11_2_02041DAC
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_0203D1AC 11_2_0203D1AC
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_020547B0 11_2_020547B0
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_020369C0 11_2_020369C0
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_0203D1C6 11_2_0203D1C6
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_0203A1D4 11_2_0203A1D4
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_0204C1DC 11_2_0204C1DC
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_020379D8 11_2_020379D8
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_0203F3E0 11_2_0203F3E0
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_02043FE0 11_2_02043FE0
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_020499E8 11_2_020499E8
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_020399EC 11_2_020399EC
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_02039BEC 11_2_02039BEC
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_02047BF8 11_2_02047BF8
Source: C:\Windows\System32\regsvr32.exe Code function: String function: 000000018002CA30 appears 48 times
Source: Untitled-09112022.xls ReversingLabs: Detection: 46%
Source: Untitled-09112022.xls Virustotal: Detection: 61%
Source: C:\Windows\System32\regsvr32.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe C:\Windows\System32\regsvr32.exe /S ..\elv1.ooocccxxx
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\FgEHLIiiJRN\xoEOackyxDExhQ.dll"
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe C:\Windows\System32\regsvr32.exe /S ..\elv2.ooocccxxx
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe C:\Windows\System32\regsvr32.exe /S ..\elv3.ooocccxxx
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe C:\Windows\System32\regsvr32.exe /S ..\elv4.ooocccxxx
Source: unknown Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe" "C:\Windows\system32\FgEHLIiiJRN\xoEOackyxDExhQ.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe C:\Windows\System32\regsvr32.exe /S ..\elv1.ooocccxxx
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe C:\Windows\System32\regsvr32.exe /S ..\elv2.ooocccxxx
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe C:\Windows\System32\regsvr32.exe /S ..\elv3.ooocccxxx
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe C:\Windows\System32\regsvr32.exe /S ..\elv4.ooocccxxx
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\FgEHLIiiJRN\xoEOackyxDExhQ.dll"
Source: C:\Windows\System32\regsvr32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\elv1.ooocccxxx
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVR4AB5.tmp
Source: classification engine Classification label: mal100.troj.expl.evad.winXLS@12/10@5/53
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini
Source: Untitled-09112022.xls OLE indicator, Workbook stream: true
Source: Untitled-09112022.xls.0.dr OLE indicator, Workbook stream: true
Source: 4DF60000.0.dr OLE indicator, Workbook stream: true
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_02015DB4 CloseHandle,Process32NextW,CreateToolhelp32Snapshot,Process32FirstW, 4_2_02015DB4
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Untitled-09112022.xls Initial sample: OLE indicators vbamacros = False
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00000001800131BD push rdi; ret 4_2_00000001800131C4
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180013749 push rdi; ret 4_2_0000000180013752
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_02033A7E push ebp; ret 4_2_02033A86
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0201838C push eax; ret 4_2_0201838E
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_02033BE1 push ebp; ret 4_2_02033BE4
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0202E0D3 push 09B8E1F7h; retf 4_2_0202E0DD
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0202E0E9 push 8B48E1F7h; retf 4_2_0202E0F1
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_02033127 push ebp; ret 4_2_02033128
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_02032E55 push ebp; retf 4_2_02032E56
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_02032F5E push ebp; ret 4_2_02032F64
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0202E5C5 pushad ; ret 4_2_0202E5C7
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0021838C push eax; ret 6_2_0021838E
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_0203838C push eax; ret 11_2_0203838E
Source: Ji8QgmpX3lS3yT[1].dll.0.dr Static PE information: section name: _RDATA
Source: elv1.ooocccxxx.0.dr Static PE information: section name: _RDATA
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\FgEHLIiiJRN\xoEOackyxDExhQ.dll"
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\elv1.ooocccxxx
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\Ji8QgmpX3lS3yT[1].dll
Source: C:\Windows\System32\regsvr32.exe File created: C:\Windows\System32\FgEHLIiiJRN\xoEOackyxDExhQ.dll (copy)

Boot Survival

Source: C:\Windows\System32\regsvr32.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run xoEOackyxDExhQ.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\elv1.ooocccxxx

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\regsvr32.exe File opened: C:\Windows\system32\FgEHLIiiJRN\xoEOackyxDExhQ.dll:Zone.Identifier read attributes | delete
Source: C:\Windows\System32\regsvr32.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe TID: 2888 Thread sleep time: -120000s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 2888 Thread sleep time: -60000s >= -30000s
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\Ji8QgmpX3lS3yT[1].dll
Source: C:\Windows\System32\regsvr32.exe API coverage: 9.1 %
Source: C:\Windows\System32\regsvr32.exe Process information queried: ProcessInformation
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180029290 FindFirstFileExW, 4_2_0000000180029290
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018002972C FindFirstFileExW,FindNextFileW,FindClose, 4_2_000000018002972C
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180028B30 _invalid_parameter_noinfo,_invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,FindClose, 4_2_0000000180028B30
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0021DA80 FindNextFileW,FindFirstFileW,FindClose, 6_2_0021DA80
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_0203DA80 FindNextFileW,FindFirstFileW,FindClose, 11_2_0203DA80
Source: C:\Windows\System32\regsvr32.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180003460 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_0000000180003460
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018002DE88 GetProcessHeap, 4_2_000000018002DE88
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180003648 SetUnhandledExceptionFilter, 4_2_0000000180003648
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00000001800156F8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_00000001800156F8
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180002E94 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 4_2_0000000180002E94

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\regsvr32.exe Network Connect: 115.178.55.22 80
Source: C:\Windows\System32\regsvr32.exe Network Connect: 172.105.115.71 8080
Source: C:\Windows\System32\regsvr32.exe Network Connect: 218.38.121.17 443
Source: Yara match File source: C:\Users\user\Desktop\4DF60000, type: DROPPED
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\FgEHLIiiJRN\xoEOackyxDExhQ.dll"
Source: C:\Windows\System32\regsvr32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe Code function: EnumSystemLocalesW, 4_2_0000000180035058
Source: C:\Windows\System32\regsvr32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 4_2_0000000180035118
Source: C:\Windows\System32\regsvr32.exe Code function: EnumSystemLocalesW, 4_2_000000018002C360
Source: C:\Windows\System32\regsvr32.exe Code function: GetLocaleInfoW, 4_2_0000000180035364
Source: C:\Windows\System32\regsvr32.exe Code function: try_get_function,GetLocaleInfoW, 4_2_000000018002D3CC
Source: C:\Windows\System32\regsvr32.exe Code function: EnumSystemLocalesW, 4_2_000000018002C40C
Source: C:\Windows\System32\regsvr32.exe Code function: EnumSystemLocalesW, 4_2_000000018002C488
Source: C:\Windows\System32\regsvr32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 4_2_00000001800354BC
Source: C:\Windows\System32\regsvr32.exe Code function: GetLocaleInfoW, 4_2_0000000180035590
Source: C:\Windows\System32\regsvr32.exe Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 4_2_00000001800356BC
Source: C:\Windows\System32\regsvr32.exe Code function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW, 4_2_0000000180034BB8
Source: C:\Windows\System32\regsvr32.exe Code function: EnumSystemLocalesW, 4_2_0000000180034F04
Source: C:\Windows\System32\regsvr32.exe Code function: EnumSystemLocalesW, 4_2_0000000180034F88
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00000001800243D0 cpuid 4_2_00000001800243D0
Source: C:\Windows\System32\regsvr32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018002D450 try_get_function,GetSystemTimeAsFileTime, 4_2_000000018002D450
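The lines above are the sandbox's raw behaviour signatures; what an analyst usually wants from them is a short IOC list and a triage verdict. The Python below is an added example and is not part of the Joe Sandbox report or its tooling. It parses a constructed sample built from this section's own lines (with the site's "Jump to behavior" link text left in so the parser has to strip it), extracts the C2 endpoints, the DLL path regsvr32 was relaunched with, the dropped file and the MachineGuid read, and applies four triage rules that are this example's own assumptions, not rules from the report. One of them downgrades the IsProcessorFeaturePresent/RtlCaptureContext/IsDebuggerPresent/SetUnhandledExceptionFilter chain at 4_2_0000000180003460, which matches the shape of the MSVC CRT's __scrt_fastfail / __raise_securityfailure stub rather than deliberate anti-debugging; the rule ids, regexes and the SYS32_SUBDIR_DLL pattern are hypothetical names chosen for the example.

```python
"""Reduce Joe Sandbox behaviour lines to IOCs and triage findings (added example)."""
import re
from typing import Dict, List, Optional

# Constructed sample: this section's own signature lines, kept verbatim including
# the site's "Jump to behavior" link text so the parser has to strip it.
SAMPLE = r"""
Source: C:\Windows\System32\regsvr32.exe Network Connect: 115.178.55.22 80 Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Network Connect: 172.105.115.71 8080 Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Network Connect: 218.38.121.17 443 Jump to behavior
Source: Yara match File source: C:\Users\user\Desktop\4DF60000, type: DROPPED
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\FgEHLIiiJRN\xoEOackyxDExhQ.dll" Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180003460 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_0000000180003460
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00000001800243D0 cpuid 4_2_00000001800243D0
""".strip().splitlines()

LINK = " Jump to behavior"  # interactive link text the HTML export leaves behind
NET_RE = re.compile(r"^Source: (?P<proc>\S+) Network Connect: (?P<ip>\d+(?:\.\d+){3}) (?P<port>\d+)$")
PROC_RE = re.compile(r"^Source: (?P<parent>\S+) Process created: (?P<image>\S+) (?P<cmdline>.+)$")
REG_RE = re.compile(r"^Source: (?P<proc>\S+) Key value queried: (?P<key>\S+) (?P<value>\S+)$")
YARA_RE = re.compile(r"^Source: Yara match File source: (?P<path>.+), type: (?P<type>\w+)$")
CODE_RE = re.compile(r"^Source: (?P<proc>\S+) Code function: (?:(?P<addr>\d+_\d+_[0-9A-Fa-f]+) )?(?P<apis>[\w,]+),? \S+$")

# Hypothetical triage patterns (assumptions of this example, not report rules).
SYS32_SUBDIR_DLL = re.compile(r"^C:\\Windows\\system32\\[^\\]+\\[^\\]+\.dll$", re.I)
# API chain of the MSVC CRT's __scrt_fastfail / __raise_securityfailure stub.
CRT_FASTFAIL = {"RtlCaptureContext", "RtlLookupFunctionEntry", "RtlVirtualUnwind",
                "IsDebuggerPresent", "SetUnhandledExceptionFilter", "UnhandledExceptionFilter"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def parse_line(raw: str) -> Optional[dict]:
    """Turn one signature line into an event dict, or None if unrecognised."""
    line = raw.strip()
    if line.endswith(LINK):
        line = line[: -len(LINK)].rstrip()
    if m := NET_RE.match(line):
        return {"kind": "net", "proc": m["proc"], "ip": m["ip"], "port": int(m["port"])}
    if m := PROC_RE.match(line):
        dll = re.search(r'"([^"]+\.dll)"', m["cmdline"], re.I)
        return {"kind": "proc", "parent": m["parent"], "image": m["image"],
                "cmdline": m["cmdline"], "dll": dll.group(1) if dll else None}
    if m := REG_RE.match(line):
        return {"kind": "reg", "proc": m["proc"], "key": m["key"], "value": m["value"]}
    if m := YARA_RE.match(line):
        return {"kind": "yara", "path": m["path"], "type": m["type"]}
    if m := CODE_RE.match(line):
        return {"kind": "code", "proc": m["proc"], "addr": m["addr"],
                "apis": [a for a in m["apis"].split(",") if a]}
    return None


def extract_iocs(events: List[dict]) -> Dict[str, List[str]]:
    """Collect the indicators worth blocking or hunting for."""
    return {
        "c2": sorted({f'{e["ip"]}:{e["port"]}' for e in events if e["kind"] == "net"}),
        "dll_paths": sorted({e["dll"] for e in events if e["kind"] == "proc" and e["dll"]}),
        "dropped": sorted({e["path"] for e in events if e["kind"] == "yara" and e["type"] == "DROPPED"}),
    }


def triage(events: List[dict]) -> Dict[str, object]:
    """Apply the hypothetical rules; keys are rule ids, values the evidence."""
    findings: Dict[str, object] = {}
    for e in events:
        if (e["kind"] == "proc" and basename(e["parent"]) == basename(e["image"]) == "regsvr32.exe"
                and e["dll"] and SYS32_SUBDIR_DLL.match(e["dll"])):
            # regsvr32 relaunching itself on a DLL in a fresh System32 subdirectory
            findings["regsvr32_relaunch_sys32_subdir"] = e["dll"]
        elif e["kind"] == "net" and basename(e["proc"]) == "regsvr32.exe":
            # regsvr32 has no legitimate reason to talk to the network
            findings.setdefault("regsvr32_network", []).append(f'{e["ip"]}:{e["port"]}')
        elif e["kind"] == "reg" and e["value"].lower() == "machineguid":
            # MachineGuid is a common per-host identifier for bot IDs
            findings["machineguid_read"] = e["key"]
        elif e["kind"] == "code" and CRT_FASTFAIL <= set(e["apis"]):
            # compiler runtime stub, not deliberate anti-debugging: downgrade, do not alert
            findings["crt_fastfail_stub"] = e["addr"]
    return findings


def analyze(lines: List[str]):
    events = [ev for ev in map(parse_line, lines) if ev]
    return extract_iocs(events), triage(events)


if __name__ == "__main__":
    iocs, findings = analyze(SAMPLE)
    print(iocs)
    print(findings)
```

The locale and code-page calls listed further up (EnumSystemLocalesW, GetLocaleInfoW, IsValidCodePage, TranslateName in the 4_2_00000001800340xx to 4_2_00000001800356xx range) have the same character as the fail-fast stub: they are what the C runtime's locale initialisation looks like in any MSVC-built DLL, so a rule like crt_fastfail_stub is the right way to keep them from inflating a verdict that should rest on the network, process-creation and registry evidence.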

Stealing of Sensitive Information

Source: Yara match File source: 0000000B.00000002.1193361768.00000000001EA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.1193452350.00000000002FA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 11.2.regsvr32.exe.2b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.regsvr32.exe.160000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.regsvr32.exe.2b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.regsvr32.exe.4d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.regsvr32.exe.160000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.regsvr32.exe.4d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.920122880.0000000002011000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.920051864.00000000004D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.1193389765.0000000000211000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1193544536.0000000002031000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.1193348564.0000000000160000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1193467860.00000000002B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY